Posted on 07-11-2014 05:52 AM
Hey guys,
I know a lot of members here are having issues when it comes to AD and keychain. I'm trying to tackle this in the most efficient way possible for teachers/staff this year.
How I used to manage this...
OS X 10.7.x - There is a script in Self Service that simply removes the "login.keychain" and prompts them to either restart now or later using CocoaDialog. Once restarted and logged in, the computer will create a new login.keychain. End of the problem.
I ran the same script and method on 10.9 to test this and the results are a little different.
After it restarts, while logging in, it prompts me to type in my password to access the local keychain ("OS X wants to use the "Local Items" keychain"). One scenario where this will be an issue is end users forgetting their password.
What is everyone doing to fix this issue with AD and Keychain in Mavericks?
Posted on 07-11-2014 05:54 AM
@Johnny.Kim, I've a write up on that at the following link. You should be able to use the information to amend your script.
http://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/
Posted on 07-11-2014 06:28 AM
Bentoms,
Thanks for the write up, I'll take a look at it!
-John
Posted on 07-11-2014 07:42 AM
We generally tell people to drag everything in ~/Library/Keychains to the trash and then restart; that fixes it. They can't delete the files because they are locked, and the OS will track that they were moved if they simply log out and log back in, so the issue remains.
Apple really dropped the ball on this when they changed the keychain system for iCloud keychain sync. It's like they completely ignored use cases with network accounts where passwords are changed outside of the system. Even if the user remembers their previous password, they keep getting prompts.
On top of all that, RSA SecurID stores soft tokens on the login keychain, so we have to reissue those often after repairs.
Posted on 07-11-2014 07:46 AM
Do your folks not leverage the keychain at all? We have certificates and preferences stored there, and losing them every 60 days with a password change would not be acceptable.
Posted on 07-11-2014 11:40 AM
All of our certificates are stored on the System keychain, I do everything at the system level when it comes to Profiles and whatnot. Anything a user stores on their Login keychain is their business (website passwords, for example), and I always tell them if they need anything from their old keychain, it's still in the trash after they reboot. Nobody ever seems to care, RSA tokens are the only exception.
I moved everything to the System keychain for the reasons you mentioned, losing the Login keychain caused terrible support issues. You basically can't rely on the Login keychain anymore these days and need to make it expendable.
Posted on 07-11-2014 11:42 AM
The local items keychain contains keychain items that can be synced via iCloud. So website logins etc.
Most of the time they are also present in the login.keychain, so it's safe to delete the local items keychain as I linked.
This issue is why I forked ADPassMon, as 10.9 is a pain with this new keychain.
Posted on 09-01-2014 07:04 PM
Update: I am trying to keep things simple for the end user. So far, this seems to work for my environment.
The end user runs a policy in Self Service, which triggers a script to delete the entire keychain folder and prompts them to restart using CocoaDialog, and the problem is solved.
Posted on 10-02-2014 07:34 AM
Is there a way to script this to delete the folder for all users and not just the currently logged in user? Would love to run this on a few labs that we upgraded to 10.9. Least amount of end user actions required.
Really I'd love to script this so it trashes the ~/Library/Keychains folder and then auto-selects "create new keychain" (instead of "update keychain") for each user.
@Jonny.Kim What's the version of the script you're using?
Gabe Shackney
Princeton Public Schools
Posted on 10-02-2014 07:52 AM
@gshackney I modified a script I believe I found here.
#!/bin/bash
CD="/your/cocoadialog/location/CocoaDialog.app/Contents/MacOS/CocoaDialog"
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
# Remove the whole Keychains folder (login.keychain and the Local Items keychain); a fresh one is created at next login
rm -f -r "/Users/$loggedInUser/Library/Keychains"
if [ "$loggedInUser" != 'root' ]; then # Check if at the login window; if it is, the following code is skipped
    #### CocoaDialog message box asking the user to select Restart
    rv=`$CD msgbox --title "Restart Please" \
        --text "To complete the Keychain Fix, a restart is required." \
        --informative-text "It is important that you select Restart, but you may select Later to restart at a more convenient time." \
        --no-newline --button1 "Restart" --button2 "Later" --float`
    #### If the user selects Restart, an AppleScript sends loginwindow the Apple restart event. Gives the user a minute to cancel the restart.
    if [ "$rv" == "1" ]; then
        echo "User selected Restart"
        osascript -e 'tell application "loginwindow" to «event aevtrrst»'
    elif [ "$rv" == "2" ]; then
        echo "User selected Later"
        exit
    fi
else
    echo "No user logged in. CocoaDialog not necessary"
fi
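For the lab case asked about above (fix every account on a machine, not just the console user), here is an added example that is not code from the thread or from Jamf: it moves each home's Keychains folder aside instead of deleting it, so old items stay recoverable, and it only acts from the login window. The users root, the backup label and the --run flag are assumptions of this example so the function can be exercised on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the thread: move aside ~/Library/Keychains for every
# home directory under a users root (normally /Users) so a lab Mac is fixed for
# all accounts at once. Run as root from the login window, e.g. via a policy.
# The users root and backup label are parameters (assumption of this example)
# so the function can be tried on a scratch directory before touching /Users.

# rotate_keychains USERS_ROOT LABEL
# Moves each home's Keychains folder to Keychains.old-LABEL and prints how many
# homes were handled. Moving rather than deleting keeps old items recoverable,
# as suggested earlier in the thread.
rotate_keychains() {
    users_root="$1"
    label="$2"
    count=0
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        case "$(basename "$home")" in
            Shared|Guest) continue ;;   # no per-user keychain worth fixing
        esac
        kc="$home/Library/Keychains"
        [ -d "$kc" ] || continue
        # The thread notes the files are locked (Finder's lock is the user
        # immutable flag); clear it so the move succeeds. chflags exists only
        # on macOS/BSD, so its absence elsewhere is tolerated.
        chflags -R nouchg "$kc" 2>/dev/null || true
        mv "$kc" "$home/Library/Keychains.old-$label" || continue
        count=$((count + 1))
    done
    echo "$count"
}

# Real run only with an explicit flag, so sourcing or testing the file is safe.
if [ "$1" = "--run" ]; then
    # Same console-user check as the Self Service script above: act only when
    # nobody is logged in, otherwise the user's open keychains would be pulled
    # out from under their session.
    consoleUser=$(ls -l /dev/console | awk '{print $3}')
    if [ "$consoleUser" != "root" ]; then
        echo "User $consoleUser is logged in; run this from the login window." >&2
        exit 1
    fi
    moved=$(rotate_keychains /Users "$(date +%Y%m%d-%H%M%S)")
    echo "Moved aside Keychains for $moved home folder(s); fresh keychains are created at next login."
fi
```

Run it as `sudo ./rotate_keychains.sh --run` from the login window; each user gets a new login.keychain at their next login and their old folder stays under ~/Library as Keychains.old-<label> until you clean it up.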