MacOS: don't allow krb5 at login when AD plugin authenticates

if AD is being used to verify authentication (e.g. via builtin) don't allow get krb5 at login to succeed. since a helper does this we can't grey the option, but we can decline to act on it. Change-Id: I1f2bb891377c3ed9765f9e58141c77ec54d3ae22 Reviewed-on: http://gerrit.openafs.org/3690 Reviewed-by: Derrick Brashear <shadow@dementia.org> Tested-by: Derrick Brashear <shadow@dementia.org> Tested-by: BuildBot <buildbot@rampaginggeek.com>
2025-01-21 00:10:15 +00:00 · 2011-01-19 22:56:12 -05:00 · 2011-01-19 22:56:12 -05:00 · 6f39035c92
commit 6f39035c92
parent 53dcb4a56e
1 changed files with 28 additions and 21 deletions
--- a/src/platform/DARWIN/AFSPreference/PListManager.m
+++ b/src/platform/DARWIN/AFSPreference/PListManager.m
@ -12,7 +12,7 @@
 #import "TaskUtil.h"

 #define BACKGROUNDER_AGENT_NAME					@"AFSBackgrounder.app/Contents/MacOS/AFSBackgrounder"
-
+#define AD_CONF_FILE @"/Library/Preferences/DirectoryService/ActiveDirectory.plist"
@implementation PListManager
 // -------------------------------------------------------------------------------
 //  krb5TiketAtLoginTime:
@ -29,28 +29,35 @@
 	FileUtil				*futil = nil;
 	SInt32                                  object_index = 0;

-	//check system 
-	if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" 
-																																						   reason:@"Error getting system version"
-																																						 userInfo:nil];
-	//get auth plist file
-	plistData = [NSData dataWithContentsOfFile:AUTH_FILE];
-	
-	//Get plist for updating with NSPropertyListMutableContainersAndLeaves
-	plist = [NSPropertyListSerialization propertyListFromData:plistData
-											 mutabilityOption:NSPropertyListMutableContainersAndLeaves
-													   format:&format
-											 errorDescription:&error];
-	if(!plist) {
-		@throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" 
-									   reason:error
-									 userInfo:nil];
-		
+	// check system
+	if (Gestalt(gestaltSystemVersionMajor, &osxMJVers) != noErr || Gestalt(gestaltSystemVersionMinor, &osxMnVers) != noErr) @throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:@"Error getting system version" userInfo:nil];
+
+	// are we eligible to run?
+	plistData = [NSData dataWithContentsOfFile:AD_CONF_FILE];
+
+	// Get plist for updating with NSPropertyListMutableContainersAndLeaves
+	plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error];
+
+	if(plist) {
+		// Get "AD Advanced Options" dic
+		NSMutableDictionary *rightsDic = [plist objectForKey:@"AD Advanced Options"];
+		if ([[rightsDic objectForKey:@"AD Generate AuthAuthority"] boolValue])
+			return;
 	}
-	
-	//Get "rights" dic
+
+	// get auth plist file
+	plistData = [NSData dataWithContentsOfFile:AUTH_FILE];
+
+	// Get plist for updating with NSPropertyListMutableContainersAndLeaves
+	plist = [NSPropertyListSerialization propertyListFromData:plistData mutabilityOption:NSPropertyListMutableContainersAndLeaves format:&format errorDescription:&error];
+
+	if(!plist) {
+		@throw [NSException exceptionWithName:@"PListManager:krb5TiketAtLoginTime" reason:error userInfo:nil];
+	}
+
+	// Get "rights" dic
 	NSMutableDictionary *rightsDic = [plist objectForKey:@"rights"];
-	
+
 	//Get "system.login.console" dic
 	NSMutableDictionary *loginConsoleDic = [rightsDic objectForKey:@"system.login.console"];