Posted on 06-18-2013 02:33 PM
We are trying to use Keychain Minder as a login item to keep users from seeing Apple's cryptic keychain dialog after an AD-initiated password change. The problem we are having is that Keychain Minder doesn't run until AFTER the system keychain dialog has appeared and been dismissed. Obviously, this defeats the purpose.
Also, I know that keychain minder is 5 years old, but I have yet to find another alternative. I'm open to other suggestions. Thanks.
Posted on 06-18-2013 02:41 PM
If you look in Keychain Access's Preferences, in the First Aid tab, you'll see a checkbox for Synchronize login keychain password with account. This setting is stored in ~/Library/Preferences/com.apple.keychainaccess.plist, so it's set on a per-user basis.
Relevant link: http://www.jaharmi.com/2009/08/29/sync_the_keychain_passphrase_with_the_login_account_password_in_sn...
You can enable or disable that checkbox using a defaults command:
To disable:
defaults write com.apple.keychainaccess SyncLoginPassword -bool false
To enable:
defaults write com.apple.keychainaccess SyncLoginPassword -bool true
You can also manage this through MCX.
Posted on 06-18-2013 03:34 PM
It's also now a default setting in KeyChain Access, Preferences to sync the login password with the keychain, which performs the same task as KeyChain Minder. After a password change, the next time a user logs in, they're promoted to either update their keychain password, create a new keychain or to simply ignore the prompt and login (leaving them with a locked keychain).
Posted on 06-20-2013 11:05 AM
Thanks for the responses, but:
@rtrouton: This setting only works if you change the user's password through system preferences. AD-initiated password changes do not synchronize automatically.
@daniel.behan: The difference with keychain minder is that you can customize the message the user sees. Our users are going to get confused if they get prompted with some box about a keychain and a password. They have no idea what this means, and won't know which option to select.
Posted on 06-20-2013 12:07 PM
@nextyoyoma,
The Synchronize login keychain password with account setting is a little mislabeled. What it actually turns on and off is the keychain update window you see at the login window. I may not have understood what you meant, but I thought that's what you wanted to turn off.
Posted on 01-30-2017 07:20 AM
I realize this is an old thread but we've had lots of problems with the Keychain after a user changes their centralized Active Directory password. Users simply don't follow the on screen instructions then they just ignore the issue which seams to cause more problems with Keychain. Additionally if they did sync their Keychain with the login password it would still be trying to use the old password to login to mail or websites that use their centralized password. They continue their confusion and use the wrong password and end up locking them selves out of everything because of multiple wrong passwords. So I setup a Self Service tool to deal with it. We just instruct the user to use the tool when they run into the issue.
The script archives their Keychain directory and logs them out so on login they create a new Keychain. If there was anything in the Keychain directory they need later it's in the .zip archive. I try to do double checking to be sure we are only dealing withe the currently logged in user. There are likely other considerations or improvements that could be made but this is want's been working for us so far.
#!/bin/bash
# Script name: KeychainArchiveSelfService.sh
# This script will archive and delete a users Keychain directory
# set this up so the users runs it via Self Service, don't use it as an automated script.
# to do this in an automated way you would need to iterate through all user directories
# Self Service setup
# Make this an ongoing tool and don't use any triggers.
# Set the Restart Options to restart immediatly if the user is logged in.
# The script is set to run before any other items.
# Be sure you setup this as a Self Service tool and add a discription to
# warn the user that they should not use this tool without being advised to
# do so by support staff. We try to make it as safe as possible if they do
# run it without our advice. Also warn that this will restart their machine.
# In testing you may find other ways you prefer to use this.
# create a log directory if it doesn't exist so you can keep track of the script actions
[ -d /var/log/ManagmentLogs ] || mkdir /var/log/ManagmentLogs
keychainfixlog="/var/log/ManagmentLogs/keychainfix.log"
# Get the currently logged in user from casper.
casperCurrentUser=$3
# Use this info to be sure the current user is the logged-in user
# may be a bit over the top and may duplicate what $3 does but I'm doing it anyway
# if the script is not run by the user from SelfService there could be problems
# found at https://macmule.com/2014/11/19/how-to-get-the-currently-logged-in-user-in-a-more-apple-approved-way/
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser;
import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0];
username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
# now check that the Casper user and the actual logged-in user are the same
# run the archive and delete if usernames match otherwise exit
# this should also help prevent the script being used in an automated run
if [ "$casperCurrentUser" == "$loggedInUser" ]; then
# usernames match so lets archive then delete the users Keychain
# also make notes in a log file
printf "
$(date +"%Y %b %d %T") - Keychain archive and removal is being run for $casperCurrentUser.
" >> $keychainfixlog
# echo for Casper policy log
echo "Keychain archive and removal was started for $casperCurrentUser."
# check that we actually have a directory to do something to before doing it
# if the user is logged in there should be a directory, just another safety check
if [ -d "/Users/${casperCurrentUser}/Library/Keychains" ]; then
# zip the Keychain directory and date it and put the in users ~/Documents
zip -r "/Users/${casperCurrentUser}/Documents/Old_Keychain-$(date +%y%m%d_%H%M%S).zip" "/Users/${casperCurrentUser}/Library/Keychains" >> $keychainfixlog
# add log info for this step
printf "$(date +%T) Removing /Users/${user}/Library/Keychains folder and contents
" >> $keychainfixlog
# now remove the old Keychain directory and log the activity
# If something is deleted by accident it's in the .zip file
rm -rf "/Users/${casperCurrentUser}/Library/Keychains" >> $keychainfixlog
# echo for Casper policy log
echo "Keychain archive and removal was run for user $casperCurrentUser. Check log $keychainfixlog for details."
exit 0
else
printf "$(date +%T) No Keychains directory found at /Users/${casperCurrentUser}/Library/Keychains
" >> $keychainfixlog
exit 1
fi
else
printf "
$(date +"%Y %b %d %T") casperCurrentUser - $casperCurrentUser - is not the same as loggedInUser - $loggedInUser -" >> $keychainfixlog
echo "casperCurrentUser - $casperCurrentUser - is not the same as loggedInUser - $loggedInUser -"
exit 1
fi
exit 0