Currently we have around 75 Macs in labs. The lab Macs are authenticating over our Windows Active Directory, but are NOT using network home folders. Students save data they need to keep or have portable on their network share.

I recently upgraded the machines from 10.7 to 10.9, and was unpleasantly surprised by 10.9's new keychain. There is an incompatibility here because they introduced the "localitems" keychain for users. This keychain is in more of a file database format, and uses the user's login keychain to unlock, just like the login.keychain.

Students are required to change their password every 60 days. They can also change it on a whim, or reset it with a web interface at a kiosk, or call our student service number and get it force reset. All of these methods will render their login and localitems keychains locked at login on any computer other than the one they changed their password at (if any).

When they sit down on another computer, the login.keychain will pop up a prompt and offer to reset or update the password. This process works fine.

The localitems keychain, however, does not. It causes a barrage of keychain popups, demanding they unlock it, with no option to reset it. Having to dismiss the dialogue box one or two dozen times every few minutes is not uncommon. Keychain Access is powerless to fix the problem. Apple's recommended solution is to dig into the Keychains folder (past a hidden folder) and delete the keychain folder and REBOOT. Yes, reboot. There is NO other alternative. Logging out isn't sufficient - secd maintains a lock on the file and caches its contents. It can be deleted with rm, but it will get recreated.

Really annoying. I scripted some resets to run automatically at reboot and when a user logs out, since the students really don't use their keychains in the lab, but this business of having to delete a hidden file and reboot every computer a student has used every time they change or reset their password is downright silly.

I've found over a dozen admins complaining about this, and have been on the phone twice (long calls) with Apple, but no one has a solution, beyond Apple's KB: http://support.apple.com/en-us/TS5362

This is a fair one-time solution for an individual user, but isn't a good solution for an entire campus. Has anyone come up with a better plan?

(macmule has a good though incomplete breakdown of the problem: https://macmule.com/2014/03/30/the-local-items-keychain-in-mavericks/)


I work for the Department of Redundancy Department
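An added example of the kind of automated reset the post describes (this is not the poster's own script, nor Apple's). It assumes, following Apple's KB rather than anything stated in the post, that the Local Items keychain lives in a UUID-named folder under the user's ~/Library/Keychains, and it deliberately leaves login.keychain alone so the normal "update password" prompt can still do its job.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumption: the Local Items
# keychain is stored in a folder whose name is a UUID, directly under
# ~/Library/Keychains; login.keychain is a file in the same directory.

# reset_local_items_keychain KEYCHAINS_DIR
# Removes every UUID-named subfolder of KEYCHAINS_DIR, leaving
# login.keychain and any other files untouched, and prints how many
# folders were removed (0 if the directory does not exist).
reset_local_items_keychain() {
    dir=$1
    removed=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue          # no subfolders: glob stayed literal
        name=$(basename "$d")
        # 8-4-4-4-12 hex groups, i.e. a UUID-named keychain folder
        if printf '%s\n' "$name" |
            grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'; then
            rm -rf -- "$d"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Typical call site is a logout hook or a boot-time LaunchDaemon on the lab
# Mac. As the post notes, secd caches the file, so a reboot still follows.
# reset_local_items_keychain "$HOME/Library/Keychains"
```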