From 0928db5dc3076437dbbc9b3888533ba7cda8fa28 Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Thu, 27 Jun 2013 18:21:49 +0200
Subject: [pam] krb5 support for home
---
remote/modules/pam/data/etc/pam-script/pam_script_ses_close | 2 ++
remote/modules/pam/data/etc/pam-script/pam_script_ses_open | 9 +++++++--
remote/modules/pam/data/etc/pam.d/common-auth | 3 ++-
remote/modules/pam/data/etc/pam.d/common-session | 4 +++-
4 files changed, 14 insertions(+), 4 deletions(-)
(limited to 'remote/modules/pam/data')
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
index b5fa5ba7..8bc8d3bb 100755
--- a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -1,5 +1,7 @@
 #!/bin/bash
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
+
 echo "[$PAM_TYPE] Closing session for $PAM_USER"
 [ $(id -g $PAM_USER) -eq 1001 ] && umount /home/$PAM_USER
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
index 4acc74cc..79a94169 100755
--- a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
@@ -19,7 +19,12 @@ if [ $(id -g $PAM_USER) -eq 1001 ]; then
 # now we can mount the home directory
 mkdir -p /home/$PAM_USER
- mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER" \
- || echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER"
+ if mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER"; then
+ exit 0
+ else
+ echo "Failed to mount home directory for $PAM_USER"
+ exit 1
+ fi
+
 fi
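Review bot: The added `export PATH=...` in pam_script_ses_close puts four /opt/openslx directories on the search path of a script that the PAM stack presumably runs as root, and nothing in the hunk records why or what is assumed about those directories. A comment above the export would make the assumption reviewable, e.g. `# pam_script gives us a minimal environment; every directory listed here must be root-owned and not group/world-writable`. The unqualified `id` and `umount` calls below are resolved through this PATH, so the ownership of each entry is part of the script's trust boundary. Whether pam_script_ses_open sets the same PATH cannot be seen here, because its hunk starts at line 19.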
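Review bot: The new failure branch in pam_script_ses_open prints `Failed to mount home directory for $PAM_USER` without the `[$PAM_TYPE]` prefix that the removed line and pam_script_ses_close use, and it writes to stdout rather than stderr. `echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER" >&2` keeps the log lines consistent and greppable. The `exit 1` is only as strict as the control flag on pam_script.so: with the `session sufficient pam_script.so` line this commit adds to common-session, a failed krb5p mount does not stop the login. The enclosing `if` begins above the hunk, so what runs before the mount is not visible here.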
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..5b544395 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.
 # here are the per-package modules (the "Primary" block)
-auth [success=2 default=ignore] pam_unix.so
+auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
 auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..9210dfbb 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
@@ -26,8 +26,10 @@ session required pam_permit.so
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
+session required pam_systemd.so
+session optional pam_krb5.so minimum_uid=1000
 session [success=1] pam_unix.so
 session [success=ok] pam_ldap.so
+session sufficient pam_script.so
 session optional pam_mkhomedir.so skel=/etc/skel umask=0022
-session required pam_systemd.so kill-session-processes=1
 # end of pam-auth-update config
--
cgit v1.2.3-55-g7522
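Review bot: The `success=3` / `success=2` / `success=1` skip counts in common-auth are hand-maintained in a file whose own header refers to pam-auth-update, so a regenerated file or one inserted line silently changes which module a successful login jumps to. A comment above the block, such as `# success=N skips the next N lines; recount when adding or removing a module`, would make that dependency explicit. Separately, pam_krb5.so is now the first password check for every uid >= 1000, so it is worth confirming that the client validates the KDC reply against the host keytab (for example `verify_ap_req_nofail = true` in krb5.conf) rather than accepting any reply that decrypts. The line the jumps land on is below pam_deny.so and outside the hunk, so the target is inferred.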
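Review bot: `session sufficient pam_script.so` in common-session makes the home mount fail-open: the new `exit 1` in pam_script_ses_open is ignored for a `sufficient` module, the stack continues to pam_mkhomedir.so, and the user is logged in with a local /home directory instead of the krb5p-mounted one. On success the opposite applies, since `sufficient` ends the stack there and pam_mkhomedir.so plus anything after the `# end of pam-auth-update config` marker is skipped. If that behaviour is intended it deserves a comment on the line; if a missing home should block the login, `required` is the flag that expresses it. The commit also drops `kill-session-processes=1` from pam_systemd.so without mentioning it, and leftover processes could plausibly keep /home/$PAM_USER busy when pam_script_ses_close runs `umount`.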