Merge branch 'master' of git.openslx.org:openslx-ng/tm-scripts

34 files changed, 633 insertions, 77 deletions

diff --git a/remote/modules/pam/TODO b/remote/modules/pam/TODO
new file mode 100644
index 00000000..6f95e62d
--- /dev/null
+++ b/remote/modules/pam/TODO
@@ -0,0 +1 @@
+suse krb5 mount home dirs
diff --git a/remote/modules/pam/data/etc/gssapi_mech.conf b/remote/modules/pam/data/etc/gssapi_mech.conf
new file mode 100644
index 00000000..ac41f5fd
--- /dev/null
+++ b/remote/modules/pam/data/etc/gssapi_mech.conf
@@ -0,0 +1,21 @@
+# Example /etc/gssapi_mech.conf file
+#
+# GSSAPI Mechanism Definitions
+#
+# This configuration file determines which GSS-API mechanisms
+# the gssd code should use
+#
+# NOTE:
+# The initiaiization function "mechglue_internal_krb5_init"
+# is used for the MIT krb5 gssapi mechanism.  This special
+# function name indicates that an internal function should
+# be used to determine the entry points for the MIT gssapi
+# mechanism funtions.
+#
+# library                               initialization function
+# ================================	==========================
+# The MIT K5 gssapi library, use special function for initialization.
+libgssapi_krb5.so.2			mechglue_internal_krb5_init
+#
+# The SPKM3 gssapi library function.  Use the function spkm3_gss_initialize.
+# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so    spkm3_gss_initialize
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
new file mode 100644
index 00000000..2253cf0d
--- /dev/null
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -0,0 +1,12 @@
+[General]
+
+Verbosity = 0
+Pipefs-Directory = /run/rpc_pipefs
+# set your own domain here, if id differs from FQDN minus hostname
+Domain = uni-freiburg.de
+# localdomain
+
+[Mapping]
+
+Nobody-User = nobody
+Nobody-Group = nogroup
diff --git a/remote/modules/pam/data/etc/krb5.conf b/remote/modules/pam/data/etc/krb5.conf
new file mode 100644
index 00000000..6fd49243
--- /dev/null
+++ b/remote/modules/pam/data/etc/krb5.conf
@@ -0,0 +1,28 @@
+# file copied from configuration package (rootfs/etc/krb5.conf)
+#########################################################################
+[libdefaults]
+    noaddresses = false
+    clockskew = 300
+    default_realm = PUBLIC.ADS.UNI-FREIBURG.DE
+    forwardable = true
+    minimum_uid = 1000
+    proxiable = false
+    renew_lifetime = 30d
+    retain_after_close = false
+    ticket_lifetime = 3d
+    use_shmem = sshd
+    allow_weak_crypto=true
+#########################################################################
+[realms]
+    PUBLIC.ADS.UNI-FREIBURG.DE = {
+        kdc = kerberos.uni-freiburg.de
+        default_domain = uni-freiburg.de
+        admin_server = kerberos.uni-freiburg.de
+    }
+#########################################################################
+[domain_realm]
+    uni-freiburg.de  = PUBLIC.ADS.UNI-FREIBURG.DE
+    .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE
+##########################################################################
+[appdefaults]
+#########################################################################
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
new file mode 100755
index 00000000..48e778e2
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "[$PAM_TYPE] Closing session for $PAM_USER"
+
+umount /home/$PAM_USER
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
new file mode 100755
index 00000000..86386267
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
+
+echo "[$PAM_TYPE] Opening session for $PAM_USER"
+echo "[$PAM_TYPE] Mounting home directory for $PAM_USER"
+
+# generate keytab
+sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab
+chmod 600 /etc/krb5.keytab
+
+# determine fileserver and share for home directories
+ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver > /tmp/ldapsearch."$PAM_USER"
+
+FILESERVER=$(cat /tmp/ldapsearch.$PAM_USER | grep rufFileserver | cut -d" " -f2)
+VOLUME=$(cat /tmp/ldapsearch.$PAM_USER | grep homeDirectory | cut -d" " -f2)
+
+# now we can mount the home directory
+mkdir -p /home/$PAM_USER
+mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER" \
+	|| echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER"
diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account
index 3a5d5a14..26055551 100644
--- a/remote/modules/pam/data/etc/pam.d/common-account
+++ b/remote/modules/pam/data/etc/pam.d/common-account
@@ -23,4 +23,5 @@ account	requisite			pam_deny.so
 # since the modules above will each just jump around
 account	required			pam_permit.so
 # and here are more per-package modules (the "Additional" block)
+account required			pam_krb5.so
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..088ed13f 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-auth	[success=2 default=ignore]	pam_unix.so
+auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
+auth	[success=2 default=ignore]	pam_unix.so try_first_pass
 auth	[success=1 default=ignore]	pam_ldap.so use_first_pass nullok_secure
 # here's the fallback if no module succeeds
 auth	requisite			pam_deny.so
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..e3180dd4 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
@@ -26,8 +26,10 @@ session	required			pam_permit.so
 # See "man pam_umask".
 session optional			pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session	[success=1]	pam_unix.so 
-session [success=ok]	pam_ldap.so
+session	[success=3]	pam_unix.so 
+session	[success=2]	pam_krb5.so minimum_uid=1000
+session [success=1]	pam_ldap.so
 session optional 	pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional	pam_script.so
 session	required	pam_systemd.so kill-session-processes=1
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
new file mode 120000
index 00000000..194aba77
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
@@ -0,0 +1 @@
+../rpc-gssd.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
new file mode 120000
index 00000000..66a28252
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
@@ -0,0 +1 @@
+../rpc-idmapd.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
new file mode 100644
index 00000000..6623428d
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close
\ No newline at end of file
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
new file mode 120000
index 00000000..783d5605
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_open
\ No newline at end of file
diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build
index 4392e64d..d3c0dd88 100644
--- a/remote/modules/pam/pam.build
+++ b/remote/modules/pam/pam.build
@@ -3,9 +3,26 @@ fetch_source() {
 }
 
 build() {
-	tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}"	
+	mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin"
+	gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c"
+	local COPYLIST="$MODULE_BUILD_DIR/list_packet_files"
+	list_packet_files | sort -u > "$COPYLIST"
+	tarcopy "$(cat "$COPYLIST")" "${MODULE_BUILD_DIR}"
 }
 
 post_copy() {	
-	:
+	if [ ! -d "${TARGET_BUILD_DIR}/run/rpc_pipefs" ]; then
+		mkdir -p "${TARGET_BUILD_DIR}/run/rpc_pipefs" || pwarning "Could not mkdir ${TARGET_BUILD_DIR}/run/rpc_pipefs"
+	fi
+	
+	# find libnfsidmap run-time library directory
+	#local COPYLIST="$MODULE_BUILD_DIR/list_packet_files"
+	#local SEARCH=$(grep "/libsnfsidmap/" "$COPYLIST" | head -1)
+	#[ -z "$SEARCH" ] && perror "Hä"
+	#SEARCH=$(dirname "$SEARCH")
+	#if [ -d "${SEARCH}" ]; then
+	#	tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pinfo "Something went wrong copying $SEARCH"
+	#fi
+
+	
 }
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 94356d45..bbdd610f 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -1,37 +1,61 @@
-REQUIRED_INSTALLED_PACKAGES=" libpam-ldap
-			libnss-ldap
-			libpam-script
-			krb5-user
-			krb5-config
-			libpam-krb5
-			libpam-mount"
-REQUIRED_CONTENT_PACKAGES="	libpam0g
-			libpam-modules
-			libpam-ck-connector
-			libpam-cap
-			libpam-script
-			libldap-2.4-2
-			libpam-ldap
-			libnss-ldap
-			krb5-user
-			krb5-config
-			libpam-krb5
-			libpam-mount"
-REQUIRED_BINARIES="	mount.crypt
-			umount.crypt 
-			mount.crypt_LUKS
-			umount.crypt_LUKS
-			mount.crypto_LUKS
-			umount.crypto_LUKS
-			perl"
-REQUIRED_SYSTEM_FILES="	/lib/security/pam_mount.so"
-REQUIRED_DIRECTORIES="	/lib
-			/usr/lib
-			/etc/security"
-REQUIRED_SYSTEM_FILES="	/sbin/mkhomedir_helper
-			/etc/pam.conf
-			/etc/login.defs
-			/etc/securetty
-			/etc/default/locale
-			/lib/security
-			/lib/${ARCH_TRIPLET}/security"
+REQUIRED_INSTALLED_PACKAGES="
+	libpam-ldap
+	libnss-ldap
+	libpam-script
+	krb5-user
+	krb5-config
+	libpam-krb5
+	libssl-dev
+	ldap-utils
+	libnfsidmap2
+	nfs-common
+"
+REQUIRED_CONTENT_PACKAGES="
+	libpam0g
+	libpam-modules
+	libpam-ck-connector
+	libpam-cap
+	libpam-script
+	libldap-2.4-2
+	libpam-ldap
+	libnss-ldap
+	krb5-user
+	krb5-config
+	libpam-krb5
+	libpam-mount
+	ldap-utils
+	libnfsidmap2
+	nfs-common
+"
+REQUIRED_BINARIES="
+	rpc.gssd
+	rpc.idmapd
+	sslconnect
+	mount.crypt
+	umount.crypt 
+	mount.crypt_LUKS
+	umount.crypt_LUKS
+	mount.crypto_LUKS
+	umount.crypto_LUKS
+	ldapsearch
+"
+REQUIRED_LIBRARIES="
+	nsswitch
+	static
+	umich_ldap
+	libnfsidmap
+"
+REQUIRED_DIRECTORIES="
+	/lib
+	/usr/lib
+	/etc/security
+"
+REQUIRED_SYSTEM_FILES="
+	/sbin/mkhomedir_helper
+	/etc/pam.conf
+	/etc/login.defs
+	/etc/securetty
+	/etc/default/locale
+	/lib/security
+	/lib/${ARCH_TRIPLET}/security
+"
diff --git a/remote/modules/pam/pam.conf.zypper b/remote/modules/pam/pam.conf.zypper
index 2defe1bb..48dc1d52 100644
--- a/remote/modules/pam/pam.conf.zypper
+++ b/remote/modules/pam/pam.conf.zypper
@@ -1,10 +1,36 @@
-REQUIRED_INSTALLED_PACKAGES=" pam_ldap pam pam-devel nss_ldap pam-modules"
-REQUIRED_CONTENT_PACKAGES="	pam_ldap pam pam-devel nss_ldap pam-modules nss-mdns"
-REQUIRED_BINARIES="	mkhomedir_helper"
-REQUIRED_DIRECTORIES="	/$LIB64
-			/usr/$LIB64
-			/etc/security"
-REQUIRED_SYSTEM_FILES=" /etc/login.defs
-                        /etc/securetty
-                        /$LIB64/security"
+REQUIRED_INSTALLED_PACKAGES="
+	pam_ldap
+	pam
+	pam-devel
+	nss_ldap
+	pam-modules
+	libopenssl-devel
+	openldap2-client
+	nfsidmap
+"
+REQUIRED_CONTENT_PACKAGES="
+	pam_ldap
+	pam
+	pam-devel
+	nss_ldap
+	pam-modules
+	nss-mdns
+	openldap2-client
+	nfsidmap
+"
+REQUIRED_BINARIES="
+	sslconnect
+	ldapsearch
+	mkhomedir_helper
+"
+REQUIRED_DIRECTORIES="
+	/$LIB64
+	/usr/$LIB64
+	/etc/security
+"
+REQUIRED_SYSTEM_FILES="
+	/etc/login.defs
+	/etc/securetty
+	/$LIB64/security
+"
 
diff --git a/remote/modules/pam/sslconnect.c b/remote/modules/pam/sslconnect.c
new file mode 100644
index 00000000..af43093c
--- /dev/null
+++ b/remote/modules/pam/sslconnect.c
@@ -0,0 +1,201 @@
+/************************
+ * sslconnect 0.2
+ * Last Change: 2013-06-17
+ * C Implementation by Simon Rettberg
+ * Original sslconnect 0.1 was written in perl by Martin Walter
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+/* Init libs and data strctures */
+void init();
+/* print error report of something failed */
+void ssl_error();
+/* connect via ssl */
+SSL* ssl_connect(char * host, uint16_t port, uint16_t local_port, SSL_CTX ** ctx);
+/* read from ssl connection */
+ssize_t ssl_read(SSL * bio, char * buffer, ssize_t length);
+/* write to ssl connection */
+int ssl_write(SSL * bio, char * buffer, ssize_t length);
+
+int main(int argc, char ** argv);
+
+void init()
+{
+	SSL_load_error_strings();
+	SSL_library_init();
+	OpenSSL_add_all_algorithms();
+}
+
+void ssl_error(char* message)
+{
+	fprintf(stderr, message);
+	fprintf(stderr, "\n%s\n", ERR_error_string(ERR_get_error(), NULL));
+	fprintf(stderr, "Details: %s\n", ERR_reason_error_string(ERR_get_error()));
+	ERR_print_errors_fp(stderr);
+}
+
+SSL* ssl_connect(char * host, uint16_t port, uint16_t local_port, SSL_CTX ** ctx)
+{
+	int ret = 0;
+	/* create socket. needs to be done manually in order to bind to local port */
+	int fd = socket(AF_INET, SOCK_STREAM, 0);
+	if (fd < 0) {
+		fprintf(stderr, "Could not create socket.\n");
+		return NULL;
+	}
+
+	struct sockaddr_in sa_dest, sa_local;
+	memset(&sa_local, 0, sizeof(sa_local));
+	memset(&sa_dest, 0, sizeof(sa_dest));
+
+	sa_local.sin_family = AF_INET;
+	sa_local.sin_port = htons(local_port);
+	ret = bind(fd, (struct sockaddr *)&sa_local, sizeof(struct sockaddr));
+	if (ret == -1) {
+		fprintf(stderr, "Could not bind local socket to 0.0.0.0:%d (%d)\n", (int)local_port, (int)errno);
+		close(fd);
+		return NULL;
+	}
+
+	sa_dest.sin_family = AF_INET;
+	sa_dest.sin_port = htons(port);
+	struct hostent * rec;
+	rec = gethostbyname(host);
+	if (rec == NULL) {
+		fprintf(stderr, "Error: Invalid host: %s\n", host);
+		return NULL;
+	}
+	memcpy(&(sa_dest.sin_addr), rec->h_addr, sizeof(struct in_addr));
+
+	ret = connect(fd, (struct sockaddr *)&sa_dest, sizeof(struct sockaddr));
+	if (ret == -1) {
+		fprintf(stderr, "Could not connect to %s:%d (%d)\n", host, (int)port, (int)errno);
+		close(fd);
+		return NULL;
+	}
+
+	/* openssl part */
+	SSL * ssl;
+
+	/* Set up the SSL pointers */
+	*ctx = SSL_CTX_new(SSLv23_client_method());
+	ssl = SSL_new(*ctx);
+	SSL_set_fd(ssl, fd);
+	ret = SSL_connect(ssl);
+
+	if (ret <= 0) {
+		ssl_error("Unable to SSL_connect");
+		return NULL;
+	}
+
+	SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+	return ssl;
+}
+
+ssize_t ssl_read(SSL * ssl, char * buffer, ssize_t length)
+{
+	ssize_t ret = -1;
+	int retries = 10;
+
+	while (ret < 0 && --retries > 0) {
+
+		ret = SSL_read(ssl, buffer, length);
+		if (ret >= 0) {
+			return ret;
+		}
+
+		ssl_error("SSL_read failed");
+		return -1;
+
+	}
+
+	return -1;
+}
+
+int ssl_write(SSL * ssl, char * buffer, ssize_t length)
+{
+	ssize_t ret = -1;
+	int retries = 10;
+
+	while (ret < 0 && --retries > 0) {
+
+		ret = SSL_write(ssl, buffer, length);
+		if (ret >= 0) {
+			return ret;
+		}
+
+		ssl_error("SSL_write failed");
+		return -1;
+
+	}
+
+	return -1;
+}
+
+#define READBUF 5000
+int main(int argc, char ** argv)
+{
+	if (argc < 2) {
+		fprintf(stderr, "Usage: %s host:port\n", argv[0]);
+		return 1;
+	}
+
+	init();
+
+	char buffer[READBUF];
+	SSL_CTX * ctx = NULL;
+	SSL * ssl;
+	ssize_t len;
+	size_t ret;
+	char * pos;
+	int port, lport;
+	pos = strchr(argv[1], ':');
+	if (pos == NULL) {
+		fprintf(stderr, "Error: No Port given.\n");
+		return 5;
+	}
+	port = atoi(pos+1);
+	*pos = '\0';
+
+	lport = rand() % 800 + 95;
+
+	ssl = ssl_connect(argv[1], (uint16_t)port, (uint16_t)lport, &ctx);
+	if (ssl == NULL) {
+		return 2;
+	}
+
+	ssl_write(ssl, "", 0);
+	for (;;) {
+		len = ssl_read(ssl, buffer, READBUF);
+		if (len <= 0) {
+			break;
+		}
+		ret = fwrite(buffer, 1, len, stdout);
+		if (ret != len) {
+			fprintf(stderr, "Error: fwrite could not write all received data to stdout.\n");
+			return 3;
+		}
+	}
+
+	if (len < 0) {
+		return 4;
+	}
+
+	return 0;
+}
+
diff --git a/remote/modules/policykit/policykit.build b/remote/modules/policykit/policykit.build
index 591c180f..52be1221 100644
--- a/remote/modules/policykit/policykit.build
+++ b/remote/modules/policykit/policykit.build
@@ -14,6 +14,7 @@ build () {
 }
 
 post_copy() {
+        COPYLIST="$MODULE_DIR/list_dpkg_output"
 	local POLPATH="$(grep '/polkitd$' "$COPYLIST" | head -1 | sed -e 's/[\/&]/\\&/g')"
 	[ -n "$POLPATH" ] && sed -i "s/%%POLKITD%%/${POLPATH}/g" "$TARGET_BUILD_DIR/etc/systemd/system/polkitd.service"
 	#Add Polkit User/Group/Shadow to Stage3.2
diff --git a/remote/modules/redsocks/data/etc/redsocks.conf b/remote/modules/redsocks/data/etc/redsocks.conf
new file mode 100644
index 00000000..c783258f
--- /dev/null
+++ b/remote/modules/redsocks/data/etc/redsocks.conf
@@ -0,0 +1,56 @@
+base {
+	// debug: connection progress & client list on SIGUSR1
+	log_debug = off;
+
+	// info: start and end of client session
+	log_info = off;
+
+	/* possible `log' values are:
+	 *   stderr
+	 *   "file:/path/to/file"
+	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
+	 */
+	log = "file:/root/redsocks.log";
+
+	// detach from console
+	daemon = on;
+
+	/* Change uid, gid and root directory, these options require root
+	 * privilegies on startup.
+	 * Note, your chroot may requre /etc/localtime if you write log to syslog.
+	 * Log is opened before chroot & uid changing.
+	 */
+	user = nobody;
+	group = nogroup;
+	// chroot = "/var/chroot";
+
+	/* possible `redirector' values are:
+	 *   iptables   - for Linux
+	 *   ipf        - for FreeBSD
+	 *   pf         - for OpenBSD
+	 *   generic    - some generic redirector that MAY work
+	 */
+	redirector = iptables;
+}
+
+redsocks {
+	/* `local_ip' defaults to 127.0.0.1 for security reasons,
+	 * use 0.0.0.0 if you want to listen on every interface.
+	 * `local_*' are used as port to redirect to.
+	 */
+	local_ip = 0.0.0.0;
+	local_port = 12345;
+
+	// `ip' and `port' are IP and tcp-port of proxy-server
+	ip = %%PROXY_IP%%;
+	port = %%PROXY_PORT%%;
+
+
+	// known types: socks4, socks5, http-connect, http-relay
+	// type = http-connect;
+	type = %%PROXY_TYPE%%;
+
+	// login = "foobar";
+	// password = "baz";
+}
+
diff --git a/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service b/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service
new file mode 120000
index 00000000..0c7dc84b
--- /dev/null
+++ b/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service
@@ -0,0 +1 @@
+../setup_proxy.service
\ No newline at end of file
diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
new file mode 100644
index 00000000..4b30d09e
--- /dev/null
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Transparent redirector of any TCP connection to proxy using your firewall
+
+[Service]
+Type=forking
+PIDFile=/run/redsocks.pid
+ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks.pid
+ExecStopPost=/bin/rm /run/redsocks.pid
+Restart=on-abort
diff --git a/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service b/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service
new file mode 100644
index 00000000..885e72dc
--- /dev/null
+++ b/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Proxy setup detection
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/opt/openslx/bin/setup_proxy
+RemainAfterExit=yes
diff --git a/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy
new file mode 100755
index 00000000..5dc22a14
--- /dev/null
+++ b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+. /opt/openslx/config || echo "Error sourcing config for setup_proxy"
+
+[ -z "$SLX_PROXY_MODE" -o "x$SLX_PROXY_MODE" == "xoff" ] && echo "proxy mode disabled." && exit 0
+
+PROXY=off
+if [ "$SLX_PROXY_MODE" == "on" ]; then
+	PROXY=on
+elif [ "$SLX_PROXY_MODE" == "auto" -a -n "$SLX_PXE_CLIENT_IP" ]; then
+	[[ "$SLX_PXE_CLIENT_IP" =~ ^10\. ]] && PROXY=on
+	[[ "$SLX_PXE_CLIENT_IP" =~ ^192\.168\. ]] && PROXY=on
+	[[ "$SLX_PXE_CLIENT_IP" =~ ^172\.[123] ]] && PROXY=on
+fi
+
+[ "$PROXY" == "off" ] && echo "Proxy mode not required." && exit 0
+
+sed -i "s/%%PROXY_IP%%/$SLX_PROXY_IP/g;s/%%PROXY_PORT%%/$SLX_PROXY_PORT/g;s/%%PROXY_TYPE%%/$SLX_PROXY_TYPE/g" /etc/redsocks.conf
+
+systemctl start redsocks
+
+iptables -t nat -N REDSOCKS
+iptables -t nat -A REDSOCKS -d "$SLX_PROXY_IP" -j RETURN
+iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
+iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
+iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
+iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
+iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
+if [ -n "$SLX_PROXY_BLACKLIST" ]; then
+	for ADDR in $SLX_PROXY_BLACKLIST; do
+		iptables -t nat -A REDSOCKS -d "$ADDR" -j RETURN
+	done
+fi
+iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345
+iptables -t nat -A PREROUTING -p tcp -j REDSOCKS
+iptables -t nat -A OUTPUT -p tcp -j REDSOCKS
+iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
+iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP
+
diff --git a/remote/modules/redsocks/redsocks.build b/remote/modules/redsocks/redsocks.build
new file mode 100644
index 00000000..eb5c238d
--- /dev/null
+++ b/remote/modules/redsocks/redsocks.build
@@ -0,0 +1,24 @@
+#tool/distro specific functions for fetching, building and installing dependencies
+	
+
+fetch_source () {
+	mkdir -p src
+	cd src || perror "Could not cd to src"
+	if [ ! -d "redsocks" ]; then
+		git clone "$REQUIRED_GIT" "redsocks" || perror "Could not clone redoscks from github"
+	fi
+	cd redsocks || perror "Could not cd to src/redsocks"
+	git checkout "$REQUIRED_REVISION" || perror "Could not checkout revision $REQUIRED_REVISION"
+}	
+
+build () {
+	cd "$MODULE_DIR/src/redsocks" || perror "src/redsocks not found"
+	make || perror "make failed."
+	mkdir -p "$MODULE_BUILD_DIR/sbin"
+	cp "redsocks" "$MODULE_BUILD_DIR/sbin/" || perror "Could not copy redsocks binary to build dir"
+}
+
+post_copy() {
+	:
+}
+
diff --git a/remote/modules/redsocks/redsocks.conf b/remote/modules/redsocks/redsocks.conf
new file mode 100644
index 00000000..db7bcfa3
--- /dev/null
+++ b/remote/modules/redsocks/redsocks.conf
@@ -0,0 +1,10 @@
+REQUIRED_GIT="git://github.com/darkk/redsocks.git"
+REQUIRED_REVISION="2e3f648809e27cc19cb7a8702f19b553a7ef9a81"
+
+REQUIRED_INSTALLED_PACKAGES="
+	libevent-dev
+"
+REQUIRED_BINARIES="
+	redsocks
+"
+
diff --git a/remote/modules/systemd/systemd.build b/remote/modules/systemd/systemd.build
index 027024cf..8f4081e3 100644
--- a/remote/modules/systemd/systemd.build
+++ b/remote/modules/systemd/systemd.build
@@ -21,7 +21,7 @@ build () {
 	pinfo "Building systemd"
 	cd "${MODULE_DIR}/src/$REQUIRED_VERSION"
 	pinfo "calling configure"
-	./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no --disable-nls --disable-microhttpd --disable-bootchart --disable-quotacheck --disable-hostnamed --disable-timedated --disable-localed --disable-coredump --disable-keymap --without-python --enable-blkid --enable-acl || perror "configure failed."
+	./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no --disable-nls --disable-microhttpd --disable-bootchart --disable-quotacheck --disable-hostnamed --disable-timedated --disable-localed --disable-coredump --disable-keymap --without-python --enable-blkid --enable-acl --enable-pam|| perror "configure failed."
 	pinfo "calling make"
 	make || perror "make failed."
 	pinfo "calling make install"
diff --git a/remote/modules/systemd/systemd.conf b/remote/modules/systemd/systemd.conf
index 2a81a5b9..8a9d0042 100644
--- a/remote/modules/systemd/systemd.conf
+++ b/remote/modules/systemd/systemd.conf
@@ -35,10 +35,10 @@ REQUIRED_INSTALLED_PACKAGES="
 			xsltproc
 			libblkid-dev
 			libacl1-dev
+			libpam-dev
 "
-REQUIRED_BINARIES="	hostnamectl
+REQUIRED_BINARIES="
 			journalctl
-			localectl
 			loginctl
 			systemctl
 			systemd-analyze
@@ -46,7 +46,6 @@ REQUIRED_BINARIES="	hostnamectl
 			systemd-cat
 			systemd-cgls
 			systemd-cgtop
-			systemd-coredumpctl
 			systemd-delta
 			systemd-detect-virt
 			systemd-inhibit
@@ -56,23 +55,17 @@ REQUIRED_BINARIES="	hostnamectl
 			systemd-stdio-bridge
 			systemd-tmpfiles
 			systemd-tty-ask-password-agent
-			timedatectl
 			udevadm
 			systemd
 			systemd-ac-power
 			systemd-binfmt
-			systemd-bootchart
 			systemd-cgroups-agent
-			systemd-coredump
 			systemd-fsck
-			systemd-hostnamed
 			systemd-initctl
 			systemd-journald
-			systemd-localed
 			systemd-logind
 			systemd-modules-load
 			systemd-multi-seat-x
-			systemd-quotacheck
 			systemd-random-seed
 			systemd-readahead
 			systemd-remount-fs
@@ -81,7 +74,6 @@ REQUIRED_BINARIES="	hostnamectl
 			systemd-shutdownd
 			systemd-sleep
 			systemd-sysctl
-			systemd-timedated
 			systemd-timestamp
 			systemd-udevd
 			systemd-update-utmp
@@ -95,7 +87,6 @@ REQUIRED_BINARIES="	hostnamectl
 			ata_id
 			cdrom_id
 			collect
-			keymap
 			mtd_probe
 			scsi_id
 			v4l_id"
diff --git a/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh b/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh
index 6c08653f..84ece685 100755
--- a/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh
+++ b/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh
@@ -376,15 +376,20 @@ writelog "\tVM Hostname:\t\t$hostname"
 ################################################################################
 ### Setup the rest of the environment and run the configured vm
 ################################################################################
-
+# 8086:1e20
+if lspci -n | grep -E -i '8086:1e20( |$)'; then
+	VOL="100%" # bwPC 4: Speaker too quiet :-(
+else
+	VOL="80%"
+fi
 # Adjust sound volume
 #writelog "Unmuting sound...\c "
-amixer -q sset Master 80% unmute 2>/dev/null
-amixer -q sset PCM 80% unmute 2>/dev/null
-amixer -q sset CD 80% unmute 2>/dev/null
-amixer -q sset Headphone 80% unmute 2>/dev/null
-amixer -q sset Front 80% unmute 2>/dev/null      # in SUSE 11.0 it's headphone
-amixer -q sset Speaker 80% unmute 2>/dev/null       # annoying built-in speaker
+amixer -q sset Master "$VOL" unmute 2>/dev/null
+amixer -q sset PCM "$VOL" unmute 2>/dev/null
+amixer -q sset CD "$VOL" unmute 2>/dev/null
+amixer -q sset Headphone "$VOL" unmute 2>/dev/null
+amixer -q sset Front "$VOL" unmute 2>/dev/null      # in SUSE 11.0 it's headphone
+amixer -q sset Speaker "$VOL" unmute 2>/dev/null       # annoying built-in speaker
 #writelog "finished\n"
 
 # Copy guest configuration (with added information) config.xml to be accessed
diff --git a/remote/rootfs/rootfs-stage31/rootfs-stage31.conf b/remote/rootfs/rootfs-stage31/rootfs-stage31.conf
index b493c370..47f77c0a 100644
--- a/remote/rootfs/rootfs-stage31/rootfs-stage31.conf
+++ b/remote/rootfs/rootfs-stage31/rootfs-stage31.conf
@@ -55,7 +55,7 @@ REQUIRED_FIRMWARE="     3com/
                         RTL8192SE/
                         rtl_nic/
                         tigon/"
-REQUIRED_FILES="        /etc/netconfig
-                        /etc/networks
-                        /etc/protocols
-                        /etc/services"
+REQUIRED_FILES="
+	/etc/protocols
+	/etc/services
+"
diff --git a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf
index 049c9e08..a7261422 100644
--- a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf
+++ b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf
@@ -1,5 +1,10 @@
 REQUIRED_MODULES="	kernel"
-REQUIRED_INSTALLED_PACKAGES="nfs-common squashfs-tools whois xfsprogs"
+REQUIRED_INSTALLED_PACKAGES="
+				nfs-common
+				squashfs-tools
+				whois
+				xfsprogs
+"
 REQUIRED_BINARIES="
 			bash
 			more
@@ -31,6 +36,10 @@ REQUIRED_BINARIES="
 			mkdosfs
 			amixer
 			iptables
+			host
+			rpc.gssd
+			rpc.idmapd
+			ntpdate
 "
 REQUIRED_LIBRARIES="	libcap
 			libcidn
diff --git a/remote/setup_target b/remote/setup_target
index b0565550..da4b7701 100755
--- a/remote/setup_target
+++ b/remote/setup_target
@@ -53,7 +53,7 @@
 #
 MODE_DIR="${ROOT_DIR}/remote"
 MODULES_DIR="${MODE_DIR}/modules"
-
+EXPORT_DIR="/export/build"
 # Keep track of processed modules
 PROCESSED_MODULES=""
 
@@ -93,6 +93,13 @@ read_build () {
 	. "${BUILD_SCRIPT}" || perror "Sourcing '${BUILD_SCRIPT}' failed."
 }
 
+export_builds() {
+	[ ! -d "${MODE_DIR}/builds" ] && perror "No ${MODE_DIR}/builds, nothing to export."
+	pinfo "Mounting ${MODE_DIR}/builds to ${EXPORT_DIR}. This will make the local builds syncable from another machine."
+        [ ! -d "${EXPORT_DIR}" ] && mkdir -p "${EXPORT_DIR}"
+        mount --bind ${MODE_DIR}/builds ${EXPORT_DIR} || perror "Failed to bind mount ${MODE_DIR}/builds to ${EXPORT_DIR}"
+}
+
 #
 # main function which copies all files, directories, binaries and external libraries to TARGET_BUILD_DIR
 #
@@ -128,6 +135,8 @@ copy_files_with_deps () {
 			else
 				pdebug "\tFound ${FILENAME} at ${FILE}"
 			fi
+		elif [ "$(echo $FILE_CANDIDATES | wc -w)" -eq 0 ]; then
+			perror "Could not find required binary $FILENAME"
 		else
 			# one candidate
 			FINAL_LIST=${FILE_CANDIDATES}
@@ -314,7 +323,12 @@ post_process_target() {
 		rm -r "${TARGET_BUILD_DIR}/lib/systemd"
 	fi
 
-	ldconfig -r "${TARGET_BUILD_DIR}"
+	# figure out all relevant ld-paths
+	local LDTEMP="$TARGET_BUILD_DIR/ldconf-temp"
+	grep -h '^\s*/' /etc/ld.so.conf /etc/ld.so.conf.d/* > "$LDTEMP"
+	# TODO: Echo other stuff to $LDTEMP (but figure out if first or last match wins)
+	ldconfig -v -r "${TARGET_BUILD_DIR}" -f "/ldconf-temp"
+	unlink "$LDTEMP"
 
 }