
Keychains after a backup



Hi,

 

When I back up an entire OS (X.2.4) and afterwards restore it on another computer, the keychains don't work, my keychains' password doesn't work, and I can't create a new keychain. So I can't use the keychains anymore ...

 

Does anyone know why?

 

Thanks.

 

David

 

Link to comment
Share on other sites

Sorry for not being clearer. I mean that permissions look the same as on the source that was backed up. Owner is me R+W, group is staff R, Others is R. One note is that when the restored disk is not the boot disk, group is blank; when the restored disk is the boot disk, group is staff.

 

I ran repair permissions with no effect.

 

MikeK

Link to comment
Share on other sites

I have Server 5.0.238, client 5.0.540

 

I have run the repair permissions from Disk Utility and it repaired a lot of things, but the keychains still don't work, and I still can't create a new keychain.

 

The permissions of the file are good (also Owner is me R+W, group is staff R, Others is R).

 

I can import a keychain from the original OS, but my password doesn't work anymore, and I can't open it or add something to it.

 

I think we don't have the rights to another file in charge of controlling the keychain ...

 

 

David

 

Link to comment
Share on other sites

Have you tried opening /Applications/Utilities/Keychain Access? If so, what do you see? Under normal circumstances, if you click on the Keychains icon on the top right, a window should slide out showing your keychains. For most people there is probably just one matching their short login name (which is the keychain in ~/Library/Keychains). If your keychain doesn't show at all, you should be able to re-add it by going to File->Add Keychain.

 

Is Keychain Access where you have tried to create a new keychain? If so, what exactly is happening?

Link to comment
Share on other sites

Yes, I open the Keychain Access program, and I can see my login in there, but the password I put on the original OS doesn't work once I restore the OS.

 

I can also add a keychain and use the original keychain (which still works on the original OS), but with no effect; the password doesn't work.

 

I tried to create a new keychain in Keychain Access. I give a name and a password, but with no effect either; Keychain Access is still empty, as if I can't save the keychain file...

 

Maybe the backup is wrong; I only select the drive where the OS is, and I don't change any advanced options.

 

Thanks.

 

David

 

Link to comment
Share on other sites

Immediate->Backup->Pismo all files

Restore->entire hard drive->Empty firewire drive

Boot the Pismo from the firewire drive

Notice keychain problem

reboot from pismo internal, go back to work for a while

Another automated Backup script runs, adding some files

Notice "ignore privileges" was set on the firewire drive

Erase firewire drive

Restore->entire hard drive->Empty firewire drive

keychain problem still exists

Bum out.

 

Can anyone do a "restore entire drive" and *not* have this happen?

 

Mikek

Link to comment
Share on other sites

Quote:

Can anyone do a "restore entire drive" and *not* have this happen?

 


 

I can.

 

Here's what I did today:

 

- Retrospect 5.0.238/Mac OS X 10.2.4 on iMacDV

- Configure keychain with two keychains, different passwords

- Local File Backup of boot volume (with the separated backup files stored on a different partition volume)

- Restore entire disk to empty partition volume

- Boot to newly Restored volume; both keychains present and accessible

 

-and-

 

- Retrospect 5.0.238/Mac OS X 10.2.4 on G4733

- Retrospect OS X Client 5.0.540/Mac OS X 10.2.4 on iMacDV

- File Backup of Client

- Restore entire disk to empty partition on Client

- Boot to newly Restored volume; both keychains present and accessible

 

Dave

Link to comment
Share on other sites

I have certainly restored entire disks and I have never seen a problem with the keychain not working afterwards. The fact that you are unable to create a new keychain makes it sound like a utility needed to work with keychains is not functioning properly (as opposed to a corrupted keychain file).

 

Quote:

Yes, I open the Keychain Access program, and I can see my login in there, but the password I put on the original OS doesn't work once I restore the OS.

 


 

Let me make sure I have this correct: You open Keychain Access and the Keychains "side bar" on the right is out. It shows "Keychain Files" and below that your login name, but on the left of the name is a *closed* padlock? You select this keychain file and click on the lock button at the top of the main window (or select "Unlock <keychain>" from the File menu) and what happens? You get a password dialog box, enter your password (same as for the original disk) and... Nothing happens? It just silently remains locked or do you get an error message (like the password is incorrect)? I notice on my keychain I see the items in the keychain whether it's locked or not. Do you see any items at all listed in the main window when the keychain is selected?

 

Quote:

I tried to create a new keychain in Keychain Access. I give a name and a password, but with no effect either; Keychain Access is still empty, as if I can't save the keychain file...

 


 

So you do: File -> New -> New Keychain...

and it asks for a name and it gives you an opportunity to pick where to save it, with the default being your Keychains folder. You enter a name, click Create, and it then presents you with a window to enter a passphrase (and verify). You do this and what exactly happens? Nothing? It just acts like it's silently ignoring you?

 

I would suggest trying the following (some of which are just real long shots):

 

1. Check the permissions of all enclosing folders, ~/Library & ~/Library/Keychains. They should be owned by you and rw by owner.

 

2. Try creating a new keychain again in the default location, BUT stop part way through as follows. Select New Keychain, enter the name and click Create and then don't do anything else. Neither enter a password nor click cancel. Leave the password window open! Now go to the terminal, /Applications/Utilities/Terminal, (you will probably have to move it to one corner since the middle of the screen is taken up by the password dialog box) and execute the following command:

 

ls -l ~/Library/Keychains

 

In the listing you get do you see the new keychain already? (You should.) Now enter a keychain passphrase, verify, and click OK. Go back to the terminal and issue the same command again. (Just hit the up arrow and it will supply it to you so you don't have to retype.) Is the new keychain still there or has it disappeared?

 

3. Run the Process Viewer (/Applications/Utilities/Process Viewer). Click on the Name heading so it sorts by name and select "All Processes" from the drop down menu at the top next to Show. Look for two processes SecurityServer and SecurityAgent. SecurityServer should say root and SecurityAgent should have your username.

 

4. Move your keychain out of ~/Library/Keychains and replace it with a copy of the one from the original disk just using the Finder.

 

Taking a wild guess I will predict that permissions in (1) will look fine. The new keychain will disappear in (2). (4) won't do you any good, because something will be wrong with the processes in (3). Then again, I've never won any football pools :-)

Link to comment
Share on other sites
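
Checks 1 and 3 from the post above, written as a script. This is an added example, not part of the original thread; the function names owner_rw, proc_owner and report are made up for it, and `ps -axo user,comm` is assumed to be available on the system being checked.

```shell
#!/bin/sh
# Added example (not from the thread): checks 1 and 3 from the post above.

# Check 1: return 0 only if $1 is a directory owned by numeric uid $2
# and the owner has both read and write permission.
owner_rw() {
    dir=$1; want_uid=$2
    [ -d "$dir" ] || return 2
    # ls -ldn fields: mode, link count, numeric uid, numeric gid, ...
    info=$(ls -ldn "$dir" | awk '{print $1 ":" $3}')
    mode=${info%%:*}; uid=${info##*:}
    [ "$uid" = "$want_uid" ] || return 1
    case $mode in
        drw*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Check 3: read "USER COMMAND" lines on stdin and print the user(s) running
# the process whose executable name is exactly $1 (any leading path ignored).
proc_owner() {
    awk -v name="$1" '{
        user = $1; $1 = ""; sub(/^ +/, "")
        n = split($0, part, "/")
        if (part[n] == name) print user
    }'
}

# Run both checks for the current user and print one line per finding.
report() {
    for d in "$HOME/Library" "$HOME/Library/Keychains"; do
        if owner_rw "$d" "$(id -u)"; then echo "ok:    $d"
        else echo "CHECK: $d (missing, not owned by you, or not owner rw)"; fi
    done
    procs=$(ps -axo user,comm 2>/dev/null)
    for p in SecurityServer SecurityAgent; do
        who=$(printf '%s\n' "$procs" | proc_owner "$p")
        echo "$p runs as: ${who:-<not running>}"
    done
}

report
```

Run it from Terminal while booted from the restored volume; the post expects SecurityServer under root and SecurityAgent under your own username.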

I did a clean local backup of my retrospect server boot disk and restored to a locally connected firewire drive. This produced a bootable system with a working keychain. Thus it appears that the broken keychain is a result of backing up a Mac OS X system via the Retrospect Client. A local restore of a Client backup does not produce a working keychain for me.

 

So, I ask again, more specifically, can anyone do a Client backup and then restore the system with a working keychain? So far I know of 3 people who cannot.

 

(I can try all of the debug suggestions, but only if you tell me you can do a Client backup and have it work! Even then, I'm not sure what it will tell us.)

 

Mike

Link to comment
Share on other sites

Quote:

So, I ask again, more specifically, can anyone do a Client backup and then restore the system with a working keychain? So far I know of 3 people who cannot.

 


 

I only do client restores and I've never seen a problem with the keychain. However, I also don't follow the directions in the manual to install a new system on the client and then restore over it. I always boot off another disk (a bootable CD).

Link to comment
Share on other sites

Aargh - thought I was onto something! I assume you are doing Client backups too, not just network restores of a locally mounted backup? What version client and server? What version of OS X? Any changes from the default settings?

 

I have the client set to allow option-8 private files.

All server script backup options are the defaults.

The security general preference is toggled to not always require authentication, otherwise all preferences are defaults.

 

My continued thanks...

 

MikeK

Link to comment
Share on other sites

Quote:

Immediate->Backup->Pismo all files

Restore->entire hard drive->Empty firewire drive

Boot the Pismo from the firewire drive

Notice keychain problem

reboot from pismo internal, go back to work for a while

Another automated Backup script runs, adding some files

Notice "ignore privileges" was set on the firewire drive

Erase firewire drive

Restore->entire hard drive->Empty firewire drive

keychain problem still exists

Bum out.

 


 

Tell me where in the above there was a Client involved?

 

>>it appears that the broken keychain is a result of backing up a

>>Mac OS X system via the Retrospect Client.

 

No, as I wrote earlier in this thread I have backed up and restored via the Client with no loss of keychain access.

 

>>A local restore of a Client backup does not produce a working keychain for me.

 

Ah, this is the first time you've said that you're backing up via the Client and then doing the Restore locally.

 

Again, what _exactly_ are you doing?

 

>>I assume you are doing Client backups too, not just network

>>restores of a locally mounted backup?

 

Why are you asking this? Are you describing mounted AFP volumes? File Sharing? Please explain.

 

 

 

Dave

 

 

 

Link to comment
Share on other sites

Oops, I'm sorry Dave, I forgot your description of doing a Client backup. My bad. No reason to be asking about mounted disks.

 

I have done many things to try to narrow this down, so they may appear inconsistent, but here's what I have done:

 

Backup via client, network restore to separate firewire drive attached to client -> bad keychain.

Backup via client, local restore to separate firewire drive attached to server -> bad keychain.

Backup local server drive, local restore to separate firewire drive attached to server -> good keychain.

 

MikeK

Link to comment
Share on other sites

My answer is a bit late, but I can now confirm the same thing: if I put the Retrospect Server on the OS X I want to back up, the keychain is good, and when I did the same with the Retrospect Client, the keychain doesn't work ...

 

So for me, I take this solution even if it's less comfortable ...

 

Maybe Dantz could repair this in the next update, if they read us?

 

Thanks for everything!

 

 

David

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
