MacOS: don't allow krb5 at login when AD plugin authenticates
authorDerrick Brashear <shadow@dementia.org>
Thu, 20 Jan 2011 03:56:12 +0000 (22:56 -0500)
committerDerrick Brashear <shadow@dementia.org>
Thu, 20 Jan 2011 19:14:56 +0000 (11:14 -0800)
If AD is being used to verify authentication (e.g. via builtin),
don't allow "get krb5 at login" to succeed. Since a helper does this we can't
grey out the option, but we can decline to act on it.

Change-Id: I1f2bb891377c3ed9765f9e58141c77ec54d3ae22
Reviewed-on: http://gerrit.openafs.org/3690
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

src/platform/DARWIN/AFSPreference/PListManager.m

index f90f5bd..8497870 100644 (file)
@@ -12,7 +12,7 @@
 #import "TaskUtil.h"
 
 #define BACKGROUNDER_AGENT_NAME                                        @"AFSBackgrounder.app/Contents/MacOS/AFSBackgrounder"
-
+#define AD_CONF_FILE @"/Library/Preferences/DirectoryService/ActiveDirectory.plist"
 @implementation PListManager
 // -------------------------------------------------------------------------------
 //  krb5TiketAtLoginTime:
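Review bot: `AD_CONF_FILE` is added without a comment, although it is the only input to the decision whether the login authorization settings get changed, so its meaning and failure behaviour belong at the definition. In the following hunk the file is read with `dataWithContentsOfFile:` and the method returns early only when `AD Generate AuthAuthority` is true; a missing, unreadable or unparsable file falls through to the normal path. That looks intentional for hosts without AD, but it is not stated anywhere. I would add above the macro `// AD plugin config: krb5TiketAtLoginTime: does nothing when "AD Generate AuthAuthority" is set here; a missing or unparsable file is treated as "AD not in use".` and keep the blank line before `@implementation`. Because the path is fixed at compile time, the guard would presumably stop applying without any signal if the plugin's configuration lives elsewhere on another OS release, which is worth a hedged remark in the same comment.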
        FileUtil                                *futil = nil;
        SInt32                                  object_index = 0;
 
-       //check system 
-       if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" 
-                                                                                                                                                                                                                                                                                                                  reason:@"Error getting system version"
-                                                                                                                                                                                                                                                                                                                userInfo:nil];
-       //get auth plist file
+       // check system
+       if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:@"Error getting system version" userInfo:nil];
+
+       // are we eligible to run?
+       plistData = [NSData dataWithContentsOfFile:AD_CONF_FILE];
+
+       // Get plist for updating with NSPropertyListMutableContainersAndLeaves
+       plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error];
+
+       if(plist) {
+               // Get "AD Advanced Options" dic
+               NSMutableDictionary *rightsDic = [plist objectForKey:@"AD Advanced Options"];
+               if ([[rightsDic objectForKey:@"AD Generate AuthAuthority"] boolValue])
+                       return;
+       }
+
+       // get auth plist file
        plistData = [NSData dataWithContentsOfFile:AUTH_FILE];
-       
-       //Get plist for updating with NSPropertyListMutableContainersAndLeaves
-       plist = [NSPropertyListSerialization propertyListFromData:plistData
-                                                                                        mutabilityOption:NSPropertyListMutableContainersAndLeaves
-                                                                                                          format:&format
-                                                                                        errorDescription:&error];
+
+       // Get plist for updating with NSPropertyListMutableContainersAndLeaves
+       plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error];
+
        if(!plist) {
-               @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" 
-                                                                          reason:error
-                                                                        userInfo:nil];
-               
+               @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:error userInfo:nil];
        }
-       
-       //Get "rights" dic
+
+       // Get "rights" dic
        NSMutableDictionary *rightsDic = [plist objectForKey:@"rights"];
-       
+
        //Get "system.login.console" dic
        NSMutableDictionary *loginConsoleDic = [rightsDic objectForKey:@"system.login.console"];