From 48e0da0a1006ad9babdf9d3356a5c68069bb8244 Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Tue, 18 Jun 2013 13:11:12 +0200
Subject: [pam] add config files for rpc services

---
 remote/modules/pam/data/etc/gssapi_mech.conf | 21 +++++++++++++++++++++
 remote/modules/pam/data/etc/idmapd.conf | 12 ++++++++++++
 .../system/getty.target.wants/rpc-sercices.service | 1 +
 .../data/etc/systemd/system/rpc-sercices.service | 8 ++++++++
 4 files changed, 42 insertions(+)
 create mode 100644 remote/modules/pam/data/etc/gssapi_mech.conf
 create mode 100644 remote/modules/pam/data/etc/idmapd.conf
 create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
 create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-sercices.service

(limited to 'remote/modules/pam/data')

diff --git a/remote/modules/pam/data/etc/gssapi_mech.conf b/remote/modules/pam/data/etc/gssapi_mech.conf
new file mode 100644
index 00000000..ac41f5fd
--- /dev/null
+++ b/remote/modules/pam/data/etc/gssapi_mech.conf
@@ -0,0 +1,21 @@
+# Example /etc/gssapi_mech.conf file
+#
+# GSSAPI Mechanism Definitions
+#
+# This configuration file determines which GSS-API mechanisms
+# the gssd code should use
+#
+# NOTE:
+# The initiaiization function "mechglue_internal_krb5_init"
+# is used for the MIT krb5 gssapi mechanism. This special
+# function name indicates that an internal function should
+# be used to determine the entry points for the MIT gssapi
+# mechanism funtions.
+#
+# library initialization function
+# ================================ ==========================
+# The MIT K5 gssapi library, use special function for initialization.
+libgssapi_krb5.so.2 mechglue_internal_krb5_init
+#
+# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize.
+# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize 
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
new file mode 100644
index 00000000..61cfe2d9
--- /dev/null
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -0,0 +1,12 @@
+[General]
+
+Verbosity = 0
+Pipefs-Directory = /run/rpc_pipefs
+# set your own domain here, if id differs from FQDN minus hostname
+Domain = uni-freiburg.de
+ # localdomain
+
+[Mapping]
+
+Nobody-User = nobody
+Nobody-Group = nogroup
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
new file mode 120000
index 00000000..f68f14b9
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
@@ -0,0 +1 @@
+../rpc-sercices.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
new file mode 100644
index 00000000..db6b115a
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Start RPC services
+Requires=activate-nss-ldap.service
+After=activate-nss-ldap.service
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd
+ExecStart=/usr/sbin/rpc.idmapd
-- 
cgit v1.2.3-55-g7522

From 24023c6869de453e675d77be97f7e6cf48ed3a39 Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Tue, 18 Jun 2013 19:08:00 +0200
Subject: [pam] home directory per kerberos (alpha)

---
 remote/modules/pam/data/etc/idmapd.conf | 2 +-
 remote/modules/pam/data/etc/pam.d/common-account | 1 +
 remote/modules/pam/data/etc/pam.d/common-auth | 3 ++-
 remote/modules/pam/data/etc/pam.d/common-session | 6 ++++--
 .../data/etc/systemd/system/getty.target.wants/rpc-gssd.service | 1 +
 .../data/etc/systemd/system/getty.target.wants/rpc-idmapd.service | 1 +
 .../etc/systemd/system/getty.target.wants/rpc-sercices.service | 1 -
 remote/modules/pam/data/etc/systemd/system/rpc-gssd.service | 7 +++++++
 remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service | 7 +++++++
 remote/modules/pam/data/etc/systemd/system/rpc-sercices.service | 8 --------
 remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount | 7 +++++++
 .../modules/pam/data/usr/share/libpam-script/pam_script_ses_close | 1 +
 .../modules/pam/data/usr/share/libpam-script/pam_script_ses_open | 1 +
 remote/modules/pam/pam.conf | 2 ++
 14 files changed, 35 insertions(+), 13 deletions(-)
 create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
 create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
 delete mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
 create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
 create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
 delete mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
 create mode 100644 remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
 create mode 120000 remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
 create mode 120000 remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open

(limited to 'remote/modules/pam/data')
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
index 61cfe2d9..2253cf0d 100644
--- a/remote/modules/pam/data/etc/idmapd.conf
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -4,7 +4,7 @@ Verbosity = 0
 Pipefs-Directory = /run/rpc_pipefs
 # set your own domain here, if id differs from FQDN minus hostname
 Domain = uni-freiburg.de
- # localdomain
+# localdomain
 
 [Mapping]
 
diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account
index 3a5d5a14..26055551 100644
--- a/remote/modules/pam/data/etc/pam.d/common-account
+++ b/remote/modules/pam/data/etc/pam.d/common-account
@@ -23,4 +23,5 @@ account requisite pam_deny.so
 # since the modules above will each just jump around
 account required pam_permit.so
 # and here are more per-package modules (the "Additional" block)
+account required pam_krb5.so
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..088ed13f 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-auth [success=2 default=ignore] pam_unix.so
+auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
 auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..e3180dd4 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
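Review bot: The new `account required pam_krb5.so` line carries no `minimum_uid=1000`, while the pam_krb5 lines this same commit adds to common-auth and common-session do; as written, pam_krb5 account management also runs for system accounts below UID 1000, and because the line is `required`, any failure it returns for them denies access. If the intent is to exempt those accounts consistently, use `account required pam_krb5.so minimum_uid=1000`. Whether pam_krb5 returns ignore or a failure for a user who did not authenticate through Kerberos depends on the module version and is not visible here, so the consistency fix is the safe one either way.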
@@ -26,8 +26,10 @@ session required pam_permit.so
 # See "man pam_umask".
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
-session [success=1] pam_unix.so
-session [success=ok] pam_ldap.so
+session [success=3] pam_unix.so
+session [success=2] pam_krb5.so minimum_uid=1000
+session [success=1] pam_ldap.so
 session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_script.so
 session required pam_systemd.so kill-session-processes=1
 # end of pam-auth-update config
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
new file mode 120000
index 00000000..194aba77
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
@@ -0,0 +1 @@
+../rpc-gssd.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
new file mode 120000
index 00000000..66a28252
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
@@ -0,0 +1 @@
+../rpc-idmapd.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
deleted file mode 120000
index f68f14b9..00000000
--- a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service
+++ /dev/null
@@ -1 +0,0 @@
-../rpc-sercices.service
\ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
new file mode 100644
index 00000000..6623428d
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
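Review bot: With the new jump counts no success path reaches `pam_mkhomedir.so` any more: `pam_unix.so [success=3]` skips krb5, ldap and mkhomedir, `pam_krb5.so [success=2]` skips ldap and mkhomedir, and `pam_ldap.so [success=1]` skips mkhomedir, so all three land on `pam_script.so`. If the NFS home mount done by the pam-script hook is meant to replace local home creation, remove the `pam_mkhomedir.so` line rather than leaving it unreachable; if not, the counts need to drop by one (`[success=2]`, `[success=1]`, `[success=ok]`) so it still runs before `pam_script.so`. Because `pam_script.so` is `optional`, a failed mount in the hook does not stop the session, which is presumably intended but worth a comment on that line.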
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
deleted file mode 100644
index db6b115a..00000000
--- a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Start RPC services
-Requires=activate-nss-ldap.service
-After=activate-nss-ldap.service
-
-[Service]
-ExecStart=/usr/sbin/rpc.gssd
-ExecStart=/usr/sbin/rpc.idmapd
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close
\ No newline at end of file
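Review bot: `ExecStart=/usr/sbin/rpc.gssd -f -vvv` ships maximum debug verbosity in a permanent unit; at that level rpc.gssd is expected to log its per-user credential searches and upcalls to the journal, which is noise on a working system and exposes more per-user detail in logs than a multi-user machine needs. Keep `-f` (required for a foreground service) and drop the rest, `ExecStart=/usr/sbin/rpc.gssd -f`, enabling the verbosity through a drop-in only while debugging. The unit has no `[Install]` section and is pulled in solely by the hand-made symlink in `getty.target.wants/`, which `systemctl enable`/`disable` cannot manage; a comment in the unit saying so would save the next maintainer a search.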
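Review bot: In rpc-idmapd.service, `Requires=network.target run-rpc_pipefs.mount` is not mirrored by the `After=` line, which names only `network.target`; `Requires=` without a matching `After=` gives activation but no ordering, so rpc.idmapd may be started before `/run/rpc_pipefs` is mounted and fail to open its pipe there. Change the line to `After=network.target run-rpc_pipefs.mount`, as rpc-gssd.service in this same commit already does for the mount.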
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
new file mode 120000
index 00000000..783d5605
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_open
\ No newline at end of file
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf
index 5f762481..38600f01 100644
--- a/remote/modules/pam/pam.conf
+++ b/remote/modules/pam/pam.conf
@@ -6,6 +6,7 @@ REQUIRED_INSTALLED_PACKAGES="
 krb5-config
 libpam-krb5
 libssl-dev
+ ldap-utils
 "
 REQUIRED_CONTENT_PACKAGES="
 libpam0g
@@ -31,6 +32,7 @@ REQUIRED_BINARIES="
 umount.crypt_LUKS
 mount.crypto_LUKS
 umount.crypto_LUKS
+ ldapsearch
 "
 REQUIRED_DIRECTORIES="
 /lib
-- 
cgit v1.2.3-55-g7522

From 4bdc2a150ad01d08fdff3654629552f13ec13052 Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Wed, 19 Jun 2013 10:41:24 +0200
Subject: [pam] scripts to be executed on session open/close by pam-script module

---
 .../pam/data/etc/pam-script/pam_script_ses_close | 3 +++
 .../pam/data/etc/pam-script/pam_script_ses_open | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100755 remote/modules/pam/data/etc/pam-script/pam_script_ses_close
 create mode 100755 remote/modules/pam/data/etc/pam-script/pam_script_ses_open

(limited to 'remote/modules/pam/data')

diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
new file mode 100755
index 00000000..13311eea
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "[$PAM_TYPE] Closing session for $PAM_USER"
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
new file mode 100755
index 00000000..86386267
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
+
+echo "[$PAM_TYPE] Opening session for $PAM_USER"
+echo "[$PAM_TYPE] Mounting home directory for $PAM_USER"
+
+# generate keytab
+sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab
+chmod 600 /etc/krb5.keytab
+
+# determine fileserver and share for home directories
+ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver > /tmp/ldapsearch."$PAM_USER"
+
+FILESERVER=$(cat /tmp/ldapsearch.$PAM_USER | grep rufFileserver | cut -d" " -f2)
+VOLUME=$(cat /tmp/ldapsearch.$PAM_USER | grep homeDirectory | cut -d" " -f2)
+
+# now we can mount the home directory
+mkdir -p /home/$PAM_USER
+mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER" \
+ || echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER"
-- 
cgit v1.2.3-55-g7522

From 635919e8647c0be5e605ee7f8f3324d172e271cf Mon Sep 17 00:00:00 2001
From: Jonathan Bauer
Date: Wed, 19 Jun 2013 19:25:39 +0200
Subject: [pam] umount home dir upon session close

---
 remote/modules/pam/data/etc/pam-script/pam_script_ses_close | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'remote/modules/pam/data')

diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
index 13311eea..48e778e2 100755
--- a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -1,3 +1,5 @@
 #!/bin/bash
 
 echo "[$PAM_TYPE] Closing session for $PAM_USER"
+
+umount /home/$PAM_USER
-- 
cgit v1.2.3-55-g7522

From 60ccf93389f79118357fca96f2be4966f30fbfb8 Mon Sep 17 00:00:00 2001
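Review bot: The LDAP result is written by root to `/tmp/ldapsearch."$PAM_USER"`, a predictable name in a world-writable directory, and then read back to decide which NFS source root mounts; keep the output in a shell variable instead, and refuse to mount when FILESERVER or VOLUME comes back empty (today an empty pair produces the mount source `:`). The keytab block has a similar fragility: `sslconnect … > /etc/krb5.keytab` truncates the live keytab before the fetch has succeeded, so a failed fetch leaves an empty keytab behind for every later session — write to a temporary file and move it into place only on success, and quote `$PAM_USER` in `mkdir -p /home/$PAM_USER` as the mount line already does. Whether the anonymous `ldapsearch -x` is acceptable depends on the directory's bind and TLS policy, which is not visible here, so that is left as a question. The rewritten middle section follows; the PATH export, the echo lines and the mount command itself are unchanged.
```shell
#!/bin/bash
# … unchanged: PATH export and the two "Opening/Mounting" echo lines …

# generate keytab: fetch into a temporary file and only replace the live keytab
# on success, so a failed fetch cannot leave an empty /etc/krb5.keytab behind
KEYTAB_TMP=$(mktemp /etc/krb5.keytab.XXXXXX) || exit 1
if sslconnect npserv.ruf.uni-freiburg.de:3 > "$KEYTAB_TMP" && [ -s "$KEYTAB_TMP" ]; then
	chmod 600 "$KEYTAB_TMP"
	mv -f "$KEYTAB_TMP" /etc/krb5.keytab
else
	rm -f "$KEYTAB_TMP"
	echo "[$PAM_TYPE] Could not fetch keytab, not mounting home directory for $PAM_USER"
	exit 1
fi

# determine fileserver and share for home directories; keep the result in a
# variable rather than a predictably named file under /tmp
LDAP_RESULT=$(ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver)
FILESERVER=$(printf '%s\n' "$LDAP_RESULT" | grep rufFileserver | cut -d" " -f2)
VOLUME=$(printf '%s\n' "$LDAP_RESULT" | grep homeDirectory | cut -d" " -f2)

if [ -z "$FILESERVER" ] || [ -z "$VOLUME" ]; then
	echo "[$PAM_TYPE] No fileserver/home directory found for $PAM_USER, not mounting"
	exit 1
fi

# now we can mount the home directory
mkdir -p /home/"$PAM_USER"
# … unchanged: mount -t nfs4 … || echo "… Failed to mount …" …
```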
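Review bot: In pam_script_ses_close, `umount /home/$PAM_USER` leaves the user name unquoted (the open script quotes it on its mount line) and reports nothing when the unmount fails, for instance because the mount never succeeded or processes still hold the directory; `umount /home/"$PAM_USER" || echo "[$PAM_TYPE] Failed to unmount home directory for $PAM_USER"` keeps the two scripts consistent and makes the failure visible in the same place the mount failure is. The whole five-line script is within the hunk.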
From: Jonathan Bauer
Date: Wed, 19 Jun 2013 23:03:34 +0200
Subject: [pam] added missing config file, added missing packets

---
 remote/modules/pam/data/etc/krb5.conf | 28 ++++++++++++++++++++++++++++
 remote/modules/pam/pam.build | 10 +++++++++-
 remote/modules/pam/pam.conf | 2 ++
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 remote/modules/pam/data/etc/krb5.conf

(limited to 'remote/modules/pam/data')

diff --git a/remote/modules/pam/data/etc/krb5.conf b/remote/modules/pam/data/etc/krb5.conf
new file mode 100644
index 00000000..6fd49243
--- /dev/null
+++ b/remote/modules/pam/data/etc/krb5.conf
@@ -0,0 +1,28 @@
+# file copied from configuration package (rootfs/etc/krb5.conf)
+#########################################################################
+[libdefaults]
+ noaddresses = false
+ clockskew = 300
+ default_realm = PUBLIC.ADS.UNI-FREIBURG.DE
+ forwardable = true
+ minimum_uid = 1000
+ proxiable = false
+ renew_lifetime = 30d
+ retain_after_close = false
+ ticket_lifetime = 3d
+ use_shmem = sshd
+ allow_weak_crypto=true
+#########################################################################
+[realms]
+ PUBLIC.ADS.UNI-FREIBURG.DE = {
+ kdc = kerberos.uni-freiburg.de
+ default_domain = uni-freiburg.de
+ admin_server = kerberos.uni-freiburg.de
+ }
+#########################################################################
+[domain_realm]
+ uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE
+ .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE
+##########################################################################
+[appdefaults]
+#########################################################################
diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build
index 292171a2..1fc65091 100644
--- a/remote/modules/pam/pam.build
+++ b/remote/modules/pam/pam.build
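Review bot: `allow_weak_crypto=true` in `[libdefaults]` re-enables the single-DES encryption types that MIT Kerberos disables by default; if a legacy service in this realm still requires them, record that reason in a comment on the line, otherwise drop it so the client only negotiates the stronger enctypes the KDC offers. The pam-krb5 options placed in the same section (`minimum_uid`, `retain_after_close`, `use_shmem`) are documented as `[appdefaults]` settings, and that section is left empty here; depending on the Kerberos library in use they may be ignored under `[libdefaults]`, so moving them into a `pam = { … }` block under `[appdefaults]` would make the intent unambiguous and match the inline `minimum_uid=1000` used in the pam.d files.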
@@ -5,6 +5,7 @@ fetch_source() { build() { mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin" gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c" + list_packet_files > /tmp/jonathan tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}" } @@ -12,5 +13,12 @@ post_copy() { if [ ! -d "${TARGET_BUILD_DIR}/run/rpc_pipefs" ]; then mkdir -p "${TARGET_BUILD_DIR}/run/rpc_pipefs" || pwarning "Could not mkdir ${TARGET_BUILD_DIR}/run/rpc_pipefs" fi - + + # find libnfsidmap run-time library directory + SEARCH=$(dirname "$(list_packet_files | sort -u | grep "/libsnfsidmap/"|head -1)") + if [ -d "${SEARCH}" ]; then + tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pinfo "Something went wrong copying $SEARCH" + fi + + } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 38600f01..f932749c 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -7,6 +7,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-krb5 libssl-dev ldap-utils + libnfsidmap2 " REQUIRED_CONTENT_PACKAGES=" libpam0g @@ -21,6 +22,7 @@ REQUIRED_CONTENT_PACKAGES=" krb5-config libpam-krb5 libpam-mount + libnfsidmap2 " REQUIRED_BINARIES=" rpc.gssd -- cgit v1.2.3-55-g7522
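Review bot: `list_packet_files > /tmp/jonathan` in `build()` looks like a debugging leftover: it dumps the module's file list to a fixed, personally named path in the world-writable `/tmp`, clobbering whatever already exists under that name, and nothing in the hunk reads it back. Remove the line before merge; if the list is useful for diagnostics, route it through `pinfo` or write it below `${MODULE_BUILD_DIR}` instead. The `build()` function is fully visible in this hunk, its closing brace being the last context line.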
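Review bot: In the `post_copy()` hunk, `grep "/libsnfsidmap/"` cannot match anything the package added in pam.conf (`libnfsidmap2`) installs — its library directory is presumably `/libnfsidmap/` — so the pipeline yields an empty string, `dirname ""` prints `.`, `[ -d "." ]` is true, and `tarcopy "." "${TARGET_BUILD_DIR}"` copies the entire current working directory into the target tree. Fix the pattern and, independently of it, test the grep result for emptiness before deriving a directory from it; a copy failure is also better reported with `pwarning`, matching the `mkdir` line above it. Rewritten block:
```shell
	# find libnfsidmap run-time library directory
	# (guard against an empty match: dirname "" is ".", which would make
	#  tarcopy copy the whole working directory)
	IDMAP_FILE=$(list_packet_files | sort -u | grep "/libnfsidmap/" | head -1)
	if [ -n "${IDMAP_FILE}" ] && [ -d "$(dirname "${IDMAP_FILE}")" ]; then
		SEARCH=$(dirname "${IDMAP_FILE}")
		tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pwarning "Something went wrong copying $SEARCH"
	fi
```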