summaryrefslogblamecommitdiffstats
path: root/src/os-plugins/plugins/auth/XX_auth.sh
blob: 99d5716e7d4bece0517b0678cf0ca0e96b14d65d (plain) (tree) 
749263cb ^






















































































































































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214






















































































































































































































                                                                                                                                                                   
        # Copyright (c) 2010 - OpenSLX GmbH
#
# This program/file is free software distributed under the GPL version 2.
# See http://openslx.org/COPYING
#
# If you have any feedback please consult http://openslx.org/feedback and
# send your feedback to feedback@openslx.org
#
# General information about OpenSLX can be found at http://openslx.org
#
# script is included from init via the "." load function - thus it has all
# variables and functions available

# check if the configuration file is available
if [ -e /initramfs/plugin-conf/auth.conf ]; then

  . /etc/openslx.conf
  ETCDIR=/mnt/${OPENSLX_DEFAULT_CONFDIR}
  PLUGINCONFDIR=${ETCDIR}/plugins/auth
  BINDIR=/mnt/${OPENSLX_DEFAULT_BINDIR}
  PLUGINDIR=/mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth
  VIRTDIR=/mnt/${OPENSLX_DEFAULT_VIRTDIR}

  # load needed variables
  . /initramfs/plugin-conf/auth.conf

  # get distribution info; has also version if needed...
  . /etc/slxsystem.conf
  distro=$slxconf_distro_name
  distro_version=$slxconf_distro_ver

  # Test if this plugin is activated... more or less useless with the
  # new plugin system
  if [ $auth_active -ne 0 ]; then
    [ $DEBUGLEVEL -gt 0 ] && echo "executing the 'auth' os-plugin ...";
    # load general configuration
    . /initramfs/machine-setup

    # Passwd: todo: move somewhere else
    chown root:shadow /mnt/etc/shadow
    chmod 0640 /mnt/etc/shadow
    chown root:root /mnt/etc/paswd
    chmod 0644 /mnt/etc/passwd
    #sed -i 's/auth_rootpwd.*/auth_rootpwd=*********/' $PLUGINCONFDIR/auth.conf

    # set authentication to passwd and group which is default
    sed -i  's/^passwd:.*/passwd: files/' /mnt/etc/nsswitch.conf
    sed -i  's/^group:.*/group: files/' /mnt/etc/nsswitch.conf

    if [ $auth_ldap -eq 1 ]; then
      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap/ldap.conf
      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
      # even if their syntax can differ, we copy them (and hope no nss_* attributes where used)
      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/nslcd.conf # required for openSUSE 11.4
      cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap.conf

      # PAM: add ldap conf before pam_unix(2).so; SuSE: ...-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      sed -i \
        '/^auth.*req.*pam_unix/ s/^/auth sufficient pam_ldap.so\n/' \
        /mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc

      sed -i  's/^\(passwd:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
      sed -i  's/^\(group:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf

      case "$distro" in
        suse)
          rllinker "nslcd" 20 8  # req. with OpenSuSE 11.4
          ;;
      esac

      # just to be on the save side... usually nslcd isn't used.
      sed -i "s/^\(nss_.*\)/#XX_auth.sh#\1/" /mnt/etc/nslcd.conf
        
  
      # hack. if we want to have totally custom ldap.conf files...
      if [ -f ${PLUGINDIR}/ldap.conf ]; then
        cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap.conf
        cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap/ldap.conf
        cp ${PLUGINDIR}/ldap.conf /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
        chmod 644 /mnt/etc/ldap.conf /mnt/etc/ldap/ldap.conf
      fi
      # similiar to ldap.conf, but just similiar
      if [ -f ${PLUGINDIR}/nslcd.conf ]; then
        cp ${PLUGINDIR}/nslcd.conf /mnt/etc/nslcd.conf # openSUSE 11.4
      fi

    fi

    # configure automount
    if [ $auth_automount -eq 1 ]; then
      cp ${PLUGINDIR}/auto.master /mnt/etc
      cp ${PLUGINDIR}/auto.slx /mnt/etc
      if [! -d /mnt/$auth_automnt_dir ]; then
        mkdir -p /mnt/$auth_automnt_dir
      fi

      config_portmap # distro specific configuration :(
      config_automount # distro specific configuration :(
      config_nfs # distro specific config... activates gssd and idmapd

      #maybe we need the following, same at auth_nfs4. also OS depending
      #rllinker "autofs" 15 7
  
      # hack for ubuntu
      if [ $distro = "ubuntu" ]; then
        sed -e 's,start on ,start on filesystem #,' \
          -i /mnt/etc/init/statd.conf
        echo -e "alias autofs autofs4" >>/mnt/etc/modprobe.d/aliases.conf
      fi
    fi

    # configure nfs4
    if [ $auth_nfs4 -eq 1 ]; then
      testmkd /mnt/var/lib/nfs/rpc_pipefs
      echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/etc/fstab
      echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/mnt/etc/fstab
      mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
      mount -t nfsd nfsd /proc/fs/nfsd
      touch /mnt/var/lib/nfs/state
      config_portmap # distro specific config. maybe double usage with automount
      #rllinker "portmap" 2 20
      
      # starts rpc.idmapd, maybe portmap... nfs-init.d-hell...
      case "$distro" in
        suse)
          rllinker "nfs" 14 8
          ;;
        ubuntu)
          rllinker "nfs-common" 14 8
          sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /mnt/etc/default/nfs-common
          ;;
        *)
          # we don't know it, so lets use all... hopefully one will work ;-)
          rllinker "nfs" 14 8
          rllinker "nfs-common" 14 8
          ;;
      esac

      sed -i \
        "s/^Domain.*/Domain = ${auth_idmap_domain}/" \
        /mnt/etc/idmapd.conf


      #maybe we need the following, same at auth_nfs4. also OS depending
      #rllinker "autofs" 15 7
    fi

    # configure automnt_script
    if [ $auth_automnt_script ]; then
      chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script
    fi
   

    
    # configure KerberOS
    if [ $auth_krb -eq 1 ]; then
      cp ${PLUGINDIR}/krb5.conf /mnt/etc
      chmod 644 /mnt/etc/krb5.conf
      
      # PAM: add krb conf after pam_unix(2).so; SuSE: ...-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/account [success=ok new_authtok_reqd=ok ignore=ignore default=bad user_unknown=ignore]  pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
      sed -i \
        '/^account.*req.*pam_unix/ s/^/auth    sufficient      pam_krb5.so     use_first_pass\n/' \
        /mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-auth-pc
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session
      echo "session optional        pam_krb5.so" >>  /mnt/etc/pam.d/common-session-pc

      # script to get keytab or do other magic things
      if [ -n $auth_krbscript ]; then
        echo "# auth-plugin: start custom kerberOS script
          /${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
          chmod 600 /etc/krb5.keytab # if a user forget to change it the $auth_krbscript" \
          >>  /mnt/etc/init.d/boot.slx
        chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
        # just krb5.conf perm
        rllinker "boot.slx" 2 20
      fi

      # maybe not needed in every case. depends how $HOME gets mounted... but required for nfs & automount at least with nfsv4
      if [ $distro = "ubuntu" ]; then
        sed -i 's/^NEED_GSSD.*/NEED_GSSD=yes/' /mnt/etc/default/nfs-common
      fi
      if [ $distro = "suse" ]; then
        sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
        sed -i 's/^NFS_SECURITY_GSS.*/NFS_SECURITY_GSS="yes"/' /mnt/etc/sysconfig/nfs
      fi

    fi

  fi
  
  # hack. if we want to have totally custom pam-files...
  if [ -d ${PLUGINDIR}/pam.d/ ]; then
    cp ${PLUGINDIR}/pam.d/* /mnt/etc/pam.d/
  fi
  
  # hack. if we want to have totally custom nsswitch.conf file...
  if [ -f ${PLUGINDIR}/nsswitch.conf ]; then
    cp ${PLUGINDIR}/nsswitch.conf /mnt/etc/nsswitch.conf
    chmod 644 /mnt/etc/nsswitch.conf
  fi


  # just for development purpose, can be deleted later
  rllinker "syslog" 2 20

else
  [ $DEBUGLEVEL -gt 0 ] && echo "  * Configuration of auth plugin failed"
fi
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2024-05-28 22:59:51 +0200