Deleted keys from keychain! Please help!! (new user)

Hi! This is my first mac experience and I purchased mine back in May. When I got it I didn't know what root was and started exploring through everything in the system (bad idea haha) - anyway - I saw in my keychain (which I didn't really understand - and still don't completely to be honest) some keys that weren't valid. This was the kerberos.kdc and apple.systemdefault keys and certificates if I remember correctly. Being an idiot I deleted them because I didn't think I needed them. Somehow I figured the only way to stop sharing files (I don't know how this happened but somehow I landed on a server where I could see a bunch of other peoples files and I was afraid they could see and mess with mine too - so googling led me to believe if I deleted those keys and certs that would no longer be a problem). I have googled this over and over again and read many forums and I cannot seem to find the answer. What is odd is I can see the copy of my old keychain in a timemachine back up from June but when I click on it, nothing happens. I don't know how to move that file back to my computer and I cannot find it on the root user. I can follow instructions well - but I am afraid of tampering much with my system. It just seems like everything I am doing on the internet such as emails and web searches are not very encrypted and the computer is a bit slow for having just been purchased. (Sorry this is so long). I tried to do a fresh install back before I had any files on the computer and it would not let me! It gave me some error when I tried to make a back up disc. So... point being - is there any way I can get those keys and certs back? HOW? And I also just recently clicked on metadata keychain in my library and it threw a metadata keychain into my keychain!!
Tl;dr

Short version:
I deleted my apple and kerberos keys and certs that come with a fresh install - how can I get them back? Is there a code I can run to mimic the install session that forms those keys? Will upgrading to OSX mountain lion give me NEW keys??

I clicked on a metadata keychain item in my library and it pushed a metadata keychain into my keychain. I don't know what that is. Googling just sort of confused me - it is for Spotlight - but I don't know what that is. Indexing?

I cannot figure out how to transfer files from my time machine to my computer.

And If I must do a fresh install to solve this problem, what is the easiest way?

My system is OSX Lion Version 10.7.4 iMac Intel Core i5
Kaspersky Anti Virus

- the other day I got an email saying someone used my id to log into facetime... I'm worried my camera might have been hacked. I checked my router and see that there are frequent DOS attacks on my router. ACK and RST scans. Most people said not to worry about them.

Anyway - thank you for any help you can provide and sorry for the long post!! Please be gentle - I am new to mac but I am excited to learn. (Just don't want to break it in the process) haha ;D

Attach your Time Machine backup drive to the computer. Open Time Machine. Now find a date that your keychain was OK. Use the Time Machine Finder to navigate to your keychain file that was working. When you find it, right click on it and select restore. It will then ask you where you wish to restore it to and at the same time it will open your Finder. Just navigate back to the original keychain file and select it. The keychain file from Time Machine will restore over the top of the bad keychain file and you'll be back in business. After that, reboot your machine.

Let us know if that works for you.

Thank you for the reply! When I try to do that - it was weird, I was open in my time machine and it did not give me the option to restore from the date that I bought the computer. It said I only had "write" permissions. I can see the file even now without going into time machine but I cannot see an option to restore when I click on it. I tried closing out the other keychain and opening the other one and it's still the same. I also see something in that keychain folder applepushserviced - and right now folders are closing on me without me clicking on them. Uh oh.

How long have you been making Time Machine backups? If you purchased your computer in May and kept an external drive attached for Time Machine, you would have dozens of backups to choose from by now.

Are you sure you know how to use Time Machine? When you open Time Machine it displays a number of dates from which to restore from on the right side of the screen. If you pick a date before you deleted the keychain information, you should be able to navigate to the keychain file and select it in Time Machine. Are you doing that or something else?

Give us a step by step of exactly what it is you're doing when you try to restore. Maybe we can determine what's wrong.

I started making the back ups in June. I don't keep continual backups every hour because I don't feel that I need to. Usually just one a day. But I am not sure if I messed with the keychain before I set up time machine. Either way I know the date on the file is the day I purchased the computer.

What will happen is I will go into time machine and the library looks a bit different - I am not able to restore that keychain item though - and I DO see it in my regular library as well when I leave time machine - it seems like the date just didn't update. I do know that oddly when I first got my computer the date on the machine changed to like 1969 or something out of nowhere. I've been reading on the forums now learning what some of these problems are.

I just plug in the time machine, open it up, find the oldest date, go to the library, go to keychain folder, and then there is sometimes 3 files there - sometimes when I come out of time machine there are like 6 files there. ::edit:: I click on the keychain file and right click but it does not give the option to restore the keychain to the date of when I bought it. There just is no option for that. But when I open in the regular program it just opens the keychain that I have now.:: I am pretty sure I am using time machine correctly although I know I should be doing hourly backups probably...

I think I might need to just start over, but have no idea how.

If you changed the keychain file before you started making backups, then every instance of it in Time Machine is going to be the bad file. You may also have some corruption in your Time Machine backup files.

But this is what confuses me:

What is odd is I can see the copy of my old keychain in a timemachine back up from June but when I click on it, nothing happens. I don't know how to move that file back to my computer and I cannot find it on the root user.

Click to expand...

When I see what you replied above, can I assume that you have a backup of the original keychain file? Let me additionally ask.... how are you logged into your machine? Are you logged on as Root or your regular user name?

chscag said:

If you changed the keychain file before you started making backups, then every instance of it in Time Machine is going to be the bad file. You may also have some corruption in your Time Machine backup files.

But this is what confuses me:



When I see what you replied above, can I assume that you have a backup of the original keychain file? Let me additionally ask.... how are you logged into your machine? Are you logged on as Root or your regular user name?

Click to expand...

I THINK I have a backup of the original file, but it just won't open. I know I was able to view text or a log file of the actual creation of the kerberos key - then I see there is a time where the computer tried to access it but it says the key is no longer there. I believe I have a pretty useless time machine back up - but thought maybe there could be a script I could run to regenerate the process that happens for the keychain when you first start up your system for the first time. And I am logged in as root user. (Now I understand why when my brother dual booted my old pc with linux he wouldn't give me the root password. He knows I am curious. The two do not go well together - hahaha)

The first thing you need to do is disable the root user. Logging on as root will get you into trouble big time! The root user has read and write permissions over just about everything in the system. Which means in effect that you can accidentally remove or move vital system files and kexts. It could render your Mac useless.

Log off and log on as a regular user. Your regular user name that is. Then access Time Machine again and let's see if you can find that file. The keychain file is going to be different when you log on as a regular user.

To make sure I do this right, the regular user is just a regular user. I didn't realize when I first made the account that I am an administrator account (that is the root user, right?). I will log into the other regular account I made but I do not use that account ever so I am not sure what will be on there haha. Just want to make sure I am doing what you say correctly.

well I am logged in as a regular user I think but I can still see system roots in the keychain file. When I log into time machine I see that I can access library - which has just 3 keychain files and then I can go to OSX and I can go to that folder and there are about 5 keychain files there. OK it will not lot me even view back to June on this one - but it WILL let me right click on the file - I just don't know where to put it -

Now it says finder wants to make changes. Type admin name and pass to allow this. I'll wait for your OK on that. I'm saving the file just to the documents? Where do I save it to?

Well LOL time machine won't open up anymore. Oh dear.

You need to save the file back over itself. The original keychain file should be located in your user library under keychain. If you get a statement that Finder wants to make changes, go ahead and type in your admin password.

Ok so the thing is that sometimes in this other account it won't open time machine. I logged back into the account (root) I usually use (whoops) and then back into the regular one and it let me open time machine again. But now it won't let me save the file this time. It was letting me before. Also there are TWO Keychain folders in my backup. One is in the regular library and the other is in a System library (marked with an X). In the regular one is the regular keychain, some other one with some numbers attached to it, and I can't remember the other thing. In the system keychain folder there is EVroot.plist, systemCAcerts, systemrootcerts, systemtrustsettings,x509anchors or something ---- so I'm not sure what that is all about. But I don't get why the time machine backup itself will change. Also the weird thing that metakey is gone in the backups themselves... so I'm wondering if my stuff is being tampered with currently. I see a log file that LKDC-setup was created on May 28th - but it doesn't say when the key stopped working. As of right now it is back to not letting me restore the key. I think I might have to do a clean install as it seems like everything is goofy.

Thank you for your help so far. I will be back tomorrow to check on this and see if there is anything I can do before possibly just needing to do a fresh install or take it to apple (blah). Thanks!

OK so I did the following and it seems to work. I just don't know how to bind the machine itself. I found the answer here:

How to give a Mac OS X machine a new Kerberos identity | Automatica

Hope this helps someone! Thanks again for your help!