From 6f39035c92713b08065bee28ffdf06c5fe32a971 Mon Sep 17 00:00:00 2001 From: Derrick Brashear Date: Wed, 19 Jan 2011 22:56:12 -0500 Subject: [PATCH] MacOS: don't allow krb5 at login when AD plugin authenticates if AD is being used to verify authentication (e.g. via builtin) don't allow get krb5 at login to succeed. since a helper does this we can't grey the option, but we can decline to act on it. Change-Id: I1f2bb891377c3ed9765f9e58141c77ec54d3ae22 Reviewed-on: http://gerrit.openafs.org/3690 Reviewed-by: Derrick Brashear Tested-by: Derrick Brashear Tested-by: BuildBot --- src/platform/DARWIN/AFSPreference/PListManager.m | 45 ++++++++++++++---------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/src/platform/DARWIN/AFSPreference/PListManager.m b/src/platform/DARWIN/AFSPreference/PListManager.m index f90f5bd..8497870 100644 --- a/src/platform/DARWIN/AFSPreference/PListManager.m +++ b/src/platform/DARWIN/AFSPreference/PListManager.m @@ -12,7 +12,7 @@ #import "TaskUtil.h" #define BACKGROUNDER_AGENT_NAME @"AFSBackgrounder.app/Contents/MacOS/AFSBackgrounder" - +#define AD_CONF_FILE @"/Library/Preferences/DirectoryService/ActiveDirectory.plist" @implementation PListManager // ------------------------------------------------------------------------------- // krb5TiketAtLoginTime: 
@@ -29,28 +29,35 @@ FileUtil *futil = nil; SInt32 object_index = 0; - //check system - if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" - reason:@"Error getting system version" - userInfo:nil]; - //get auth plist file + // check system + if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:@"Error getting system version" userInfo:nil]; + + // are we eligible to run? + plistData = [NSData dataWithContentsOfFile:AD_CONF_FILE]; + + // Get plist for updating with NSPropertyListMutableContainersAndLeaves + plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error]; + + if(plist) { + // Get "AD Advanced Options" dic + NSMutableDictionary *rightsDic = [plist objectForKey:@"AD Advanced Options"]; + if ([[rightsDic objectForKey:@"AD Generate AuthAuthority"] boolValue]) + return; + } + + // get auth plist file plistData = [NSData dataWithContentsOfFile:AUTH_FILE]; - - //Get plist for updating with NSPropertyListMutableContainersAndLeaves - plist = [NSPropertyListSerialization propertyListFromData:plistData - mutabilityOption:NSPropertyListMutableContainersAndLeaves - format:&format - errorDescription:&error]; + + // Get plist for updating with NSPropertyListMutableContainersAndLeaves + plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error]; + if(!plist) { - @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" - reason:error - userInfo:nil]; - + @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:error userInfo:nil]; } - 
- //Get "rights" dic + + // Get "rights" dic NSMutableDictionary *rightsDic = [plist objectForKey:@"rights"]; - + //Get "system.login.console" dic NSMutableDictionary *loginConsoleDic = [rightsDic objectForKey:@"system.login.console"]; -- 1.9.4
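Review bot: The new Active Directory guard passes `plistData` to `propertyListFromData:` without checking that `AD_CONF_FILE` was actually read, and then sends `objectForKey:` to whatever the parser returns. On a machine with no AD binding the file is presumably absent, so `plistData` would be nil, and a root object that is not a dictionary would fail on that first message. I would parse only when the data is non-nil, test `if ([plist isKindOfClass:[NSDictionary class]]) {` instead of `if(plist) {`, and name the inner dictionary something like `adOptions`, since `rightsDic` is declared again a few lines later for the `rights` dictionary. The bare `return;` also gives the caller no sign that the request was declined, and as far as this hunk shows it is taken when the option is being turned off as well as on, so a ticket-at-login setting made before AD was configured could not be removed through this path. The method's signature and the rest of its body are outside the hunk, so that last point needs confirming against the full method.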