# Copyright (c) 2010 - OpenSLX GmbH
#
# This program/file is free software distributed under the GPL version 2.
# See http://openslx.org/COPYING
#
# If you have any feedback please consult http://openslx.org/feedback and
# send your feedback to feedback@openslx.org
#
# General information about OpenSLX can be found at http://openslx.org
#
# script is included from init via the "." load function - thus it has all
# variables and functions available

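# check if the configuration file is available
#
# This block configures name-service/PAM/automount/NFSv4/Kerberos inside the
# target root at /mnt according to the flags in auth.conf. It is sourced from
# init, so everything it needs (rllinker, OPENSLX_DEFAULT_*, DEBUGLEVEL) is
# expected to be in scope already; rllinker is provided by the init
# environment, not defined here.
if [ -e /initramfs/plugin-conf/auth.conf ]; then

  . /etc/openslx.conf
  ETCDIR=/mnt/${OPENSLX_DEFAULT_CONFDIR}
  PLUGINCONFDIR=${ETCDIR}/plugins/auth
  BINDIR=/mnt/${OPENSLX_DEFAULT_BINDIR}
  PLUGINDIR=/mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth
  VIRTDIR=/mnt/${OPENSLX_DEFAULT_VIRTDIR}

  # load needed variables: auth_active, auth_ldap, auth_automount,
  # auth_automnt_dir, auth_nfs4, auth_idmap_domain, auth_automnt_script,
  # auth_krb and auth_krbscript are read below
  . /initramfs/plugin-conf/auth.conf

  # get distribution info; has also version if needed...
  . /etc/slxsystem.conf
  distro=$slxconf_distro_name
  distro_version=$slxconf_distro_ver

  # Test if this plugin is activated... more or less useless with the
  # new plugin system. The auth_* flags default to 0 so that an unset
  # flag reads as "off" instead of tripping a '[: unary operator' error.
  if [ "${auth_active:-0}" -ne 0 ]; then
    [ "${DEBUGLEVEL:-0}" -gt 0 ] && echo "executing the 'auth' os-plugin ..."
    # load general configuration
    . /initramfs/machine-setup

    # Passwd: todo: move somewhere else
    # shadow must not be readable by unprivileged users; passwd is
    # world-readable but must be owned by root. (The passwd path used to be
    # misspelled "paswd", so that chown silently never took effect.)
    chown root:shadow /mnt/etc/shadow
    chmod 0640 /mnt/etc/shadow
    chown root:root /mnt/etc/passwd
    chmod 0644 /mnt/etc/passwd
    # NOTE(review): the redaction below is still disabled, so an auth_rootpwd
    # value in $PLUGINCONFDIR/auth.conf would be left as written - confirm
    # whether that is intended.
    #sed -i 's/auth_rootpwd.*/auth_rootpwd=*********/' $PLUGINCONFDIR/auth.conf

    # set authentication to passwd and group which is default
    sed -i  's/^passwd:.*/passwd: files/' /mnt/etc/nsswitch.conf
    sed -i  's/^group:.*/group: files/' /mnt/etc/nsswitch.conf

    # general requirement
    rllinker "nscd" 16 8

    ######
    # LDAP
    ######
    if [ "${auth_ldap:-0}" -eq 1 ]; then
      cp "${PLUGINDIR}"/ldap.conf.slx /mnt/etc/ldap.conf
      ln -sf /etc/ldap.conf /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
      # even if their syntax can differ, we copy them
      #   (and hope no nss_* attributes where used)
      echo "# Created by XX_auth.sh (auth-plugin) for compatibility reasons" \
        > /mnt/etc/nslcd.conf
      cat "${PLUGINDIR}"/ldap.conf.slx >> /mnt/etc/nslcd.conf # required for openSUSE 11.4
      ln -sf /etc/ldap.conf /mnt/etc/ldap/ldap.conf

      # PAM: insert the ldap line in front of the pam_unix(2).so line;
      # SuSE uses the ...-pc variants of the common-* files
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      sed -i \
        '/^auth.*req.*pam_unix/ s/^/auth sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc

      sed -i  's/^\(passwd:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
      sed -i  's/^\(group:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf

      case "$distro" in
        suse)
          rllinker "nslcd" 20 8  # req. with OpenSuSE 11.4
          ;;
      esac

      # just to be on the save side... usually nslcd isn't used.
      # comment out every nss_* line that was copied over from ldap.conf.slx
      sed -i "s/^\(nss_.*\)/#XX_auth.sh#\1/" /mnt/etc/nslcd.conf

      # hack. if we want to have totally custom ldap.conf files...
      if [ -f "${PLUGINDIR}"/ldap.conf ]; then
        echo "# copied from auth::files (default: /root/auth-plugin)" \
          > /mnt/etc/ldap.conf
        cat "${PLUGINDIR}"/ldap.conf >> /mnt/etc/ldap.conf
      fi
      # similiar to ldap.conf, but just similiar
      if [ -f "${PLUGINDIR}"/nslcd.conf ]; then
        echo "# copied from auth::files (default: /root/auth-plugin)" \
          > /mnt/etc/nslcd.conf
        cat "${PLUGINDIR}"/nslcd.conf >> /mnt/etc/nslcd.conf # openSUSE 11.4
      fi

    fi

    ########################
    # AUTOMOUNT, NFS partial
    ########################
    if [ "${auth_automount:-0}" -eq 1 ]; then
      cp "${PLUGINDIR}"/auto.master /mnt/etc
      cp "${PLUGINDIR}"/auto.slx /mnt/etc
      # was written as '[!' (no space), which is not a command, so the
      # directory was never created
      if [ ! -d "/mnt/$auth_automnt_dir" ]; then
        mkdir -p "/mnt/$auth_automnt_dir"
      fi

#      config_portmap # distro specific configuration :(
#      config_automount # distro specific configuration :(
#      config_nfs # distro specific config... activates gssd and idmapd

      # ubuntu
      case "$distro" in
        ubuntu)
          sed -e 's,start on ,start on filesystem #,' \
            -i /mnt/etc/init/statd.conf
          # no escapes in the string, so plain echo (dash would print "-e")
          echo "alias autofs autofs4" >>/mnt/etc/modprobe.d/aliases.conf
          # no nfs-common initscirpt  at 10.04, but other ones
          # statd not required for NFSv4..
          sed -i 's/^NEED_STATD=.*/NEED_STATD=yes/' /mnt/etc/default/nfs-common
          # optional, but helps in the future to move stuff out of OpenSLX to distri-tools
          rllinker "portmap" 12 8 # required 10.04+11.04 with nfs to start rpc.statd
          rllinker "portmap-wait" 12 8 # required 10.04+11.04 with nfs to start rpc.statd
          rllinker "rpc_pipefs" 14 8
          rllinker "statd" 13 8 #fails
          rllinker "autofs" 14 8
          # workaround for not starting statd. 10.04 affected, 11.04 not affected!?!
          echo "                  # auth-plugin: workaround for statd
                 #mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
                 rpc.statd -L" \
               >> /mnt/etc/init.d/boot.slx
          rllinker "boot.slx" 2 20
          ;;
        suse)
          # enable generall nfs support
          sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
          rllinker "rpcbind" 4 21
          rllinker "nfs" 14 20
          rllinker "autofs" 18 4
          ;;
      esac
    fi

    #######
    # NFSv4
    #######
    if [ "${auth_nfs4:-0}" -eq 1 ]; then

      # /etc/init-hell
      case "$distro" in
        suse)
          # for idmap
          sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
          # optional, but may help in the future to move stuff out of OpenSLX to distri-tools
          rllinker "rpcbind" 4 21
          rllinker "nfs" 14 8  # handles idmap & gssd
          ;;
        ubuntu)
          # nfs-common: somewhere before 10.04, not available with 10.04ff
          rllinker "nfs-common" 16 8
          # enable idmapd
          sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /mnt/etc/default/nfs-common
          # rpc_pipefs, portmap and idmap rllinker are optional
          # but may help in the future to move stuff out of OpenSLX to distri-tools
          rllinker "rpc_pipefs" 13 8  #doenst work somehow. could be mount/not mounted quirks
          rllinker "portmap" 14 8
          # optional, but helps in the future to move stuff out of OpenSLX to distri-tools
          rllinker "idmapd" 17 8
          # somehow idmapd doesnt want to start, because rpc_pipefs, even if enabled, doesn't
          # mount the required path. happend with a cloned ubuntu 10.04. therefore a workaround
          echo "                  # auth-plugin: workaround for idmapd
                  mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
                  # doesn't matter if already running
                  echo \"start idmapd (again)\"
                  service idmapd start" \
              >> /mnt/etc/init.d/boot.slx
          rllinker "boot.slx" 2 20
          ;;
      esac

      # auth_idmap_domain is spliced into the sed expression verbatim; a value
      # containing '/' or '&' would break or alter the substitution
      sed -i \
        "s/^Domain.*/Domain = ${auth_idmap_domain}/" \
        /mnt/etc/idmapd.conf
    fi

    # configure automnt_script (the script lives in PLUGINDIR; the auto.master
    # entry uses the path as seen from inside the booted system)
    if [ -n "$auth_automnt_script" ]; then
      chmod 700 "${PLUGINDIR}/$auth_automnt_script"
      sed -i -e '/^\/home.*$/d' /mnt/etc/auto.master
      echo "/home program:${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script" \
         >> /mnt/etc/auto.master
    fi

    # configure KerberOS
    if [ "${auth_krb:-0}" -eq 1 ]; then
      echo "# copied from auth::files (default: /root/auth-plugin)" \
        > /mnt/etc/krb5.conf
      cat "${PLUGINDIR}"/krb5.conf >> /mnt/etc/krb5.conf

      # PAM: insert the krb lines in front of the pam_unix(2).so line;
      # SuSE uses the ...-pc variants of the common-* files
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account [success=ok new_authtok_reqd=ok ignore=ignore default=bad user_unknown=ignore]  pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      # the auth line belongs to the auth stack (common-auth*), as in the LDAP
      # block above; it was previously matched against the account stack, so
      # common-auth never received it
      sed -i \
        '/^auth.*req.*pam_unix/ s/^/auth    sufficient      pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session-pc

      # script to get keytab or do other magic things
      # (quoted: an unquoted -n test is always true, which used to append a
      # boot.slx entry and chmod the plugin directory even with no script set)
      if [ -n "$auth_krbscript" ]; then
        echo "# auth-plugin: start custom kerberOS script
          echo \"Start krbscript\"
          /${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
          chmod 600 /etc/krb5.keytab # if a user forget to change it the $auth_krbscript" \
          >>  /mnt/etc/init.d/boot.slx
        chmod 700 "${PLUGINDIR}/$auth_krbscript"
        # just krb5.conf perm
        rllinker "boot.slx" 2 20
      fi

      # maybe not needed in every case. depends how $HOME gets mounted... but required for nfs & automount at least with nfsv4
      case "$distro" in
          ubuntu)
            sed -i 's/^NEED_GSSD.*/NEED_GSSD=yes/' /mnt/etc/default/nfs-common
            # optional, but wont hurt if the previous fails
            rllinker "gssd" 16 8
            ;;
          suse)
            # for idmap and gss
            sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
            sed -i 's/^NFS_SECURITY_GSS.*/NFS_SECURITY_GSS="yes"/' /mnt/etc/sysconfig/nfs
            ;;
      esac

    fi

  fi

  # hack. if we want to have totally custom pam-files...
  # (runs after the ldap/krb edits above and overwrites any file of the
  # same name in /mnt/etc/pam.d)
  if [ -d "${PLUGINDIR}"/pam.d/ ]; then
    cp "${PLUGINDIR}"/pam.d/* /mnt/etc/pam.d/
  fi

  # hack. if we want to have totally custom nsswitch.conf file...
  if [ -f "${PLUGINDIR}"/nsswitch.conf ]; then
    echo "# copied from auth::files (default: /root/auth-plugin)" \
      > /mnt/etc/nsswitch.conf
    cat "${PLUGINDIR}"/nsswitch.conf >> /mnt/etc/nsswitch.conf
  fi

else
  if [ "${DEBUGLEVEL:-0}" -gt 0 ]; then
    echo "  * Configuration of auth plugin failed"
  fi
fi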