UPDATE: 11/17/19
This issue was fixed in 10.15.0, only to break again in 10.15.1! I’m covering the issue again here.
mrmacintosh.com/10-15-1-update-breaks-update-keychain-password-again-workaround/
If you are here for the 10.15.1 issue, you can follow the same 10.14.4 workaround instructions below.
UPDATE: 07/31/19
This will probably be the final update. Sadly the issue is NOT fixed in 10.14.6. Even worse, 10.14.6 is the final Mojave update, so the issue will never be fixed in Mojave. I submitted this issue right after it was found in 10.14.4 and it's just a bummer that it will never be fixed in Mojave. The only good news I can give you is that this is fixed in macOS Catalina 10.15.
UPDATE: 07/09/19
The AD Mobile Account option to “Update Keychain Password” when resetting your password outside the Mac is still broken in macOS Mojave 10.14.5. This issue is still not fixed in the current 10.14.6 Beta! Be sure to contact Apple if you haven’t already done so!
10.14.4 Update password fixes/problems
I really like the 10.14.4 update, trust me I do! It arrived with so many fixes that have really helped MacAdmins. The problem is, it also broke a few things. Just when I thought we had found all the fixes/problems, a new one pops up. If you have been following along, this is now my 4th article on password fixes/problems in the 10.14.4 update. Let's quickly review:
- 1. 10.14.4 will now sync your AD password to FileVault if forgotten
- 2. 10.14.4 update fixes AD Account/FileVault password change sync
- 3. 10.14.4 Update breaks local account password reset when using FileVault Recovery Key
- 4. 10.14.4 Update breaks “Update Keychain Password” + Workaround
10.14.4 Update breaks “Update Keychain Password” process for AD Mobile Accounts.
This issue affects Active Directory Mobile Account users. If you use Mobile Accounts you have seen this message before.
You will only see this message if you change your Active Directory password outside the Mac. An example of this would be if you changed your AD password on a second Mac, a Windows PC or a web portal. Logging in with the new password will sync that new password down to the Mac's local cache, but the Mac can NOT change the keychain password without the OLD password. You can click “Create New Keychain” and a brand new login keychain will be created. But what if you have Xcode developer certs and private keys, or Wi-Fi certs? In this case you need your old keychain intact.
Clicking “Update Keychain Password” just creates a new login keychain.
If you click “Update Keychain Password” you should see this. (10.14.0-10.14.3)
Instead, after clicking the update button you will not see this message and you are now at the desktop. If you open up Keychain Access you will see that your login keychain was wiped out.
Workaround – Find renamed keychain, change password and restore.
Good news: I have a workaround for you. Luckily, the old login keychain still remains in ~/Library/Keychains.
We will have to perform a few steps to restore your old login keychain
- 1. Find renamed keychain – located in ~/Library/Keychains and called login_renamed_1.keychain-db
- 2. Change password of login_renamed_1.keychain-db from old to new
- 3. Remove login.keychain-db
- 4. Rename login_renamed_1.keychain-db to login.keychain-db
- 5. Restore login.keychain-db to Keychain Access.app
- 6. Log out and back in.
1. Find renamed keychain
The old keychain is located in ~/Library/Keychains and called login_renamed_1.keychain-db
2. Change login_renamed_1.keychain-db password
You used to be able to change the login keychain password through Keychain Access. This is no longer possible.
What if we clicked “Add Keychain” and tried to add the renamed keychain then try to change the password?
This looks promising but after clicking “change password for keychain login_renamed” nothing happens. I then tried to unlock it with the old password.
After unlocking I attempted to change the password again.
Still no go! After clicking change password nothing happened. At this point, I thought I was out of luck.
Enter CLI command security
Never give up a fight without visiting the Command Line Interface! The CLI can be your best friend. Let’s take a look at the security man page and see if anything will help us. Open Terminal and type in man security
set-keychain-password Set password for a keychain.
Oh ya, now we are talking! Let’s take a look at the options.
Perfect, just what we are looking for. Let's try it out.
sudo security -v set-keychain-password /path_to_user_keychain
You will be prompted for your old and new password. Now that the old keychain has the same password as your AD account we can move it back into Keychain Access.app.
3. Remove login.keychain-db
Now we can just delete the empty login keychain.
Right click on login and select Delete Keychain “Login” then click “Delete References & Files”. You should now only have Local Items, System and System Roots.
4. Rename login_renamed_1.keychain-db to login.keychain-db
We now need to rename login_renamed_1.keychain-db to login.keychain-db. You can either do this in Keychain Access or in the Finder. Let’s rename in the Finder. Click once on login_renamed_1.keychain-db and change it to login.keychain-db.
5. Restore login.keychain-db to Keychain Access.app
Now all we need to do is add our old keychain back to Keychain Access.app. Right click in the keychain section and select “Add Keychain”.
Navigate to ~/Library/Keychains/login.keychain-db and select it. You will now see login in the keychain box! At this time it will be locked. You can test unlocking it now. Right click on login and select “Unlock Keychain login”
You will now be prompted to enter in your current password.
6. Log out and back in to confirm
You have now restored your old keychain. Log out and then back in to confirm. You are now good to go!
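As an added example (not the post's own procedure, and not the script the author mentions in the comments), here are the six steps above as a POSIX shell script. It assumes the file names from the post (login.keychain-db and login_renamed_1.keychain-db in ~/Library/Keychains), that Keychain Access is quit before it runs, and it uses security list-keychains -d user -s as the command-line counterpart of the Add Keychain step; that last mapping is my assumption, not something the post states. The script only touches a real keychain directory when invoked with --run, so the two file-handling functions can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): the six-step workaround as a script.
# File names come from the post; using `security list-keychains -d user -s` in
# place of "Add Keychain" in Keychain Access is an assumption.
# Quit Keychain Access before running this against your real keychain folder.
set -e

# Step 1: locate the renamed keychain the broken update left behind.
# Prints its path, or returns 1 if nothing matching login_renamed_*.keychain-db exists.
find_renamed_keychain() {
  dir="$1"
  for f in "$dir"/login_renamed_*.keychain-db; do
    [ -e "$f" ] || return 1        # glob matched nothing
    printf '%s\n' "$f"
    return 0
  done
  return 1
}

# Steps 3 and 4: keep a safety copy of the old keychain, delete the empty
# login keychain, and move the old one into its place. Prints the restored path.
rename_keychain() {
  dir="$1"
  src="$2"
  cp "$src" "$src.bak"                  # backup before touching anything
  rm -f "$dir/login.keychain-db"        # Step 3: the empty keychain 10.14.4 created
  mv "$src" "$dir/login.keychain-db"    # Step 4: take the login name back
  printf '%s\n' "$dir/login.keychain-db"
}

# Full workaround against a real keychain directory (default ~/Library/Keychains).
restore_login_keychain() {
  dir="${1:-$HOME/Library/Keychains}"
  renamed=$(find_renamed_keychain "$dir") || {
    echo "no login_renamed_*.keychain-db found in $dir" >&2
    return 1
  }
  # Step 2: change the keychain password from the old AD password to the new one.
  # security prompts for both. sudo is not needed for your own keychain
  # (as a commenter on the post points out).
  security -v set-keychain-password "$renamed"
  target=$(rename_keychain "$dir" "$renamed")
  # Step 5 (assumed CLI counterpart of "Add Keychain"): set the user search
  # list to the restored login keychain, which is the default login-only state.
  security list-keychains -d user -s "$target"
  echo "Restored $target (backup at $renamed.bak). Step 6: log out and back in."
}

# Only act on a real keychain directory when explicitly asked to.
case "${1:-}" in
  --run) restore_login_keychain "${2:-}" ;;
esac
```

Run it as sh restore-keychain.sh --run to work on ~/Library/Keychains, or pass a second argument to point it at another folder. The .bak copy is kept on purpose: if set-keychain-password is given the wrong old password, nothing has been renamed yet, and if anything goes wrong later you still have the original file.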
As always, we need to submit a bug report to Apple.
I cannot stress how important this is. The more reports we put in, the higher priority the issue gets. We are also running out of time and only have about 3 weeks before 10.14.5 is released.
I have submitted a bug report to Apple at bugreport.apple.com. I also created an open radar at openradar.appspot.com
https://openradar.appspot.com/radar?id=4962927241068544
Credits
Thanks to hawkzhang45 from the JAMF Nation forum for calling this issue out. Also to m.entholzner for confirmation and for submitting an Apple Enterprise ticket. You can read the original thread here.
Thank you! This saved my bacon (and 12 years of passwords and secure notes!) I filed a bug report against macOS 10.14.6. I expect better from Apple for such an important function.
Bug report submitted. There’s no reason when we’re regularly getting 1.5+GB Security Updates for Mojave that this can’t be fixed, especially since it’s a regression.
Users encountered this with such frequency and I’d even seen it happen a couple times so I was starting to question my sanity.
Thanks very much for this tutorial, I was pretty sure my world had ended when I (foolishly?) changed my AD password direct in AD, then came back to my macOS Mojave – 10.14.6 went through the motions and found I’d wiped my keychain.
These instructions have helped me revive 10 years worth of passwords, and pushed me to backup my keychain-db outside of my standard encrypted TimeMachine backup… To which the key to unlocking was inside my keychain…
Mike,
I am glad you were able to save your login keychain. Nothing like that sinking feeling when you think you’ve lost something very important only to find it later!
Hi,
thanks a lot for the detective work and the instructions, very helpful. I wonder why you don’t use the Terminal to rename the keychains, since the Terminal is already used for the security command. This appears to be much easier than renaming via keychain access or the Finder. But I assume this only works on the CLI when the Keychain Access app is closed.
And I think you don’t need the ‘sudo’ for the security command, as long as you work on your own keychain.
Matthias,
Thanks for the note. Now that this issue will never be fixed on Mojave I can look at other ways to fix the Keychain using the security command like you mentioned. I think someone even wrote a script to do this. I will look for it and post it. Thanks!