authorJonathan Bauer2013-06-18 19:08:00 +0200
committerJonathan Bauer2013-06-18 19:08:00 +0200
commit24023c6869de453e675d77be97f7e6cf48ed3a39 (patch)
treeb6be9bb1fb528d7bed9efcf2c7476af86577efa2 /remote/modules/pam
parent[pam] add config files for rpc services (diff)
[pam] home directory per kerberos (alpha)
Diffstat (limited to 'remote/modules/pam')
-rw-r--r--remote/modules/pam/data/etc/idmapd.conf2
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-account1
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-auth3
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-session6
l---------remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service1
l---------remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service1
l---------remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service1
-rw-r--r--remote/modules/pam/data/etc/systemd/system/rpc-gssd.service7
-rw-r--r--remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service7
-rw-r--r--remote/modules/pam/data/etc/systemd/system/rpc-sercices.service8
-rw-r--r--remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount7
l---------remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close1
l---------remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open1
-rw-r--r--remote/modules/pam/pam.conf2
14 files changed, 35 insertions, 13 deletions
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
index 61cfe2d9..2253cf0d 100644
--- a/remote/modules/pam/data/etc/idmapd.conf
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -4,7 +4,7 @@ Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = uni-freiburg.de
- # localdomain
+# localdomain
[Mapping]
diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account
index 3a5d5a14..26055551 100644
--- a/remote/modules/pam/data/etc/pam.d/common-account
+++ b/remote/modules/pam/data/etc/pam.d/common-account
@@ -23,4 +23,5 @@ account requisite pam_deny.so
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
+account required pam_krb5.so
# end of pam-auth-update config
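Review bot: The new `account required pam_krb5.so` line has no `minimum_uid=1000`, whereas the pam_krb5 lines this commit adds to common-auth and common-session both carry it, so local accounts below that uid are now passed to the Kerberos account check that the auth stack deliberately skipped for them. As far as I recall pam_krb5 returns PAM_IGNORE from account management for a user it did not itself authenticate, in which case this is harmless, but I would not rely on that without checking the installed version; aligning the three lines removes the question: `account required pam_krb5.so minimum_uid=1000`. Note also that `required` means a genuine failure here (expired principal, unreachable KDC during the account check) denies the login even for users who authenticated via pam_unix or pam_ldap, which may or may not be what "(alpha)" intends.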
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..088ed13f 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [success=2 default=ignore] pam_unix.so
+auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
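Review bot: The new `auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000` line makes pam_krb5 the first password verifier, so the usual Kerberos-over-PAM caveat applies: the module can only detect a spoofed KDC by validating the obtained TGT against a host key, and if no keytab is present on these hosts that validation is skipped rather than failed, as far as I recall pam-krb5's behaviour. The module directory on this page does not show a keytab being shipped, so a comment above the line would help the next maintainer, e.g. `# pam_krb5 only verifies the KDC when /etc/krb5.keytab holds a host key; set verify_ap_req_nofail in krb5.conf`. The jump counts themselves look right: success=3/2/1 each land on the line after `pam_deny.so`, and the added `try_first_pass` on pam_unix correctly reuses the password only when pam_krb5 actually prompted.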
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..e3180dd4 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
@@ -26,8 +26,10 @@ session required pam_permit.so
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
-session [success=1] pam_unix.so
-session [success=ok] pam_ldap.so
+session [success=3] pam_unix.so
+session [success=2] pam_krb5.so minimum_uid=1000
+session [success=1] pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_script.so
session required pam_systemd.so kill-session-processes=1
# end of pam-auth-update config
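Review bot: With the new counts `success=3` / `success=2` / `success=1` on pam_unix, pam_krb5 and pam_ldap, every successful path jumps over `session optional pam_mkhomedir.so` and lands on `pam_script.so`, so pam_mkhomedir now only runs when none of the three session modules succeeds; before this change the old `success=1` / `success=ok` pair left pam_mkhomedir reachable after either module. If the intent of "home directory per kerberos" is that pam_script replaces pam_mkhomedir, that should be stated in a comment and the mkhomedir line dropped rather than left unreachable; if not, the counts should be `success=2`, `success=1` and `success=ok` respectively. Independently, `session optional pam_script.so` runs the ses_open/ses_close scripts linked from /usr/share/libpam-script as root for every session, so the deployment should ensure those targets are root-owned and not group/world writable.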
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
new file mode 120000
index 00000000..194aba77
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
@@ -0,0 +1 @@
+../rpc-gssd.service \ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
new file mode 120000
index 00000000..66a28252
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
@@ -0,0 +1 @@
+../rpc-idmapd.service \ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
deleted file mode 120000
index f68f14b9..00000000
--- a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
+++ /dev/null
@@ -1 +0,0 @@
-../rpc-sercices.service \ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
new file mode 100644
index 00000000..6623428d
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
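Review bot: `ExecStart=/usr/sbin/rpc.gssd -f -vvv` ships the daemon at maximum verbosity, which looks like a leftover from alpha debugging; at that level rpc.gssd logs per-request credential-cache and principal details to the journal on every host, which is noisy and exposes more about user sessions than the default. I would drop the `-vvv` for the committed unit, `ExecStart=/usr/sbin/rpc.gssd -f`, and keep verbose logging as a local override. The unit also has no `[Install]` section and is enabled only via the getty.target.wants symlink added in this commit, which is worth a one-line comment so nobody later wonders why `systemctl enable` has no effect.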
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
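Review bot: `Requires=network.target run-rpc_pipefs.mount` pulls the pipefs mount in, but `After=network.target` orders the daemon only after the network, so rpc.idmapd can be started before /run/rpc_pipefs is mounted; `Requires=` alone gives no ordering in systemd, and idmapd.conf in this same commit points `Pipefs-Directory` at exactly that path. The rpc-gssd.service unit added alongside gets this right with `After=run-rpc_pipefs.mount`; this one should read `After=network.target run-rpc_pipefs.mount`.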
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
deleted file mode 100644
index db6b115a..00000000
--- a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Start RPC services
-Requires=activate-nss-ldap.service
-After=activate-nss-ldap.service
-
-[Service]
-ExecStart=/usr/sbin/rpc.gssd
-ExecStart=/usr/sbin/rpc.idmapd
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close \ No newline at end of file
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
new file mode 120000
index 00000000..783d5605
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_open \ No newline at end of file
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 5f762481..38600f01 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -6,6 +6,7 @@ REQUIRED_INSTALLED_PACKAGES="
krb5-config
libpam-krb5
libssl-dev
+ ldap-utils
"
REQUIRED_CONTENT_PACKAGES="
libpam0g
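Review bot: The package list grows by `ldap-utils` here (and `ldapsearch` in the binaries list below), but nothing else in this commit uses ldapsearch, while the new `session optional pam_script.so` line in common-session does need libpam-script installed and I cannot see it in the part of `REQUIRED_INSTALLED_PACKAGES` this hunk shows. If it is not already listed outside the hunk, it should be added next to `libpam-krb5`, e.g. `libpam-script`; otherwise a short comment stating why ldap-utils is required would help, since the list otherwise names only Kerberos and PAM components.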
@@ -31,6 +32,7 @@ REQUIRED_BINARIES="
umount.crypt_LUKS
mount.crypto_LUKS
umount.crypto_LUKS
+ ldapsearch
"
REQUIRED_DIRECTORIES="
/lib