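###################################################################
#
# This script is a part of the pam_script_ses_open script
# and is not stand-alone!
#
# It will try to mount the home directories of students
# under /home/<user>/PERSISTENT using cifs/kerberos.
#
# If cifs mount fails, nfs mount will be tried.
#
# Expected from the parent script:
#   PAM_USER, PAM_AUTHTOK   - login name and password handed to PAM
#   USER_UID, USER_GID      - ids passed as uid=/gid= to the cifs mount
#   PERSISTENT_HOME_DIR     - mount point
#   slxlog                  - logging helper: slxlog TAG MESSAGE [FILE]
# Passed back to the parent script:
#   PERSISTENT_NETPATH      - network path that was (or should have been) mounted
#   PERSISTENT_OK           - "yes" once a mount succeeded, otherwise left unset
#
###################################################################

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# login name containing '*', '(', ')' or '\' cannot alter the query.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

#######################################
# Print the value of the first occurrence of an LDIF attribute.
# Arguments: $1 - attribute name (e.g. rufHomepath)
#            $2 - LDIF text as produced by ldapsearch -LLL
# Outputs:   second whitespace-separated field of the matching line,
#            nothing if the attribute is absent.
# NOTE: base64-encoded ('attr::') or line-wrapped LDIF values are not
#       handled; they show up as "not provided".
#######################################
ldif_value() {
  printf '%s\n' "$2" | awk -v attr="$1:" '$1 == attr { print $2; exit }'
}

#######################################
# Run mount in the background and wait roughly 11 seconds for it.
# Arguments: $1 - slxlog tag
#            $2 - mount source (cifs share or server:path)
#            $3 - mount options; deliberately word-split into separate arguments
# Globals:   PERSISTENT_HOME_DIR (read)
# Returns:   0 if mount exited successfully, 1 if it failed or timed out
#######################################
try_mount() {
  MOUNT_TAG=$1
  MOUNT_SOURCE=$2
  MOUNT_ARGS=$3
  SIGNAL=$(mktemp)
  MOUNT_OUTPUT=$(mktemp)
  # SIGNAL only exists again if the mount subshell re-creates it on failure.
  rm -f -- "${SIGNAL}"
  # shellcheck disable=SC2086 -- MOUNT_ARGS must be split into separate mount arguments
  ( mount -v ${MOUNT_ARGS} "${MOUNT_SOURCE}" "${PERSISTENT_HOME_DIR}" > "${MOUNT_OUTPUT}" 2>&1 || touch "${SIGNAL}" ) &
  MOUNT_PID=$!
  for COUNTER in 1 2 4 4; do
    kill -0 "${MOUNT_PID}" 2>/dev/null || break
    sleep "${COUNTER}"
  done
  MOUNT_RC=0
  if [ -e "${SIGNAL}" ]; then
    slxlog "${MOUNT_TAG}" "Mount of '${MOUNT_SOURCE}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_ARGS})" "${MOUNT_OUTPUT}"
    rm -f -- "${SIGNAL}"
    MOUNT_RC=1
  elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
    # Only the wrapper subshell is killed here; a hung mount process itself may linger.
    slxlog "${MOUNT_TAG}" "Mount of '${MOUNT_SOURCE}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_ARGS})" "${MOUNT_OUTPUT}"
    MOUNT_RC=1
  fi
  # Deferred removal, presumably so slxlog can still read the file — keep the delay.
  ( sleep 2; rm -f -- "${MOUNT_OUTPUT}" ) &
  return ${MOUNT_RC}
}

if [ -z "${PAM_USER}" ]; then
  slxlog "pam-freiburg-ldapquery" "PAM_USER is empty, cannot determine home directory."
  exit 1
fi

# Only run this if PAM_USER is not a local user.
# Literal, whole-field comparison: the login name is not a regular expression.
if ! cut -d: -f1 /etc/passwd | grep -qxF -- "${PAM_USER}"; then
  # determine fileserver and share for home directories.
  # The login name is escaped before it enters the filter, and the result is
  # kept in a variable instead of a predictable, never-removed file under /tmp.
  LDAP_RESULT=$(ldapsearch -x -LLL "uid=$(ldap_filter_escape "${PAM_USER}")" rufHomepath homeDirectory rufFileserver) || {
    slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."
    exit 1
  }
  # UNC path from LDAP uses backslashes; cifs wants forward slashes.
  CIFS_VOLUME=$(ldif_value rufHomepath "${LDAP_RESULT}" | tr '\\' '/')

  if [ -n "${CIFS_VOLUME}" ]; then
    # For passing back to pam auth script
    PERSISTENT_NETPATH="${CIFS_VOLUME}"
    # mount.cifs picks up its credentials from the USER/PASSWD environment
    # variables; they are exported for this attempt only and unset right after.
    export USER="${PAM_USER}"
    export PASSWD="${PAM_AUTHTOK}"
    if try_mount "pam-freiburg-cifs" "${CIFS_VOLUME}" \
        "-t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,file_mode=0700,dir_mode=0700,nobrl,noacl"; then
      PERSISTENT_OK=yes
    fi
  else
    slxlog "pam-freiburg-ldap-cifs-volume" "LDAP server did not provide 'rufHomepath'. Aborting mount for ${PAM_USER}."
  fi

  # unset credentials (this also drops any pre-existing USER variable)
  unset USER
  unset PASSWD

  # check if cifs mount worked.
  if [ -z "${PERSISTENT_OK}" ]; then
    # determine the server and paths to the user's home directory
    FILESERVER=$(ldif_value rufFileserver "${LDAP_RESULT}")
    VOLUME=$(ldif_value homeDirectory "${LDAP_RESULT}")
    if [ -z "${FILESERVER}" ]; then
      slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}."
      exit 1
    fi
    if [ -z "${VOLUME}" ]; then
      slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}."
      exit 1
    fi

    # generate keytab (try twice :)). The download goes to a temporary file
    # first so that a failed attempt never truncates a keytab already in place.
    KEYTAB=/etc/krb5.keytab
    KEYTAB_TMP=$(mktemp "${KEYTAB}.XXXXXX") || {
      slxlog "pam-freiburg-keytab" "Could not create temporary file for ${KEYTAB}"
      exit 1
    }
    if sslconnect npserv.ruf.uni-freiburg.de:3 > "${KEYTAB_TMP}" || \
       sslconnect npserv.ruf.uni-freiburg.de:3 > "${KEYTAB_TMP}"; then
      if ! chmod 600 "${KEYTAB_TMP}" || ! mv -f -- "${KEYTAB_TMP}" "${KEYTAB}"; then
        slxlog "pam-freiburg-keytab" "Could not install ${KEYTAB}"
        rm -f -- "${KEYTAB_TMP}"
        exit 1
      fi
    else
      rm -f -- "${KEYTAB_TMP}"
      slxlog "pam-freiburg-sslconnect" "Could not get ${KEYTAB} from npserv.ruf.uni-freiburg.de"
      # fall back to an existing, non-empty keytab; otherwise there is nothing to mount with
      [ -s "${KEYTAB}" ] || exit 1
      chmod 600 "${KEYTAB}" || {
        slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 ${KEYTAB}'"
        exit 1
      }
    fi

    MOUNT_OPTS="-t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy"
    # sunfs6 only offers integrity protection; everyone else gets privacy.
    case "${FILESERVER}" in
      *sunfs6*) MOUNT_OPTS="${MOUNT_OPTS},sec=krb5i" ;;
      *)        MOUNT_OPTS="${MOUNT_OPTS},sec=krb5p" ;;
    esac
    if try_mount "pam-freiburg-krb" "${FILESERVER}:${VOLUME}" "${MOUNT_OPTS}"; then
      # Override, cifs didn't work, maybe windows has the nfs client installed :>
      PERSISTENT_NETPATH="${FILESERVER}:${VOLUME}"
      PERSISTENT_OK=yes
    fi
  fi
fi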