OS X need to repair your library

Chriskmpruitt
Contributor

Hello all,

We have been getting this error since upgrading to Mavericks. "OS X needs to repair your Library to run applications. Type an Administrator's name and password to allow this". This happens on a per-user basis. A user can login and get this error and logoff and get no error. It seems "random" but we know it's not. Just can't seem to connect the dots.

If you navigate to ~/library, it says "The operation can't be completed because the item can't be found". But if you navigate through Computer-->Macintosh HD-->Users everything is there, and has full permissions.

Things we have tried that have failed.

  1. Fix disc permissions
  2. Repaired Keychain
  3. Software update to OS X 10.9.2
  4. Deleted Login Keychain via script
  5. Created a folder in ~/Library/User/keychain @Postimage
  6. sudo update_dyld_shared_cache -root / @Login
  7. Disabling Keychain Update via script

We are using Active Directory. Our users are Managed, Mobile.

Any help would be greatly appreciated

bentoms
Release Candidate Programs Tester

@Chriskmpruitt, are your home folders located on a server?

If you're pushing out any DMGs that FEU or FUT's, please check their permissions too.

SGill
Contributor III

I was seeing this too, but solved it with just:

sudo update_dyld_shared_cache -root /

based on advice from this thread over at DeployStudio Forums:

http://www.deploystudio.com/Forums/viewtopic.php?id=5383

Chriskmpruitt
Contributor

Thank you guys for the quick posts.

Our home folders are not located on a server.

I have been through our DMGs a few times to check if any have FEU or FUT's. Everything looks good there. If that was the problem, we would see it more consistently and not so "random".

@Gillaspy I really like that thread, it is exactly what we are going through. There is no known "fix" besides just restarting the machine.

SGill
Contributor III

I was under the impression that the command was fixing the issue before anyone logged into a newly imaged machine, but it's true that I was also giving those computers an additional restart, too, so it would make an interesting test to leave out the restart to see if the command is helping at all…haven't done it that way yet.

Michael_Meyers
Contributor

I had the same sort of error with the Keychain. After trying to repair it a few times, I recreated my image (updating to 10.9.2) and the issue went away.

Chriskmpruitt
Contributor

@Mike_Meyers and @Gillaspy are you running Active Directory?

SGill
Contributor III

Yes, all AD, no OD.

Michael_Meyers
Contributor

Yes to AD, no to OD.

fabian_ulmrich
Contributor

Hi there,

I just ran into the same issues with OS 10.9.3 and I tried almost everything I could find about this. Last, I tried this on an unmanaged computer with a fresh install and I got the same errors.

"OSX needs to repair your Library to run applications...bla bla"

I figured out some weird permission issues on the users homefolders which are created at the point of login on our Server (Windows Server 2008 R2), where 'Everyone' has delete/deny permissions. I was a little bit wondering about this, so I removed 'Everyone' from the list and applied those permissions to all child objects. By fixing that, I had no issues anymore.

Can't really tell if this is the same problem for you guys because we are using Acronis/GroupLogic ExtremeZip to mount the Shares via AFP from the WindowsServer. Also asked ExtremeZip Support if this is already a known issue with Mavericks, because we had no problems with 10.8.

Our AD client configuration looks like the following:

Active Directory Forest = our.domain.com
Active Directory Domain = our.domain.com
Computer Account = computerName$

Advanced Options - User Experience
Create mobile account at login = Disabled
Require confirmation = Disabled
Force home to startup disk = Disabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = afp
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = not set
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

Maybe anyone else has a similar setup and has some more suggestions regarding this issue.

Thanks & Cheers!

jake_snyder
New Contributor III

We're having the same problem with Mavericks. We have an all AD environment and we repeatedly get the "OS X needs to repair your Library to run applications" error. This error occurs for new and old users. Entering credentials to run the repair gives a 30 second window before returning with the same error message.

Chriskmpruitt
Contributor

Have you tried the same steps that we did?

kevin5495
New Contributor III

Having the same issue here. AD users get the “OS X needs to repair your library to run applications” error, local users work fine. Entering admin credentials doesn’t help.

Instead of mounting AD users SMB share the OS points the home directory to /var/empty.

I haven’t edited the default user template as many seeing this issue have and the update_dyld_shared_cache suggestion doesn’t help.

Oddly, an earlier version of my (monolithic) 10.9.4 image worked fine on new iMacs, when I apply to other machines (late 2013 Mac Pros, late 2013 iMac) it errors. Binding to AD using Deploy Studio plug-in.

This is becoming more unnerving as September approaches.

jake_snyder
New Contributor III

I tried running sudo update_dyld_shared_cache -root / on the admin side of things, but it didn't seem to help.

I'm at 10.9.4

I also tried a new smb share and made sure the permissions were correct. The problem occurs when the user signs into 10.9.4 - the home directory on the windows server gets partially created, but the permissions are completely wrong.

I have more luck if I have the account login on a 10.8 computer first, and then login on a 10.9.4 computer.

SGill
Contributor III

Under 10.9.4, with AD accounts I am seeing better results if the account is generated under 10.9.1 (and later) and not imported from a record generated under 10.9.0 and earlier. Some sort of directory schema change has seemingly occurred to support iCloud Keychain with the release of 10.9.1:

http://support.apple.com/kb/TS5362?viewlocale=en_US&locale=en_US

Unfortunately, following the directions in the article above won't be an option for many multiple user environments and will only help with single-user workstations.

With the AD-based Password change/Keychain update dialog, I am seeing that there continues to be an issue with the "Continue Logging In" button (the OS might complain about no access to various items related to the Keychain), but that "Update Keychain PW" and "New Keychain" work if the directory record was generated by Mavericks 10.9.1+ and not an earlier OSX version (and if the user is correct about what their prior password was for the "Update Keychain PW" button).

jruskey
New Contributor

We are seeing the same problem. Brand new out of the box 10.9.4 machines. All updates run. AD Only. Bound to AD. I have an access problem while creating the home folder for a user. Home folder should point to windows server 2008r2 share. On the first logon from any new Mac, the access right to the network home is corrupted. It sets up some folders on the server share, but screws up the security on all folders so we have no access to those folders. If I log in as the same user on a 10.6.8 machine, no problems. It creates the folders in their network share home folder and all security is correct.

kevin5495
New Contributor III

Testing yesterday I found the same results on an out of the box iMac. I bound to AD using Apple's AD plug-in, restarted, logged in as an AD user and got the same error. Opening a ticket today.

bentoms
Release Candidate Programs Tester

FWIW, I have not seen this with AD mobile accounts & 10.9.x.

I guess there is a package that you're installing that may be causing the issue.

jake_snyder
New Contributor III

It seems like @jruskey and @kevin5495 are having the same problems that I'm running into. I just made a bit of progress:

I found that an Everyone Deny permission appears within the home directory folder on the server. If I delete this permission on the few folders that are actually created (Library, Desktop, and Documents), then I can actually save files to those folders. Unfortunately the other default folders are still missing (Movies, Music, Pictures, Public).

I think we'll be able to resolve the issue if we can figure out how to avoid having that Everyone Deny permission attaching itself to folders within the home directory. Could this be prevented by modifying the default user profile?

jake_snyder
New Contributor III

@bentoms this is happening on a 10.9.4 imac fresh out of the box so it can't be related to packages

bentoms
Release Candidate Programs Tester

@jake.snyder, so it looks like your AD homes are located on an SMB share right?

When you say "fresh out the box" do you mean the local admin account on the OS supplied by Apple?

Really not seeing the same issues as you, so it may help if you detailed some more of your setup. Perhaps there is some commonality.

kevin5495
New Contributor III

In my case I created the local admin account as part of the AppleSetup wizard. No updates, no packages. The other thing I touched was Directory Utility. Because the AD home directory pointed to /var/empty we're looking at AD now.

jake_snyder
New Contributor III

@bentoms good call, let me provide more detail

Our AD homes are located on a SMB share (windows 2008 R2). I verified that the permissions on the share are set up exactly the way Apple recommends for Mavericks (I was even sent a custom made video by an Apple engineer detailing the permission and security settings for the share so those should be perfect).

I then took a brand new imac that came with 10.9.4 already installed and signed into a local admin account and then bound it to AD using the mac AD-plugin. I signed out and restarted the computer, and then tried signing in with a fresh AD account that was pointed to my AD home directory share. I can sign in just fine, but I immediately get the “OS X needs to repair your library to run applications" error. I can't save or do much in the environment when it does this.

If I look at the permissions of the newly created home directory for my fresh AD account it looks kind of funny - only the Library, Documents, and Desktop folders were created. I noticed that there was an Everyone Deny permission on each of those folders and when I delete the Everyone Deny permission on each folder (Library, Documents, Desktop) I can actually use the account and save documents. If I log out and back in after those changes, the other typical home directory folders are still missing.

Edit: I should note that I don't have this problem with 10.8.x or 10.7.x

bentoms
Release Candidate Programs Tester

@jake.snyder, yea I don't know. It's not something I do.. & tbh, my "it doesn't happen to me" wasn't helpful. Sorry.

Which Mac OS has this worked on before?

jruskey
New Contributor

@jake_snyder, your symptoms are identical to what we are seeing. I have been working on this for 2 days with no luck. Considering going to 10.8.x on the new iMacs to see if that fixes the issue.

agrosvenor
New Contributor

@bentoms, this has worked on 10.8.5 and all previous versions -

@jruskey, - I suspect rolling back to 10.8.x will work - it did for us, but we are still trying to get 10.9.4 operational for this upcoming semester

[for reference, I work in the same department as @jake.snyder ]

jruskey
New Contributor

@bentoms, @agrosvenor, I can't roll back. These all shipped with 10.9.x and no matter what I try, it won't allow 10.8.x to install. So, back to the fun.

jake_snyder
New Contributor III

@jruskey that's really unfortunate, @agrosvenor and I haven't made any progress in the last 24 hours

jake_snyder
New Contributor III

we were assigned an Apple engineer from Apple Enterprise Support this morning so we'll see if we can make any progress once they reach out to us

jruskey
New Contributor

@jake.snyder, There is the obvious problem of the home directories not mapping. We are all experiencing that. Let me know what they say. I have confirmed if I use AdmitMac from Thursby, my home drives mount correctly. Now, that isn't the solution since it is about $70/machine for that plug in. However, even if we paid the money for that, the other issue is that no network users can log in after the Mavericks machine goes to sleep. You either have to reboot or log in with a local account, log out and then network accounts are fine. Are you also lucky enough to have this other problem as well?

Please let me know what your apple engineer says. Thanks so much.

Olivier
New Contributor II

We also have our AD homes on a SMB server, but quite frankly, I don't think this is the root cause. Same for the udld force cache.

I have also seen this a couple of times over the last 1 or 2 years, and the only thing I could notice when the problem happens is a mismatch between the UID in the Directory service record for that user (dscl . -read /Users/yourADuser ) and the UID seen on the user's Library folder on disk (run a simple "ls -lnr /Users/yourADuser/Library").
Remember that OSX silently checks, and updates if needed, any user's record entries during session logon (99,999% of the time, there is obviously nothing to update but...): this is maybe what created the permissions mismatch and the annoying popup.

jruskey
New Contributor

This happens with old users, brand new test users created, etc. It is every network user. It is only on 10.9.x. Any other versions from 10.6.8 and up, no issues whether new or existing user.

ebioit
New Contributor II

We are seeing the same error on our older classroom computers. Our Mid 2009 MacBook Pros and Early 2009 iMacs prompt us after imaging: "OSX needs to repair your library in order to run applications..." Furthermore, they fail to bind to the Active Directory at imaging time. If we log into the Local Admin and repair the library when prompted, we are then able to manually bind the computer to the AD; furthermore, the required applications work for the Local Admin and AD users.

Our newer computers (Late 2009 +) do not display the repair message and bind to the AD. Imaging is a flawless process on these iMacs and MacBook Pros.

We are using 10.9.4 build 13E28 images created from AutoDMG - it's quite the predicament, we may end up imaging our classroom computers with 10.8 again. This is the first time I've experienced the age of a Mac producing different imaging results in such a manner.

jruskey
New Contributor

@jake.snyder, has your apple engineer been able to resolve anything as of yet?

jake_snyder
New Contributor III

@jruskey not yet, they've been getting pretty deep into logs and verifying what we're seeing, I'm hoping for a resolution soon. I'll post on here as soon as I get anything.

jake_snyder
New Contributor III

@ebioit have you tested brand new accounts with network home directories on 10.9.4? I'd be curious to see if you have success or not.

michaelhusar
Contributor II

I saw the same things with old user accounts from 10.8 when we moved to Mavericks. We saved the work-data and made a new account/library.
Base OSX 10.9.4 is from AppStore and packed with Composer.
Before that we were also exploring the everybody-deny-delete road: we removed that ACL from the user template and wrote a launch agent for removing it. But OSX "repairs" that - so you always end up with files with the everybody-deny-delete ACL in the Library. The only remedy we found was ExtremeZ-IP (handles the ACL correctly).
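
Added example, not part of any post in this thread: a small shell helper for the two checks raised above, Olivier's comparison of the directory-record UID with the numeric owner of the user's Library folder, and the "everyone deny" ACL entries michaelhusar mentions. The function names, the constructed sample text, the use of `ls -lnde` on the folder itself, and the assumption that the home lives at /Users/<shortname> are all mine.

```shell
#!/bin/sh
# Added example. SAMPLE_* values are constructed, not captured from a real Mac.

# UID from the output of: dscl . -read /Users/<user> UniqueID
record_uid() {
    printf '%s\n' "$1" | awk '$1 == "UniqueID:" { print $2; exit }'
}

# Numeric owner (3rd field) from the first line of: ls -lnde <dir>
disk_uid() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $3 }'
}

# Prints MATCH, MISMATCH (with both values) or UNKNOWN for two captured outputs.
uid_status() {
    rec=$(record_uid "$1")
    disk=$(disk_uid "$2")
    if [ -z "$rec" ] || [ -z "$disk" ]; then
        echo "UNKNOWN"
    elif [ "$rec" = "$disk" ]; then
        echo "MATCH"
    else
        echo "MISMATCH record=$rec disk=$disk"
    fi
}

# Number of ACL lines in `ls -le` output that deny something to group everyone.
everyone_deny_count() {
    printf '%s\n' "$1" | grep -c 'group:everyone deny' || true
}

# Live check on a Mac: check_user <shortname> (assumes home is /Users/<shortname>).
check_user() {
    rec_out=$(dscl . -read "/Users/$1" UniqueID 2>/dev/null)
    ls_out=$(ls -lnde "/Users/$1/Library" 2>/dev/null)
    echo "uid check: $(uid_status "$rec_out" "$ls_out")"
    echo "everyone-deny ACL entries on Library: $(everyone_deny_count "$ls_out")"
}

# Constructed sample: record says one UID, the folder is owned by another.
SAMPLE_DSCL='UniqueID: 1450721983'
SAMPLE_LS='drwx------+ 42 501  20  1428 Aug 12 09:14 /Users/yourADuser/Library
 0: group:everyone deny delete'

if [ -n "${1:-}" ]; then
    check_user "$1"
else
    echo "sample: $(uid_status "$SAMPLE_DSCL" "$SAMPLE_LS")"
fi
```

Run with an AD short name as the only argument on an affected Mac; with no argument it evaluates the constructed sample only.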

jake_snyder
New Contributor III

@michaelhusar @jruskey I just downloaded the trial of Acronis ExtremeZ-IP and can confirm we didn't have account corruption when using AFP, but it still only created three folders (Desktop, Documents, Library).

I'm still waiting for next steps from the kind folks at Apple. They are very detailed and thorough but I'm afraid I won't have time to wait for their solution.

I'm preparing two options for the scenario where Apple can't figure it out in time for the start of my school year:

  1. Roll back to 10.8.5 on iMacs that will support it and run forced local home directories on our 20 brand new imacs - less than ideal for those that will need to use these computers.
  2. The other option is to implement Acronis ExtremeZ-IP, but the unlimited client licensing is expensive for a technology that Apple is moving away from.

Michael - Do you have instructions or tips for how to set up ExtremeZ-IP? I followed the instructions I found for version 3, but they seem slightly dated. It seems to be working except that it's only creating 3 folders.

Thanks all. If Apple support comes through, I'll post a follow up here.

jruskey
New Contributor

@jake.snyder - I understand your frustrations. What we did with the labs that can't be downgraded is similar to option 1. We created a generic local login since it is in a lab. Then, we have Aliases on the desktop that allow users to connect to their home directories, shares, etc. Not ideal, but didn't have a lot of options.

I did use AdmitMac from Thursby and it works very well. I think education pricing is about $132 per license ($110 for the license and $22 for support). The more licenses you purchase, you get volume pricing. It works very well, but it is expensive. We ended up purchasing a 5 pack for the machines that we are rolling out to staff that won't be in labs.

If you hear anything from apple, let me know. Thanks so much.