[PC-BSD Commits] r17789 - pcbsd-projects/AD_4_PCBSD/scripts
Author: johnh
Date: 2012-07-17 03:58:18 +0000 (Tue, 17 Jul 2012)
New Revision: 17789
Modified:
pcbsd-projects/AD_4_PCBSD/scripts/pc-adctl
pcbsd-projects/AD_4_PCBSD/scripts/pc-nsswitch
pcbsd-projects/AD_4_PCBSD/scripts/pc-pam
Log:
Make PAM and NSS work.
Modified: pcbsd-projects/AD_4_PCBSD/scripts/pc-adctl
===================================================================
--- pcbsd-projects/AD_4_PCBSD/scripts/pc-adctl 2012-07-17 03:44:47 UTC (rev 17788)
+++ pcbsd-projects/AD_4_PCBSD/scripts/pc-adctl 2012-07-17 03:58:18 UTC (rev 17789)
<at> <at> -25,7 +25,7 <at> <at>
then
ad_assert service pc-kerberos start
ad_assert service pc-nsswitch start
- #service pc-pam start
+ ad_assert service pc-pam start
#service pc-samba start
#service pc-kinit start
#service pc-kinit status
Modified: pcbsd-projects/AD_4_PCBSD/scripts/pc-nsswitch
===================================================================
--- pcbsd-projects/AD_4_PCBSD/scripts/pc-nsswitch 2012-07-17 03:44:47 UTC (rev 17788)
+++ pcbsd-projects/AD_4_PCBSD/scripts/pc-nsswitch 2012-07-17 03:58:18 UTC (rev 17789)
<at> <at> -12,7 +12,7 <at> <at>
: ${PATH_NS_CONF:="/etc/nsswitch.conf"}
: ${NSSCONF:="/usr/local/bin/nssconf"}
-nsswitch_conf_start()
+ad_nsswitch_conf_start()
{
if checkyesno activedirectory_enable 2>/dev/null
then
<at> <at> -35,7 +35,7 <at> <at>
return 0
}
-nsswitch_conf_stop()
+ad_nsswitch_conf_stop()
{
if checkyesno activedirectory_enable 2>/dev/null
then
<at> <at> -59,8 +59,8 <at> <at>
}
name="pc-nsswitch"
-start_cmd='nsswitch_conf_start'
-stop_cmd='nsswitch_conf_stop'
+start_cmd='ad_nsswitch_conf_start'
+stop_cmd='ad_nsswitch_conf_stop'
load_rc_config $name
run_rc_command "$1"
Modified: pcbsd-projects/AD_4_PCBSD/scripts/pc-pam
===================================================================
--- pcbsd-projects/AD_4_PCBSD/scripts/pc-pam 2012-07-17 03:44:47 UTC (rev 17788)
+++ pcbsd-projects/AD_4_PCBSD/scripts/pc-pam 2012-07-17 03:58:18 UTC (rev 17789)
<at> <at> -3,111 +3,148 <at> <at>
# $FreeBSD$
#
-# PROVIDE: ix-pam
+# PROVIDE: pc-pam
# REQUIRE: root
-# REQUIRE: ix-nsswitch
+# REQUIRE: pc-nsswitch
# BEFORE: NETWORK
-. /etc/rc.subr
+. /usr/local/etc/rc.AD
-: ${PAM_TEMPLATE_DIR:="/etc/ix/templates/pam.d"}
-: ${PAM_DIR:="/etc/pam.d"}
+: ${DEFAULT_PAM_SERVICES:="ftp login passwd sshd su telnetd"}
+: ${PAMDIR:="/etc/pam.d"}
+: ${PAMCONF:="/usr/local/bin/pamconf"}
-generate_pam_service_file()
+: ${active_directory_pam_services:="${DEFAULT_PAM_SERVICES}"}
+
+ad_pam_start()
{
- local service="${1}"
- local winbind="${2}"
- local ldap="${3}"
- local template
- local temp
- local file
+ if checkyesno activedirectory_enable 2>/dev/null
+ then
+ local tmpdir=$(mktemp -d /tmp/pam.XXXXXX)
+ local errors=0
- template="${PAM_TEMPLATE_DIR}/${service}"
- temp="/tmp/.tmp.${service}"
- file="${PAM_DIR}/${service}"
+ for s in ${active_directory_pam_services}
+ do
+ local tmp="${tmpdir}/${s}"
+ local sfile="${PAMDIR}/${s}"
- if [ ! -f "${template}" ]
- then
- return 1
- fi
+ cp "${sfile}" "${tmpdir}/${s}.orig"
+ ${PAMCONF} -f "${sfile}" \
+ -m
"+2auth:sufficient:/usr/local/lib/pam_winbind.so:silent:try_first_pass:krb5_auth:krb5_ccache_type=FILE" \
+ -m
"+2account:sufficient:/usr/local/lib/pam_winbind.so:krb5_auth:krb5_ccache_type=FILE" \
+ -m "+session:required:/usr/local/lib/pam_mkhomedir.so" \
+ -m "+0password:sufficient:/usr/local/lib/pam_winbind.so:try_first_pass:krb5_auth
krb5_ccache_type=FILE" \
+ -o "${tmp}"
- awk -v ldap="${ldap}" -v winbind="${winbind}" '{
- if (/^#.* <at> <at> LDAP <at> <at> / && ldap) {
- gsub("^#.* <at> <at> LDAP <at> <at> [^a-zA-Z0-9]+", "");
- print $0;
- } else if (/^#.* <at> <at> WINBIND <at> <at> / && winbind) {
- gsub("^#.* <at> <at> WINBIND <at> <at> [^a-zA-Z0-9]+", "");
- print $0;
- } else if (/^#.* <at> <at> MKHOMEDIR <at> <at> / && (ldap || winbind)) {
- gsub("^#.* <at> <at> MKHOMEDIR <at> <at> [^a-zA-Z0-9]+", "");
- print $0;
- } else if (/^#.* <at> <at> .* <at> <at> /) {
- } else {
- print $0;
- }
- }' < "${template}" > "${temp}"
+ if [ "$?" != "0" -o ! -s "${tmp}" ]
+ then
+ errors=1
+ break
+ fi
+ done
- if [ -f "${temp}" ]
- then
- mv "${temp}" "${file}" >/dev/null 2>&1
- if [ "$?" != "0" ]
+ if [ "${errors}" = "0" ]
then
- rm -f "${temp}"
+ for s in $(ls ${tmpdir}|grep -v '.orig')
+ do
+ local sfile="${PAMDIR}/${s}"
+
+ mv "${tmpdir}/${s}" "${sfile}"
+ if [ "$?" != "0" ]
+ then
+ errors=1
+ break
+ fi
+ done
+ fi
+
+ if [ "${errors}" = "1" ]
+ then
+ for s in $(ls ${tmpdir}/*.orig)
+ do
+ local sfile="${PAMDIR}/$(echo ${s}|sed 's/.orig//')"
+ local orig="${tmpdir}/${s}"
+
+ mv ${orig} ${sfile}
+ done
+
+ rm -rf "${tmpdir}" >/dev/null 2>&1
return 1
fi
+
+ rm -rf "${tmpdir}" >/dev/null 2>&1
+ return 0
fi
return 0
}
-
-generate_pam_files()
+ad_pam_stop()
{
- local ldap=0
- local winbind=0
-
- if [ ! -d "${PAM_TEMPLATE_DIR}" -o ! -d "${PAM_DIR}" ]
+ if checkyesno activedirectory_enable 2>/dev/null
then
- return 1
- fi
+ local tmpdir=$(mktemp -d /tmp/pam.XXXXXX)
+ local errors=0
- while read line
- do
- local var=$(echo "${line}"|cut -s -f1 -d'|')
- local val=$(echo "${line}"|cut -s -f2 -d'|')
+ for s in ${active_directory_pam_services}
+ do
+ local tmp="${tmpdir}/${s}"
+ local sfile="${PAMDIR}/${s}"
- case "${var}" in
- activedirectory) winbind="${val}" ;;
- ldap) ldap="${val}" ;;
- esac
+ cp "${sfile}" "${tmpdir}/${s}.orig"
+ ${PAMCONF} -f "${sfile}" \
+ -m '-auth:sufficient:/usr/local/lib/pam_winbind.so' \
+ -m '-account:sufficient:/usr/local/lib/pam_winbind.so' \
+ -m '-session:required:/usr/local/lib/pam_mkhomedir.so' \
+ -m '-password:sufficient:/usr/local/lib/pam_winbind.so' \
+ -o "${tmp}"
- done <<EOF
- $(${FREENAS_SQLITE_CMD} ${FREENAS_CONFIG} "
- SELECT
- srv_service,
- srv_enable
+ if [ "$?" != "0" -o ! -s "${tmp}" ]
+ then
+ errors=1
+ break
+ fi
+ done
- FROM
- services_services
+ if [ "${errors}" = "0" ]
+ then
+ for s in $(ls ${tmpdir}|grep -v '.orig')
+ do
+ local sfile="${PAMDIR}/${s}"
- WHERE
- srv_service IN (
- 'ldap',
- 'activedirectory'
- )")
-EOF
+ mv "${tmpdir}/${s}" "${sfile}"
+ if [ "$?" != "0" ]
+ then
+ errors=1
+ break
+ fi
+ done
+ fi
- for service in $(ls "${PAM_TEMPLATE_DIR}")
- do
- generate_pam_service_file "${service}" "${winbind}" "${ldap}"
- done
+ if [ "${errors}" = "1" ]
+ then
+ for s in $(ls ${tmpdir}/*.orig)
+ do
+ local sfile="${PAMDIR}/$(echo ${s}|sed 's/.orig//')"
+ local orig="${tmpdir}/${s}"
+ mv ${orig} ${sfile}
+ done
+
+ rm -rf "${tmpdir}" >/dev/null 2>&1
+ return 1
+ fi
+
+ rm -rf "${tmpdir}" >/dev/null 2>&1
+ return 0
+ fi
+
return 0
}
-name="ix-pam"
-start_cmd='generate_pam_files'
-stop_cmd=':'
+name="pc-pam"
+start_cmd='ad_pam_start'
+stop_cmd='ad_pam_stop'
load_rc_config $name
run_rc_command "$1"
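Review bot: The rollback loops in `ad_pam_start` and `ad_pam_stop` (`for s in $(ls ${tmpdir}/*.orig)`) cannot restore anything: `ls` on a path glob prints full pathnames, so `orig="${tmpdir}/${s}"` and the `sed`-derived `sfile` both embed the temp directory path a second time, every `mv` fails, and after a failed run `/etc/pam.d` is left with whichever services were already replaced while the `.orig` copies are deleted by the `rm -rf` that follows. Iterate the glob directly and strip with parameter expansion, in both functions: `for orig in "${tmpdir}"/*.orig`, `s="${orig##*/}"`, `mv "${orig}" "${PAMDIR}/${s%.orig}"`. Separately, `local tmpdir=$(mktemp -d /tmp/pam.XXXXXX)` masks mktemp's exit status and nothing checks that `tmpdir` is non-empty before the `cp`/`mv`/`rm -rf "${tmpdir}"` that depend on it; split it into `local tmpdir` and `tmpdir=$(mktemp -d /tmp/pam.XXXXXX) || return 1`. The two functions are otherwise identical apart from the `-m` modifier lists and would be easier to keep correct as one helper that takes the modifiers as arguments, so a fix like the above is applied once. If the line break inside the `+0password` modifier (between `krb5_auth` and `krb5_ccache_type=FILE`) is in the committed file rather than mail wrapping, that argument is missing the `:` separator the other three modifiers use.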