From cf35ac015534781cc3abdee8e0114a4842d9543d Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Fri, 14 Jun 2013 17:04:38 +0200 Subject: [systemd] enable pam support (fixes pam_systemd.so missing) --- remote/modules/systemd/systemd.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'remote/modules') diff --git a/remote/modules/systemd/systemd.build b/remote/modules/systemd/systemd.build index 027024cf..8f4081e3 100644 --- a/remote/modules/systemd/systemd.build +++ b/remote/modules/systemd/systemd.build @@ -21,7 +21,7 @@ build () { pinfo "Building systemd" cd "${MODULE_DIR}/src/$REQUIRED_VERSION" pinfo "calling configure" - ./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no --disable-nls --disable-microhttpd --disable-bootchart --disable-quotacheck --disable-hostnamed --disable-timedated --disable-localed --disable-coredump --disable-keymap --without-python --enable-blkid --enable-acl || perror "configure failed." + ./configure --disable-manpages --enable-split-usr --sysconfdir="/etc" --enable-gtk-doc-html=no --disable-nls --disable-microhttpd --disable-bootchart --disable-quotacheck --disable-hostnamed --disable-timedated --disable-localed --disable-coredump --disable-keymap --without-python --enable-blkid --enable-acl --enable-pam|| perror "configure failed." pinfo "calling make" make || perror "make failed." pinfo "calling make install" -- cgit v1.2.3-55-g7522 From bf735f4076f7703dee868346a76697c968fd4371 Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Fri, 14 Jun 2013 17:51:12 +0200 Subject: [systemd] add missing pam header --- remote/modules/systemd/systemd.conf | 1 + 1 file changed, 1 insertion(+) (limited to 'remote/modules') diff --git a/remote/modules/systemd/systemd.conf b/remote/modules/systemd/systemd.conf index 2a81a5b9..fbe5cb8b 100644 --- a/remote/modules/systemd/systemd.conf +++ b/remote/modules/systemd/systemd.conf 
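Review bot: The added flag is glued to the operator in `--enable-acl --enable-pam|| perror "configure failed."`; bash tokenizes it correctly, but the missing space reads like a typo and breaks the spacing the rest of the line uses. Write `--enable-acl --enable-pam || perror "configure failed."`.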
@@ -35,6 +35,7 @@ REQUIRED_INSTALLED_PACKAGES=" xsltproc libblkid-dev libacl1-dev + libpam-dev " REQUIRED_BINARIES=" hostnamectl journalctl -- cgit v1.2.3-55-g7522 From a208dd09784bef03c8ba80ae77c8aac7cdf0a3f0 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 17 Jun 2013 12:04:16 +0200 Subject: [pam] Add C implementation of sslconnect for UFR-Kerberos --- remote/modules/pam/pam.build | 2 + remote/modules/pam/pam.conf | 52 ++++++---- remote/modules/pam/pam.conf.zypper | 38 +++++-- remote/modules/pam/sslconnect.c | 201 +++++++++++++++++++++++++++++++++++++ 4 files changed, 263 insertions(+), 30 deletions(-) create mode 100644 remote/modules/pam/sslconnect.c (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 4392e64d..ee4ad89a 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -3,6 +3,8 @@ fetch_source() { } build() { + mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin" + gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c" tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}" } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 2d334b52..3b7e78ff 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf 
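Review bot: The new gcc line in build() compiles sslconnect.c with `-O3` and no warning flags, so patterns such as the non-literal printf format that the new source contains go unnoticed at build time. Add at least `-Wall -Wextra -Wformat-security`, e.g. `gcc -Wall -Wextra -Wformat-security -O2 -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto || perror "Could not compile sslconnect.c"`. `-O2` is the usual baseline; `-O3` buys nothing measurable for a program that is bound by network I/O.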
@@ -1,21 +1,31 @@ -REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap - libpam-script" -REQUIRED_CONTENT_PACKAGES=" libpam0g - libpam-modules - libpam-ck-connector - libpam-cap - libpam-script - libldap-2.4-2 - libpam-ldap - libnss-ldap" -REQUIRED_DIRECTORIES=" /lib - /usr/lib - /etc/security" -REQUIRED_SYSTEM_FILES=" /sbin/mkhomedir_helper - /etc/pam.conf - /etc/login.defs - /etc/securetty - /etc/default/locale - /lib/security - /lib/${ARCH_TRIPLET}/security" +REQUIRED_INSTALLED_PACKAGES=" + libpam-ldap + libnss-ldap + libpam-script + libssl-dev +" +REQUIRED_CONTENT_PACKAGES=" + libpam0g + libpam-modules + libpam-ck-connector + libpam-cap + libpam-script + libldap-2.4-2 + libpam-ldap + libnss-ldap +" +REQUIRED_DIRECTORIES=" + /lib + /usr/lib + /etc/security +" +REQUIRED_SYSTEM_FILES=" + /sbin/mkhomedir_helper + /etc/pam.conf + /etc/login.defs + /etc/securetty + /etc/default/locale + /lib/security + /lib/${ARCH_TRIPLET}/security +" + diff --git a/remote/modules/pam/pam.conf.zypper b/remote/modules/pam/pam.conf.zypper index 2defe1bb..29dabc14 100644 --- a/remote/modules/pam/pam.conf.zypper +++ b/remote/modules/pam/pam.conf.zypper @@ -1,10 +1,30 @@ -REQUIRED_INSTALLED_PACKAGES=" pam_ldap pam pam-devel nss_ldap pam-modules" -REQUIRED_CONTENT_PACKAGES=" pam_ldap pam pam-devel nss_ldap pam-modules nss-mdns" -REQUIRED_BINARIES=" mkhomedir_helper" -REQUIRED_DIRECTORIES=" /$LIB64 - /usr/$LIB64 - /etc/security" -REQUIRED_SYSTEM_FILES=" /etc/login.defs - /etc/securetty - /$LIB64/security" +REQUIRED_INSTALLED_PACKAGES=" + pam_ldap + pam + pam-devel + nss_ldap + pam-modules + libopenssl-devel +" +REQUIRED_CONTENT_PACKAGES=" + pam_ldap + pam + pam-devel + nss_ldap + pam-modules + nss-mdns +" +REQUIRED_BINARIES=" + mkhomedir_helper +" +REQUIRED_DIRECTORIES=" + /$LIB64 + /usr/$LIB64 + /etc/security +" +REQUIRED_SYSTEM_FILES=" + /etc/login.defs + /etc/securetty + /$LIB64/security +" 
diff --git a/remote/modules/pam/sslconnect.c b/remote/modules/pam/sslconnect.c new file mode 100644 index 00000000..af43093c --- /dev/null +++ b/remote/modules/pam/sslconnect.c 
@@ -0,0 +1,201 @@ +/************************ + * sslconnect 0.2 + * Last Change: 2013-06-17 + * C Implementation by Simon Rettberg + * Original sslconnect 0.1 was written in perl by Martin Walter + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include +#include + +/* Init libs and data strctures */ +void init(); +/* print error report of something failed */ +void ssl_error(); +/* connect via ssl */ +SSL* ssl_connect(char * host, uint16_t port, uint16_t local_port, SSL_CTX ** ctx); +/* read from ssl connection */ +ssize_t ssl_read(SSL * bio, char * buffer, ssize_t length); +/* write to ssl connection */ +int ssl_write(SSL * bio, char * buffer, ssize_t length); + +int main(int argc, char ** argv); + +void init() +{ + SSL_load_error_strings(); + SSL_library_init(); + OpenSSL_add_all_algorithms(); +} + +void ssl_error(char* message) +{ + fprintf(stderr, message); + fprintf(stderr, "\n%s\n", ERR_error_string(ERR_get_error(), NULL)); + fprintf(stderr, "Details: %s\n", ERR_reason_error_string(ERR_get_error())); + ERR_print_errors_fp(stderr); +} + +SSL* ssl_connect(char * host, uint16_t port, uint16_t local_port, SSL_CTX ** ctx) +{ + int ret = 0; + /* create socket. 
needs to be done manually in order to bind to local port */ + int fd = socket(AF_INET, SOCK_STREAM, 0); + if (fd < 0) { + fprintf(stderr, "Could not create socket.\n"); + return NULL; + } + + struct sockaddr_in sa_dest, sa_local; + memset(&sa_local, 0, sizeof(sa_local)); + memset(&sa_dest, 0, sizeof(sa_dest)); + + sa_local.sin_family = AF_INET; + sa_local.sin_port = htons(local_port); + ret = bind(fd, (struct sockaddr *)&sa_local, sizeof(struct sockaddr)); + if (ret == -1) { + fprintf(stderr, "Could not bind local socket to 0.0.0.0:%d (%d)\n", (int)local_port, (int)errno); + close(fd); + return NULL; + } + + sa_dest.sin_family = AF_INET; + sa_dest.sin_port = htons(port); + struct hostent * rec; + rec = gethostbyname(host); + if (rec == NULL) { + fprintf(stderr, "Error: Invalid host: %s\n", host); + return NULL; + } + memcpy(&(sa_dest.sin_addr), rec->h_addr, sizeof(struct in_addr)); + + ret = connect(fd, (struct sockaddr *)&sa_dest, sizeof(struct sockaddr)); + if (ret == -1) { + fprintf(stderr, "Could not connect to %s:%d (%d)\n", host, (int)port, (int)errno); + close(fd); + return NULL; + } + + /* openssl part */ + SSL * ssl; + + /* Set up the SSL pointers */ + *ctx = SSL_CTX_new(SSLv23_client_method()); + ssl = SSL_new(*ctx); + SSL_set_fd(ssl, fd); + ret = SSL_connect(ssl); + + if (ret <= 0) { + ssl_error("Unable to SSL_connect"); + return NULL; + } + + SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); + + return ssl; +} + +ssize_t ssl_read(SSL * ssl, char * buffer, ssize_t length) +{ + ssize_t ret = -1; + int retries = 10; + + while (ret < 0 && --retries > 0) { + + ret = SSL_read(ssl, buffer, length); + if (ret >= 0) { + return ret; + } + + ssl_error("SSL_read failed"); + return -1; + + } + + return -1; +} + +int ssl_write(SSL * ssl, char * buffer, ssize_t length) +{ + ssize_t ret = -1; + int retries = 10; + + while (ret < 0 && --retries > 0) { + + ret = SSL_write(ssl, buffer, length); + if (ret >= 0) { + return ret; + } + + ssl_error("SSL_write failed"); + return -1; + + 
} + + return -1; +} + +#define READBUF 5000 +int main(int argc, char ** argv) +{ + if (argc < 2) { + fprintf(stderr, "Usage: %s host:port\n", argv[0]); + return 1; + } + + init(); + + char buffer[READBUF]; + SSL_CTX * ctx = NULL; + SSL * ssl; + ssize_t len; + size_t ret; + char * pos; + int port, lport; + pos = strchr(argv[1], ':'); + if (pos == NULL) { + fprintf(stderr, "Error: No Port given.\n"); + return 5; + } + port = atoi(pos+1); + *pos = '\0'; + + lport = rand() % 800 + 95; + + ssl = ssl_connect(argv[1], (uint16_t)port, (uint16_t)lport, &ctx); + if (ssl == NULL) { + return 2; + } + + ssl_write(ssl, "", 0); + for (;;) { + len = ssl_read(ssl, buffer, READBUF); + if (len <= 0) { + break; + } + ret = fwrite(buffer, 1, len, stdout); + if (ret != len) { + fprintf(stderr, "Error: fwrite could not write all received data to stdout.\n"); + return 3; + } + } + + if (len < 0) { + return 4; + } + + return 0; +} + -- cgit v1.2.3-55-g7522 From 263788d5e2e74ad6352797b13baff626da190724 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 17 Jun 2013 12:06:47 +0200 Subject: ° --- remote/modules/pam/pam.conf | 3 +++ remote/modules/pam/pam.conf.zypper | 1 + 2 files changed, 4 insertions(+) (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 3b7e78ff..d76224a4 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -14,6 +14,9 @@ REQUIRED_CONTENT_PACKAGES=" libpam-ldap libnss-ldap " +REQUIRED_BINARIES=" + sslconnect +" REQUIRED_DIRECTORIES=" /lib /usr/lib diff --git a/remote/modules/pam/pam.conf.zypper b/remote/modules/pam/pam.conf.zypper index 29dabc14..698aa1c4 100644 --- a/remote/modules/pam/pam.conf.zypper +++ b/remote/modules/pam/pam.conf.zypper @@ -15,6 +15,7 @@ REQUIRED_CONTENT_PACKAGES=" nss-mdns " REQUIRED_BINARIES=" + sslconnect mkhomedir_helper " REQUIRED_DIRECTORIES=" -- cgit v1.2.3-55-g7522 From 3cb8d05cf0f3fa1bcd3fee2ac804ae6c5b2a1939 Mon Sep 17 00:00:00 2001 
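Review bot: ssl_connect builds the context with `SSL_CTX_new(SSLv23_client_method())` and never calls SSL_CTX_set_verify, so SSL_connect succeeds against any certificate and the channel this tool provides for the Kerberos setup has no protection against active interception; the context should require SSL_VERIFY_PEER, load the CA store with SSL_CTX_set_default_verify_paths, refuse SSLv2/SSLv3 via SSL_CTX_set_options, and check SSL_get_verify_result after the handshake, and a name check of the certificate against host is still needed on top (the OpenSSL release of the time may not offer a helper for that). The same function leaks fd when gethostbyname returns NULL and leaks fd and ssl when SSL_connect fails, since only the bind and connect error paths close the socket. ssl_error passes its argument as the format string in `fprintf(stderr, message);`; every caller passes a literal today, but it should still be `fputs(message, stderr);`. The retry loops in ssl_read and ssl_write never iterate twice, because both branches return inside the first pass, so `retries` is dead, and in main `ret` is a size_t compared with the ssize_t `len`. The rewritten tail of ssl_connect follows.
```c
SSL* ssl_connect(char * host, uint16_t port, uint16_t local_port, SSL_CTX ** ctx)
{
    /* … unchanged: socket(), bind() to local_port, sa_dest setup … */

    struct hostent * rec = gethostbyname(host);
    if (rec == NULL) {
        fprintf(stderr, "Error: Invalid host: %s\n", host);
        close(fd); /* was leaked on this path */
        return NULL;
    }

    /* … unchanged: memcpy of h_addr, connect() … */

    /* openssl part */
    *ctx = SSL_CTX_new(SSLv23_client_method());
    if (*ctx == NULL) {
        ssl_error("SSL_CTX_new failed");
        close(fd);
        return NULL;
    }
    /* SSLv23_client_method() would still negotiate SSLv2/SSLv3; refuse them. */
    SSL_CTX_set_options(*ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
    /* Require a chain to a trusted CA; without this SSL_connect accepts any certificate. */
    SSL_CTX_set_verify(*ctx, SSL_VERIFY_PEER, NULL);
    if (SSL_CTX_set_default_verify_paths(*ctx) != 1) {
        ssl_error("Could not load the system CA store");
        close(fd);
        return NULL;
    }

    SSL * ssl = SSL_new(*ctx);
    if (ssl == NULL) {
        ssl_error("SSL_new failed");
        close(fd);
        return NULL;
    }
    SSL_set_fd(ssl, fd);
    ret = SSL_connect(ssl);
    if (ret <= 0) {
        ssl_error("Unable to SSL_connect");
        SSL_free(ssl);
        close(fd);
        return NULL;
    }
    /* SSL_VERIFY_PEER already aborts the handshake on a bad chain; keep the explicit check as a guard. */
    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        fprintf(stderr, "Certificate of %s could not be verified.\n", host);
        SSL_free(ssl);
        close(fd);
        return NULL;
    }
    /* TODO: also match the certificate's subject/SAN against host; the verify result alone does not bind the certificate to the name. */

    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    return ssl;
}
```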
From: Jonathan Bauer Date: Tue, 18 Jun 2013 13:06:22 +0200 Subject: merge --- remote/modules/pam/pam.build | 5 ++++- remote/modules/pam/pam.conf | 3 ++- remote/rootfs/rootfs-stage32/rootfs-stage32.conf | 5 ++++- 3 files changed, 10 insertions(+), 3 deletions(-) (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 4392e64d..f9a3a213 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -7,5 +7,8 @@ build() { } post_copy() { - : + if [ ! -d "${TARGET_BUILD_DIR}/run/rpc_pipefs" ]; then + mkdir -p "${TARGET_BUILD_DIR}/run/rpc_pipefs" || pwarning "Could not mkdir ${TARGET_BUILD_DIR}/run/rpc_pipefs" + fi + } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 94356d45..3239f9dd 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -23,7 +23,8 @@ REQUIRED_BINARIES=" mount.crypt umount.crypt_LUKS mount.crypto_LUKS umount.crypto_LUKS - perl" + rpc.gssd + rpc.idmapd" REQUIRED_SYSTEM_FILES=" /lib/security/pam_mount.so" REQUIRED_DIRECTORIES=" /lib /usr/lib diff --git a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf index 049c9e08..e2bfbd4a 100644 --- a/remote/rootfs/rootfs-stage32/rootfs-stage32.conf +++ b/remote/rootfs/rootfs-stage32/rootfs-stage32.conf @@ -1,6 +1,9 @@ REQUIRED_MODULES=" kernel" REQUIRED_INSTALLED_PACKAGES="nfs-common squashfs-tools whois xfsprogs" -REQUIRED_BINARIES=" +REQUIRED_BINARIES=" perl + host + rpc.gssd + rpc.idmapd bash more less -- cgit v1.2.3-55-g7522 From f5e7c73cdfc14dcf21193a8b22a611f34db815fe Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Tue, 18 Jun 2013 13:10:29 +0200 Subject: [pam] fix bad commit --- remote/modules/pam/pam.conf | 45 ++------------------------------------------- 1 file changed, 2 insertions(+), 43 deletions(-) (limited to 'remote/modules') 
diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 04b299ab..5f762481 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -1,43 +1,3 @@ -<<<<<<< HEAD -REQUIRED_INSTALLED_PACKAGES=" libpam-ldap - libnss-ldap - libpam-script - krb5-user - krb5-config - libpam-krb5 - libpam-mount" -REQUIRED_CONTENT_PACKAGES=" libpam0g - libpam-modules - libpam-ck-connector - libpam-cap - libpam-script - libldap-2.4-2 - libpam-ldap - libnss-ldap - krb5-user - krb5-config - libpam-krb5 - libpam-mount" -REQUIRED_BINARIES=" mount.crypt - umount.crypt - mount.crypt_LUKS - umount.crypt_LUKS - mount.crypto_LUKS - umount.crypto_LUKS - rpc.gssd - rpc.idmapd" -REQUIRED_SYSTEM_FILES=" /lib/security/pam_mount.so" -REQUIRED_DIRECTORIES=" /lib - /usr/lib - /etc/security" -REQUIRED_SYSTEM_FILES=" /sbin/mkhomedir_helper - /etc/pam.conf - /etc/login.defs - /etc/securetty - /etc/default/locale - /lib/security - /lib/${ARCH_TRIPLET}/security" -======= REQUIRED_INSTALLED_PACKAGES=" libpam-ldap libnss-ldap @@ -45,7 +5,6 @@ REQUIRED_INSTALLED_PACKAGES=" krb5-user krb5-config libpam-krb5 - libpam-mount libssl-dev " REQUIRED_CONTENT_PACKAGES=" @@ -63,6 +22,8 @@ REQUIRED_CONTENT_PACKAGES=" libpam-mount " REQUIRED_BINARIES=" + rpc.gssd + rpc.idmapd sslconnect mount.crypt umount.crypt @@ -85,5 +46,3 @@ REQUIRED_SYSTEM_FILES=" /lib/security /lib/${ARCH_TRIPLET}/security " - ->>>>>>> b7cbad98534b00134197f4ebbf4eed416de8a654 -- cgit v1.2.3-55-g7522 From 48e0da0a1006ad9babdf9d3356a5c68069bb8244 Mon Sep 17 00:00:00 2001 
From: Jonathan Bauer Date: Tue, 18 Jun 2013 13:11:12 +0200 Subject: [pam] add config files for rpc services --- remote/modules/pam/data/etc/gssapi_mech.conf | 21 +++++++++++++++++++++ remote/modules/pam/data/etc/idmapd.conf | 12 ++++++++++++ .../system/getty.target.wants/rpc-sercices.service | 1 + .../data/etc/systemd/system/rpc-sercices.service | 8 ++++++++ 4 files changed, 42 insertions(+) create mode 100644 remote/modules/pam/data/etc/gssapi_mech.conf create mode 100644 remote/modules/pam/data/etc/idmapd.conf create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-sercices.service (limited to 'remote/modules') diff --git a/remote/modules/pam/data/etc/gssapi_mech.conf b/remote/modules/pam/data/etc/gssapi_mech.conf new file mode 100644 index 00000000..ac41f5fd --- /dev/null +++ b/remote/modules/pam/data/etc/gssapi_mech.conf @@ -0,0 +1,21 @@ +# Example /etc/gssapi_mech.conf file +# +# GSSAPI Mechanism Definitions +# +# This configuration file determines which GSS-API mechanisms +# the gssd code should use +# +# NOTE: +# The initiaiization function "mechglue_internal_krb5_init" +# is used for the MIT krb5 gssapi mechanism. This special +# function name indicates that an internal function should +# be used to determine the entry points for the MIT gssapi +# mechanism funtions. +# +# library initialization function +# ================================ ========================== +# The MIT K5 gssapi library, use special function for initialization. +libgssapi_krb5.so.2 mechglue_internal_krb5_init +# +# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize. +# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf new file mode 100644 index 00000000..61cfe2d9 --- /dev/null +++ b/remote/modules/pam/data/etc/idmapd.conf 
@@ -0,0 +1,12 @@ +[General] + +Verbosity = 0 +Pipefs-Directory = /run/rpc_pipefs +# set your own domain here, if id differs from FQDN minus hostname +Domain = uni-freiburg.de + # localdomain + +[Mapping] + +Nobody-User = nobody +Nobody-Group = nogroup diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service new file mode 120000 index 00000000..f68f14b9 --- /dev/null +++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service @@ -0,0 +1 @@ +../rpc-sercices.service \ No newline at end of file diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service new file mode 100644 index 00000000..db6b115a --- /dev/null +++ b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service @@ -0,0 +1,8 @@ +[Unit] +Description=Start RPC services +Requires=activate-nss-ldap.service +After=activate-nss-ldap.service + +[Service] +ExecStart=/usr/sbin/rpc.gssd +ExecStart=/usr/sbin/rpc.idmapd -- cgit v1.2.3-55-g7522 From 079ffa40d9683dee8afe474e13c7f72ca576980d Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Tue, 18 Jun 2013 16:23:56 +0200 Subject: [vmchooser] run-virt.sh: Set volume to 100% instead of 80% on bwPC 4 [pölkit] Fix replacement of polkitd path in systemd service file --- remote/modules/policykit/policykit.build | 1 + .../vmchooser/data/opt/openslx/bin/run-virt.sh | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) (limited to 'remote/modules') diff --git a/remote/modules/policykit/policykit.build b/remote/modules/policykit/policykit.build index 591c180f..52be1221 100644 --- a/remote/modules/policykit/policykit.build +++ b/remote/modules/policykit/policykit.build 
@@ -14,6 +14,7 @@ build () { } post_copy() { + COPYLIST="$MODULE_DIR/list_dpkg_output" local POLPATH="$(grep '/polkitd$' "$COPYLIST" | head -1 | sed -e 's/[\/&]/\\&/g')" [ -n "$POLPATH" ] && sed -i "s/%%POLKITD%%/${POLPATH}/g" "$TARGET_BUILD_DIR/etc/systemd/system/polkitd.service" #Add Polkit User/Group/Shadow to Stage3.2 diff --git a/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh b/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh index 6c08653f..84ece685 100755 --- a/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh +++ b/remote/modules/vmchooser/data/opt/openslx/bin/run-virt.sh @@ -376,15 +376,20 @@ writelog "\tVM Hostname:\t\t$hostname" ################################################################################ ### Setup the rest of the environment and run the configured vm ################################################################################ - +# 8086:1e20 +if lspci -n | grep -E -i '8086:1e20( |$)'; then + VOL="100%" # bwPC 4: Speaker too quiet :-( +else + VOL="80%" +fi # Adjust sound volume #writelog "Unmuting sound...\c " -amixer -q sset Master 80% unmute 2>/dev/null -amixer -q sset PCM 80% unmute 2>/dev/null -amixer -q sset CD 80% unmute 2>/dev/null -amixer -q sset Headphone 80% unmute 2>/dev/null -amixer -q sset Front 80% unmute 2>/dev/null # in SUSE 11.0 it's headphone -amixer -q sset Speaker 80% unmute 2>/dev/null # annoying built-in speaker +amixer -q sset Master "$VOL" unmute 2>/dev/null +amixer -q sset PCM "$VOL" unmute 2>/dev/null +amixer -q sset CD "$VOL" unmute 2>/dev/null +amixer -q sset Headphone "$VOL" unmute 2>/dev/null +amixer -q sset Front "$VOL" unmute 2>/dev/null # in SUSE 11.0 it's headphone +amixer -q sset Speaker "$VOL" unmute 2>/dev/null # annoying built-in speaker #writelog "finished\n" # Copy guest configuration (with added information) config.xml to be accessed -- cgit v1.2.3-55-g7522 From 0686831e2f60f0f6dd77130d4fd1a57b49277168 Mon Sep 17 00:00:00 2001 
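Review bot: The hardware check `if lspci -n | grep -E -i '8086:1e20( |$)'; then` lets the matching lspci line escape to the script's stdout, although only the exit status is wanted. Use `if lspci -n | grep -q -E -i '8086:1e20( |$)'; then` so the test stays silent. The `# 8086:1e20` comment above it only repeats the pattern; a comment naming the device the id stands for would help more than the inline `bwPC 4: Speaker too quiet` remark alone.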
From: Simon Rettberg Date: Tue, 18 Jun 2013 17:41:06 +0200 Subject: [redsocks] NEW MODULE Transparent proxy support module. Works with http-connect, socks, and some others --- remote/modules/redsocks/data/etc/redsocks.conf | 56 ++++++++++++++++++++++ .../system/basic.target.wants/setup_proxy.service | 1 + .../data/etc/systemd/system/redsocks.service | 9 ++++ .../data/etc/systemd/system/setup_proxy.service | 9 ++++ .../redsocks/data/opt/openslx/bin/setup_proxy | 41 ++++++++++++++++ remote/modules/redsocks/redsocks.build | 24 ++++++++++ remote/modules/redsocks/redsocks.conf | 10 ++++ 7 files changed, 150 insertions(+) create mode 100644 remote/modules/redsocks/data/etc/redsocks.conf create mode 120000 remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service create mode 100644 remote/modules/redsocks/data/etc/systemd/system/redsocks.service create mode 100644 remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service create mode 100755 remote/modules/redsocks/data/opt/openslx/bin/setup_proxy create mode 100644 remote/modules/redsocks/redsocks.build create mode 100644 remote/modules/redsocks/redsocks.conf (limited to 'remote/modules') diff --git a/remote/modules/redsocks/data/etc/redsocks.conf b/remote/modules/redsocks/data/etc/redsocks.conf new file mode 100644 index 00000000..c783258f --- /dev/null +++ b/remote/modules/redsocks/data/etc/redsocks.conf 
@@ -0,0 +1,56 @@ +base { + // debug: connection progress & client list on SIGUSR1 + log_debug = off; + + // info: start and end of client session + log_info = off; + + /* possible `log' values are: + * stderr + * "file:/path/to/file" + * syslog:FACILITY facility is any of "daemon", "local0"..."local7" + */ + log = "file:/root/redsocks.log"; + + // detach from console + daemon = on; + + /* Change uid, gid and root directory, these options require root + * privilegies on startup. + * Note, your chroot may requre /etc/localtime if you write log to syslog. + * Log is opened before chroot & uid changing. + */ + user = nobody; + group = nogroup; + // chroot = "/var/chroot"; + + /* possible `redirector' values are: + * iptables - for Linux + * ipf - for FreeBSD + * pf - for OpenBSD + * generic - some generic redirector that MAY work + */ + redirector = iptables; +} + +redsocks { + /* `local_ip' defaults to 127.0.0.1 for security reasons, + * use 0.0.0.0 if you want to listen on every interface. + * `local_*' are used as port to redirect to. + */ + local_ip = 0.0.0.0; + local_port = 12345; + + // `ip' and `port' are IP and tcp-port of proxy-server + ip = %%PROXY_IP%%; + port = %%PROXY_PORT%%; + + + // known types: socks4, socks5, http-connect, http-relay + // type = http-connect; + type = %%PROXY_TYPE%%; + + // login = "foobar"; + // password = "baz"; +} + diff --git a/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service b/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service new file mode 120000 index 00000000..0c7dc84b --- /dev/null +++ b/remote/modules/redsocks/data/etc/systemd/system/basic.target.wants/setup_proxy.service @@ -0,0 +1 @@ +../setup_proxy.service \ No newline at end of file diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service new file mode 100644 index 00000000..6f207586 --- /dev/null 
+++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Transparent redirector of any TCP connection to proxy using your firewall
+
+[Service]
+Type=forking
+PIDFile=/run/redsocks.pid
+ExecStart=/bin/redsocks -c /etc/redsocks.conf -p /run/redsocks.pid
+ExecStopPost=/bin/rm /run/redsocks.pid
+Restart=on-abort
diff --git a/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service b/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service
new file mode 100644
index 00000000..885e72dc
--- /dev/null
+++ b/remote/modules/redsocks/data/etc/systemd/system/setup_proxy.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Proxy setup detection
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/opt/openslx/bin/setup_proxy
+RemainAfterExit=yes
diff --git a/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy
new file mode 100755
index 00000000..8fa5721c
--- /dev/null
+++ b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy
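Review bot: `ExecStart=/bin/redsocks -c /etc/redsocks.conf -p /run/redsocks.pid` points at /bin, but redsocks.build in this same commit installs the binary with `cp "redsocks" "$MODULE_BUILD_DIR/sbin/"`, so unless the module framework relocates it the unit fails to start; make the unit say `/sbin/redsocks` or have the build copy into bin/. setup_proxy.service runs with `DefaultDependencies=no` and `Before=sysinit.target` while its script calls `systemctl start redsocks` and programs iptables; if that early placement is deliberate, a comment in the unit explaining the ordering would help, since it is hard to tell from the two files whether /etc/redsocks.conf and the nat table are guaranteed to be available at that point.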
@@ -0,0 +1,41 @@ +#!/bin/bash + +. /opt/openslx/config || echo "Error sourcing config for setup_proxy" + +[ -z "$SLX_PROXY_MODE" -o "x$SLX_PROXY_MODE" == "xoff" ] && echo "proxy mode disabled." && exit 0 + +PROXY=off +if [ "$SLX_PROXY_MODE" == "on" ]; then + PROXY=on +elif [ "$SLX_PROXY_MODE" == "auto" -a -n "$SLX_PXE_CLIENT_IP" ]; then + [[ "$SLX_PXE_CLIENT_IP" =~ ^10\. ]] && PROXY=on + [[ "$SLX_PXE_CLIENT_IP" =~ ^192\.168\. ]] && PROXY=on + [[ "$SLX_PXE_CLIENT_IP" =~ ^172\.[123] ]] && PROXY=on +fi + +[ "$PROXY" == "off" ] && echo "Proxy mode not required." && exit 0 + +sed -i "s/%%PROXY_IP%%/$SLX_PROXY_IP/g;s/%%PROXY_PORT%%/$SLX_PROXY_PORT/g;s/%%PROXY_TYPE%%/$SLX_PROXY_TYPE/g" /etc/redsocks.conf + +systemctl start redsocks + +iptables -t nat -N REDSOCKS +iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN +iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN +iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN +iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN +iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN +iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN +iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN +iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN +if [ -n "$SLX_PROXY_BLACKLIST" ]; then + for ADDR in $SLX_PROXY_BLACKLIST; do + iptables -t nat -A REDSOCKS -d "$ADDR" -j RETURN + done +fi +iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345 +iptables -t nat -A PREROUTING -p tcp -j REDSOCKS +iptables -t nat -A OUTPUT -p tcp -j REDSOCKS +iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE +iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP + diff --git a/remote/modules/redsocks/redsocks.build b/remote/modules/redsocks/redsocks.build new file mode 100644 index 00000000..eb5c238d --- /dev/null +++ b/remote/modules/redsocks/redsocks.build 
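Review bot: The private-range detection `[[ "$SLX_PXE_CLIENT_IP" =~ ^172\.[123] ]] && PROXY=on` is wider than 172.16.0.0/12: it also matches 172.1.x, 172.10-15.x and 172.32-39.x, which are public. Tighten it to `[[ "$SLX_PXE_CLIENT_IP" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]] && PROXY=on`. The closing `iptables -A INPUT -i br0 -p tcp --dport 12345 -j DROP` is interface-specific while redsocks.conf binds `local_ip = 0.0.0.0`, so the listener stays reachable from any other interface; and because filter INPUT sees the port after the REDIRECT in nat PREROUTING, the same rule would also drop redirected connections arriving on br0 if guests behind br0 are meant to be proxied, which is worth verifying against the intended topology. `iptables -t nat -N REDSOCKS` is also unconditional and fails if the chain already exists on a rerun; RemainAfterExit likely keeps that from happening in practice, but a guard or `-F` would make the script safe to re-execute.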
@@ -0,0 +1,24 @@ +#tool/distro specific functions for fetching, building and installing dependencies + + +fetch_source () { + mkdir -p src + cd src || perror "Could not cd to src" + if [ ! -d "redsocks" ]; then + git clone "$REQUIRED_GIT" "redsocks" || perror "Could not clone redoscks from github" + fi + cd redsocks || perror "Could not cd to src/redsocks" + git checkout "$REQUIRED_REVISION" || perror "Could not checkout revision $REQUIRED_REVISION" +} + +build () { + cd "$MODULE_DIR/src/redsocks" || perror "src/redsocks not found" + make || perror "make failed." + mkdir -p "$MODULE_BUILD_DIR/sbin" + cp "redsocks" "$MODULE_BUILD_DIR/sbin/" || perror "Could not copy redsocks binary to build dir" +} + +post_copy() { + : +} + diff --git a/remote/modules/redsocks/redsocks.conf b/remote/modules/redsocks/redsocks.conf new file mode 100644 index 00000000..db7bcfa3 --- /dev/null +++ b/remote/modules/redsocks/redsocks.conf @@ -0,0 +1,10 @@ +REQUIRED_GIT="git://github.com/darkk/redsocks.git" +REQUIRED_REVISION="2e3f648809e27cc19cb7a8702f19b553a7ef9a81" + +REQUIRED_INSTALLED_PACKAGES=" + libevent-dev +" +REQUIRED_BINARIES=" + redsocks +" + -- cgit v1.2.3-55-g7522 From 24023c6869de453e675d77be97f7e6cf48ed3a39 Mon Sep 17 00:00:00 2001 
From: Jonathan Bauer Date: Tue, 18 Jun 2013 19:08:00 +0200 Subject: [pam] home directory per kerberos (alpha) --- remote/modules/pam/data/etc/idmapd.conf | 2 +- remote/modules/pam/data/etc/pam.d/common-account | 1 + remote/modules/pam/data/etc/pam.d/common-auth | 3 ++- remote/modules/pam/data/etc/pam.d/common-session | 6 ++++-- .../data/etc/systemd/system/getty.target.wants/rpc-gssd.service | 1 + .../data/etc/systemd/system/getty.target.wants/rpc-idmapd.service | 1 + .../etc/systemd/system/getty.target.wants/rpc-sercices.service | 1 - remote/modules/pam/data/etc/systemd/system/rpc-gssd.service | 7 +++++++ remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service | 7 +++++++ remote/modules/pam/data/etc/systemd/system/rpc-sercices.service | 8 -------- remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount | 7 +++++++ .../modules/pam/data/usr/share/libpam-script/pam_script_ses_close | 1 + .../modules/pam/data/usr/share/libpam-script/pam_script_ses_open | 1 + remote/modules/pam/pam.conf | 2 ++ 14 files changed, 35 insertions(+), 13 deletions(-) create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service create mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service delete mode 120000 remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-gssd.service create mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service delete mode 100644 remote/modules/pam/data/etc/systemd/system/rpc-sercices.service create mode 100644 remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount create mode 120000 remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close create mode 120000 remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open (limited to 'remote/modules') 
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf index 61cfe2d9..2253cf0d 100644 --- a/remote/modules/pam/data/etc/idmapd.conf +++ b/remote/modules/pam/data/etc/idmapd.conf @@ -4,7 +4,7 @@ Verbosity = 0 Pipefs-Directory = /run/rpc_pipefs # set your own domain here, if id differs from FQDN minus hostname Domain = uni-freiburg.de - # localdomain +# localdomain [Mapping] diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account index 3a5d5a14..26055551 100644 --- a/remote/modules/pam/data/etc/pam.d/common-account +++ b/remote/modules/pam/data/etc/pam.d/common-account @@ -23,4 +23,5 @@ account requisite pam_deny.so # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) +account required pam_krb5.so # end of pam-auth-update config diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth index 1fa577e7..088ed13f 100644 --- a/remote/modules/pam/data/etc/pam.d/common-auth +++ b/remote/modules/pam/data/etc/pam.d/common-auth @@ -14,7 +14,8 @@ # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) -auth [success=2 default=ignore] pam_unix.so +auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 +auth [success=2 default=ignore] pam_unix.so try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session index c5813892..e3180dd4 100644 --- a/remote/modules/pam/data/etc/pam.d/common-session +++ b/remote/modules/pam/data/etc/pam.d/common-session 
@@ -26,8 +26,10 @@ session required pam_permit.so # See "man pam_umask". session optional pam_umask.so # and here are more per-package modules (the "Additional" block) -session [success=1] pam_unix.so -session [success=ok] pam_ldap.so +session [success=3] pam_unix.so +session [success=2] pam_krb5.so minimum_uid=1000 +session [success=1] pam_ldap.so session optional pam_mkhomedir.so skel=/etc/skel umask=0022 +session optional pam_script.so session required pam_systemd.so kill-session-processes=1 # end of pam-auth-update config diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service new file mode 120000 index 00000000..194aba77 --- /dev/null +++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service @@ -0,0 +1 @@ +../rpc-gssd.service \ No newline at end of file diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service new file mode 120000 index 00000000..66a28252 --- /dev/null +++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service @@ -0,0 +1 @@ +../rpc-idmapd.service \ No newline at end of file diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service deleted file mode 120000 index f68f14b9..00000000 --- a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-sercices.service +++ /dev/null @@ -1 +0,0 @@ -../rpc-sercices.service \ No newline at end of file diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service new file mode 100644 index 00000000..6623428d --- /dev/null +++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service 
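Review bot: The new skip counts make `session optional pam_mkhomedir.so` unreachable on success: `[success=3] pam_unix.so` jumps over krb5, ldap and mkhomedir, `[success=2] pam_krb5.so` over ldap and mkhomedir, and `[success=1] pam_ldap.so` over mkhomedir, so the directory is only created when all three session modules fail, whereas before this change both local users and ldap users (via `[success=ok]`) reached it. If homes for Kerberos users now come from a mount and mkhomedir is intentionally retired, a comment saying so would save the next reader the counting; otherwise use `[success=2]`, `[success=1]` and `[success=ok]` so each jump lands on pam_mkhomedir. The counted jumps added to common-auth in this commit are consistent: `[success=3]` for pam_krb5 lands after pam_deny as intended.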
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service b/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
deleted file mode 100644
index db6b115a..00000000
--- a/remote/modules/pam/data/etc/systemd/system/rpc-sercices.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Start RPC services
-Requires=activate-nss-ldap.service
-After=activate-nss-ldap.service
-
-[Service]
-ExecStart=/usr/sbin/rpc.gssd
-ExecStart=/usr/sbin/rpc.idmapd
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close
\ No newline at end of file
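Review bot: `ExecStart=/usr/sbin/rpc.gssd -f -vvv` ships the daemon at its highest verbosity in a unit installed on every client; as far as I recall that level logs each upcall with the uid, credential cache and principal involved, which fills the journal on a busy machine and records who logged in where. Keep `-f` and drop the `-vvv` once the krb5p mounts are known to work, or add a comment that the verbosity is deliberate. The unit also has no `[Install]` section and is enabled only through the `getty.target.wants` symlink added in this commit; a comment saying so would stop someone from "fixing" it with an `[Install]` block and `systemctl enable`.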
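Review bot: In rpc-idmapd.service, `Requires=network.target run-rpc_pipefs.mount` pulls the mount in, but `After=network.target` does not order against it and `Requires=` alone carries no ordering, so rpc.idmapd can be started before /run/rpc_pipefs is mounted. The gssd unit in this same commit gets it right with `After=run-rpc_pipefs.mount`; change the line here to `After=network.target run-rpc_pipefs.mount`.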
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open new file mode 120000 index 00000000..783d5605 --- /dev/null +++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open @@ -0,0 +1 @@ +/etc/pam-script/pam_script_ses_open \ No newline at end of file diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 5f762481..38600f01 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -6,6 +6,7 @@ REQUIRED_INSTALLED_PACKAGES=" krb5-config libpam-krb5 libssl-dev + ldap-utils " REQUIRED_CONTENT_PACKAGES=" libpam0g @@ -31,6 +32,7 @@ REQUIRED_BINARIES=" umount.crypt_LUKS mount.crypto_LUKS umount.crypto_LUKS + ldapsearch " REQUIRED_DIRECTORIES=" /lib -- cgit v1.2.3-55-g7522 From 4bdc2a150ad01d08fdff3654629552f13ec13052 Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Wed, 19 Jun 2013 10:41:24 +0200 Subject: [pam] scripts to be executed on session open/close by pam-script module --- .../pam/data/etc/pam-script/pam_script_ses_close | 3 +++ .../pam/data/etc/pam-script/pam_script_ses_open | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100755 remote/modules/pam/data/etc/pam-script/pam_script_ses_close create mode 100755 remote/modules/pam/data/etc/pam-script/pam_script_ses_open (limited to 'remote/modules') diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close new file mode 100755 index 00000000..13311eea --- /dev/null +++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close @@ -0,0 +1,3 @@ +#!/bin/bash + +echo "[$PAM_TYPE] Closing session for $PAM_USER" diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open new file mode 100755 index 00000000..86386267 --- /dev/null +++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open 
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
+
+echo "[$PAM_TYPE] Opening session for $PAM_USER"
+echo "[$PAM_TYPE] Mounting home directory for $PAM_USER"
+
+# generate keytab
+sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab
+chmod 600 /etc/krb5.keytab
+
+# determine fileserver and share for home directories
+ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver > /tmp/ldapsearch."$PAM_USER"
+
+FILESERVER=$(cat /tmp/ldapsearch.$PAM_USER | grep rufFileserver | cut -d" " -f2)
+VOLUME=$(cat /tmp/ldapsearch.$PAM_USER | grep homeDirectory | cut -d" " -f2)
+
+# now we can mount the home directory
+mkdir -p /home/$PAM_USER
+mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER" \
+ || echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER"
-- cgit v1.2.3-55-g7522 From 635919e8647c0be5e605ee7f8f3324d172e271cf Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Wed, 19 Jun 2013 19:25:39 +0200 Subject: [pam] umount home dir upon session close
--- remote/modules/pam/data/etc/pam-script/pam_script_ses_close | 2 ++ 1 file changed, 2 insertions(+) (limited to 'remote/modules')
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
index 13311eea..48e778e2 100755
--- a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -1,3 +1,5 @@ #!/bin/bash echo "[$PAM_TYPE] Closing session for $PAM_USER"
+
+umount /home/$PAM_USER
-- cgit v1.2.3-55-g7522 From 60ccf93389f79118357fca96f2be4966f30fbfb8 Mon Sep 17 00:00:00 2001
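Review bot: The two redirections in pam_script_ses_open are the weak spots: `> /etc/krb5.keytab` truncates the host keytab before `sslconnect` even runs, so a failed fetch (server unreachable, TLS error) leaves an empty keytab behind and breaks rpc.gssd for every later login, and `> /tmp/ldapsearch."$PAM_USER"` has root write a predictable name in world-writable /tmp and read it back twice, so a local user who pre-creates that file can influence which `FILESERVER:VOLUME` is mounted as someone else's home. Write the keytab to a temporary file and `mv` it into place only on success, and keep the ldapsearch output in a variable instead of a file. `$PAM_USER` is also expanded unquoted in `cat /tmp/ldapsearch.$PAM_USER` and `mkdir -p /home/$PAM_USER`, and unescaped into the LDAP filter `uid="$PAM_USER"`; quoting plus an up-front character whitelist on the name covers both. Finally, when ldapsearch returns nothing the script still calls `mount` with an empty `"$FILESERVER":"$VOLUME"` and leaves the user in an empty, root-owned `/home/$PAM_USER`; bail out explicitly instead.
```shell
#!/bin/bash
# … unchanged: PATH export and the two echo lines …

# refuse user names that would break quoting or the LDAP filter
if ! [[ "$PAM_USER" =~ ^[A-Za-z0-9._-]+$ ]]; then
	echo "[$PAM_TYPE] Refusing to handle user name '$PAM_USER'"
	exit 1
fi

# generate keytab: fetch into a private temp file and replace the real
# keytab only on success, so a failed fetch keeps the previous keytab
KEYTAB_TMP=$(mktemp /etc/krb5.keytab.XXXXXX) || exit 1
if sslconnect npserv.ruf.uni-freiburg.de:3 > "$KEYTAB_TMP"; then
	chmod 600 "$KEYTAB_TMP"
	mv -f "$KEYTAB_TMP" /etc/krb5.keytab
else
	echo "[$PAM_TYPE] Could not fetch keytab, keeping the existing one"
	rm -f "$KEYTAB_TMP"
fi

# determine fileserver and share for home directories (no temp file)
LDAP_RESULT=$(ldapsearch -x -LLL "uid=$PAM_USER" homeDirectory rufFileserver)
FILESERVER=$(grep '^rufFileserver:' <<< "$LDAP_RESULT" | cut -d" " -f2)
VOLUME=$(grep '^homeDirectory:' <<< "$LDAP_RESULT" | cut -d" " -f2)

if [ -z "$FILESERVER" ] || [ -z "$VOLUME" ]; then
	echo "[$PAM_TYPE] No fileserver/home directory found for $PAM_USER"
	exit 1
fi

# now we can mount the home directory
mkdir -p "/home/$PAM_USER"
# … unchanged: mount line …
```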
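Review bot: `umount /home/$PAM_USER` in pam_script_ses_close runs on every session close, so with two concurrent sessions for the same user (a second terminal or ssh login) the first one ending unmounts the home directory from under the other. Quote the expansion, `umount "/home/$PAM_USER"`, to match the mount line in pam_script_ses_open, and consider only unmounting when no other session for that user remains (e.g. by checking `loginctl`/`who` first). The `umount` result is also not checked, so a busy mount leaves no trace beyond umount's own message; an `|| echo "[$PAM_TYPE] Failed to unmount home directory for $PAM_USER"` mirrors the mount side.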
From: Jonathan Bauer Date: Wed, 19 Jun 2013 23:03:34 +0200 Subject: [pam] added missing config file, added missing packets --- remote/modules/pam/data/etc/krb5.conf | 28 ++++++++++++++++++++++++++++ remote/modules/pam/pam.build | 10 +++++++++- remote/modules/pam/pam.conf | 2 ++ 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 remote/modules/pam/data/etc/krb5.conf (limited to 'remote/modules') diff --git a/remote/modules/pam/data/etc/krb5.conf b/remote/modules/pam/data/etc/krb5.conf new file mode 100644 index 00000000..6fd49243 --- /dev/null +++ b/remote/modules/pam/data/etc/krb5.conf @@ -0,0 +1,28 @@ +# file copied from configuration package (rootfs/etc/krb5.conf) +######################################################################### +[libdefaults] + noaddresses = false + clockskew = 300 + default_realm = PUBLIC.ADS.UNI-FREIBURG.DE + forwardable = true + minimum_uid = 1000 + proxiable = false + renew_lifetime = 30d + retain_after_close = false + ticket_lifetime = 3d + use_shmem = sshd + allow_weak_crypto=true +######################################################################### +[realms] + PUBLIC.ADS.UNI-FREIBURG.DE = { + kdc = kerberos.uni-freiburg.de + default_domain = uni-freiburg.de + admin_server = kerberos.uni-freiburg.de + } +######################################################################### +[domain_realm] + uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE + .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE +########################################################################## +[appdefaults] +######################################################################### diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 292171a2..1fc65091 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build 
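Review bot: `allow_weak_crypto=true` in `[libdefaults]` of the new krb5.conf re-enables the single-DES and other enctypes that libkrb5 disables by default, for every Kerberos consumer on the client, including the `sec=krb5p` home-directory mounts added earlier in this series; if it is only there because some service principal still has DES keys, say so in a comment next to the line and treat it as temporary, otherwise drop it. The line is also the one place in the file written without spaces around `=`, which makes it look like a last-minute addition. I believe pam_krb5 reads its own options (`minimum_uid`, `retain_after_close`, `use_shmem`) from the `pam` section of `[appdefaults]` rather than from `[libdefaults]`, so several of these keys may be no-ops here while `minimum_uid=1000` is actually set on the pam.d lines — worth confirming and, if so, moving them under the empty `[appdefaults]` section at the bottom.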
@@ -5,6 +5,7 @@ fetch_source() { build() { mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin" gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c" + list_packet_files > /tmp/jonathan tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}" } @@ -12,5 +13,12 @@ post_copy() { if [ ! -d "${TARGET_BUILD_DIR}/run/rpc_pipefs" ]; then mkdir -p "${TARGET_BUILD_DIR}/run/rpc_pipefs" || pwarning "Could not mkdir ${TARGET_BUILD_DIR}/run/rpc_pipefs" fi - + + # find libnfsidmap run-time library directory + SEARCH=$(dirname "$(list_packet_files | sort -u | grep "/libsnfsidmap/"|head -1)") + if [ -d "${SEARCH}" ]; then + tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pinfo "Something went wrong copying $SEARCH" + fi + + } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index 38600f01..f932749c 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf @@ -7,6 +7,7 @@ REQUIRED_INSTALLED_PACKAGES=" libpam-krb5 libssl-dev ldap-utils + libnfsidmap2 " REQUIRED_CONTENT_PACKAGES=" libpam0g @@ -21,6 +22,7 @@ REQUIRED_CONTENT_PACKAGES=" krb5-config libpam-krb5 libpam-mount + libnfsidmap2 " REQUIRED_BINARIES=" rpc.gssd -- cgit v1.2.3-55-g7522 From bac5a509c31ac3bdede3a4e3129f45dc9eb7dfcf Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Wed, 19 Jun 2013 23:08:24 +0200 Subject: [pam] added ldapserach for suse --- remote/modules/pam/pam.conf.zypper | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.conf.zypper b/remote/modules/pam/pam.conf.zypper index 698aa1c4..48dc1d52 100644 --- a/remote/modules/pam/pam.conf.zypper +++ b/remote/modules/pam/pam.conf.zypper @@ -5,6 +5,8 @@ REQUIRED_INSTALLED_PACKAGES=" nss_ldap pam-modules libopenssl-devel + openldap2-client + nfsidmap " REQUIRED_CONTENT_PACKAGES=" pam_ldap 
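Review bot: In the post_copy hunk the pattern `grep "/libsnfsidmap/"` cannot match the library this commit adds (`libnfsidmap2` in pam.conf; the path component will be `libnfsidmap`), so `head -1` yields an empty string, `dirname ""` prints `.`, the `[ -d "${SEARCH}" ]` test then succeeds and `tarcopy "." "${TARGET_BUILD_DIR}"` presumably copies the current working directory into the target. Fix the typo and guard the empty case before calling dirname: `SEARCH=$(list_packet_files | sort -u | grep "/libnfsidmap/" | head -1)`, `[ -n "$SEARCH" ] || pwarning "libnfsidmap not found in packet files"`, `SEARCH=$(dirname "$SEARCH")`. The `list_packet_files > /tmp/jonathan` line in the build() hunk above is a debugging leftover that writes into /tmp on every build.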
@@ -13,9 +15,12 @@ REQUIRED_CONTENT_PACKAGES=" nss_ldap pam-modules nss-mdns + openldap2-client + nfsidmap " REQUIRED_BINARIES=" sslconnect + ldapsearch mkhomedir_helper " REQUIRED_DIRECTORIES=" -- cgit v1.2.3-55-g7522 From 719b3be14f5689d750e898fd7c9ac2fb6cd9c18f Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Wed, 19 Jun 2013 23:09:05 +0200 Subject: [pam] remove old test --- remote/modules/pam/pam.build | 1 - 1 file changed, 1 deletion(-) (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 1fc65091..60e18414 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -5,7 +5,6 @@ fetch_source() { build() { mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin" gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c" - list_packet_files > /tmp/jonathan tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}" } -- cgit v1.2.3-55-g7522 From ff7e7157315fd4be295dfaee3b1ea6a9c1fd65fd Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Thu, 20 Jun 2013 00:03:13 +0200 Subject: [pam] TODO suse krb5 mounts --- remote/modules/pam/TODO | 1 + 1 file changed, 1 insertion(+) create mode 100644 remote/modules/pam/TODO (limited to 'remote/modules') diff --git a/remote/modules/pam/TODO b/remote/modules/pam/TODO new file mode 100644 index 00000000..6f95e62d --- /dev/null +++ b/remote/modules/pam/TODO @@ -0,0 +1 @@ +suse krb5 mount home dirs -- cgit v1.2.3-55-g7522 From d1010614fea8d05a267a9fa188be0b54dc851447 Mon Sep 17 00:00:00 2001 
From: Simon Rettberg Date: Thu, 20 Jun 2013 12:20:44 +0200 Subject: [pam] Add missing content packages [redsocks] fix path of redsocks binary, exclude proxy IP from redirection --- remote/modules/pam/pam.build | 15 ++++++++++----- remote/modules/pam/pam.conf | 9 +++++++++ .../redsocks/data/etc/systemd/system/redsocks.service | 2 +- remote/modules/redsocks/data/opt/openslx/bin/setup_proxy | 1 + remote/setup_target | 2 ++ 5 files changed, 23 insertions(+), 6 deletions(-) (limited to 'remote/modules') diff --git a/remote/modules/pam/pam.build b/remote/modules/pam/pam.build index 60e18414..d3c0dd88 100644 --- a/remote/modules/pam/pam.build +++ b/remote/modules/pam/pam.build @@ -5,7 +5,9 @@ fetch_source() { build() { mkdir -p "$MODULE_BUILD_DIR/opt/openslx/bin" gcc -o "$MODULE_BUILD_DIR/opt/openslx/bin/sslconnect" "$MODULE_DIR/sslconnect.c" -lssl -lcrypto -O3 || perror "Could not compile sslconnect.c" - tarcopy "$(list_packet_files | sort -u)" "${MODULE_BUILD_DIR}" + local COPYLIST="$MODULE_BUILD_DIR/list_packet_files" + list_packet_files | sort -u > "$COPYLIST" + tarcopy "$(cat "$COPYLIST")" "${MODULE_BUILD_DIR}" } post_copy() { @@ -14,10 +16,13 @@ post_copy() { fi # find libnfsidmap run-time library directory - SEARCH=$(dirname "$(list_packet_files | sort -u | grep "/libsnfsidmap/"|head -1)") - if [ -d "${SEARCH}" ]; then - tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pinfo "Something went wrong copying $SEARCH" - fi + #local COPYLIST="$MODULE_BUILD_DIR/list_packet_files" + #local SEARCH=$(grep "/libsnfsidmap/" "$COPYLIST" | head -1) + #[ -z "$SEARCH" ] && perror "Hä" + #SEARCH=$(dirname "$SEARCH") + #if [ -d "${SEARCH}" ]; then + # tarcopy "${SEARCH}" "${TARGET_BUILD_DIR}" || pinfo "Something went wrong copying $SEARCH" + #fi } diff --git a/remote/modules/pam/pam.conf b/remote/modules/pam/pam.conf index f932749c..bbdd610f 100644 --- a/remote/modules/pam/pam.conf +++ b/remote/modules/pam/pam.conf 
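Review bot: `local COPYLIST="$MODULE_BUILD_DIR/list_packet_files"` writes the file list into the module's build directory, which — assuming MODULE_BUILD_DIR is what later gets merged into the target image — ships a stray `/list_packet_files` with the module; put it under `mktemp` or `rm` it after the `tarcopy`. The post_copy hunk below replaces the libnfsidmap lookup with a block of commented-out code (including `perror "Hä"`) that references a `local` from a different function and so could never work as written; either remove it or leave a single `# TODO: copy the libnfsidmap plugin directory; see REQUIRED_LIBRARIES in pam.conf` in its place, since this commit adds that list to pam.conf.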
@@ -8,6 +8,7 @@ REQUIRED_INSTALLED_PACKAGES=" libssl-dev ldap-utils libnfsidmap2 + nfs-common " REQUIRED_CONTENT_PACKAGES=" libpam0g @@ -22,7 +23,9 @@ REQUIRED_CONTENT_PACKAGES=" krb5-config libpam-krb5 libpam-mount + ldap-utils libnfsidmap2 + nfs-common " REQUIRED_BINARIES=" rpc.gssd @@ -36,6 +39,12 @@ REQUIRED_BINARIES=" umount.crypto_LUKS ldapsearch " +REQUIRED_LIBRARIES=" + nsswitch + static + umich_ldap + libnfsidmap +" REQUIRED_DIRECTORIES=" /lib /usr/lib diff --git a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service index 6f207586..4b30d09e 100644 --- a/remote/modules/redsocks/data/etc/systemd/system/redsocks.service +++ b/remote/modules/redsocks/data/etc/systemd/system/redsocks.service @@ -4,6 +4,6 @@ Description=Transparent redirector of any TCP connection to proxy using your fir [Service] Type=forking PIDFile=/run/redsocks.pid -ExecStart=/bin/redsocks -c /etc/redsocks.conf -p /run/redsocks.pid +ExecStart=/sbin/redsocks -c /etc/redsocks.conf -p /run/redsocks.pid ExecStopPost=/bin/rm /run/redsocks.pid Restart=on-abort diff --git a/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy index 8fa5721c..5dc22a14 100755 --- a/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy +++ b/remote/modules/redsocks/data/opt/openslx/bin/setup_proxy @@ -20,6 +20,7 @@ sed -i "s/%%PROXY_IP%%/$SLX_PROXY_IP/g;s/%%PROXY_PORT%%/$SLX_PROXY_PORT/g;s/%%PR systemctl start redsocks iptables -t nat -N REDSOCKS +iptables -t nat -A REDSOCKS -d "$SLX_PROXY_IP" -j RETURN iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN diff --git a/remote/setup_target b/remote/setup_target index d193638a..da4b7701 100755 --- a/remote/setup_target +++ b/remote/setup_target 
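Review bot: In setup_proxy, `-d "$SLX_PROXY_IP"` is added without checking that the variable is set; with an empty value iptables rejects the rule and the script carries on, so traffic to the proxy itself is still redirected — exactly what this rule exists to prevent. A guard before the rule, `[ -n "$SLX_PROXY_IP" ] || { echo "SLX_PROXY_IP not set" >&2; exit 1; }`, makes the failure visible. The exclusion is also only correct when SLX_PROXY_IP is a literal address: if a hostname is ever configured, iptables resolves it once at insertion time. The enclosing script starts before this hunk.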
@@ -135,6 +135,8 @@ copy_files_with_deps () { else pdebug "\tFound ${FILENAME} at ${FILE}" fi + elif [ "$(echo $FILE_CANDIDATES | wc -w)" -eq 0 ]; then + perror "Could not find required binary $FILENAME" else # one candidate FINAL_LIST=${FILE_CANDIDATES} -- cgit v1.2.3-55-g7522 From 667c6e8875010f3dbba9ec09ee0c7942ec1facaa Mon Sep 17 00:00:00 2001 From: Jonathan Bauer Date: Thu, 20 Jun 2013 13:07:25 +0200 Subject: [systemd] remove missing binaries from config file --- remote/modules/systemd/systemd.conf | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) (limited to 'remote/modules') diff --git a/remote/modules/systemd/systemd.conf b/remote/modules/systemd/systemd.conf index fbe5cb8b..8a9d0042 100644 --- a/remote/modules/systemd/systemd.conf +++ b/remote/modules/systemd/systemd.conf @@ -37,9 +37,8 @@ REQUIRED_INSTALLED_PACKAGES=" libacl1-dev libpam-dev " -REQUIRED_BINARIES=" hostnamectl +REQUIRED_BINARIES=" journalctl - localectl loginctl systemctl systemd-analyze @@ -47,7 +46,6 @@ REQUIRED_BINARIES=" hostnamectl systemd-cat systemd-cgls systemd-cgtop - systemd-coredumpctl systemd-delta systemd-detect-virt systemd-inhibit @@ -57,23 +55,17 @@ REQUIRED_BINARIES=" hostnamectl systemd-stdio-bridge systemd-tmpfiles systemd-tty-ask-password-agent - timedatectl udevadm systemd systemd-ac-power systemd-binfmt - systemd-bootchart systemd-cgroups-agent - systemd-coredump systemd-fsck - systemd-hostnamed systemd-initctl systemd-journald - systemd-localed systemd-logind systemd-modules-load systemd-multi-seat-x - systemd-quotacheck systemd-random-seed systemd-readahead systemd-remount-fs @@ -82,7 +74,6 @@ REQUIRED_BINARIES=" hostnamectl systemd-shutdownd systemd-sleep systemd-sysctl - systemd-timedated systemd-timestamp systemd-udevd systemd-update-utmp @@ -96,7 +87,6 @@ REQUIRED_BINARIES=" hostnamectl ata_id cdrom_id collect - keymap mtd_probe scsi_id v4l_id" -- cgit v1.2.3-55-g7522
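Review bot: `[ "$(echo $FILE_CANDIDATES | wc -w)" -eq 0 ]` expands `$FILE_CANDIDATES` unquoted, so a candidate path containing whitespace or a glob character is re-expanded by the shell before counting; `[ -z "$FILE_CANDIDATES" ]` tests the same condition (except for an all-whitespace value) without the subshell and pipe. The empty check is also placed after the multi-candidate branch, whereas checking for "nothing found" first reads more naturally and avoids the first branch ever seeing an empty list. The enclosing `copy_files_with_deps` starts and ends outside this hunk.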