From 7d3d231e5ba0874c11885095be68af429bb358d1 Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Wed, 4 Feb 2015 13:37:25 +0100 Subject: [auth-freiburg] renamed 'pam-freiburg' to 'auth-freiburg' since the module does more than just pam --- server/modules/auth-freiburg/etc/gssapi_mech.conf | 21 +++++ server/modules/auth-freiburg/etc/idmapd.conf | 12 +++ server/modules/auth-freiburg/etc/krb5.conf | 28 ++++++ server/modules/auth-freiburg/etc/ldap/ldap.conf | 11 +++ server/modules/auth-freiburg/etc/nsswitch.conf | 19 ++++ .../modules/auth-freiburg/etc/pam.d/common-account | 26 ++++++ server/modules/auth-freiburg/etc/pam.d/common-auth | 28 ++++++ .../auth-freiburg/etc/pam.d/common-password | 33 +++++++ .../modules/auth-freiburg/etc/pam.d/common-session | 37 ++++++++ .../etc/pam.d/common-session-noninteractive | 30 ++++++ server/modules/auth-freiburg/etc/pam.d/kdm | 10 ++ server/modules/auth-freiburg/etc/pam.d/kdm-np | 11 +++ server/modules/auth-freiburg/etc/pam.d/login | 101 +++++++++++++++++++++ server/modules/auth-freiburg/etc/pam.d/other | 10 ++ server/modules/auth-freiburg/etc/pam.d/passwd | 6 ++ server/modules/auth-freiburg/etc/pam.d/sshd | 41 +++++++++ .../modules/auth-freiburg/etc/pam.d/vmware-authd | 6 ++ server/modules/auth-freiburg/etc/pam.d/xdm | 6 ++ .../auth-freiburg/etc/profile.d/00-autostart.sh | 40 ++++++++ server/modules/auth-freiburg/etc/sssd/sssd.conf | 60 ++++++++++++ .../system/getty.target.wants/rpc-gssd.service | 1 + .../system/getty.target.wants/rpc-idmapd.service | 1 + .../etc/systemd/system/rpc-gssd.service | 7 ++ .../etc/systemd/system/rpc-idmapd.service | 7 ++ .../etc/systemd/system/run-rpc_pipefs.mount | 7 ++ .../openslx/scripts/pam_script_mount_persistent | 99 ++++++++++++++++++++ server/modules/pam-freiburg/etc/gssapi_mech.conf | 21 ----- server/modules/pam-freiburg/etc/idmapd.conf | 12 --- server/modules/pam-freiburg/etc/krb5.conf | 28 ------ server/modules/pam-freiburg/etc/ldap/ldap.conf | 11 --- server/modules/pam-freiburg/etc/nsswitch.conf | 19 ---- .../modules/pam-freiburg/etc/pam.d/common-account | 26 ------ server/modules/pam-freiburg/etc/pam.d/common-auth | 28 ------ .../modules/pam-freiburg/etc/pam.d/common-password | 33 ------- .../modules/pam-freiburg/etc/pam.d/common-session | 37 -------- .../etc/pam.d/common-session-noninteractive | 30 ------ server/modules/pam-freiburg/etc/pam.d/kdm | 10 -- server/modules/pam-freiburg/etc/pam.d/kdm-np | 11 --- server/modules/pam-freiburg/etc/pam.d/login | 101 --------------------- server/modules/pam-freiburg/etc/pam.d/other | 10 -- server/modules/pam-freiburg/etc/pam.d/passwd | 6 -- server/modules/pam-freiburg/etc/pam.d/sshd | 41 --------- server/modules/pam-freiburg/etc/pam.d/vmware-authd | 6 -- server/modules/pam-freiburg/etc/pam.d/xdm | 6 -- .../pam-freiburg/etc/profile.d/00-autostart.sh | 40 -------- server/modules/pam-freiburg/etc/sssd/sssd.conf | 60 ------------ .../system/getty.target.wants/rpc-gssd.service | 1 - .../system/getty.target.wants/rpc-idmapd.service | 1 - .../etc/systemd/system/rpc-gssd.service | 7 -- .../etc/systemd/system/rpc-idmapd.service | 7 -- .../etc/systemd/system/run-rpc_pipefs.mount | 7 -- .../openslx/scripts/pam_script_mount_persistent | 99 -------------------- 52 files changed, 658 insertions(+), 658 deletions(-) create mode 100644 server/modules/auth-freiburg/etc/gssapi_mech.conf create mode 100644 server/modules/auth-freiburg/etc/idmapd.conf create mode 100644 server/modules/auth-freiburg/etc/krb5.conf create mode 100644 server/modules/auth-freiburg/etc/ldap/ldap.conf create mode 100644 server/modules/auth-freiburg/etc/nsswitch.conf create mode 100644 server/modules/auth-freiburg/etc/pam.d/common-account create mode 100644 server/modules/auth-freiburg/etc/pam.d/common-auth create mode 100644 server/modules/auth-freiburg/etc/pam.d/common-password create mode 100644 server/modules/auth-freiburg/etc/pam.d/common-session create mode 100644 server/modules/auth-freiburg/etc/pam.d/common-session-noninteractive create mode 100644 server/modules/auth-freiburg/etc/pam.d/kdm create mode 100644 server/modules/auth-freiburg/etc/pam.d/kdm-np create mode 100644 server/modules/auth-freiburg/etc/pam.d/login create mode 100644 server/modules/auth-freiburg/etc/pam.d/other create mode 100644 server/modules/auth-freiburg/etc/pam.d/passwd create mode 100644 server/modules/auth-freiburg/etc/pam.d/sshd create mode 100644 server/modules/auth-freiburg/etc/pam.d/vmware-authd create mode 100644 server/modules/auth-freiburg/etc/pam.d/xdm create mode 100755 server/modules/auth-freiburg/etc/profile.d/00-autostart.sh create mode 100644 server/modules/auth-freiburg/etc/sssd/sssd.conf create mode 120000 server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service create mode 120000 server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service create mode 100644 server/modules/auth-freiburg/etc/systemd/system/rpc-gssd.service create mode 100644 server/modules/auth-freiburg/etc/systemd/system/rpc-idmapd.service create mode 100644 server/modules/auth-freiburg/etc/systemd/system/run-rpc_pipefs.mount create mode 100644 server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent delete mode 100644 server/modules/pam-freiburg/etc/gssapi_mech.conf delete mode 100644 server/modules/pam-freiburg/etc/idmapd.conf delete mode 100644 server/modules/pam-freiburg/etc/krb5.conf delete mode 100644 server/modules/pam-freiburg/etc/ldap/ldap.conf delete mode 100644 server/modules/pam-freiburg/etc/nsswitch.conf delete mode 100644 server/modules/pam-freiburg/etc/pam.d/common-account delete mode 100644 server/modules/pam-freiburg/etc/pam.d/common-auth delete mode 100644 server/modules/pam-freiburg/etc/pam.d/common-password delete mode 100644 server/modules/pam-freiburg/etc/pam.d/common-session delete mode 100644 server/modules/pam-freiburg/etc/pam.d/common-session-noninteractive delete mode 100644 server/modules/pam-freiburg/etc/pam.d/kdm delete mode 100644 server/modules/pam-freiburg/etc/pam.d/kdm-np delete mode 100644 server/modules/pam-freiburg/etc/pam.d/login delete mode 100644 server/modules/pam-freiburg/etc/pam.d/other delete mode 100644 server/modules/pam-freiburg/etc/pam.d/passwd delete mode 100644 server/modules/pam-freiburg/etc/pam.d/sshd delete mode 100644 server/modules/pam-freiburg/etc/pam.d/vmware-authd delete mode 100644 server/modules/pam-freiburg/etc/pam.d/xdm delete mode 100755 server/modules/pam-freiburg/etc/profile.d/00-autostart.sh delete mode 100644 server/modules/pam-freiburg/etc/sssd/sssd.conf delete mode 120000 server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service delete mode 120000 server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service delete mode 100644 server/modules/pam-freiburg/etc/systemd/system/rpc-gssd.service delete mode 100644 server/modules/pam-freiburg/etc/systemd/system/rpc-idmapd.service delete mode 100644 server/modules/pam-freiburg/etc/systemd/system/run-rpc_pipefs.mount delete mode 100644 server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent diff --git a/server/modules/auth-freiburg/etc/gssapi_mech.conf b/server/modules/auth-freiburg/etc/gssapi_mech.conf new file mode 100644 index 00000000..ac41f5fd --- /dev/null +++ b/server/modules/auth-freiburg/etc/gssapi_mech.conf @@ -0,0 +1,21 @@ +# Example /etc/gssapi_mech.conf file +# +# GSSAPI Mechanism Definitions +# +# This configuration file determines which GSS-API mechanisms +# the gssd code should use +# +# NOTE: +# The initiaiization function "mechglue_internal_krb5_init" +# is used for the MIT krb5 gssapi mechanism. This special +# function name indicates that an internal function should +# be used to determine the entry points for the MIT gssapi +# mechanism funtions. +# +# library initialization function +# ================================ ========================== +# The MIT K5 gssapi library, use special function for initialization. +libgssapi_krb5.so.2 mechglue_internal_krb5_init +# +# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize. +# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize diff --git a/server/modules/auth-freiburg/etc/idmapd.conf b/server/modules/auth-freiburg/etc/idmapd.conf new file mode 100644 index 00000000..2253cf0d --- /dev/null +++ b/server/modules/auth-freiburg/etc/idmapd.conf @@ -0,0 +1,12 @@ +[General] + +Verbosity = 0 +Pipefs-Directory = /run/rpc_pipefs +# set your own domain here, if id differs from FQDN minus hostname +Domain = uni-freiburg.de +# localdomain + +[Mapping] + +Nobody-User = nobody +Nobody-Group = nogroup diff --git a/server/modules/auth-freiburg/etc/krb5.conf b/server/modules/auth-freiburg/etc/krb5.conf new file mode 100644 index 00000000..6fd49243 --- /dev/null +++ b/server/modules/auth-freiburg/etc/krb5.conf @@ -0,0 +1,28 @@ +# file copied from configuration package (rootfs/etc/krb5.conf) +######################################################################### +[libdefaults] + noaddresses = false + clockskew = 300 + default_realm = PUBLIC.ADS.UNI-FREIBURG.DE + forwardable = true + minimum_uid = 1000 + proxiable = false + renew_lifetime = 30d + retain_after_close = false + ticket_lifetime = 3d + use_shmem = sshd + allow_weak_crypto=true +######################################################################### +[realms] + PUBLIC.ADS.UNI-FREIBURG.DE = { + kdc = kerberos.uni-freiburg.de + default_domain = uni-freiburg.de + admin_server = kerberos.uni-freiburg.de + } +######################################################################### +[domain_realm] + uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE + .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE +########################################################################## +[appdefaults] +######################################################################### diff --git a/server/modules/auth-freiburg/etc/ldap/ldap.conf b/server/modules/auth-freiburg/etc/ldap/ldap.conf new file mode 100644 index 00000000..3e7dad17 --- /dev/null +++ b/server/modules/auth-freiburg/etc/ldap/ldap.conf @@ -0,0 +1,11 @@ +URI ldaps://ldap.ruf.uni-freiburg.de ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de +BASE ou=people,dc=uni-freiburg,dc=de +BIND_TIMELIMIT 5 +TIMELIMIT 10 +LOGDIR /tmp/ldap +TLS_REQCERT allow +nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled) +nss_base_group ou=group,dc=uni-freiburg,dc=de?one +nss_map_attribute homeDirectory rufClientHome + +nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,distccd,games,git,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data diff --git a/server/modules/auth-freiburg/etc/nsswitch.conf b/server/modules/auth-freiburg/etc/nsswitch.conf new file mode 100644 index 00000000..94e5c180 --- /dev/null +++ b/server/modules/auth-freiburg/etc/nsswitch.conf @@ -0,0 +1,19 @@ +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. +# If you have the `glibc-doc-reference' and `info' packages installed, try: +# `info libc "Name Service Switch"' for information about this file. + +passwd: cache compat sss +group: cache compat sss +shadow: compat + +hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis diff --git a/server/modules/auth-freiburg/etc/pam.d/common-account b/server/modules/auth-freiburg/etc/pam.d/common-account new file mode 100644 index 00000000..179158f7 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/common-account @@ -0,0 +1,26 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so +account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/auth-freiburg/etc/pam.d/common-auth b/server/modules/auth-freiburg/etc/pam.d/common-auth new file mode 100644 index 00000000..e04c5c74 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/common-auth @@ -0,0 +1,28 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000 +auth [success=2 default=ignore] pam_unix.so try_first_pass +auth [success=1 default=ignore] pam_sss.so use_first_pass +# here's the fallback if no module succeeds +auth requisite pam_deny.so +auth optional pam_script.so expose=1 +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/auth-freiburg/etc/pam.d/common-password b/server/modules/auth-freiburg/etc/pam.d/common-password new file mode 100644 index 00000000..cb8c7b71 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/common-password @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/server/modules/auth-freiburg/etc/pam.d/common-session b/server/modules/auth-freiburg/etc/pam.d/common-session new file mode 100644 index 00000000..be55be0d --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/common-session @@ -0,0 +1,37 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session required pam_systemd.so +session optional pam_env.so readenv=1 +session optional pam_env.so readenv=1 envfile=/etc/default/locale +session optional pam_krb5.so minimum_uid=1000 +session [success=1] pam_unix.so +session [success=ok] pam_sss.so +session sufficient pam_script.so +session optional pam_mkhomedir.so skel=/etc/skel umask=0022 +# end of pam-auth-update config diff --git a/server/modules/auth-freiburg/etc/pam.d/common-session-noninteractive b/server/modules/auth-freiburg/etc/pam.d/common-session-noninteractive new file mode 100644 index 00000000..1fee2c4f --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/common-session-noninteractive @@ -0,0 +1,30 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config diff --git a/server/modules/auth-freiburg/etc/pam.d/kdm b/server/modules/auth-freiburg/etc/pam.d/kdm new file mode 100644 index 00000000..e6a4ec9b --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/kdm @@ -0,0 +1,10 @@ +# +# /etc/pam.d/kdm - specify the PAM behaviour of kdm +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +auth include common-auth +account include common-account +password include common-password +session include common-session diff --git a/server/modules/auth-freiburg/etc/pam.d/kdm-np b/server/modules/auth-freiburg/etc/pam.d/kdm-np new file mode 100644 index 00000000..dc10e5b5 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/kdm-np @@ -0,0 +1,11 @@ +# +# /etc/pam.d/kdm-np - specify the PAM behaviour of kdm for passwordless logins +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +session required pam_limits.so +account include common-account +password include common-password +session include common-session +auth required pam_permit.so diff --git a/server/modules/auth-freiburg/etc/pam.d/login b/server/modules/auth-freiburg/etc/pam.d/login new file mode 100644 index 00000000..1065f351 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/login @@ -0,0 +1,101 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +# OpenSLX: Not Needed? +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# TODO do we need this? +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +#auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# TODO do we need this? +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +#session required pam_limits.so + +# TODO check if this is needed +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Standard Un*x account and session +account include common-account +session include common-session +password include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/server/modules/auth-freiburg/etc/pam.d/other b/server/modules/auth-freiburg/etc/pam.d/other new file mode 100644 index 00000000..840eb77f --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/other @@ -0,0 +1,10 @@ +#%PAM-1.0 +auth required pam_warn.so +auth required pam_deny.so +account required pam_warn.so +account required pam_deny.so +password required pam_warn.so +password required pam_deny.so +session required pam_warn.so +session required pam_deny.so + diff --git a/server/modules/auth-freiburg/etc/pam.d/passwd b/server/modules/auth-freiburg/etc/pam.d/passwd new file mode 100644 index 00000000..32eaa3c6 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/passwd @@ -0,0 +1,6 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +password include common-password + diff --git a/server/modules/auth-freiburg/etc/pam.d/sshd b/server/modules/auth-freiburg/etc/pam.d/sshd new file mode 100644 index 00000000..8954d639 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/sshd @@ -0,0 +1,41 @@ +# PAM configuration for the Secure Shell service + +# Read environment variables from /etc/environment and +# /etc/security/pam_env.conf. +auth required pam_env.so # [1] +# In Debian 4.0 (etch), locale-related environment variables were moved to +# /etc/default/locale, so read that as well. +auth required pam_env.so envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# Disallow non-root logins when /etc/nologin exists. +account required pam_nologin.so + +# Uncomment and edit /etc/security/access.conf if you need to set complex +# access limits that are hard to express in sshd_config. +# account required pam_access.so + +# Standard Un*x authorization. +account include common-account + +# Standard Un*x session setup and teardown. +session include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so # [1] + +# TODO do we need this? +# Print the status of the user's mailbox upon successful login. +#session optional pam_mail.so standard noenv # [1] + +# TODO do we need this? +# Set up user limits from /etc/security/limits.conf. +#session required pam_limits.so + +# Set up SELinux capabilities (need modified pam) +# session required pam_selinux.so multiple + +# Standard Un*x password updating. +password include common-password diff --git a/server/modules/auth-freiburg/etc/pam.d/vmware-authd b/server/modules/auth-freiburg/etc/pam.d/vmware-authd new file mode 100644 index 00000000..1f9b60f9 --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/vmware-authd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session include common-session + diff --git a/server/modules/auth-freiburg/etc/pam.d/xdm b/server/modules/auth-freiburg/etc/pam.d/xdm new file mode 100644 index 00000000..d21651db --- /dev/null +++ b/server/modules/auth-freiburg/etc/pam.d/xdm @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session required pam_loginuid.so +session include common-session diff --git a/server/modules/auth-freiburg/etc/profile.d/00-autostart.sh b/server/modules/auth-freiburg/etc/profile.d/00-autostart.sh new file mode 100755 index 00000000..642aa002 --- /dev/null +++ b/server/modules/auth-freiburg/etc/profile.d/00-autostart.sh @@ -0,0 +1,40 @@ +#!/bin/ash + +TEMP_HOME_DIR="$HOME" +PERSISTENT_HOME_DIR="$HOME/PERSISTENT" + +if [ -d "$PERSISTENT_HOME_DIR" ]; then + + # Persistent home was mounted, take care of some conveinience + # Dirs + for file in .vim .mozilla .thunderbird .config/chromium .config/htop .config/openslx .config/xfce4; do + [ -e "$TEMP_HOME_DIR/$file" ] && break + if [ "x$(dirname "$file")" != "x." ]; then + mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")" + fi + if [ ! -d "$PERSISTENT_HOME_DIR/$file" ]; then + mkdir -p "$PERSISTENT_HOME_DIR/$file" + fi + ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file" + done + # Files + for file in .bashrc .profile .vimrc .gitconfig; do + [ -e "$TEMP_HOME_DIR/$file" ] && break + if [ "x$(dirname "$file")" != "x." ]; then + mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")" + fi + if [ ! -e "$PERSISTENT_HOME_DIR/$file" ]; then + touch "$PERSISTENT_HOME_DIR/$file" + fi + ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file" + done + # Check if user has autostart script and run it (so they can create more symlinks etc.) + if [ -x "$PERSISTENT_HOME_DIR/AUTOSTART" ]; then + if cd "$TEMP_HOME_DIR"; then + "$PERSISTENT_HOME_DIR/AUTOSTART" + cd - >/dev/null 2>&1 + fi + fi + +fi + diff --git a/server/modules/auth-freiburg/etc/sssd/sssd.conf b/server/modules/auth-freiburg/etc/sssd/sssd.conf new file mode 100644 index 00000000..7b3d7b51 --- /dev/null +++ b/server/modules/auth-freiburg/etc/sssd/sssd.conf @@ -0,0 +1,60 @@ +[sssd] +config_file_version = 2 +services = nss, pam +#debug_level = 0xffff +# SSSD will not start if you do not configure any domains. +# Add new domain configurations as [domain/] sections, and +# then add the list of domains (in the order you want them to be +# queried) to the "domains" attribute below and uncomment it. +domains = LDAP + +[nss] +filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo + +[pam] + +# Example LDAP domain +[domain/LDAP] +id_provider = ldap +auth_provider = ldap +ldap_tls_reqcert = never +# ldap_schema can be set to "rfc2307", which stores group member names in the +# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in +# the "member" attribute. If you do not know this value, ask your LDAP +# administrator. +ldap_schema = rfc2307bis +ldap_uri = ldaps://ldap.ruf.uni-freiburg.de +ldap_backup_uri = ldaps://bv1.ruf.uni-freiburg.de,ldaps://bv2.ruf.uni-freiburg.de,ldaps://bv3.ruf.uni-freiburg.de +ldap_group_search_base = ou=group,dc=uni-freiburg,dc=de +ldap_user_search_base = ou=people,dc=uni-freiburg,dc=de +ldap_user_home_directory = rufClientHome +ldap_search_base = ou=people,dc=uni-freiburg,dc=de +# Note that enabling enumeration will have a moderate performance impact. +# Consequently, the default value for enumeration is FALSE. +# Refer to the sssd.conf man page for full details. +; enumerate = false +# Allow offline logins by locally storing password hashes (default: false). +cache_credentials = true + +# An example Active Directory domain. Please note that this configuration +# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis +# compliant attribute names. To support UNIX clients with AD 2003 or older, +# you must install Microsoft Services For Unix and map LDAP attributes onto +# msSFU30* attribute names. +;[domain/AD] +;id_provider = ldap +;auth_provider = krb5 +;chpass_provider = krb5 + +;ldap_uri = ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de +;ldap_search_base = ou=people,dc=uni-freiburg,dc=de +;ldap_schema = rfc2307bis +;ldap_sasl_mech = GSSAPI +;ldap_user_object_class = user +;ldap_group_object_class = group +;ldap_user_principal = userPrincipalName +;ldap_account_expire_policy = ad +;ldap_force_upper_case_realm = true +; +; krb5_server = your.ad.example.com +; krb5_realm = EXAMPLE.COM diff --git a/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service b/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service new file mode 120000 index 00000000..194aba77 --- /dev/null +++ b/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service @@ -0,0 +1 @@ +../rpc-gssd.service \ No newline at end of file diff --git a/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service new file mode 120000 index 00000000..66a28252 --- /dev/null +++ b/server/modules/auth-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service @@ -0,0 +1 @@ +../rpc-idmapd.service \ No newline at end of file diff --git a/server/modules/auth-freiburg/etc/systemd/system/rpc-gssd.service b/server/modules/auth-freiburg/etc/systemd/system/rpc-gssd.service new file mode 100644 index 00000000..79ffce8d --- /dev/null +++ b/server/modules/auth-freiburg/etc/systemd/system/rpc-gssd.service @@ -0,0 +1,7 @@ +[Unit] +Description=NFS rpcsec_gss daemon +Requires=run-rpc_pipefs.mount +After=run-rpc_pipefs.mount + +[Service] +ExecStart=/usr/sbin/rpc.gssd -f -vvv -p /run/rpc_pipefs diff --git a/server/modules/auth-freiburg/etc/systemd/system/rpc-idmapd.service b/server/modules/auth-freiburg/etc/systemd/system/rpc-idmapd.service new file mode 100644 index 00000000..c4da93e7 --- /dev/null +++ b/server/modules/auth-freiburg/etc/systemd/system/rpc-idmapd.service @@ -0,0 +1,7 @@ +[Unit] +Description=NFSv4 ID-name mapping daemon +Requires=network.target run-rpc_pipefs.mount +After=network.target + +[Service] +ExecStart=/usr/sbin/rpc.idmapd -f diff --git a/server/modules/auth-freiburg/etc/systemd/system/run-rpc_pipefs.mount b/server/modules/auth-freiburg/etc/systemd/system/run-rpc_pipefs.mount new file mode 100644 index 00000000..692adce8 --- /dev/null +++ b/server/modules/auth-freiburg/etc/systemd/system/run-rpc_pipefs.mount @@ -0,0 +1,7 @@ +[Unit] +Description=Pipefs RPC filesystem + +[Mount] +What=rpc_pipefs +Where=/run/rpc_pipefs +Type=rpc_pipefs diff --git a/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent b/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent new file mode 100644 index 00000000..dbe6ef01 --- /dev/null +++ b/server/modules/auth-freiburg/opt/openslx/scripts/pam_script_mount_persistent @@ -0,0 +1,99 @@ +################################################################### +# +# This script is a part of the pam_script_ses_open script +# and is not stand-alone! +# +# It will try to mount the home directories of students +# under /home//PERSISTENT using cifs/kerberos. +# + +# Only run this if PAM_USER is not a local user. +if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then + + # determine fileserver and share for home directories + ldapsearch -x -LLL uid="${PAM_USER}" rufHomepath homeDirectory rufFileserver> "/tmp/ldapsearch.${PAM_USER}" || \ + { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; } + + CIFS_VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufHomepath | cut -d" " -f2 | tr '\\' '/') + + if [ ! -z "${CIFS_VOLUME}" ]; then + # now we can mount the home directory! + MOUNT_OPTS="-t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,file_mode=0700,dir_mode=0700,nobrl,noacl" + export USER="${PAM_USER}" + export PASSWD="${PAM_AUTHTOK}" + + SIGNAL=$(mktemp) + MOUNT_OUTPUT=$(mktemp) + rm -f -- "${SIGNAL}" + ( mount -v ${MOUNT_OPTS} "${CIFS_VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) & + MOUNT_PID=$! + for COUNTER in 1 2 4 4; do + kill -0 "${MOUNT_PID}" 2>/dev/null || break + sleep "${COUNTER}" + done + + if [ -e "${SIGNAL}" ]; then + slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" + rm -f -- "${SIGNAL}" + elif kill -9 "${MOUNT_PID}" 2>/dev/null; then + slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" + else + PERSISTENT_OK=yes + fi + ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) & + else + slxlog "pam-freiburg-ldap-cifs-volume" "LDAP server did not provide 'rufHomepath'. Aborting mount for ${PAM_USER}." + fi + + # unset credentials + unset USER + unset PASSWD + + # check if cifs mount worked. + if [ -z "$PERSISTENT_OK" ]; then + + # determine the server and paths to the user's home directory + FILESERVER=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufFileserver | cut -d" " -f2) + VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep homeDirectory | cut -d" " -f2) + + [ -z "${FILESERVER}" ] && slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}." && exit 1 + [ -z "${VOLUME}" ] && slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}." && exit 1 + + # generate keytab (try twice :)) + sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ + sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ + { slxlog "pam-freiburg-sslconnect" "Could not get /etc/krb5.keytab from npserv.ruf.uni-freiburg.de"; [ ! -s /etc/krb5.keytab ] && exit 1; } + + chmod 600 /etc/krb5.keytab || \ + { slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 /etc/krb5.keytab'"; exit 1; } + + MOUNT_OPTS="-t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy" + + if echo "$FILESERVER" | grep -q "sunfs6"; then + MOUNT_OPTS="${MOUNT_OPTS},sec=krb5i" + else + MOUNT_OPTS="${MOUNT_OPTS},sec=krb5p" + fi + + SIGNAL=$(mktemp) + MOUNT_OUTPUT=$(mktemp) + rm -f -- "${SIGNAL}" + ( mount -v ${MOUNT_OPTS} "${FILESERVER}:${VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) & + MOUNT_PID=$! + for COUNTER in 1 2 4 4; do + kill -0 "${MOUNT_PID}" 2>/dev/null || break + sleep "${COUNTER}" + done + + if [ -e "${SIGNAL}" ]; then + slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" + rm -f -- "${SIGNAL}" + elif kill -9 "${MOUNT_PID}" 2>/dev/null; then + slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" + else + PERSISTENT_OK=yes + fi + ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) & + fi +fi + diff --git a/server/modules/pam-freiburg/etc/gssapi_mech.conf b/server/modules/pam-freiburg/etc/gssapi_mech.conf deleted file mode 100644 index ac41f5fd..00000000 --- a/server/modules/pam-freiburg/etc/gssapi_mech.conf +++ /dev/null @@ -1,21 +0,0 @@ -# Example /etc/gssapi_mech.conf file -# -# GSSAPI Mechanism Definitions -# -# This configuration file determines which GSS-API mechanisms -# the gssd code should use -# -# NOTE: -# The initiaiization function "mechglue_internal_krb5_init" -# is used for the MIT krb5 gssapi mechanism. This special -# function name indicates that an internal function should -# be used to determine the entry points for the MIT gssapi -# mechanism funtions. -# -# library initialization function -# ================================ ========================== -# The MIT K5 gssapi library, use special function for initialization. -libgssapi_krb5.so.2 mechglue_internal_krb5_init -# -# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize. -# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize diff --git a/server/modules/pam-freiburg/etc/idmapd.conf b/server/modules/pam-freiburg/etc/idmapd.conf deleted file mode 100644 index 2253cf0d..00000000 --- a/server/modules/pam-freiburg/etc/idmapd.conf +++ /dev/null @@ -1,12 +0,0 @@ -[General] - -Verbosity = 0 -Pipefs-Directory = /run/rpc_pipefs -# set your own domain here, if id differs from FQDN minus hostname -Domain = uni-freiburg.de -# localdomain - -[Mapping] - -Nobody-User = nobody -Nobody-Group = nogroup diff --git a/server/modules/pam-freiburg/etc/krb5.conf b/server/modules/pam-freiburg/etc/krb5.conf deleted file mode 100644 index 6fd49243..00000000 --- a/server/modules/pam-freiburg/etc/krb5.conf +++ /dev/null @@ -1,28 +0,0 @@ -# file copied from configuration package (rootfs/etc/krb5.conf) -######################################################################### -[libdefaults] - noaddresses = false - clockskew = 300 - default_realm = PUBLIC.ADS.UNI-FREIBURG.DE - forwardable = true - minimum_uid = 1000 - proxiable = false - renew_lifetime = 30d - retain_after_close = false - ticket_lifetime = 3d - use_shmem = sshd - allow_weak_crypto=true -######################################################################### -[realms] - PUBLIC.ADS.UNI-FREIBURG.DE = { - kdc = kerberos.uni-freiburg.de - default_domain = uni-freiburg.de - admin_server = kerberos.uni-freiburg.de - } -######################################################################### -[domain_realm] - uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE - .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE -########################################################################## -[appdefaults] -######################################################################### diff --git a/server/modules/pam-freiburg/etc/ldap/ldap.conf b/server/modules/pam-freiburg/etc/ldap/ldap.conf deleted file mode 100644 index 3e7dad17..00000000 --- a/server/modules/pam-freiburg/etc/ldap/ldap.conf +++ /dev/null @@ -1,11 +0,0 @@ -URI ldaps://ldap.ruf.uni-freiburg.de ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de -BASE ou=people,dc=uni-freiburg,dc=de -BIND_TIMELIMIT 5 -TIMELIMIT 10 -LOGDIR /tmp/ldap -TLS_REQCERT allow -nss_base_passwd ou=people,dc=uni-freiburg,dc=de?one?rufdienst=ldap*)(&(rufclienthome=*)(rufstatus=enabled) -nss_base_group ou=group,dc=uni-freiburg,dc=de?one -nss_map_attribute homeDirectory rufClientHome - -nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,distccd,games,git,gnats,hplip,irc,kdm,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data diff --git a/server/modules/pam-freiburg/etc/nsswitch.conf b/server/modules/pam-freiburg/etc/nsswitch.conf deleted file mode 100644 index 94e5c180..00000000 --- a/server/modules/pam-freiburg/etc/nsswitch.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/nsswitch.conf -# -# Example configuration of GNU Name Service Switch functionality. -# If you have the `glibc-doc-reference' and `info' packages installed, try: -# `info libc "Name Service Switch"' for information about this file. - -passwd: cache compat sss -group: cache compat sss -shadow: compat - -hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis diff --git a/server/modules/pam-freiburg/etc/pam.d/common-account b/server/modules/pam-freiburg/etc/pam.d/common-account deleted file mode 100644 index 179158f7..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/common-account +++ /dev/null @@ -1,26 +0,0 @@ -# -# /etc/pam.d/common-account - authorization settings common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of the authorization modules that define -# the central access policy for use on the system. The default is to -# only deny service to users whose accounts are expired in /etc/shadow. -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. -# - -# here are the per-package modules (the "Primary" block) -account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=1 new_authtok_reqd=done default=ignore] pam_sss.so use_first_pass -# here's the fallback if no module succeeds -account requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -account required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/server/modules/pam-freiburg/etc/pam.d/common-auth b/server/modules/pam-freiburg/etc/pam.d/common-auth deleted file mode 100644 index e04c5c74..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/common-auth +++ /dev/null @@ -1,28 +0,0 @@ -# -# /etc/pam.d/common-auth - authentication settings common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of the authentication modules that define -# the central authentication scheme for use on the system -# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the -# traditional Unix authentication mechanisms. -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000 -auth [success=2 default=ignore] pam_unix.so try_first_pass -auth [success=1 default=ignore] pam_sss.so use_first_pass -# here's the fallback if no module succeeds -auth requisite pam_deny.so -auth optional pam_script.so expose=1 -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -auth required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/server/modules/pam-freiburg/etc/pam.d/common-password b/server/modules/pam-freiburg/etc/pam.d/common-password deleted file mode 100644 index cb8c7b71..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/common-password +++ /dev/null @@ -1,33 +0,0 @@ -# -# /etc/pam.d/common-password - password-related modules common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define the services to be -# used to change user passwords. The default is pam_unix. - -# Explanation of pam_unix options: -# -# The "sha512" option enables salted SHA512 passwords. Without this option, -# the default is Unix crypt. Prior releases used the option "md5". -# -# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in -# login.defs. -# -# See the pam_unix manpage for other options. - -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -password [success=1 default=ignore] pam_unix.so obscure sha512 -# here's the fallback if no module succeeds -password requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -password required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/server/modules/pam-freiburg/etc/pam.d/common-session b/server/modules/pam-freiburg/etc/pam.d/common-session deleted file mode 100644 index be55be0d..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/common-session +++ /dev/null @@ -1,37 +0,0 @@ -# -# /etc/pam.d/common-session - session-related modules common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define tasks to be performed -# at the start and end of sessions of *any* kind (both interactive and -# non-interactive). -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -# and here are more per-package modules (the "Additional" block) -session required pam_systemd.so -session optional pam_env.so readenv=1 -session optional pam_env.so readenv=1 envfile=/etc/default/locale -session optional pam_krb5.so minimum_uid=1000 -session [success=1] pam_unix.so -session [success=ok] pam_sss.so -session sufficient pam_script.so -session optional pam_mkhomedir.so skel=/etc/skel umask=0022 -# end of pam-auth-update config diff --git a/server/modules/pam-freiburg/etc/pam.d/common-session-noninteractive b/server/modules/pam-freiburg/etc/pam.d/common-session-noninteractive deleted file mode 100644 index 1fee2c4f..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/common-session-noninteractive +++ /dev/null @@ -1,30 +0,0 @@ -# -# /etc/pam.d/common-session-noninteractive - session-related modules -# common to all non-interactive services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define tasks to be performed -# at the start and end of all non-interactive sessions. -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# The pam_umask module will set the umask according to the system default in -# /etc/login.defs and user settings, solving the problem of different -# umask settings with different shells, display managers, remote sessions etc. -# See "man pam_umask". -session optional pam_umask.so -# and here are more per-package modules (the "Additional" block) -session required pam_unix.so -# end of pam-auth-update config diff --git a/server/modules/pam-freiburg/etc/pam.d/kdm b/server/modules/pam-freiburg/etc/pam.d/kdm deleted file mode 100644 index e6a4ec9b..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/kdm +++ /dev/null @@ -1,10 +0,0 @@ -# -# /etc/pam.d/kdm - specify the PAM behaviour of kdm -# -auth required pam_nologin.so -auth required pam_env.so readenv=1 -auth required pam_env.so readenv=1 envfile=/etc/default/locale -auth include common-auth -account include common-account -password include common-password -session include common-session diff --git a/server/modules/pam-freiburg/etc/pam.d/kdm-np b/server/modules/pam-freiburg/etc/pam.d/kdm-np deleted file mode 100644 index dc10e5b5..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/kdm-np +++ /dev/null @@ -1,11 +0,0 @@ -# -# /etc/pam.d/kdm-np - specify the PAM behaviour of kdm for passwordless logins -# -auth required pam_nologin.so -auth required pam_env.so readenv=1 -auth required pam_env.so readenv=1 envfile=/etc/default/locale -session required pam_limits.so -account include common-account -password include common-password -session include common-session -auth required pam_permit.so diff --git a/server/modules/pam-freiburg/etc/pam.d/login b/server/modules/pam-freiburg/etc/pam.d/login deleted file mode 100644 index 1065f351..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/login +++ /dev/null @@ -1,101 +0,0 @@ -# -# The PAM configuration file for the Shadow `login' service -# - -# Enforce a minimal delay in case of failure (in microseconds). -# (Replaces the `FAIL_DELAY' setting from login.defs) -# Note that other modules may require another minimal delay. (for example, -# to disable any delay, you should add the nodelay option to pam_unix) -auth optional pam_faildelay.so delay=3000000 - -# Outputs an issue file prior to each login prompt (Replaces the -# ISSUE_FILE option from login.defs). Uncomment for use -# auth required pam_issue.so issue=/etc/issue - -# Disallows root logins except on tty's listed in /etc/securetty -# (Replaces the `CONSOLE' setting from login.defs) -# -# With the default control of this module: -# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] -# root will not be prompted for a password on insecure lines. -# if an invalid username is entered, a password is prompted (but login -# will eventually be rejected) -# -# You can change it to a "requisite" module if you think root may mis-type -# her login and should not be prompted for a password in that case. But -# this will leave the system as vulnerable to user enumeration attacks. -# -# You can change it to a "required" module if you think it permits to -# guess valid user names of your system (invalid user names are considered -# as possibly being root on insecure lines), but root passwords may be -# communicated over insecure lines. -auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so - -# Disallows other than root logins when /etc/nologin exists -# (Replaces the `NOLOGINS_FILE' option from login.defs) -auth requisite pam_nologin.so - -# SELinux needs to be the first session rule. This ensures that any -# lingering context has been cleared. Without out this it is possible -# that a module could execute code in the wrong domain. -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) -# OpenSLX: Not Needed? -#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Standard Un*x authentication. -auth include common-auth - -# TODO do we need this? -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -#auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. -# (Replaces /etc/login.access file) -# account required pam_access.so - -# TODO do we need this? -# Sets up user limits according to /etc/security/limits.conf -# (Replaces the use of /etc/limits in old login) -#session required pam_limits.so - -# TODO check if this is needed -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - -# Prints the motd upon succesful login -# (Replaces the `MOTD_FILE' option in login.defs) -session optional pam_motd.so - -# Standard Un*x account and session -account include common-account -session include common-session -password include common-password - -# SELinux needs to intervene at login time to ensure that the process -# starts in the proper default security context. Only sessions which are -# intended to run in the user's context should be run after this. -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open -# When the module is present, "required" would be sufficient (When SELinux -# is disabled, this returns success.) diff --git a/server/modules/pam-freiburg/etc/pam.d/other b/server/modules/pam-freiburg/etc/pam.d/other deleted file mode 100644 index 840eb77f..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/other +++ /dev/null @@ -1,10 +0,0 @@ -#%PAM-1.0 -auth required pam_warn.so -auth required pam_deny.so -account required pam_warn.so -account required pam_deny.so -password required pam_warn.so -password required pam_deny.so -session required pam_warn.so -session required pam_deny.so - diff --git a/server/modules/pam-freiburg/etc/pam.d/passwd b/server/modules/pam-freiburg/etc/pam.d/passwd deleted file mode 100644 index 32eaa3c6..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/passwd +++ /dev/null @@ -1,6 +0,0 @@ -# -# The PAM configuration file for the Shadow `passwd' service -# - -password include common-password - diff --git a/server/modules/pam-freiburg/etc/pam.d/sshd b/server/modules/pam-freiburg/etc/pam.d/sshd deleted file mode 100644 index 8954d639..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/sshd +++ /dev/null @@ -1,41 +0,0 @@ -# PAM configuration for the Secure Shell service - -# Read environment variables from /etc/environment and -# /etc/security/pam_env.conf. -auth required pam_env.so # [1] -# In Debian 4.0 (etch), locale-related environment variables were moved to -# /etc/default/locale, so read that as well. -auth required pam_env.so envfile=/etc/default/locale - -# Standard Un*x authentication. -auth include common-auth - -# Disallow non-root logins when /etc/nologin exists. -account required pam_nologin.so - -# Uncomment and edit /etc/security/access.conf if you need to set complex -# access limits that are hard to express in sshd_config. -# account required pam_access.so - -# Standard Un*x authorization. -account include common-account - -# Standard Un*x session setup and teardown. -session include common-session - -# Print the message of the day upon successful login. -session optional pam_motd.so # [1] - -# TODO do we need this? -# Print the status of the user's mailbox upon successful login. -#session optional pam_mail.so standard noenv # [1] - -# TODO do we need this? -# Set up user limits from /etc/security/limits.conf. -#session required pam_limits.so - -# Set up SELinux capabilities (need modified pam) -# session required pam_selinux.so multiple - -# Standard Un*x password updating. -password include common-password diff --git a/server/modules/pam-freiburg/etc/pam.d/vmware-authd b/server/modules/pam-freiburg/etc/pam.d/vmware-authd deleted file mode 100644 index 1f9b60f9..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/vmware-authd +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password -session include common-session - diff --git a/server/modules/pam-freiburg/etc/pam.d/xdm b/server/modules/pam-freiburg/etc/pam.d/xdm deleted file mode 100644 index d21651db..00000000 --- a/server/modules/pam-freiburg/etc/pam.d/xdm +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session diff --git a/server/modules/pam-freiburg/etc/profile.d/00-autostart.sh b/server/modules/pam-freiburg/etc/profile.d/00-autostart.sh deleted file mode 100755 index 642aa002..00000000 --- a/server/modules/pam-freiburg/etc/profile.d/00-autostart.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/ash - -TEMP_HOME_DIR="$HOME" -PERSISTENT_HOME_DIR="$HOME/PERSISTENT" - -if [ -d "$PERSISTENT_HOME_DIR" ]; then - - # Persistent home was mounted, take care of some conveinience - # Dirs - for file in .vim .mozilla .thunderbird .config/chromium .config/htop .config/openslx .config/xfce4; do - [ -e "$TEMP_HOME_DIR/$file" ] && break - if [ "x$(dirname "$file")" != "x." ]; then - mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")" - fi - if [ ! -d "$PERSISTENT_HOME_DIR/$file" ]; then - mkdir -p "$PERSISTENT_HOME_DIR/$file" - fi - ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file" - done - # Files - for file in .bashrc .profile .vimrc .gitconfig; do - [ -e "$TEMP_HOME_DIR/$file" ] && break - if [ "x$(dirname "$file")" != "x." ]; then - mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")" - fi - if [ ! -e "$PERSISTENT_HOME_DIR/$file" ]; then - touch "$PERSISTENT_HOME_DIR/$file" - fi - ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file" - done - # Check if user has autostart script and run it (so they can create more symlinks etc.) - if [ -x "$PERSISTENT_HOME_DIR/AUTOSTART" ]; then - if cd "$TEMP_HOME_DIR"; then - "$PERSISTENT_HOME_DIR/AUTOSTART" - cd - >/dev/null 2>&1 - fi - fi - -fi - diff --git a/server/modules/pam-freiburg/etc/sssd/sssd.conf b/server/modules/pam-freiburg/etc/sssd/sssd.conf deleted file mode 100644 index 7b3d7b51..00000000 --- a/server/modules/pam-freiburg/etc/sssd/sssd.conf +++ /dev/null @@ -1,60 +0,0 @@ -[sssd] -config_file_version = 2 -services = nss, pam -#debug_level = 0xffff -# SSSD will not start if you do not configure any domains. -# Add new domain configurations as [domain/] sections, and -# then add the list of domains (in the order you want them to be -# queried) to the "domains" attribute below and uncomment it. -domains = LDAP - -[nss] -filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo - -[pam] - -# Example LDAP domain -[domain/LDAP] -id_provider = ldap -auth_provider = ldap -ldap_tls_reqcert = never -# ldap_schema can be set to "rfc2307", which stores group member names in the -# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in -# the "member" attribute. If you do not know this value, ask your LDAP -# administrator. -ldap_schema = rfc2307bis -ldap_uri = ldaps://ldap.ruf.uni-freiburg.de -ldap_backup_uri = ldaps://bv1.ruf.uni-freiburg.de,ldaps://bv2.ruf.uni-freiburg.de,ldaps://bv3.ruf.uni-freiburg.de -ldap_group_search_base = ou=group,dc=uni-freiburg,dc=de -ldap_user_search_base = ou=people,dc=uni-freiburg,dc=de -ldap_user_home_directory = rufClientHome -ldap_search_base = ou=people,dc=uni-freiburg,dc=de -# Note that enabling enumeration will have a moderate performance impact. -# Consequently, the default value for enumeration is FALSE. -# Refer to the sssd.conf man page for full details. -; enumerate = false -# Allow offline logins by locally storing password hashes (default: false). -cache_credentials = true - -# An example Active Directory domain. Please note that this configuration -# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis -# compliant attribute names. To support UNIX clients with AD 2003 or older, -# you must install Microsoft Services For Unix and map LDAP attributes onto -# msSFU30* attribute names. -;[domain/AD] -;id_provider = ldap -;auth_provider = krb5 -;chpass_provider = krb5 - -;ldap_uri = ldaps://bv1.ruf.uni-freiburg.de ldaps://bv2.ruf.uni-freiburg.de ldaps://bv3.ruf.uni-freiburg.de -;ldap_search_base = ou=people,dc=uni-freiburg,dc=de -;ldap_schema = rfc2307bis -;ldap_sasl_mech = GSSAPI -;ldap_user_object_class = user -;ldap_group_object_class = group -;ldap_user_principal = userPrincipalName -;ldap_account_expire_policy = ad -;ldap_force_upper_case_realm = true -; -; krb5_server = your.ad.example.com -; krb5_realm = EXAMPLE.COM diff --git a/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service b/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service deleted file mode 120000 index 194aba77..00000000 --- a/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-gssd.service +++ /dev/null @@ -1 +0,0 @@ -../rpc-gssd.service \ No newline at end of file diff --git a/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service deleted file mode 120000 index 66a28252..00000000 --- a/server/modules/pam-freiburg/etc/systemd/system/getty.target.wants/rpc-idmapd.service +++ /dev/null @@ -1 +0,0 @@ -../rpc-idmapd.service \ No newline at end of file diff --git a/server/modules/pam-freiburg/etc/systemd/system/rpc-gssd.service b/server/modules/pam-freiburg/etc/systemd/system/rpc-gssd.service deleted file mode 100644 index 79ffce8d..00000000 --- a/server/modules/pam-freiburg/etc/systemd/system/rpc-gssd.service +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=NFS rpcsec_gss daemon -Requires=run-rpc_pipefs.mount -After=run-rpc_pipefs.mount - -[Service] -ExecStart=/usr/sbin/rpc.gssd -f -vvv -p /run/rpc_pipefs diff --git a/server/modules/pam-freiburg/etc/systemd/system/rpc-idmapd.service b/server/modules/pam-freiburg/etc/systemd/system/rpc-idmapd.service deleted file mode 100644 index c4da93e7..00000000 --- a/server/modules/pam-freiburg/etc/systemd/system/rpc-idmapd.service +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=NFSv4 ID-name mapping daemon -Requires=network.target run-rpc_pipefs.mount -After=network.target - -[Service] -ExecStart=/usr/sbin/rpc.idmapd -f diff --git a/server/modules/pam-freiburg/etc/systemd/system/run-rpc_pipefs.mount b/server/modules/pam-freiburg/etc/systemd/system/run-rpc_pipefs.mount deleted file mode 100644 index 692adce8..00000000 --- a/server/modules/pam-freiburg/etc/systemd/system/run-rpc_pipefs.mount +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Pipefs RPC filesystem - -[Mount] -What=rpc_pipefs -Where=/run/rpc_pipefs -Type=rpc_pipefs diff --git a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent deleted file mode 100644 index dbe6ef01..00000000 --- a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent +++ /dev/null @@ -1,99 +0,0 @@ -################################################################### -# -# This script is a part of the pam_script_ses_open script -# and is not stand-alone! -# -# It will try to mount the home directories of students -# under /home//PERSISTENT using cifs/kerberos. -# - -# Only run this if PAM_USER is not a local user. -if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then - - # determine fileserver and share for home directories - ldapsearch -x -LLL uid="${PAM_USER}" rufHomepath homeDirectory rufFileserver> "/tmp/ldapsearch.${PAM_USER}" || \ - { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; } - - CIFS_VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufHomepath | cut -d" " -f2 | tr '\\' '/') - - if [ ! -z "${CIFS_VOLUME}" ]; then - # now we can mount the home directory! - MOUNT_OPTS="-t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,file_mode=0700,dir_mode=0700,nobrl,noacl" - export USER="${PAM_USER}" - export PASSWD="${PAM_AUTHTOK}" - - SIGNAL=$(mktemp) - MOUNT_OUTPUT=$(mktemp) - rm -f -- "${SIGNAL}" - ( mount -v ${MOUNT_OPTS} "${CIFS_VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) & - MOUNT_PID=$! - for COUNTER in 1 2 4 4; do - kill -0 "${MOUNT_PID}" 2>/dev/null || break - sleep "${COUNTER}" - done - - if [ -e "${SIGNAL}" ]; then - slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" - rm -f -- "${SIGNAL}" - elif kill -9 "${MOUNT_PID}" 2>/dev/null; then - slxlog "pam-freiburg-cifs" "Mount of '${CIFS_VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" - else - PERSISTENT_OK=yes - fi - ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) & - else - slxlog "pam-freiburg-ldap-cifs-volume" "LDAP server did not provide 'rufHomepath'. Aborting mount for ${PAM_USER}." - fi - - # unset credentials - unset USER - unset PASSWD - - # check if cifs mount worked. - if [ -z "$PERSISTENT_OK" ]; then - - # determine the server and paths to the user's home directory - FILESERVER=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufFileserver | cut -d" " -f2) - VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep homeDirectory | cut -d" " -f2) - - [ -z "${FILESERVER}" ] && slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}." && exit 1 - [ -z "${VOLUME}" ] && slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}." && exit 1 - - # generate keytab (try twice :)) - sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ - sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ - { slxlog "pam-freiburg-sslconnect" "Could not get /etc/krb5.keytab from npserv.ruf.uni-freiburg.de"; [ ! -s /etc/krb5.keytab ] && exit 1; } - - chmod 600 /etc/krb5.keytab || \ - { slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 /etc/krb5.keytab'"; exit 1; } - - MOUNT_OPTS="-t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy" - - if echo "$FILESERVER" | grep -q "sunfs6"; then - MOUNT_OPTS="${MOUNT_OPTS},sec=krb5i" - else - MOUNT_OPTS="${MOUNT_OPTS},sec=krb5p" - fi - - SIGNAL=$(mktemp) - MOUNT_OUTPUT=$(mktemp) - rm -f -- "${SIGNAL}" - ( mount -v ${MOUNT_OPTS} "${FILESERVER}:${VOLUME}" "${PERSISTENT_HOME_DIR}" > "$MOUNT_OUTPUT" 2>&1 || touch "${SIGNAL}" ) & - MOUNT_PID=$! - for COUNTER in 1 2 4 4; do - kill -0 "${MOUNT_PID}" 2>/dev/null || break - sleep "${COUNTER}" - done - - if [ -e "${SIGNAL}" ]; then - slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" - rm -f -- "${SIGNAL}" - elif kill -9 "${MOUNT_PID}" 2>/dev/null; then - slxlog "pam-freiburg-krb" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "$MOUNT_OUTPUT" - else - PERSISTENT_OK=yes - fi - ( sleep 2; rm -f -- "$MOUNT_OUTPUT" ) & - fi -fi - -- cgit v1.2.3-55-g7522