The “Local Items” Keychain In Mavericks

UPDATE: My fork of ADPassMon has now been merged with main & many changes have been made; for more information follow this link.

The “Local Items” keychain is something you may have the misfortune of running into in Mavericks when passwords are changed via an external directory service, due to password expiry or a user forgetting their password.

I spent some time tackling it while forking ADPassMon so that users could update their passwords through ADPassMon rather than via the pref pane, & also have their keychain password updated at the same time.

Below are my observations on the new keychain.

“Local Items” Keychain? Never heard of it.

Probably not, but I’m sure you’ve heard of iCloud Keychain. This new “Local Items” keychain appears to be where password items that can be synced via iCloud Keychain are kept (alongside their copies in the login keychain, if they were created on the Mac).

So this “Local Items” keychain is just like the login keychain?

Not exactly.

On a Mac running 10.9, open Keychain Access. Below the login keychain you should see the “Local Items” Keychain.


If you click the “Local Items” keychain you may see it populated with various password items; if you use iCloud Keychain, this will also include passwords saved on other devices connected to your iCloud account.


If you navigate to ~/Library/Keychains/ you’ll notice a sub folder named like “A8F5E7B8-CEC1-4479-A7DF-F23CB076C8B8”.

This is actually the Mac’s hardware UUID, which you can get via the below:

system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}'

Within this folder you’ll see keychain-2.db; this is the actual “Local Items” keychain itself. It’s an SQLite DB whose contents are obfuscated via some method.

So it just updates with the login keychain?

Again, not exactly.

When a user’s password changes, things are fine as long as they know their old password. They can update both the login & the “Local Items” keychain passwords either when updating their password via the “Users & Groups” pref pane or, if using a network login, via the login window.

Great if a user remembers their old password. But if I had a £ for every Keychain call…

I think anyone supporting Macs in an environment with expiring/changing passwords would say the same. This is where the “Local Items” keychain becomes a pain.

When prompted to update a keychain’s password, the user may click “Update Keychain Password”.


This should then give a prompt to unlock the “login” keychain.


If the user has forgotten the keychain password, they will then receive prompts to unlock the login keychain.


Familiar enough. We use Keychain Minder to prompt users and assist them with updating, unlocking or creating a new login keychain.

Keychain Minder has been a great aide with this familiar issue over the years, & still works if the user knows their old keychain password.

But when trying to create a new keychain, you’ll again be asked for the “Local Items” keychain’s password:


If the password is not known (& by now it is likely the user doesn’t know their “Local Items” keychain’s password), then Keychain Minder will error:


But the pain doesn’t stop there. If you then go back into Keychain Access you’ll notice that there is no longer a login keychain, just the locked “Local Items” keychain.


If the user then tries to save a password in an app like Safari, they’ll be advised that no keychain can be found & asked to create a new one:


The user will then be prompted to create a new keychain:


One more alert will appear advising that this will delete all their saved passwords:


But almost immediately afterwards they’ll be asked to unlock the “Local Items” keychain again:


If the user then tries to update their password via the Users & Groups pref pane, this seems to complete but no login keychain is created & the “Local Items” keychain is still locked.

Worse still, if the user then logs out or restarts, they are presented with the prompt to unlock the “Local Items” keychain upon login:


So what’s the solution?

Sadly, when using the security create-keychain command on its own to create a new keychain, the issue persists. (This is probably the same method employed by Keychain Minder to create new keychains.)

In attempting to tackle this issue, I came to the conclusion that some daemon (identityservicesd or securityd) was somehow caching the “Local Items” keychain. Unloading & reloading those daemons was not an option, as not all companies allow their users to be Administrators, & it felt too much like a hack for me to proceed with. But I did find an Apple KB article that details how to stop the “Local Items” keychain prompts.

The above helped me come to a solution in my forked ADPassMon: when launched, it can check to see if the login.keychain is locked:


If the user selects “Create New Keychain”, they are then prompted to restart:


The code snippet below is from ADPassMon; to resolve this issue it does the following:

  1. Getting the Mac’s UUID.
  2. Emptying the folder containing the “Local Items” keychain.
  3. Deleting the login.keychain.
  4. Restarting, so the daemon processes can do what they need at the next login to create new login & “Local Items” keychains.
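The four steps above as an added shell script (example code written for this post, not the ADPassMon snippet itself). It assumes the 10.9 paths named above (~/Library/Keychains/login.keychain and ~/Library/Keychains/<Hardware UUID>/keychain-2.db); the UUID shape check and the osascript restart call are my additions, not part of ADPassMon.

```shell
#!/bin/sh
# Reset the login and "Local Items" keychains for the current user, following
# the four steps in the post. Assumed 10.9 layout:
#   ~/Library/Keychains/login.keychain
#   ~/Library/Keychains/<Hardware UUID>/keychain-2.db
# Everything stored in those two keychains is lost; that is the documented
# trade-off of this reset.

# Step 1: the Mac's hardware UUID (same pipeline as in the post).
mac_uuid() {
    system_profiler SPHardwareDataType | grep 'Hardware UUID' | awk '{print $3}'
}

# Steps 2 and 3. The keychain directory and UUID are parameters so the
# function can be exercised against a scratch directory. The UUID is checked
# for the 8-4-4-4-12 shape first (my addition): if step 1 returned nothing,
# an unchecked "$dir/$uuid" would expand to the Keychains folder itself.
reset_keychains() {
    dir="$1"
    uuid="$2"
    case "$uuid" in
        */*) echo "refusing: UUID contains a path separator" >&2; return 1 ;;
        ????????-????-????-????-????????????) ;;
        *) echo "refusing: '$uuid' is not a hardware UUID" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no keychain directory: $dir" >&2; return 1; }
    # Step 2: empty the "Local Items" folder but keep the folder itself.
    if [ -d "$dir/$uuid" ]; then
        find "$dir/$uuid" -mindepth 1 -delete
    fi
    # Step 3: delete the login keychain so it is recreated at next login.
    rm -f "$dir/login.keychain"
}

# Step 4: restart so securityd/identityservicesd rebuild both keychains at
# the next login. Uses the System Events restart via osascript (my choice).
main() {
    uuid="$(mac_uuid)"
    reset_keychains "$HOME/Library/Keychains" "$uuid" || exit 1
    osascript -e 'tell application "System Events" to restart'
}

# Only act when invoked as "sh reset_keychains.sh --run"; sourcing the file
# just defines the functions.
case "${1:-}" in
    --run) main ;;
esac
```

The reset only touches login.keychain and the UUID folder, so any other keychains in ~/Library/Keychains survive.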

I hope this has been helpful, & please check out ADPassMon.

30 thoughts on “The “Local Items” Keychain In Mavericks”

  1. Mike

    Whoa! Thanks for the excellent information! We run into this situation frequently and appreciate your solution.

  2. Chuck Taylor

    Ben, thanks for your hard work on this. I’ve been running into this problem with the Default User Template and AD accounts since 10.9 was released. I can’t wait to try it out.

  3. Gabe Shackney

    I’m wondering if there is a way to script this so it looks at all users’ folders on the machine instead of just the currently logged in user? Then I can run it on a whole lab all at once and reboot to fix it.

  4. Robin Bassett

    This hopefully will solve my issues, however is there any way we can start the ADPassMon application without the dialogue appearing every time the user logs in? I have added it to the start items WGM policy for the machine.

  5. Nick

    Great writeup, it clarified a lot of the bits and pieces I’ve been gathering from different forums about the Local Items keychain.

  6. Matt

    Has anyone figured out a way to suppress the repeated system notifications that the local items keychain is locked? ADpassmon helps, but the local items keychain prompts still appear repeatedly in front of the window asking the user to change their password.

    • 1. Open Keychain Access application

      2. Click the login keychain from the keychains list on the left to highlight it

      3. Click the BIG lock at the top left to lock the login keychain.

      4. Click the lock again to unlock the login. You will be prompted with the following:

      “Keychain Access wants to use the “login” keychain.”

      Enter the “login” password

      5. After entering your login keychain password (the password you just changed to), you should be presented with a Local Items reset password dialogue:

      6. IMPORTANT: In the above prompt, in the Current Password field, you must enter the current Local Items keychain password. This is the very first password that you used when we switched to Windows server in May 2015. In the New Password field, enter the password that you just changed for your computer and iBiz email account.

      7. Clicking the reset button will re-sync your login password with the Local Items (or iCloud) keychain password.

      To be sure this has been done correctly, restart your computer. When you log back in, you should not see any prompts to enter your Local Items Keychain password.

      • The problem is that the “Local Items” keychain uses the login.keychain password that was 1st used when the “Local Items” was updated. If your password expires every 30 days (like ours) & say this is a loaner laptop then use infrequently, it can be a pain to figure out what password was used.

        • Hmm.. the environment that I administer uses mobile accounts synced with Active Directory, even on loaners, rather than a “guest” account with a cycling password. When passwords get updated, “login items” gets synced with the change; “Local Items” does not.

          • Right. That’s what I meant.

            So you need to know the password used to create the “local items” keychain, which, if not known, means your fix won’t work. 🙁 This is why in ADPassMon I followed Apple’s KB & delete it following a login.keychain reset.

            • Yes but in the future, when passwords change, it should ALSO update the login.items keychain along with it. So after a reset via Apple’s KB article, you’ll always have that password 🙂

                • Nick

                  Oh well.. For me it syncs on all my clients’ computers without ADPassMon on Yosemite and above.

                  • Great thanks! I’ll be honest, we had so many issues with Yosemite that we didn’t deploy it en masse & are looking to 10.11 instead.

                    I’ll test things out on 10.10 & see if they differ any from the above; this post is titled “The “Local Items” Keychain in Mavericks” so.. 🙂

                    • You are absolutely correct! I, personally, use it on my own MBP and am grateful for your work, as well as the great info and explanation on this page. I’ve referenced it countless times, forwarded it along to many; so thank you!!

                    • Thanks man! That’s all I blog for, well that & to remind me. 🙂

                      I’ll soon be playing more with 10.10 & 10.11 in greater detail in regards to ADPassMon… So some changes to come. 🙂

  7. Pingback: Identityservicesd
