NoMAD should check the user keychain for a saved password before it tries to auto sign-in with a Kerberos ticket
Summary:
In environments where NoMAD is used on Macs bound to AD, NoMAD will always auto sign-in and never prompt the user to sign in with username and password when a valid Kerberos ticket is present. This causes potential application problems, because NoMAD never gets a chance to save the user's credentials in the user's keychain, even if UseKeychain and SignInWindowOnLaunch are both set to true.
If NoMAD never has an opportunity to save the user's password in the keychain, NoMAD will fail to sync the user's keychain password and FileVault unlock password when LocalPasswordSync is set to true.
Device Configuration:
- A Mac with macOS 10.12.5 and 10.12.6
- Mac bound to AD and user signing in to workstation with their AD account
Steps to Reproduce:
- Install NoMAD on any Mac bound to AD.
- Ensure that SignInWindowOnLaunch, UseKeychain, and LocalPasswordSync are present and set to true in your com.trusourcelabs.NoMAD.plist.
- Confirm that NoMAD has not stored any user credentials in the user's keychain by opening Keychain Access.app and searching all keychains for entries named "NoMAD". Delete any keychain entries for "NoMAD".
- Ensure there is a valid, unexpired Kerberos ticket with the klist command. If no tickets have been issued, use the kinit command to request a new Kerberos ticket.
- Launch NoMAD.
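A preflight script for the reproduction steps above, added here as an example and not part of NoMAD. Each check parses the output of the command it wraps (defaults read, security dump-keychain, klist) from a string so the logic can be exercised off-box with constructed samples; the ">>>Expired<<<" marker for expired tickets is assumed from Heimdal klist's output format.

```shell
#!/bin/sh
# Preflight for the NoMAD repro: all three plist keys true, no "NoMAD" keychain item,
# and a valid TGT. Functions take command output as a string so they can be tested offline.

# defaults(1) prints booleans as "Key = 1;" -- true only when the key is present and 1.
plist_flag_true() {  # $1 = key, $2 = output of `defaults read com.trusourcelabs.NoMAD`
  if printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1 = 1;"; then return 0; else return 1; fi
}

# The repro requires that no keychain entry for "NoMAD" exist before launch.
keychain_has_nomad() {  # $1 = output of `security dump-keychain`
  if printf '%s\n' "$1" | grep -q '"NoMAD"'; then return 0; else return 1; fi
}

# Heimdal klist lists one krbtgt/ line per TGT; expired ones carry ">>>Expired<<<"
# in the Expires column (assumed format).
klist_has_valid_tgt() {  # $1 = output of `klist`
  if printf '%s\n' "$1" | grep 'krbtgt/' | grep -vq 'Expired'; then return 0; else return 1; fi
}

# Combine the preconditions; prints READY when the bug should reproduce, else the blocker.
preflight() {  # $1 = defaults output, $2 = keychain dump, $3 = klist output
  for key in SignInWindowOnLaunch UseKeychain LocalPasswordSync; do
    plist_flag_true "$key" "$1" || { echo "MISSING:$key"; return 1; }
  done
  keychain_has_nomad "$2" && { echo "KEYCHAIN_ITEM_PRESENT"; return 1; }
  klist_has_valid_tgt "$3" || { echo "NO_VALID_TGT"; return 1; }
  echo READY
}

live_check() {
  preflight "$(defaults read com.trusourcelabs.NoMAD 2>/dev/null)" \
            "$(security dump-keychain 2>/dev/null)" "$(klist 2>/dev/null)"
}

# Only run the real tools on a Mac that has all three; elsewhere stay offline.
if command -v defaults >/dev/null 2>&1 && command -v security >/dev/null 2>&1 \
   && command -v klist >/dev/null 2>&1; then
  live_check || true  # the printed line carries the result
fi
```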
Expected Results:
When NoMAD is launched and UseKeychain is set to true, NoMAD should check for the presence of a keychain item for "NoMAD" in the user's keychain. If no entry is present, it should prompt the user to sign in so that it can capture the user's password and store it in the keychain, regardless of the presence of a valid Kerberos ticket.
Actual Results:
NoMAD launches and automatically signs in using the valid Kerberos ticket, without prompting the user to sign in and without checking whether a password has already been saved in the keychain when UseKeychain is set to true. This prevents NoMAD from capturing the user's password and saving it in the user's keychain.
Even if we try to force a sign-in window by setting SignInWindowOnLaunch to true, NoMAD will automatically sign in with the valid Kerberos credential that is present.
If NoMAD doesn't have a password stored in the keychain and LocalPasswordSync is set to true, the next time a user changes their password in AD, NoMAD will fail to sync the user's keychain password and FileVault password, as it doesn't have the user's "old" password saved in the keychain.
Notes: Feel free to reach out to me (@lechlerjr) in the #nomad Slack channel if you need more info.