blob: 99d5716e7d4bece0517b0678cf0ca0e96b14d65d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
# Copyright (c) 2010 - OpenSLX GmbH
#
# This program/file is free software distributed under the GPL version 2.
# See http://openslx.org/COPYING
#
# If you have any feedback please consult http://openslx.org/feedback and
# send your feedback to feedback@openslx.org
#
# General information about OpenSLX can be found at http://openslx.org
#
# script is included from init via the "." load function - thus it has all
# variables and functions available
# check if the configuration file is available
if [ -e /initramfs/plugin-conf/auth.conf ]; then
. /etc/openslx.conf
ETCDIR=/mnt/${OPENSLX_DEFAULT_CONFDIR}
PLUGINCONFDIR=${ETCDIR}/plugins/auth
BINDIR=/mnt/${OPENSLX_DEFAULT_BINDIR}
PLUGINDIR=/mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth
VIRTDIR=/mnt/${OPENSLX_DEFAULT_VIRTDIR}
# load needed variables
. /initramfs/plugin-conf/auth.conf
# get distribution info; has also version if needed...
. /etc/slxsystem.conf
distro=$slxconf_distro_name
distro_version=$slxconf_distro_ver
# Test if this plugin is activated... more or less useless with the
# new plugin system
if [ $auth_active -ne 0 ]; then
[ $DEBUGLEVEL -gt 0 ] && echo "executing the 'auth' os-plugin ...";
# load general configuration
. /initramfs/machine-setup
# Passwd: todo: move somewhere else
chown root:shadow /mnt/etc/shadow
chmod 0640 /mnt/etc/shadow
chown root:root /mnt/etc/paswd
chmod 0644 /mnt/etc/passwd
#sed -i 's/auth_rootpwd.*/auth_rootpwd=*********/' $PLUGINCONFDIR/auth.conf
# set authentication to passwd and group which is default
sed -i 's/^passwd:.*/passwd: files/' /mnt/etc/nsswitch.conf
sed -i 's/^group:.*/group: files/' /mnt/etc/nsswitch.conf
if [ $auth_ldap -eq 1 ]; then
cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap/ldap.conf
cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
# even if their syntax can differ, we copy them (and hope no nss_* attributes where used)
cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/nslcd.conf # required for openSUSE 11.4
cp ${PLUGINDIR}/ldap.conf.slx /mnt/etc/ldap.conf
# PAM: add ldap conf before pam_unix(2).so; SuSE: ...-pc
sed -i \
'/^account.*req.*pam_unix/ s/^/account sufficient pam_ldap.so\n/' \
/mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
sed -i \
'/^auth.*req.*pam_unix/ s/^/auth sufficient pam_ldap.so\n/' \
/mnt/etc/pam.d/common-auth /mnt/etc/pam.d/common-auth-pc
sed -i 's/^\(passwd:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
sed -i 's/^\(group:.*\)/\1 ldap/' /mnt/etc/nsswitch.conf
case "$distro" in
suse)
rllinker "nslcd" 20 8 # req. with OpenSuSE 11.4
;;
esac
# just to be on the save side... usually nslcd isn't used.
sed -i "s/^\(nss_.*\)/#XX_auth.sh#\1/" /mnt/etc/nslcd.conf
# hack. if we want to have totally custom ldap.conf files...
if [ -f ${PLUGINDIR}/ldap.conf ]; then
cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap.conf
cp ${PLUGINDIR}/ldap.conf /mnt/etc/ldap/ldap.conf
cp ${PLUGINDIR}/ldap.conf /mnt/etc/openldap/ldap.conf # required for openSUSE 11.4
chmod 644 /mnt/etc/ldap.conf /mnt/etc/ldap/ldap.conf
fi
# similiar to ldap.conf, but just similiar
if [ -f ${PLUGINDIR}/nslcd.conf ]; then
cp ${PLUGINDIR}/nslcd.conf /mnt/etc/nslcd.conf # openSUSE 11.4
fi
fi
# configure automount
if [ $auth_automount -eq 1 ]; then
cp ${PLUGINDIR}/auto.master /mnt/etc
cp ${PLUGINDIR}/auto.slx /mnt/etc
if [! -d /mnt/$auth_automnt_dir ]; then
mkdir -p /mnt/$auth_automnt_dir
fi
config_portmap # distro specific configuration :(
config_automount # distro specific configuration :(
config_nfs # distro specific config... activates gssd and idmapd
#maybe we need the following, same at auth_nfs4. also OS depending
#rllinker "autofs" 15 7
# hack for ubuntu
if [ $distro = "ubuntu" ]; then
sed -e 's,start on ,start on filesystem #,' \
-i /mnt/etc/init/statd.conf
echo -e "alias autofs autofs4" >>/mnt/etc/modprobe.d/aliases.conf
fi
fi
# configure nfs4
if [ $auth_nfs4 -eq 1 ]; then
testmkd /mnt/var/lib/nfs/rpc_pipefs
echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/etc/fstab
echo -e "rpc_pipefs\t/var/lib/nfs/rpc_pipefs rpc_pipefs defaults\t 0 0 nfsd\t\t/proc/fs/nfsd\tnfsd\t\tdefaults\t 0 0" >>/mnt/etc/fstab
mount -t rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
mount -t nfsd nfsd /proc/fs/nfsd
touch /mnt/var/lib/nfs/state
config_portmap # distro specific config. maybe double usage with automount
#rllinker "portmap" 2 20
# starts rpc.idmapd, maybe portmap... nfs-init.d-hell...
case "$distro" in
suse)
rllinker "nfs" 14 8
;;
ubuntu)
rllinker "nfs-common" 14 8
sed -i 's/^NEED_IDMAPD=.*/NEED_IDMAPD=yes/' /mnt/etc/default/nfs-common
;;
*)
# we don't know it, so lets use all... hopefully one will work ;-)
rllinker "nfs" 14 8
rllinker "nfs-common" 14 8
;;
esac
sed -i \
"s/^Domain.*/Domain = ${auth_idmap_domain}/" \
/mnt/etc/idmapd.conf
#maybe we need the following, same at auth_nfs4. also OS depending
#rllinker "autofs" 15 7
fi
# configure automnt_script
if [ $auth_automnt_script ]; then
chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_automnt_script
fi
# configure KerberOS
if [ $auth_krb -eq 1 ]; then
cp ${PLUGINDIR}/krb5.conf /mnt/etc
chmod 644 /mnt/etc/krb5.conf
# PAM: add krb conf after pam_unix(2).so; SuSE: ...-pc
sed -i \
'/^account.*req.*pam_unix/ s/^/account [success=ok new_authtok_reqd=ok ignore=ignore default=bad user_unknown=ignore] pam_krb5.so use_first_pass\n/' \
/mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-account-pc
sed -i \
'/^account.*req.*pam_unix/ s/^/auth sufficient pam_krb5.so use_first_pass\n/' \
/mnt/etc/pam.d/common-account /mnt/etc/pam.d/common-auth-pc
echo "session optional pam_krb5.so" >> /mnt/etc/pam.d/common-session
echo "session optional pam_krb5.so" >> /mnt/etc/pam.d/common-session-pc
# script to get keytab or do other magic things
if [ -n $auth_krbscript ]; then
echo "# auth-plugin: start custom kerberOS script
/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
chmod 600 /etc/krb5.keytab # if a user forget to change it the $auth_krbscript" \
>> /mnt/etc/init.d/boot.slx
chmod 755 /mnt/${OPENSLX_DEFAULT_DIR}/plugin-repo/auth/$auth_krbscript
# just krb5.conf perm
rllinker "boot.slx" 2 20
fi
# maybe not needed in every case. depends how $HOME gets mounted... but required for nfs & automount at least with nfsv4
if [ $distro = "ubuntu" ]; then
sed -i 's/^NEED_GSSD.*/NEED_GSSD=yes/' /mnt/etc/default/nfs-common
fi
if [ $distro = "suse" ]; then
sed -i 's/^NFS_START_SERVICES.*/NFS_START_SERVICES="yes"/' /mnt/etc/sysconfig/nfs
sed -i 's/^NFS_SECURITY_GSS.*/NFS_SECURITY_GSS="yes"/' /mnt/etc/sysconfig/nfs
fi
fi
fi
# hack. if we want to have totally custom pam-files...
if [ -d ${PLUGINDIR}/pam.d/ ]; then
cp ${PLUGINDIR}/pam.d/* /mnt/etc/pam.d/
fi
# hack. if we want to have totally custom nsswitch.conf file...
if [ -f ${PLUGINDIR}/nsswitch.conf ]; then
cp ${PLUGINDIR}/nsswitch.conf /mnt/etc/nsswitch.conf
chmod 644 /mnt/etc/nsswitch.conf
fi
# just for development purpose, can be deleted later
rllinker "syslog" 2 20
else
[ $DEBUGLEVEL -gt 0 ] && echo " * Configuration of auth plugin failed"
fi
|
