Login.Keychain in 10.9.x

Johnny_Kim
Contributor II

Hey guys,
I know a lot of members here are having issues when it comes to AD and keychains. I'm trying to tackle this in the most efficient way possible for our teachers/staff this year.

How I used to manage this...
OS X 10.7.x - There is a script in Self Service that simply removes the "login.keychain" and prompts them to either restart now or later using CocoaDialog. Once they restart and log in, the computer creates a new login.keychain. End of the problem.

I ran the same script and method on 10.9 to test this, and the results are a little different.
After it restarts, while logging in, it prompts me to type in my password to access the Local Items keychain ("OS X wants to use the "Local Items" keychain"). One scenario where this will be an issue is end users forgetting their password.

What is everyone doing to fix this issue with AD and Keychain in Mavericks?

9 REPLIES

bentoms
Release Candidate Programs Tester

@Johnny.Kim, I've a write-up on that at the following link. You should be able to use the information to amend your script.

http://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/

Johnny_Kim
Contributor II

Bentoms,
Thanks for the write-up, I'll take a look at it!

-John

alexjdale
Valued Contributor III

We generally tell people to drag everything in ~/Library/Keychains to the trash and then restart; that fixes it. They can't delete the files because they are locked, and the OS will track that they were moved if they simply log out and log back in, so the issue remains.

Apple really dropped the ball on this when they changed the keychain system for iCloud keychain sync. It's like they completely ignored use cases with network accounts where passwords are changed outside of the system. Even if the user remembers their previous password, they keep getting prompts.

On top of all that, RSA SecurID stores soft tokens on the login keychain, so we have to reissue those often after repairs.

JPDyson
Valued Contributor

Do your folks not leverage the keychain at all? We have certificates and preferences stored there, and losing them every 60 days with a password change would not be acceptable.

alexjdale
Valued Contributor III

All of our certificates are stored in the System keychain; I do everything at the system level when it comes to Profiles and whatnot. Anything a user stores in their Login keychain is their business (website passwords, for example), and I always tell them if they need anything from their old keychain, it's still in the trash after they reboot. Nobody ever seems to care; RSA tokens are the only exception.

I moved everything to the System keychain for the reasons you mentioned, losing the Login keychain caused terrible support issues. You basically can't rely on the Login keychain anymore these days and need to make it expendable.

bentoms
Release Candidate Programs Tester

The local items keychain contains keychain items that can be synced via iCloud. So website logins etc.

Most of the time they are also present in the login.keychain, so it's safe to delete the local items keychain as I linked.

This issue is why I forked ADPassMon, as 10.9 is a pain with this new keychain.

Johnny_Kim
Contributor II

Update: I am trying to keep things simple for the end user. So far, this seems to work for my environment.

The end user runs a policy in Self Service, which triggers a script to delete the entire Keychains folder and prompts them to restart using CocoaDialog, and the problem is solved.

GabeShack
Valued Contributor III

Is there a way to script this to delete the folder for all users and not just the currently logged-in user? Would love to run this on a few labs that we upgraded to 10.9. Least amount of end-user action required.

Really I'd love to script this so it trashes the ~/Library/Keychains folder and then auto-selects "create new keychain" (instead of "update keychain") for each user.

@Jonny.Kim What's the version of the script you're using?

Gabe Shackney
Princeton Public Schools

Johnny_Kim
Contributor II

@gshackney I modified a script I believe I found here.

#!/bin/bash
# Path to the CocoaDialog binary (adjust for your environment)
CD="/your/cocoadialog/location/CocoaDialog.app/Contents/MacOS/CocoaDialog"
# The owner of /dev/console is the console user; "root" means we are at the login window
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

if [ "$loggedInUser" != 'root' ]; then # Check if at the login window; if it is, the following code is skipped
    # Remove the whole Keychains folder (login.keychain and the Local Items keychain).
    # The OS creates fresh ones at the next login after a restart.
    rm -f -r "/Users/$loggedInUser/Library/Keychains"

    #### CocoaDialog message box asking the user to select Restart
    rv=$("$CD" msgbox --title "Restart Please" \
        --text "To complete the Keychain Fix, a restart is required." \
        --informative-text "It is important that you select Restart, but you may select Later to restart at a more convenient time." \
        --no-newline --button1 "Restart" --button2 "Later" --float)
    #### If the user selects Restart, an AppleScript sends the Apple restart event to loginwindow. Gives the user a minute to cancel the restart.
    if [ "$rv" == "1" ]; then
        echo "User selected Restart"
        osascript -e 'tell application "loginwindow" to «event aevtrrst»'
    elif [ "$rv" == "2" ]; then
        echo "User selected Later"
        exit 0
    fi
else
    echo "No User logged in. CocoaDialog not necessary"
fi
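The script above resets only the console user's keychain, which is what Self Service needs. For the lab case Gabe asks about (every account on the machine, no end-user action), the following is an added example, not code from this thread or from Jamf. It walks every home folder under /Users, skips Shared, and moves each Keychains folder aside with a timestamp instead of deleting it, following alexjdale's "drag it to the trash" approach so that items such as RSA soft tokens remain recoverable. It refuses to run unless the login window is showing (console owner is root), and because a moved keychain folder only stops being tracked after a restart, it reboots when done. The function and flag names are this example's own, and the timestamped `Keychains.pre-reset-<stamp>` naming is an assumption.

```shell
#!/bin/bash
# Added example, not from the thread: reset the keychains of every local account
# on a lab Mac in one pass. Assumptions: home folders live under /Users (Shared is
# skipped); the Keychains folder is moved aside rather than deleted so items such
# as RSA soft tokens can be recovered; the machine is restarted afterwards so that
# each account gets a fresh login.keychain and Local Items keychain at next login.

# Move <home>/Library/Keychains to <home>/Library/Keychains.pre-reset-<stamp> for
# every home folder under $1, using $2 as the stamp. Prints the number moved.
reset_user_keychains() {
    users_root="$1"
    stamp="$2"
    moved=0
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        case "$(basename "$home")" in
            Shared) continue ;;   # no per-user keychain lives here
        esac
        kc="$home/Library/Keychains"
        [ -d "$kc" ] || continue
        mv "$kc" "$kc.pre-reset-$stamp"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# The owner of /dev/console is the console user; "root" means the login window is showing.
console_user() {
    ls -l /dev/console | awk '{print $3}'
}

# Usage (e.g. from a Jamf policy scoped to the lab): sudo ./reset-keychains.sh --all
# Only acts when nobody is logged in: a logged-in user's keychain is still open in
# securityd, and the reset only takes effect after a restart anyway.
if [ "${1:-}" = "--all" ]; then
    if [ "$(console_user)" != "root" ]; then
        echo "Console user $(console_user) is logged in; run this from the login window." >&2
        exit 1
    fi
    n=$(reset_user_keychains /Users "$(date +%Y%m%d-%H%M%S)")
    echo "Moved $n Keychains folder(s) aside; restarting to finish."
    shutdown -r now
fi
```

Run it once per lab Mac after the 10.9 upgrade; at next login each account is prompted to create a new login keychain, and anything a user needs from the old one is still in the timestamped folder next to it. It does not answer the second half of Gabe's question: the "create new keychain" versus "update keychain" choice is made by the user in the login dialog and is not selectable from a script.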