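###################################################################
#
# This script is a part of the pam_script_ses_open script
# and is not stand-alone!
#
# It will try to mount the home directories of students
# under /home/<user>/PERSISTENT using cifs/kerberos.
#
# Expected from the enclosing script: PAM_USER, PAM_AUTHTOK, USER_UID,
# USER_GID, PERSISTENT_HOME_DIR and the slxlog / sslconnect helpers.
# Sets PERSISTENT_OK=yes when one of the two mounts succeeded.
#
# Security notes (this runs as root during PAM session setup; PAM_USER
# and the LDAP answer are untrusted input):
#  - the LDAP answer is kept in a shell variable instead of the former
#    predictable /tmp/ldapsearch.<user> file, which a local user could
#    pre-create (e.g. as a symlink) to make root overwrite another file;
#  - PAM_USER is escaped before it is placed into the LDAP filter;
#  - the keytab is downloaded into a 0600 temp file and renamed into
#    place, so a failed download no longer truncates /etc/krb5.keytab
#    and the key material is never world-readable while being written.

# Print the value of LDAP attribute $1 from the LDIF text in LDAP_RESULT:
# first "attr: value" line, everything after the first space.
# NOTE(review): base64 values ("attr:: ...") are not decoded here; confirm
# the directory never returns them for these attributes.
freiburg_ldap_attr() {
	printf '%s\n' "${LDAP_RESULT}" | grep -- "^$1:" | head -n 1 | cut -d" " -f2-
}

# Escape $1 for use inside an LDAP search filter (RFC 4515), so that a
# name containing '\', '*', '(' or ')' cannot change the filter's meaning.
freiburg_ldap_escape() {
	printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Mount $2 on PERSISTENT_HOME_DIR with the mount arguments in $3..., giving
# mount(8) roughly 11 seconds (1+2+4+4) to finish. Sets PERSISTENT_OK=yes
# on success; failure or timeout is reported via slxlog under tag $1,
# together with mount's verbose output.
freiburg_mount_persistent() {
	local log_tag="$1" mount_source="$2"
	shift 2
	local mount_output mount_pid interval
	# mktemp gives a private (0600), unpredictable file for mount's output
	mount_output=$(mktemp) || return 1
	( mount -v "$@" "${mount_source}" "${PERSISTENT_HOME_DIR}" > "${mount_output}" 2>&1 ) &
	mount_pid=$!
	for interval in 1 2 4 4; do
		kill -0 "${mount_pid}" 2>/dev/null || break
		sleep "${interval}"
	done
	if kill -0 "${mount_pid}" 2>/dev/null; then
		# NOTE(review): this only kills the wrapper subshell; the mount(8)
		# child it started may keep running until it gives up on its own.
		kill -9 "${mount_pid}" 2>/dev/null
		slxlog "${log_tag}" "Mount of '${mount_source}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: $*)" "${mount_output}"
	elif wait "${mount_pid}"; then
		# the subshell's exit status is mount's exit status
		PERSISTENT_OK=yes
	else
		slxlog "${log_tag}" "Mount of '${mount_source}' to '${PERSISTENT_HOME_DIR}' failed. (Args: $*)" "${mount_output}"
	fi
	# slxlog may still be reading the output file; remove it a bit later.
	( sleep 2; rm -f -- "${mount_output}" ) &
}

# Only run this if PAM_USER is not a local user. Compare the login name
# as a fixed string (-F -x) so a crafted name cannot act as a regex.
if ! cut -d: -f1 /etc/passwd | grep -qxF -- "${PAM_USER}"; then
	# determine fileserver and share for home directories
	# NOTE(review): -x is an anonymous simple bind; whether the query is
	# protected by TLS depends on the configured LDAP URI, not on this script.
	LDAP_RESULT=$(ldapsearch -x -LLL "uid=$(freiburg_ldap_escape "${PAM_USER}")" rufHomepath homeDirectory rufFileserver) || \
		{ slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
	# rufHomepath is a UNC path with backslashes; mount.cifs wants slashes
	CIFS_VOLUME=$(freiburg_ldap_attr rufHomepath | tr '\\' '/')
	if [ -n "${CIFS_VOLUME}" ]; then
		# now we can mount the home directory!
		# USER/PASSWD are the environment variables mount.cifs takes its
		# credentials from; they are exported only around this attempt.
		export USER="${PAM_USER}"
		export PASSWD="${PAM_AUTHTOK}"
		freiburg_mount_persistent "pam-freiburg-cifs" "${CIFS_VOLUME}" \
			-t cifs -o "uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,file_mode=0700,dir_mode=0700,nobrl,noacl"
	else
		slxlog "pam-freiburg-ldap-cifs-volume" "LDAP server did not provide 'rufHomepath'. Aborting mount for ${PAM_USER}."
	fi
	# unset credentials
	unset USER
	unset PASSWD
	# check if cifs mount worked; otherwise fall back to kerberized NFSv4.
	if [ -z "${PERSISTENT_OK}" ]; then
		# determine the server and paths to the user's home directory
		FILESERVER=$(freiburg_ldap_attr rufFileserver)
		VOLUME=$(freiburg_ldap_attr homeDirectory)
		# plain if/exit: "log && exit" would skip the exit when logging fails
		if [ -z "${FILESERVER}" ]; then
			slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}."
			exit 1
		fi
		if [ -z "${VOLUME}" ]; then
			slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}."
			exit 1
		fi
		# generate keytab (try twice :)) -- into a private temp file next to
		# the target, then rename: a failed download leaves the existing
		# keytab intact and the key is never readable by others mid-write.
		KEYTAB_TMP=$(mktemp /etc/krb5.keytab.XXXXXX) || \
			{ slxlog "pam-freiburg-keytab" "Could not create temporary file for /etc/krb5.keytab"; exit 1; }
		if { sslconnect npserv.ruf.uni-freiburg.de:3 > "${KEYTAB_TMP}" || \
		     sslconnect npserv.ruf.uni-freiburg.de:3 > "${KEYTAB_TMP}"; } && [ -s "${KEYTAB_TMP}" ]; then
			if ! chmod 600 "${KEYTAB_TMP}" || ! mv -f -- "${KEYTAB_TMP}" /etc/krb5.keytab; then
				slxlog "pam-freiburg-keytab" "Could not install /etc/krb5.keytab (chmod 600 / rename failed)"
				rm -f -- "${KEYTAB_TMP}"
				exit 1
			fi
		else
			rm -f -- "${KEYTAB_TMP}"
			slxlog "pam-freiburg-sslconnect" "Could not get /etc/krb5.keytab from npserv.ruf.uni-freiburg.de"
			# keep going with a previously installed keytab; without one the
			# kerberized NFS mount below cannot work
			[ -s /etc/krb5.keytab ] || exit 1
		fi
		# Kerberos security flavour: integrity-only on the sunfs6 servers,
		# privacy (encryption) everywhere else.
		case "${FILESERVER}" in
			*sunfs6*) NFS_SEC="sec=krb5i" ;;
			*)        NFS_SEC="sec=krb5p" ;;
		esac
		freiburg_mount_persistent "pam-freiburg-krb" "${FILESERVER}:${VOLUME}" \
			-t nfs4 -o "rw,nosuid,nodev,nolock,intr,hard,sloppy,${NFS_SEC}"
	fi
fi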