Alright, this is my first post so please go easy on me. We have been working on this for a little while and I thought I would try posting since we haven't been able to make any headway. In our environment we have the Magic Triangle set up and it works pretty well with Snow Leopard, but for some reason Lion has a few issues. One of those issues is around VPN and Kerberos: basically we have users that connect remotely via VPN and then immediately need to grab a new Kerberos ticket so that applications that are Kerberos aware, i.e. PHD, Chat, CIFS, Printers, etc., can connect without needing anything from the users. The users themselves aren't going to be much help past clicking on an icon and doing what pops up, so terminal commands like kinit, klist, and kdestroy won't be of much use here.
Here is what we would like to see happen. They click an application/script that we write which calls the VPN connection up and starts trying to connect; the script will pause or wait until the connection has been established and then continue on and pop a dialog box asking for a password, which would be their domain password, and then it will request the ticket from the domain here.
So far we can get the VPN to pop, connect, and ask for the password for the Kerberos command. However, here is the problem. The script pops the password dialog before the VPN has even opened, and it won't quit the script when we have met any of our requirements; it continues to run until we tell it to stop.
We would like the VPN to continue to try connecting until 1 of 4 things happen:
- The user clicks cancel on the system VPN box that pops up, at which point it should quit.
- The time out of the script has been reached, at which point it should quit.
- The VPN never connects, at which point it should quit.
- And finally, if it does connect, stop trying to connect the VPN and continue on to the kinit section of the script (mostly working now), and quit after a ticket has been granted.
We had a few ideas of how to reach this conclusion, but so far none of them have panned out; I will post what we have so far. We thought we could mostly rely on the error numbers or messages to signal when to end the script or to move to the next section, but no dice yet.
Thanks in advance for your input and any help you provide.
tell application "System Events"
    tell current location of network preferences
        set VPNservice to service "VPN (IPsec)" -- name of the VPN service
        if exists VPNservice then connect VPNservice
        try
            -- poll the service until it reports a connection
            repeat until (connected of current configuration of VPNservice)
                delay 5
            end repeat
        on error the error_message number the error_number
            -- -128 is "User canceled", -1708 is "event not handled"
            if the error_number is -128 or the error_number is -1708 then
                -- nothing handled here yet
            end if
        end try
        set isConnected to connected of current configuration of VPNservice
        if isConnected then
            -- nothing handled here yet
        end if
    end tell
end tell
try
    -- testing for Kerberos ticket presence and attempt to renew
    set kerb to do shell script "/usr/bin/klist | /usr/bin/grep krbtgt"
    set renewKerb to do shell script "/usr/bin/kinit -R"
on error
    set thePassword to text returned of (display dialog "Please enter your domain password:" default answer "" with hidden answer)
    -- quoted form keeps a quote or shell metacharacter in the password from breaking (or escaping) the command
    do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
    display dialog "Kerberos ticket acquired." with icon 1 buttons {"OK"} default button 1
end try
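The four exit conditions listed in the post (cancel, script timeout, VPN never connects, connected and ticket granted), as an added example that is not the poster's code. It keeps the post's service name "VPN (IPsec)" and kinit invocation; the 60-second deadline, the 2-second poll interval, and the handler names are assumptions. "Never connects" and "timeout" both end through the same deadline, since from the script's side they are indistinguishable; a cancel of the system VPN box is assumed to surface as error -128, which is what the post's own handler tests for.

```applescript
-- Added example, not from the original post. Assumed names and values:
-- the VPN service is "VPN (IPsec)" as in the post; timeout and poll interval are arbitrary.
property vpnName : "VPN (IPsec)"
property connectTimeout : 60 -- seconds to wait for the VPN before giving up
property pollInterval : 2

-- Returns "connected", "cancelled" or "timeout".
on waitForVPN()
    set deadline to (current date) + connectTimeout
    try
        tell application "System Events"
            tell current location of network preferences
                set vpnService to service vpnName
                -- only dial if the service is not already up
                if not (connected of current configuration of vpnService) then connect vpnService
                repeat while (current date) < deadline
                    if connected of current configuration of vpnService then return "connected"
                    delay pollInterval
                end repeat
            end tell
        end tell
    on error errText number errNum
        -- -128 is "User canceled" (assumed to be raised when the system VPN box is dismissed)
        if errNum is -128 then return "cancelled"
        error errText number errNum
    end try
    -- deadline passed: stop the pending dial so it does not keep retrying after the script ends
    try
        tell application "System Events" to disconnect (service vpnName of current location of network preferences)
    end try
    return "timeout"
end waitForVPN

-- Returns true when a krbtgt entry is present in the ticket cache afterwards.
on acquireTicket()
    try
        -- renew an existing ticket if there is one; grep -q exits non-zero when none is cached
        do shell script "/usr/bin/klist | /usr/bin/grep -q krbtgt && /usr/bin/kinit -R"
        return true
    end try
    set pw to text returned of (display dialog "Please enter your domain password:" default answer "" with hidden answer)
    -- quoted form guards against a quote or metacharacter in the password; the password still
    -- passes through the sh -c command line briefly, so it is visible to ps for that moment
    do shell script "/bin/echo " & quoted form of pw & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
    try
        do shell script "/usr/bin/klist | /usr/bin/grep -q krbtgt"
        return true
    on error
        return false
    end try
end acquireTicket

on run
    set vpnState to waitForVPN()
    if vpnState is "cancelled" then
        return -- user cancelled the VPN box: exit quietly
    else if vpnState is "timeout" then
        display dialog "The VPN did not connect within " & connectTimeout & " seconds." buttons {"OK"} default button 1
        return
    end if
    if acquireTicket() then
        display dialog "Kerberos ticket acquired." buttons {"OK"} default button 1
    else
        display dialog "Could not obtain a Kerberos ticket." buttons {"OK"} default button 1
    end if
end run
```

Saved as an application from AppleScript Editor, the "Kerberos ticket acquired." dialog is the last thing the user sees; every other path ends the script without further prompting, which is the behaviour the post asks for.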
Well, I haven't gotten any feedback yet, but I have an updated script, and while it isn't exactly what I was looking for, it's very close.
I was going to add a bunch more logic around expired passwords, but I ran out of time, so maybe someone out there has a bit more info on the kpasswd / kinit commands and how to pass the variables to them and reset the passwords. I'm fairly close, I think.
I have been reading and gathering bits from all over the internet, so I realize that it's missing some uniformity, but without any input from the community this is what I have come up with so far.
try
    -- keep the dialog record in a variable rather than relying on "result" after an if test
    set choice to display dialog "How would you like to proceed?" buttons {"VPN and Ticket", "Ticket Only", "Cancel"} default button 1 giving up after 15
    if gave up of choice is true then
        error number -128
    else
        if button returned of choice is "Cancel" then
            error number -128
        else
            if button returned of choice is "VPN and Ticket" then
                tell application "System Events"
                    tell network preferences
                        -- up to 10 dial attempts, about 3 seconds apart
                        repeat 10 times
                            set VPN to the service "VPN (IPsec)"
                            if connected of current configuration of VPN then
                                exit repeat
                            else
                                tell service "VPN (IPsec)"
                                    connect
                                    delay 3
                                end tell
                            end if
                        end repeat
                    end tell
                end tell
            end if
        end if
    end if
    try
        -- a krbtgt line in klist means a ticket is cached; kinit -R renews it
        set kerb to do shell script "/usr/bin/klist | /usr/bin/grep krbtgt"
        set renewKerb to do shell script "/usr/bin/kinit -R"
        display dialog "Ticket is still valid, renewal is not needed." buttons {"OK"} default button 1
    on error
        try
            set thePassword to (display dialog "Please enter your network password:" default answer "" default button 2 giving up after 10 with hidden answer)
            set theText to the text returned of thePassword
            set theButton to the button returned of thePassword
            set theGaveUpState to gave up of thePassword as string
            if theGaveUpState is "true" then
                error number -128
            end if
            if theButton is "Cancel" then
                error number -128
            end if
            -- quoted form keeps a quote or shell metacharacter in the password from breaking (or escaping) the command
            do shell script "/bin/echo " & quoted form of theText & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
            display dialog "Ticket acquired." buttons {"Ok"} default button 1 giving up after 10
        on error errmsg
            if (errmsg contains "expire") then
                set expiredDlg to display dialog "Password has expired, please contact the IT Dept." buttons {"Ok"} default button 1 giving up after 10
                if gave up of expiredDlg is true then
                    error number -128
                end if
                if button returned of expiredDlg is "Ok" then
                    error number -128
                end if
            else
                if (errmsg contains "Password incorrect") then
                    -- allow three more attempts before giving up
                    repeat 3 times
                        set retryDlg to display dialog "Password incorrect, would you like to try again?" buttons {"Yes", "No"} default button 1 giving up after 10
                        if gave up of retryDlg is true then
                            error number -128
                        else
                            if button returned of retryDlg is "No" then
                                error number -128
                            else
                                try
                                    set thePassword to text returned of (display dialog "Please enter your network password:" default answer "" with hidden answer)
                                    do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
                                    display dialog "Ticket acquired." buttons {"OK"} default button 1
                                    exit repeat
                                    #if (errmsg contains "Your password/account will expire") then
                                    #repeat
                                    #display dialog "Password has expired, would you like to set a new Password?" with icon 2 buttons {"Yes", "No"} default button 1
                                    #if result = {button returned:"no"} then
                                    #exit repeat
                                    #else
                                    #try
                                    #set thePassword to text returned of (display dialog "Please enter your network password:" default answer "" with hidden answer)
                                    #do shell script "/bin/echo " & quoted form of thePassword & " | /usr/bin/kinit -l 10h -r 10h --password-file=STDIN"
                                    #display dialog "Kerberos ticket acquired." with icon 1 buttons {"OK"} default button 1
                                    #exit repeat
                                    #end try
                                    #end if
                                    #end repeat
                                    #end if
                                end try
                            end if
                        end if
                    end repeat
                end if
            end if
        end try
    end try
end try