OSStatus error -34018 when accessing keychain during sending e-mail phase #174
Comments
@everetteallen Thanks for the report. Are you having any specific run time problems? Here's a similar discussion about the same error code...
I am seeing the same error in 10.9.5 and 10.10 when I try (and fail) to connect it to a JSS.
@MitchelSBlake thanks for letting us know. Actually I think it happens when accessing the keychain to retrieve the password to send the e-mail indicating that an error occurred. It's the kc accessing the security framework that is triggering the error. If we're able to logistically figure out how to add a provisioning profile and at the same time keep this open source, we should be able to set up the keychain-entitlements necessary to silence this warning. That being said, if you wouldn't mind, try running a similar autopkg invocation and see if you get the same error there. Thanks
Hey Scott ( @MitchelSBlake ), I have no idea how it will work for open source contributors, would you mind cloning and trying to build off that branch and see if it causes any problems. Thanks. --Eldon
It fails when I build on the mailcore2 step. WARNING: could not get prebuilt.list from repository
Turns out, this isn't my problem. I'm still seeing the errors, but they aren't causing a failure in the software. My problem turns out to be that JDS servers are not reported through the API, so Autopkgr cannot find them.
Thanks Scott, As far as your JDS, what is not getting reported? Is it the DistPoints or the server itself?
In my JSS API, when you do a GET for distributionpoints, JDS servers are not listed. I inherited an environment that is 100% JDS, so when I enter my user/pass into Autopkgr, "nothing" happens. However, when I look at the tomcat logs, the server is returning http code 200, it's just an empty list. It looks as if Autopkgr will need to either come up with a different way of pulling JDS servers, or wait until JAMF updates the API to list them, but that should probably be broken out into a new issue.
Hey Scott, I'm not sure if the jss-autopkg-addon actually supports JDS yet, but I think the python-jss lib is about to get an overhaul on how distribution points are handled which may address that. On another note,
I would get distribution points the same way as anyone else, but JDS servers are not yet exposed to the API.
Still cannot build. Current error:
That one's strange. I'm looking forward to mailcore2 getting their os x podspec working. Look in the mailcore2/scripts folder, there should be a file called get-mac.sh. Just run that from the terminal, it should give you a more verbose output than when it's run from Xcode.
The only get-*.sh file is get-prebuilt.sh. Running that, I get this: I might suggest clearing out your repo, re-cloning, then adding in files until you can build.
Hey Scott, You may need to fiddle with the code signing identity in the build settings to make it work.
Sorry, I'm not going to be able to build for at least a few weeks because I don't currently have a code signing certificate. I already requested a developer account through my employer weeks ago, but the request still needs to go through some red tape. If you have a specific build you think will fix the issue, I'd be happy to test the app if you can get it to me.
No problem. I'll get a build put up soon. The other workaround if you're interested is to just create a self-signed certificate in Set the name to "Mac Developer" and set the Certificate Type to When you do finally get your certificate make sure you delete the one you create, otherwise it can break the automatic id setting when it finds multiple matching.
If only it were that easy. Xcode needs an Apple ID that's a member of the program.
That's what I was afraid of. I've been able to do that when the app is just code signed, but the provisioning profile may be too much. (However I did realize that it won't work with "Mac Developer" as the name but will with "Local Mac Developer" as the name.) On another note looks like your JDS issue may be getting addressed in the python-jss lib at least. Now we will have to figure out how to get that info into AutoPkgr.
I am also having the same issue trying to build any branch. The error throws for me on 10.9 and 10.10 as well. Is there a nightly or test binary?
@everetteallen which error? The mailcore2 or the Developer ID one?
@MitchelSBlake I just put up another couple commits to the keychain-entitlements in an attempt to make this work. Here is a link to an extremely rough sketch of the contrib docs. It won't address the SecOSStatusWith issue directly, since that will only get solved when we do release builds with both a code signed binary and keychain entitlements that are signed with the official provisioning profile. I don't currently have the provisioning profile needed to build testing candidates, but am working with the owners of the project to procure it. When that happens I will get something up for testing. Mainly what I am trying to do here is make it so the general public can clone, build and contribute. I would greatly appreciate it if you would clone, and try to build the keychain-entitlements branch and let me know if you encounter any specific issues. If you do encounter any issues, but can figure out how to resolve them please put up a PR. Thanks for all of your help, Eldon
Eldon,
I think we have a design issue right now which we'll have to rethink. Right now the defaults aren't actually set until you've successfully connected to the JSS Repo and retrieved an array of distribution points from the api. However with a JDS setup, no DP's are returned from the api, it looks to AutoPkgr like it's not actually a valid JSS server (even though it is). We should probably just set the defaults when entered even though the values may not be correct. We're working on getting ready for the new python-jss that should have JDS support and once that happens all will be dandy. I'll put up that branch and post more on that once I have the rough sketch cleaned up. Thanks again for your help. We really depend on comments like this to help us understand how it's working in the wild. --Eldon
@everetteallen I just updated the title because the
@eahrold been pulled away this week on other things but trying to get back to it today. I will see if I can get a build and follow up.
@MitchelSBlake good news, we've got a pre-release up with JDS support. We'd love it if you could give it a test drive and report back at issue #216. @everetteallen not sure if you're running JDS as well, if so we would also love your input. --Thanks
So got a chance to do some testing with the pre-release: So I thought this might be related to self-signed cert issue and I did the got: So maybe I am confused about the JDS setup. If I have a JSS configured why do I need to add a JDS distribution point? The files, etc should all be uploaded to the JSS anyway, which then pushes them to the JDS. Given this I configured the JSS and JDS info the same. If that is not the case then that would explain the 404. Also still seeing these:
So first off these messages....
Are completely unrelated to JSS in any way. They're 100% related to accessing the keychain when sending an email. You'll see the exact same thing in the log if you do a "Send Test Email". We're still debating how to best handle including entitlements while keeping the project Open Source. Once we start building the project with entitlements, that error will go away, but that may still be a while. More to the point. The reason that currently you need to configure the JDS manually is because it's not exposed to the API, so python-jss has no way of auto-detecting that the way it will with SMB/AFP shares (However Casper Admin uses some private methods to pull this). The credentials may or may not be the same for your JSS and your JDS, and the URL is almost certainly not. You should be able to find the url for the JDS here https://your.jssserver.com/distributionServer.html?list @homebysix may be able to chime in, he's got a much more comprehensive knowledge about JSS than I do, but hopefully this will give you a little something more to go on. Also it may be helpful if you could post the exception traceback from the console. Thanks for your help.
Understood on the email error. On the JSS 404, there is plenty of misunderstanding about JSS/JDS. "It looks like Casper Admin (both web version and the application) will We were all misled at first by the Casper Admin fat app which mounts So to me a JDS should not be treated as a webdav share as we are I wonder if it makes sense to use the JDS code as code for webdav Stepping back to a wider view that covers AutoPKGR we need to make sure Also I think the scope of this has changed so might want to open in another issue. Everette 11/26/14 1:01:55.189 PM AutoPkgr[15080]: (FULL AUTOPKG TRACEBACK)
Just yesterday, my TAM sent me an alternative workflow for adding packages to a JDS:
All, On 11/26/14 3:09 PM, Scott Blake wrote:
Everette Gray Allen Systems Programmer II
@everetteallen You're well beyond the scope of my knowledge of JSS. Thanks for all that info. Do you have any specific suggestions as to how we should show a "representative UI for the JSS/JDS sync"? The 404 Error that early on seems strange. It's actually more like it's not even pointing to the correct API url for the distributionpoints. When you do this does it look right?
To be clear on the need here in Casper 9.x:
I haven't tried that approach yet, but the jamfds inventory is what checks It is my understanding that this is the only way (short of direct sql) of adding a package to a JDS. If the package is not in the DB when it runs inventory, it will remove the package.
@eahrold in the case as of a Casper 9 JSS with JDS distribution points the confusion is that the JSS and JDS function as 1 unit even though they are separate physical servers with different urls. So my JSS_URL and my JDS_Repos entry should and do have the same url. On the 404 I believe this may have been because of an earlier mismatch of the 2 entries so I will be testing (test server really is 404 right now).
@MitchelSBlake your mileage may vary but my understanding is that the JSS sync to the master is the key that also trips off the JDS Master to sync to other JDS subordinates and the behavior I have observed is that just putting a package in the correct folder in the master JDS is not enough. In fact I have faked this by uploading a very small, dummy package of the same name to the JSS, let that sync and then replaced the one on the Master JDS and updated its checksums with still no joy.
10/27/14 10:18:09.300 AM AutoPkgr[34833]: SecOSStatusWith error:[-34018] The operation couldn’t be completed. (OSStatus error -34018 - Remote error : The operation couldn’t be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements))
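
As an added illustration (not code from AutoPkgr or from anyone in this thread), the sketch below ties the log line above to its cause: it finds -34018 keychain denials in Console output and checks an entitlements plist, such as the output of `codesign -d --entitlements :- /path/to/App.app`, for the keys the error names. The log line and both plists are constructed samples, and the function names are hypothetical.

```python
import plistlib
import re

# Keys that give a process a keychain identity. The error text names the
# first and last; the com.apple.-prefixed form is the macOS spelling.
KEYCHAIN_IDENTITY_KEYS = (
    "application-identifier",
    "com.apple.application-identifier",
    "keychain-access-groups",
)

# Constructed Console line, modelled on the one in this report.
SAMPLE_LOG = (
    "AutoPkgr[34833]: SecOSStatusWith error:[-34018] The operation couldn't "
    "be completed. (OSStatus error -34018 - client has neither "
    "application-identifier nor keychain-access-groups entitlements)"
)

# Constructed entitlements plists: an unentitled build and an entitled one.
# TEAMID0000 and com.example.app are placeholders.
UNENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>"""

ENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key>
  <string>TEAMID0000.com.example.app</string>
  <key>keychain-access-groups</key>
  <array><string>TEAMID0000.com.example.app</string></array>
</dict></plist>"""

DENIAL = re.compile(r"(\w+)\[(\d+)\]: .*?OSStatus error -34018\b.*?entitlements")


def missing_entitlement_events(log_text):
    """Return (process, pid) for each -34018 keychain denial in log_text."""
    return [(m.group(1), int(m.group(2))) for m in DENIAL.finditer(log_text)]


def keychain_identity(entitlements_xml):
    """Return the keychain-identity entitlements present in the plist."""
    ents = plistlib.loads(entitlements_xml)
    return {k: ents[k] for k in KEYCHAIN_IDENTITY_KEYS if k in ents}


def explains_34018(entitlements_xml):
    """True when the build carries none of the entitlements the error names."""
    return not keychain_identity(entitlements_xml)
```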