Extension Attributes Kerberos

dmccluskey
Contributor

I could use a little help

I am trying to make EA to report back when a user has signed into Kerberos SSO.

The way I am trying to go about is the read the SSO log file and scan for the word "Principal"

If Principal is in the log then the user signed in.

This is the EA I tried to make that is not working.

Thanks for any help

 

#!/bin/bash

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

KSSOUSERID="$( /Users/$loggedInUser/Library/Logs/Kerberos_SSO.log | grep Principal | cut -d '=' -f2 | xargs)"

if [[ "${KSSOUSERID}" == "" ]] ;
then
/bin/echo "<result>Not Signed-In</result>"
else
/bin/echo "<result>Sign-In Complete</result>"
fi

exit 0

1 ACCEPTED SOLUTION

dmccluskey
Contributor

that did it

thanks guys

#!/bin/bash

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

KSSOUSER=$(defaults read //Users/$loggedInUser/Library/Group\ Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist acme.ORG:userName)

if [[ "${KSSOUSER}" == "" ]]
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${KSSOUSER}</result>"
fi

exit 0

View solution in original post

8 REPLIES 8

sdagley
Esteemed Contributor II

@dmccluskey Are you sure the log file is present if you don't have debug logging enabled? My org uses Kerberos SSO and even though I'm signed in I have no log file in the path you're using.

dmccluskey
Contributor

we do, our KSSO was built with help from apple and it creates a log file.

2022-07-26_12-26-10.jpg

dmccluskey
Contributor

Maybe it would help instead of focusing on the log file present or not....

how does one make a EA to scan a file and report back if a word is present. and if that word is present that makes the answer for the result.

damienbarrett
Valued Contributor

We use Apple's Kerberos/SSO plug-in also. I also have this Kerberos_SSO.log file in ~/Library/Logs/ root but it's empty. I used FSMonitor to watch my file system as I signed into the SSO plugin and found that it's writing domain data to

~/Library/Group Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist

The ~/Library/Preferences/Kerberos_SSO.log file is also being touched but it remains empty (or seemingly so; cat-ing it in Terminal just shows nothing). Maybe you can grep the .plist in GroupContainers?

dmccluskey
Contributor

i think you might be onto something

better then the log file idea.

 

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

 

KSSOUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Group Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist | grep acme.ORG:userName | cut -d '=' -f2 | xargs)"

 

if [[ "${KSSOUSERID}" == "" ]] ;

then

/bin/echo "<result>None</result>"

else

/bin/echo "<result>${KSSOUSERID}</result>"

fi

 

exit 0

 

 

I use something like with intune EA

 

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

AADUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Application\ Support/com.microsoft.CompanyPortalMac.usercontext.info | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

 

 

but it doesnt work

Im not sure if its because the grep key has a : in it

acme.ORG:userName

dmccluskey
Contributor

Screen Shot 2022-07-26 at 1.19.14 PM.png

mm2270
Legendary Contributor III

There's also the /usr/bin/app-sso binary, which can output information about who is logged in. But I think it has to be run as the logged in user to get the proper information.

If you want to use that plist though, nothing wrong with that. However, you shouldn't need to use PlistBuddy for reading it, defaults should work fine as it's a pretty flat plist structure. If you know that the REALM details are always going to be the same, something like this should work

/usr/bin/defaults read /Users/$loggedInUser/Library/Group\ Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist ACME.ORG:userPrincipalName

In terms of your previous EA script attempts not working, are you sure you're allowing the Macs to submit inventory to see the results? This is a commonly overlooked step when creating EAs. They are only going to show results after an inventory submission.

 

 

dmccluskey
Contributor

that did it

thanks guys

#!/bin/bash

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

KSSOUSER=$(defaults read //Users/$loggedInUser/Library/Group\ Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist acme.ORG:userName)

if [[ "${KSSOUSER}" == "" ]]
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${KSSOUSER}</result>"
fi

exit 0