path: root/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent
Diffstat (limited to 'server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent')
-rw-r--r--server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent99
1 files changed, 99 insertions, 0 deletions
diff --git a/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent b/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent
new file mode 100644
index 00000000..dbe6ef01
--- /dev/null
+++ b/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent
@@ -0,0 +1,99 @@
+###################################################################
+#
+# This script is a part of the pam_script_ses_open script
+# and is not stand-alone!
+#
+# It will try to mount the home directories of students
+# under /home/<user>/PERSISTENT using cifs/kerberos.
+#
+
+# Only run this if PAM_USER is not a local user.
+if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
+
+ # determine fileserver and share for home directories
+ ldapsearch -x -LLL uid="${PAM_USER}" rufHomepath homeDirectory rufFileserver> "/tmp/ldapsearch.${PAM_USER}" || \
+ { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
+
+ CIFS_VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufHomepath | cut -d" " -f2 | tr '\\' '/')
+
+ if [ ! -z "${CIFS_VOLUME}" ]; then
+ # now we can mount the home directory!
+ MOUNT_OPTS="-t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,file_mode=0700,dir_mode=0700,nobrl,noacl"
+ export USER="${PAM_USER}"
+ export PASSWD="${PAM_AUTHTOK}"
+
+ SIGNAL=$(mktemp)
+ MOUNT_OUTPUT=$(mktemp)
+ rm -f -- "${SIGNAL}"
+ ( mount -v ${MOUNT_OPTS} "${CIFS_VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) &
+ MOUNT_PID=$!
+ for COUNTER in 1 2 4 4; do
+ kill -0 "${MOUNT_PID}" 2>/dev/null || break
+ sleep "${COUNTER}"
+ done
+
+ if [ -e "${SIGNAL}" ]; then
+ slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT"
+ rm -f -- "${SIGNAL}"
+ elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
+ slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT"
+ else
+ PERSISTENT_OK=yes
+ fi
+ ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) &
+ else
+ slxlog "pam-freiburg-ldap-cifs-volume" "LDAP server did not provide 'rufHomepath'. Aborting mount for ${PAM_USER}."
+ fi
+
+ # unset credentials
+ unset USER
+ unset PASSWD
+
+ # check if cifs mount worked.
+ if [ -z "$PERSISTENT_OK" ]; then
+
+ # determine the server and paths to the user's home directory
+ FILESERVER=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufFileserver | cut -d" " -f2)
+ VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep homeDirectory | cut -d" " -f2)
+
+ [ -z "${FILESERVER}" ] && slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}." && exit 1
+ [ -z "${VOLUME}" ] && slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}." && exit 1
+
+ # generate keytab (try twice :))
+ sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \
+ sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \
+ { slxlog "pam-freiburg-sslconnect" "Could not get /etc/krb5.keytab from npserv.ruf.uni-freiburg.de"; [ ! -s /etc/krb5.keytab ] && exit 1; }
+
+ chmod 600 /etc/krb5.keytab || \
+ { slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 /etc/krb5.keytab'"; exit 1; }
+
+ MOUNT_OPTS="-t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy"
+
+ if echo "$FILESERVER" | grep -q "sunfs6"; then
+ MOUNT_OPTS="${MOUNT_OPTS},sec=krb5i"
+ else
+ MOUNT_OPTS="${MOUNT_OPTS},sec=krb5p"
+ fi
+
+ SIGNAL=$(mktemp)
+ MOUNT_OUTPUT=$(mktemp)
+ rm -f -- "${SIGNAL}"
+ ( mount -v ${MOUNT_OPTS} "${FILESERVER}:${VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) &
+ MOUNT_PID=$!
+ for COUNTER in 1 2 4 4; do
+ kill -0 "${MOUNT_PID}" 2>/dev/null || break
+ sleep "${COUNTER}"
+ done
+
+ if [ -e "${SIGNAL}" ]; then
+ slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT"
+ rm -f -- "${SIGNAL}"
+ elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
+ slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT"
+ else
+ PERSISTENT_OK=yes
+ fi
+ ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) &
+ fi
+fi
+
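Review bot: The LDAP result is written to the predictable, root-owned path `/tmp/ldapsearch.${PAM_USER}` (the redirect on the ldapsearch line and the three `cat` reads of it later in the hunk) while this code runs from a PAM session hook, so another local user can create that name ahead of a login, the redirect then follows whatever is there, the server and share that get mounted are read back from a file that user may have placed, and the file is never removed afterwards. Capturing the ldapsearch output in a shell variable avoids the temporary file entirely; if a file is really needed, `mktemp` plus a `trap` cleanup is the pattern already used for `SIGNAL` and `MOUNT_OUTPUT`. The keytab fetch has a related ordering issue: `> /etc/krb5.keytab` creates the file under the current umask and only the later `chmod 600` restricts it, so write it to a `mktemp` file, `chmod 600` that, then `mv` it into place. The timeout path `kill -9 "${MOUNT_PID}"` appears to signal only the wrapping subshell, so the mount command itself may still complete after a timeout has been logged — worth confirming, and the same holds for the nfs4 branch. The variable-based rewrite of the lookup and the three field extractions follows.
```shell
 # determine fileserver and share for home directories
 LDAP_RESULT=$(ldapsearch -x -LLL uid="${PAM_USER}" rufHomepath homeDirectory rufFileserver) || \
 { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }

 CIFS_VOLUME=$(printf '%s\n' "${LDAP_RESULT}" | grep rufHomepath | cut -d" " -f2 | tr '\\' '/')
 # … unchanged: cifs mount attempt, credential unset, PERSISTENT_OK check …
 FILESERVER=$(printf '%s\n' "${LDAP_RESULT}" | grep rufFileserver | cut -d" " -f2)
 VOLUME=$(printf '%s\n' "${LDAP_RESULT}" | grep homeDirectory | cut -d" " -f2)
 # … unchanged: keytab fetch, nfs4 mount attempt …
```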