Webmin authentication (and other user-related tasks) broken in modern Mac OS X versions

So, nidump doesn't exist in Mac OS X since version 10.6 (I think). It has been replaced by the dscl command, which doesn't use the same commands or produce the same output, as far as I can tell.

It can do XML "property list" format, and some sort of semicolon separated thing.

For example, this is as close as I can get to a shadow style output (which is still pretty far off):

# dscl . -list /Users "authentication_authority"

Which outputs:

joe ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;joe@LKDC:SHA1.C8E9D268C81427D76AEF109662D3669897D64BAD;LKDC:SHA1.C8E9D268C81427D76AEF109662D3669897D64BAD
root   ;Kerberosv5;;root@LKDC:SHA1.C8E2C81427DD366698876AEF10997D69D2664BAD;LKDC:SHA1.C8E2C81427DD366698876AEF10997D69D2664BAD ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>

I'm gonna keep poking at it. I don't have a machine with nidump so I can compare what the old stuff was expecting, but from a brief reading of the code it seems nidump could produce a passwd/shadow style output. I'll keep trying to make dscl do something reasonable.

Oh, actually, there's also the "defaults" command which might do something better...looking into it.

Status: Closed (fixed)
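An added example, not part of the original post or of Webmin's code: a parser for the `dscl . -list /Users authentication_authority` listing shown above, turning each line into structured entries and reporting accounts that advertise no SALTED-SHA512-PBKDF2 hash. It assumes each whitespace-separated entry has the layout version;tag;data as the sample suggests; the `legacy` and `_www` lines and the shortened realm fingerprints are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the dscl output quoted above
# (realm fingerprints shortened to placeholders; last two lines invented).
SAMPLE = """\
joe ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;joe@LKDC:SHA1.AAAA;LKDC:SHA1.AAAA
root   ;Kerberosv5;;root@LKDC:SHA1.BBBB;LKDC:SHA1.BBBB ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
legacy ;ShadowHash;HASHLIST:<SALTED-SHA1>
_www
"""

def parse_entry(raw):
    """Split one entry into version, tag and data (assumed version;tag;data)."""
    version, _, rest = raw.partition(";")
    tag, _, data = rest.partition(";")
    entry = {"version": version, "tag": tag,
             "data": data.split(";") if data else []}
    if tag == "ShadowHash":
        # HASHLIST:<A,B> names the hash formats stored for the account.
        m = re.search(r"HASHLIST:<([^>]*)>", data)
        entry["hashes"] = m.group(1).split(",") if m else []
    return entry

def parse_listing(text):
    """Map each account name to its list of parsed authority entries."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Entries are whitespace-separated and may appear in any order.
        users[fields[0]] = [parse_entry(f) for f in fields[1:]]
    return users

def accounts_without(users, hash_type):
    """Accounts with no ShadowHash entry advertising the given hash type."""
    flagged = []
    for name, entries in users.items():
        hashes = [h for e in entries for h in e.get("hashes", [])]
        if hash_type not in hashes:
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for name, entries in parsed.items():
        print(name, [e["tag"] for e in entries])
    print("no PBKDF2 hash:", accounts_without(parsed, "SALTED-SHA512-PBKDF2"))
```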

Comments

Submitted by Joe on Mon, 04/06/2015 - 02:35 Pro Licensee

Oh, this is also something (not sure what, exactly):

plutil -p /var/db/dslocal/nodes/Default/users/joe.plist

That prints the whole joe.plist file in some sort of dump format. Unfortunately the "passwd" field has stars, but the authentication_authority field does have hashed passwords and a bunch of other crap around it, as above in the dscl output.

Also, let me know if you need me to send you details for logging into my Mac VM.

Submitted by Joe on Mon, 04/06/2015 - 16:38 Pro Licensee

Forgot to assign this one.

I'll look into this - sounds like Apple completely changed the user DB format since the last time I implemented this in Webmin.

Actually, it looks like the cause here may be that when a server like Webmin is started from a root shell via SSH, it loses permissions when that session is disconnected!

Try SSHing in as root, and running /etc/webmin/restart, leave the shell open, and see if the Users and Groups page works.

Confirmed, the real issue here is that Webmin might not be started via launchd - when it is, user editing works fine. I'll fix this in the next release.

Automatically closed -- issue fixed for 2 weeks with no activity.