Add a SigninAllowed policy.

chrome/browser/signin/signin_tracker.cc

Index: chrome/browser/signin/signin_tracker.cc
diff --git a/chrome/browser/signin/signin_tracker.cc b/chrome/browser/signin/signin_tracker.cc
index abc4fbe6fc6b5bbd316cef9f0d84ab3a24e53cfa..1036c5085c2f9a0fd3e0068a8177f14e765bc147 100644
--- a/chrome/browser/signin/signin_tracker.cc
+++ b/chrome/browser/signin/signin_tracker.cc
@@ -142,8 +142,9 @@ void SigninTracker::HandleServiceStateChange() {
   // Long term, we should separate out service auth failures from the signin
   // process, but for the current UI flow we'll validate service signin status
   // also.
-  ProfileSyncService* service = profile_->IsSyncAccessible() ?
-      ProfileSyncServiceFactory::GetForProfile(profile_) : NULL;
+  ProfileSyncService* service =
+      profile_->IsSyncAccessible() && profile_->IsSigninAllowed() ?

[Andrew T Wilson (Slow), 2013/02/04 15:41:48]

No need to check IsSigninAllowed() here - leave it as IsSyncAccessible(), since
we're really just checking to see if there's a ProfileSyncService.

If you want to add a check to IsSigninAllowed(), then do it above:

if (signin->GetAuthenticatedUsername().empty() || !signin->IsSigninAllowed()) {
   ... failure
}

[Adrian Kuegel, 2013/02/05 10:55:15]

Done.

+          ProfileSyncServiceFactory::GetForProfile(profile_) : NULL;
   if (service && service->waiting_for_auth()) {
     // Still waiting for an auth token to come in so stay in the INITIALIZING
     // state (we do this to avoid triggering an early signin error in the case