Active Directory Account Information

Javert93
Hi Experts,

My company is currently porting one of our client-side applications to Mac OS X (10.5 or higher), but so far I've hit a road block on some of the information our application gathers, which is two-fold:

First, I need a way to query the name of the AD domain bound to the computer. I have found what appears to be the NT 4 compatible domain name under the Setup:/Network/Service/..*/SMB/Workgroup key in SCDynamicStore, but what I really want is the fully qualified domain name (FQDN). So far the Apple documentation has been less than helpful in providing any hint, and Google isn't helping much either, since most search results I get refer to DHCP, DNS, or how-to guides on how to do the binding in the UI. I know the domain name set from DHCP *can* match the AD domain, but it's not guaranteed to match, or even to be set by the DHCP server. Considering that the UI knows what it is, I would think it would at least be stored in a plist file somewhere. I also know that I can probably use the Directory Services API to ask the domain controller for it, but somehow doing a round trip on the network for something that *should* already be on the local machine seems a bit, to put it bluntly, hacky imo.

The other piece of information I need is about the console user. I can get the user name without a problem, but determining if (a) the user is actually a domain user, and (b) what domain they were authenticated against seems to be proving as elusive as how to get the AD domain for the machine itself.

Unfortunately, since the decided porting strategy is to use the existing code with a shared code base (the application was originally written for Win32), I do not have the option of using Objective-C or Cocoa (the app is written mostly in C with a little C++), but anything Carbon or POSIX is fair game. That said, if there is anything in Cocoa that can point me in the right direction (or at least give me more search terms for google), I welcome hearing about it.
You are looking at it the wrong way.

Query Kerberos information. If they have a Kerberos ticket they are on a domain and logged in.

Author

Commented:
That makes sense; which API would I use to access that information? Also, will the Kerberos ticket give me the domain associated with the user account (which is the main tidbit I am after)? Also, do you have any ideas how to get the name of the domain bound to the computer itself? I need both pieces of information because in domain trust scenarios, the user's domain may not necessarily match the domain bound to the machine. Feel free to correct my assumptions if I am looking at it too much through Win32-tinted glasses.
# Generic Security Service Application Program Interface (GSS-API)

The definition of GSS-API (which is used in the Mac OS X implementation of Kerberos) is basically equivalent to Kerberos v5, but is used to denote the application interface for developers.


You might also be able to query this file: edu.mit.Kerberos

Author

Commented:
Thanks for the reply. The file you mentioned will indeed get me halfway there (it contains the domain name bound to the machine). Unfortunately, the GSS-API you mentioned only seems to deal with doing generic Kerberos client-server authentication, and doesn't seem to have any functions that will query the local information I am looking for. However, it did help me find information in the Apple docs about the krb5.keytab file, which is used to store the ticket information. The only problem is, the file is in a binary format, and isn't documented by Apple, so I am not even sure if it contains the information I am looking for. Any ideas?

Author

Commented:
Oh, and I almost forgot to mention that the other problem with the keytab file is that it is in the etc directory, so permissions will be a definite issue unless there is an API that will allow me to get information from it.
I just bound my Mac to the domain.

This file is in /Library/Preferences:
cat edu.mit.Kerberos
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /Active Directory/All Domains
# generation_id : 286494956
[libdefaults]
      default_realm = mydomain.edu
      dns_fallback = no
[domain_realm]
      .mydomain.edu = mydomain.edu
[logging]
      kdc = FILE:/var/log/krb5kdc/kdc.log
      admin_server = FILE:/var/log/krb5kdc/kadmin.log

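The autogenerated file above is ordinary krb5.conf syntax, so the machine's realm (the AD domain the Mac is bound to) can be read from it with a few lines of C, and the second half of the question, which domain the console user authenticated against, is answered by the realm part of the user's Kerberos principal (the "user@REALM" string that klist prints, or that an application would obtain with krb5_cc_default() and krb5_cc_get_principal() from the default credential cache). The following is an added example and not code from the thread or from Apple: the config text and the principal strings are constructed samples, the credential-cache lookup is not performed (only the resulting principal string is handled), and realms are compared case-insensitively on the assumption, labelled in the code, that AD realms are the DNS domain name and only differ in case between tools.

```c
/* Added example (not from the original thread): read default_realm from an
 * edu.mit.Kerberos / krb5.conf text and compare it with the realm of a user
 * principal such as "jdoe@MYDOMAIN.EDU". Compile: cc -std=c99 -o realm realm.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REALM_MAX 256

/* Constructed sample: the autogenerated file from the thread plus a [realms]
 * block, to show that nested { } entries are skipped by the scanner. */
static const char SAMPLE_CONF[] =
    "# autogenerated from : /Active Directory/All Domains\n"
    "[libdefaults]\n"
    "      default_realm = mydomain.edu\n"
    "      dns_fallback = no\n"
    "[realms]\n"
    "      mydomain.edu = {\n"
    "            kdc = dc1.mydomain.edu\n"
    "      }\n"
    "[domain_realm]\n"
    "      .mydomain.edu = mydomain.edu\n"
    "[logging]\n"
    "      kdc = FILE:/var/log/krb5kdc/kdc.log\n";

/* Strip leading and trailing whitespace in place; returns pointer into s. */
static char *trim(char *s) {
    while (*s && isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

/* Find "key = value" inside [section] of krb5.conf-style text. Copies the
 * value into out; returns 1 if found, 0 if not. '#' and ';' start comments.
 * Entries inside { } sub-blocks (as under [realms]) are deliberately skipped. */
int krb5conf_get(const char *text, const char *section, const char *key,
                 char *out, size_t outlen) {
    char line[512];
    int in_section = 0, depth = 0;
    const char *p = text;
    while (*p) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) n = sizeof line - 1;   /* truncate overlong lines */
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n') p++;
        char *s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';') continue;
        if (*s == '[') {                              /* section header */
            char *close = strchr(s, ']');
            if (!close) continue;
            *close = '\0';
            in_section = (strcmp(s + 1, section) == 0);
            depth = 0;
            continue;
        }
        if (!in_section) continue;
        if (strchr(s, '{')) { depth++; continue; }
        if (*s == '}') { if (depth > 0) depth--; continue; }
        if (depth > 0) continue;
        char *eq = strchr(s, '=');
        if (!eq) continue;
        *eq = '\0';
        if (strcmp(trim(s), key) != 0) continue;
        snprintf(out, outlen, "%s", trim(eq + 1));
        return 1;
    }
    return 0;
}

/* Copy the realm of "name@REALM" into out. The last '@' is the separator
 * (service principals like host/fqdn@REALM contain '/'). Returns 1 or 0. */
int principal_realm(const char *princ, char *out, size_t outlen) {
    const char *at = strrchr(princ, '@');
    if (!at || at[1] == '\0') return 0;
    snprintf(out, outlen, "%s", at + 1);
    return 1;
}

/* Assumption: AD realms equal the DNS domain and only vary in case between
 * tools (the generated file above is lower case, klist prints upper case),
 * so compare case-insensitively. Kerberos itself treats realms as case-sensitive. */
int same_realm(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* 1: user is from the machine's realm; 0: user is from another (trusted)
 * realm; -1: no default_realm in the config or no realm in the principal. */
int user_realm_matches_machine(const char *conf_text, const char *principal) {
    char machine[REALM_MAX], user[REALM_MAX];
    if (!krb5conf_get(conf_text, "libdefaults", "default_realm", machine, sizeof machine))
        return -1;
    if (!principal_realm(principal, user, sizeof user))
        return -1;
    return same_realm(machine, user) ? 1 : 0;
}

int main(void) {
    char realm[REALM_MAX];
    if (krb5conf_get(SAMPLE_CONF, "libdefaults", "default_realm", realm, sizeof realm))
        printf("machine realm: %s\n", realm);
    /* Constructed principal strings, as klist would print them. */
    const char *users[] = { "jdoe@MYDOMAIN.EDU", "asmith@PARTNER.EXAMPLE", "nokerberos" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %d\n", users[i], user_realm_matches_machine(SAMPLE_CONF, users[i]));
    return 0;
}
```

In a real deployment the text passed to krb5conf_get would be read from /Library/Preferences/edu.mit.Kerberos (world-readable, unlike the keytab in /etc), and the principal would come from the user's own credential cache, so neither lookup needs the network or elevated permissions; a -1 result for the user means no ticket was found, which is the "not a domain user" case, while 0 flags the cross-realm trust situation raised earlier in the thread.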
Author

Commented:
Yes, that's similar to what I have in mine, so that gets me half the information I need. Sadly, there is nothing about users, though. I did manage to find *some* functions related to the user and directory services (getpwent), but that doesn't seem to have the domain name, either.

Unfortunately, checking for the presence of a Kerberos ticket will tell me that a user is actually a domain user, but it won't get me what I really need, which is the domain name associated with that user.

Author

Commented:
Ok, so I did some more digging, and it looks like the association between the local user account and the domain account is stored only for as long as it takes to do the authentication, and any further requests for the mapping need to go to the network for a lookup. I found wbinfo, which produces the exact information I need (i.e. "wbinfo --user-info jdoe"), but since it goes out to the network, it's out of the picture of possibilities for me.

However, on the machine domain front, I did find a file that contains the information I need in a nice, loadable plist (/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist). Between this value and the Setup:/Network/Service/..*/SMB/Workgroup key, I think I will be able to make do.

Thanks for all your help in pointing me in the right direction.
