From 32dc5354e2916387a2c62eadae0a4568023f1151 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 3 Jun 2014 16:47:36 +0200
Subject: Initial commit

---
 data/ad/common-account | 9 ++++
 data/ad/common-auth | 12 ++++++
 data/ad/common-password | 11 +++++
 data/ad/common-session | 22 ++++++++++
 data/ad/common-session-noninteractive | 17 ++++++++
 data/ad/mountscript | 49 ++++++++++++++++++++++
 data/ad/nsswitch.conf | 14 +++++++
 data/pxemenu.template | 78 +++++++++++++++++++++++++++++++++++
 8 files changed, 212 insertions(+)
 create mode 100644 data/ad/common-account
 create mode 100644 data/ad/common-auth
 create mode 100644 data/ad/common-password
 create mode 100644 data/ad/common-session
 create mode 100644 data/ad/common-session-noninteractive
 create mode 100644 data/ad/mountscript
 create mode 100644 data/ad/nsswitch.conf
 create mode 100644 data/pxemenu.template

(limited to 'data')

diff --git a/data/ad/common-account b/data/ad/common-account
new file mode 100644
index 0000000..e06e539
--- /dev/null
+++ b/data/ad/common-account
@@ -0,0 +1,9 @@
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 default=ignore] pam_ldap.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+
diff --git a/data/ad/common-auth b/data/ad/common-auth
new file mode 100644
index 0000000..c83e66e
--- /dev/null
+++ b/data/ad/common-auth
@@ -0,0 +1,12 @@
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so use_first_pass
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+auth optional pam_script.so expose=1
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+
diff --git a/data/ad/common-password b/data/ad/common-password
new file mode 100644
index 0000000..4cda16c
--- /dev/null
+++ b/data/ad/common-password
@@ -0,0 +1,11 @@
+password [success=2 default=ignore] pam_unix.so obscure sha512
+password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
+
diff --git a/data/ad/common-session b/data/ad/common-session
new file mode 100644
index 0000000..942af33
--- /dev/null
+++ b/data/ad/common-session
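Review bot: `auth optional pam_script.so expose=1` is the one line in this stack that hands the cleartext password to an external script, and nothing in the file says why that is needed, so the next cleanup is likely to drop it. A comment directly above it would do: `# expose=1 passes PAM_AUTHTOK (the cleartext password) to the pam_script hooks; presumably required by data/ad/mountscript, which exports it as PASSWD for the CIFS mount` — the dependency on mountscript is inferred from the sibling file in this commit, so confirm before wording it as fact. `nullok_secure` on the pam_unix line likewise deserves a one-line note if the empty-local-password behaviour is intentional on these machines.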
@@ -0,0 +1,22 @@
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+session required pam_systemd.so
+session optional pam_env.so readenv=1
+session optional pam_env.so readenv=1 envfile=/etc/default/locale
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ldap.so
+session sufficient pam_script.so
+session optional pam_xdg_support.so
+session optional pam_ck_connector.so nox11
+
diff --git a/data/ad/common-session-noninteractive b/data/ad/common-session-noninteractive
new file mode 100644
index 0000000..0279a53
--- /dev/null
+++ b/data/ad/common-session-noninteractive
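Review bot: `session sufficient pam_script.so` ends the stack as soon as the script succeeds, so `pam_xdg_support.so` and `pam_ck_connector.so` below it only run when the mount hook fails. If the intent is merely that the hook must never block a login, `session optional pam_script.so` gives exactly that while still running the two modules after it; if skipping them on success is deliberate, a comment above the line should say so, e.g. `# sufficient: a successful home mount ends the session stack here on purpose`. This reading follows from the control-flag semantics rather than from anything in the file, so confirm which behaviour is wanted.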
@@ -0,0 +1,17 @@
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ldap.so
+session optional pam_xdg_support.so
+
diff --git a/data/ad/mountscript b/data/ad/mountscript
new file mode 100644
index 0000000..2256904
--- /dev/null
+++ b/data/ad/mountscript
@@ -0,0 +1,49 @@
+###################################################################
+#
+# This script is a part of the pam_script_ses_open script
+# and is not stand-alone!
+#
+
+if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then
+
+ # determine fileserver and share for home directories
+ touch "/tmp/ldapsearch.${PAM_USER}"
+ chmod 0600 "/tmp/ldapsearch.${PAM_USER}"
+ ldapsearch -x -LLL uid="${PAM_USER}" homeMount > "/tmp/ldapsearch.${PAM_USER}" || \
+ { slxlog "pam-ad-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
+ VOLUME=$(cat "/tmp/ldapsearch.${PAM_USER}" | grep ^homeMount | head -n 1 | cut -d" " -f2)
+ [ -z "${VOLUME}" ] && slxlog "pam-ad-ldapvolume" "LDAP server did not provide 'homeMount'. Aborting mount for ${PAM_USER}." && exit 1
+
+ MOUNT_OPTS="-t cifs -o uid=${USER_UID},gid=${USER_GID},forceuid,forcegid,sec=ntlm"
+
+ SIGNAL=$(mktemp)
+ rm -f -- "${SIGNAL}"
+
+ export USER="${PAM_USER}"
+ export PASSWD="${PAM_AUTHTOK}"
+
+ ( mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" > "/tmp/home.$PAM_USER" 2>&1 || touch "${SIGNAL}" ) &
+ MOUNT_PID=$!
+ for COUNTER in 1 2 4 4; do
+ kill -0 "${MOUNT_PID}" 2>/dev/null || break
+ sleep "${COUNTER}"
+ done
+
+ if [ -e "${SIGNAL}" ]; then
+ slxlog "pam-reutlingen" "Mount of '${FILESERVER}/${PAM_USER}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER"
+ sleep 1
+ rm -f -- "${SIGNAL}"
+ elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
+ slxlog "pam-reutlingen" "Mount of '${FILESERVER}/${PAM_USER}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER"
+ sleep 1
+ else
+ PERSISTENT_OK=yes
+ chmod -R u+rw "${PERSISTENT_HOME_DIR}" 2>/dev/null
+ fi
+
+ unset USER
+ unset PASSWD
+
+ rm -f -- "/tmp/home.$PAM_USER"
+fi
+
diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf
new file mode 100644
index 0000000..1909d49
--- /dev/null
+++ b/data/ad/nsswitch.conf
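Review bot: `/tmp/ldapsearch.${PAM_USER}` and `/tmp/home.$PAM_USER` are predictable names in a world-writable directory that this hook creates with `touch`/`chmod`/`>` and overwrites unconditionally, so any pre-existing file or symlink of that name is followed with the hook's (PAM-level) privileges; the usual fix is to keep the LDAP output in a variable and take the mount log from `mktemp`, which also removes the leftover `/tmp/ldapsearch.${PAM_USER}` that the script never deletes. Separately, both `slxlog` messages print `${FILESERVER}`, which nothing in this file sets, while the actual mount target is `${VOLUME}`, so logging `${VOLUME}` matches what was attempted. `USER_UID`, `USER_GID`, `PERSISTENT_HOME_DIR` and `slxlog` are supplied by the enclosing pam_script hook, as the header says, so the rewrite below keeps relying on them. The `SIGNAL` handling and the wait loop are unchanged.
```shell
 # determine fileserver and share for home directories
 LDAP_RESULT=$(ldapsearch -x -LLL uid="${PAM_USER}" homeMount) || \
 { slxlog "pam-ad-ldapquery" "Could not query LDAP server for parameters of user '${PAM_USER}'."; exit 1; }
 VOLUME=$(printf '%s\n' "${LDAP_RESULT}" | grep '^homeMount' | head -n 1 | cut -d' ' -f2)
 [ -z "${VOLUME}" ] && slxlog "pam-ad-ldapvolume" "LDAP server did not provide 'homeMount'. Aborting mount for ${PAM_USER}." && exit 1

 # … unchanged: MOUNT_OPTS, SIGNAL, USER/PASSWD export …

 # mount output goes to an unpredictable, 0600 file instead of /tmp/home.$PAM_USER
 MOUNT_LOG=$(mktemp) || exit 1
 ( mount ${MOUNT_OPTS} "${VOLUME}" "${PERSISTENT_HOME_DIR}" > "${MOUNT_LOG}" 2>&1 || touch "${SIGNAL}" ) &
 # … unchanged: MOUNT_PID, wait loop …

 if [ -e "${SIGNAL}" ]; then
 slxlog "pam-reutlingen" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "${MOUNT_LOG}"
 # … unchanged: sleep / rm SIGNAL …
 elif kill -9 "${MOUNT_PID}" 2>/dev/null; then
 slxlog "pam-reutlingen" "Mount of '${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "${MOUNT_LOG}"
 # … unchanged: sleep, success branch, unset USER/PASSWD …

 rm -f -- "${MOUNT_LOG}"
```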
@@ -0,0 +1,14 @@
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/data/pxemenu.template b/data/pxemenu.template
new file mode 100644
index 0000000..2fcc88e
--- /dev/null
+++ b/data/pxemenu.template
@@ -0,0 +1,78 @@
+DEFAULT vesamenu.c32
+
+NOESCAPE 1
+PROMPT 0
+
+MENU BACKGROUND openslx.png
+MENU WIDTH 78
+MENU MARGIN 9
+MENU PASSWORDMARGIN 9
+MENU ROWS 10
+MENU TABMSGROW 16
+MENU CMDLINEROW 16
+MENU ENDROW -1
+MENU PASSWORDROW 16
+MENU TIMEOUTROW 20
+MENU HELPMSGROW 16
+MENU HELPMSGENDROW -1
+MENU HSHIFT 0
+MENU VSHIFT 7
+
+menu color screen 37;40 #80ffffff #00000000 std
+menu color border 37;40 #40000000 #ff8093a1 std
+menu color title 1;37;40 #ffff8b00 #ff8093a1 std
+menu color unsel 37;40 #fff0f0f0 #ff8093a1 std
+menu color hotkey 1;37;40 #ffff8b00 #ff8093a1 std
+menu color sel 7;37;40 #ff1c2a33 #667799bb all
+menu color hotsel 1;7;37;40 #ffff8b00 #667799bb all
+menu color disabled 1;37;40 #ffff8b00 #ff8093a1 std
+menu color scrollbar 37;40 #40000000 #ee000000 std
+menu color tabmsg 37;40 #ffff8b00 #ff8093a1 std
+menu color cmdmark 1;37;40 #ffff8b00 #ff8093a1 std
+menu color cmdline 37;40 #fff0f0f0 #ff8093a1 std
+menu color pwdborder 37;40 #40000000 #ff8093a1 std
+menu color pwdheader 37;40 #ffff8b00 #ff8093a1 std
+menu color pwdentry 37;40 #ffff8b00 #ff8093a1 std
+menu color timeout_msg 37;40 #fff0f0f0 #ff8093a1 std
+menu color timeout 1;37;40 #ffff8b00 #ff8093a1 std
+menu color help 37;40 #ff1c2a33 #00000000 none
+MENU MSGCOLOR #ff1c2a33 #00000000 none
+
+
+TIMEOUT %timeout%
+TOTALTIMEOUT %totaltimeout%
+MENU TITLE bwLehrpool BETA VERSION
+MENU CLEAR
+ONTIMEOUT %default%
+
+
+LABEL shutdown
+ MENU HIDE
+ KERNEL kernel-shutdown
+ APPEND initrd=initramfs-shutdown quiet
+
+
+LABEL net
+ MENU LABEL ^bwLehrpool-Umgebung starten
+ KERNEL http://%ip%/boot/default/kernel
+ INITRD http://%ip%/boot/default/initramfs-stage31
+ APPEND slxsrv=%ip% slxbase=boot/default vga=current quiet splash
+ IPAPPEND 3
+ %default-net%
+
+
+LABEL hdd
+ MENU LABEL ^Lokales System starten
+ LOCALBOOT 0
+ %default-hdd%
+
+
+LABEL openslx-debug
+ MENU LABEL ^bwLehrpool-Umgebung starten (nosplash, debug)
+ KERNEL http://%ip%/boot/default/kernel
+ INITRD http://%ip%/boot/default/initramfs-stage31
+ APPEND slxsrv=%ip% slxbase=boot/default
+ IPAPPEND 3
+
+%custom%
+
-- 
cgit v1.2.3-55-g7522
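Review bot: The substitution tokens this template relies on (`%ip%`, `%timeout%`, `%totaltimeout%`, `%default%`, `%default-net%`, `%default-hdd%`, `%custom%`) are documented nowhere in the file, so a reader cannot tell which are mandatory, which may expand to whole lines, and what fills them in. A header comment listing each token and the position it may occupy would cover this; syslinux ignores `#` lines, so it costs nothing at boot. Also, `LABEL openslx-debug` repeats the `KERNEL`/`INITRD`/`APPEND` lines of `LABEL net` minus `quiet splash` but carries no `%default-net%` line, so if that token supplies per-deployment append arguments the debug entry silently boots without them — confirm whether the asymmetry is intended and note it in the same comment either way.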