debian/examples: Ship Kerberos hook scripts (kudos to Debian Edu).
Mike Gabriel
3 years ago
0 | #!/bin/sh | |
1 | ||
2 | set -e | |
3 | ||
4 | ## This script is run by www-data using sudo. Keep that in mind! | |
5 | ## Make sure that malicious execution cannot hurt. | |
6 | ## | |
7 | ## This script creates the principals for hosts added with FusionDirectory. | |
8 | ||
9 | HOSTNAME=$1 | |
10 | DOMAIN=informatik.uni-kiel.de | |
11 | FQDN=$1.$DOMAIN | |
12 | ||
13 | ## lookup user and create home directory and principal: | |
14 | ldapsearch -xLLL "(&(|(cn=$HOSTNAME)(cn=$FQDN))(|(objectClass=GOHard)(objectClass=ipHost)))" \ | |
15 | cn ipHostNumber macAddress 2>/dev/null | perl -p00e 's/\r?\n //g' | \ | |
16 | while read KEY VALUE ; do | |
17 | case "$KEY" in | |
18 | dn:) HOSTNAME= ; IP= ; HOSTDN="dn=$VALUE" ;; | |
19 | cn:) HOSTNAME="$VALUE" ;; | |
20 | ipHostNumber:) IP="$VALUE" ;; | |
21 | macAddress:) MAC="$VALUE" ;; | |
22 | "") | |
23 | FQDN=$HOSTNAME.$DOMAIN | |
24 | kadmin.local -q "add_principal -policy hosts -randkey -x $HOSTDN host/$FQDN" && logger -p notice Krb5 principal \'host/$FQDN\' created. | |
25 | kadmin.local -q "add_principal -policy service -randkey -x $HOSTDN nfs/$FQDN" && logger -p notice Krb5 principal \'nfs/$FQDN\' created. | |
26 | ;; | |
27 | esac | |
28 | done | |
29 | ||
30 | exit 0 |
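Review bot: `$1` is spliced unescaped into the LDAP filter on the `ldapsearch` line (`(cn=$HOSTNAME)(cn=$FQDN)`), so the `*`, `(`, `)` and `\` characters that RFC 4515 requires to be escaped alter the query instead of being matched literally, which undercuts the header's "malicious execution cannot hurt" note. Since the argument is expected to be a bare host name, the cheapest fix is to reject anything else before the lookup, e.g. `case $1 in ""|*[!A-Za-z0-9.-]*) exit 1 ;; esac` directly after `HOSTNAME=$1`. The `-x $HOSTDN` inside the two `kadmin.local -q` strings is also unquoted, so a DN containing a space is split into separate arguments; the user hook in the same commit escapes it as `-x \"$USERDN\"`, and the same form fits here. `MAC` is never reset on `dn:` the way `HOSTNAME` and `IP` are, although it is also never used, and `read KEY VALUE` should be `read -r KEY VALUE` so backslashes in LDAP values survive.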
0 | #!/bin/sh | |
1 | ||
2 | set -e | |
3 | ||
4 | ## This script is run by www-data using sudo. Keep that in mind! | |
5 | ## Make sure that malicious execution cannot hurt. | |
6 | ## | |
7 | ## This script creates the home directories and principals for users | |
8 | ## added with gosa. There are some tests that make sure only | |
9 | ## non-existent home directories are created. Malicious execution | |
10 | ## cannot hurt, because either the user is missing in ldap or his home | |
11 | ## directory already exists. In both cases nothing should happen. | |
12 | ||
13 | PREFIX=/net | |
14 | HOSTNAME=$(hostname -s) | |
15 | USERID="$1" | |
16 | ||
17 | if which nscd 1>/dev/null; then | |
18 | nscd -i passwd | |
19 | nscd -i group | |
20 | fi | |
21 | ||
22 | ## lookup user and create home directory and principal: | |
23 | ldapsearch -xLLL "(&(uid=$USERID)(objectClass=posixAccount))" \ | |
24 | cn homeDirectory gidNumber 2>/dev/null | perl -p00e 's/\r?\n //g' | \ | |
25 | while read KEY VALUE; do | |
26 | case "$KEY" in | |
27 | dn:) USERNAME= ; HOMEDIR= ; GROUPID= ; USERDN="dn=$VALUE" ;; | |
28 | cn:) USERNAME="$VALUE" ;; | |
29 | homeDirectory:) HOMEDIR="$VALUE" ;; | |
30 | gidNumber:) GROUPID="$VALUE" ;; | |
31 | "") | |
32 | test "$HOMEDIR" || continue | |
33 | echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" && HOMEDIR=/home/$USERID || continue | |
34 | test -e "$HOMEDIR" || { | |
35 | cp -r /etc/skel $HOMEDIR | |
36 | chown -R $USERID:$GROUPID $HOMEDIR | |
37 | echo "Home directory '$HOMEDIR' created.<br />" | |
38 | } | |
39 | kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID" 1>/dev/null 2>/dev/null && echo "Krb5 principal '$USERID' created.<br />" | |
40 | x2godbadmin --adduser "$USERID" 1>/dev/null 2>/dev/null && echo "Enabled X2Go for user '$USERID'.<br />" | |
41 | ;; | |
42 | esac | |
43 | done | |
44 | ||
45 | exit 0 |
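Review bot: `$USERID` reaches both the LDAP filter (`(uid=$USERID)`) and the shell unquoted (`cp -r /etc/skel $HOMEDIR`, `chown -R $USERID:$GROUPID $HOMEDIR`), so the header's reasoning that a bad argument ends with "nothing happens" only holds for values free of filter metacharacters, whitespace and glob characters. Validating the argument up front, `case $USERID in ""|*[!A-Za-z0-9._-]*) exit 1 ;; esac` after `USERID="$1"`, and quoting `"$HOMEDIR"` and `"$USERID:$GROUPID"` in the creation block closes both paths; `$USERID` inside the `kadmin.local -q` string deserves the same `\"...\"` treatment already given to `$USERDN`. Smaller points: `which nscd` is better written `command -v nscd >/dev/null`, and `read KEY VALUE` needs `-r` so backslashes in LDAP values are not interpreted.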
0 | #!/bin/sh | |
1 | ||
2 | set -xe | |
3 | ||
4 | ## This script is run by www-data using sudo. Keep that in mind! | |
5 | ## Make sure that malicious execution cannot hurt. | |
6 | ## | |
7 | ## This script removes the home directories and principals for users removed with gosa. | |
8 | ## Home directories are not purged immediately, but marked with a time stamp. Next time | |
9 | ## this script is run it looks for all home directories marked for removal and removes | |
10 | ## directories older than the given age $MAXAGE. | |
11 | ## | |
12 | ## Malicious execution can mark directories for purging, but if $MAXAGE is chosen not | |
13 | ## too short, this will be detected by the owner and no data will get lost. | |
14 | ||
15 | USERID=$1 | |
16 | MOUNTED_HOMEDIR=$2 | |
17 | ||
18 | ## minimum age to keep a directory before it is purged | |
19 | ## in days (only integer values): | |
20 | ||
21 | MAXAGE_DAYS=500 | |
22 | ||
23 | #################################### | |
24 | ||
25 | MAXAGE_SEC=$(( $MAXAGE_DAYS*24*60*60 )) | |
26 | ||
27 | [ -d $HOMEDIR ] || exit 1 | |
28 | ||
29 | PREFIX=/net | |
30 | HOSTNAME=$(hostname -s) | |
31 | echo "$MOUNTED_HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1 | |
32 | ||
33 | HOMEDIR="$MOUNTED_HOMEDIR" | |
34 | ||
35 | ## move mail directory to home directory | |
36 | if [ -d /var/mail/$USERID ]; then | |
37 | mkdir -p $HOMEDIR/Maildir/ | |
38 | mv /var/mail/$USERID/* $HOMEDIR/Maildir/ | |
39 | rmdir /var/mail/$USERID | |
40 | fi | |
41 | ||
42 | ## rename home directory and delete principal: | |
43 | HOME=`dirname $HOMEDIR` | |
44 | RM_HOMEDIR="$HOME/rm_"`date "+%Y%m%d"`"_"`basename $HOMEDIR` | |
45 | mv $HOMEDIR $RM_HOMEDIR | |
46 | ||
47 | chown root:root $RM_HOMEDIR | |
48 | chmod go-rwx $RM_HOMEDIR | |
49 | ||
50 | kadmin.local -q "delete_principal -force $USERID" | |
51 | logger -p notice Home directory \'$HOMEDIR\' marked for deletion and principal \'$USERID\' removed. | |
52 | for DIR in `find $HOME -maxdepth 1 -type d -regextype posix-egrep -regex ".*/rm_[0-9]{8}_[^/]+"` ; do | |
53 | RMDATE=`echo $DIR | sed "s/.*rm_\([0-9]\{8\}\)_.*/\1/"` | |
54 | AGE=$(( `date +"%s"`-`date +"%s" -d $RMDATE` )) | |
55 | if [ $AGE -gt $MAXAGE_SEC ] ; then | |
56 | rm -rf $DIR | |
57 | echo logger -p notice Home directory \'$DIR\' purged. | |
58 | fi | |
59 | done | |
60 | ||
61 | exit 0 |
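Review bot: `[ -d $HOMEDIR ] || exit 1` runs before `HOMEDIR` is assigned (it is only set from `MOUNTED_HOMEDIR` further down), so the unquoted expansion leaves a one-argument `[ -d ]`, which is always true, and the guard never fires; it should read `[ -d "$MOUNTED_HOMEDIR" ] || exit 1`. The `egrep` check that follows interpolates `$USERID` into the regular expression with `.*` between prefix and name, so it only constrains the leading `/net/<host>` part, and the later `mv`, `chown`, `chmod`, `find` and `rm -rf` all expand the path unquoted; quote every use and consider a stricter pattern (or a `case` glob) that also rejects `..` path components, since the parent of the accepted path is what the purge loop walks. `echo logger -p notice Home directory \'$DIR\' purged.` prints the logger command instead of running it, which looks like a leftover debug prefix — confirm whether the purge is meant to be logged. `set -xe` also traces every command, including the `kadmin.local` invocation, to stderr; that may be intended for an example but is worth a comment.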
0 | #!/bin/sh | |
1 | ||
2 | set -ex | |
3 | ||
4 | ## This script is run by www-data using sudo. Keep that in mind! | |
5 | ## Make sure that malicious execution cannot hurt. | |
6 | ## | |
7 | ## This script synchronizes the kerberos password of principals to the posix password | |
8 | ## whenever the password is changed in ldap by gosa. To make sure only authorized | |
9 | ## changes happen, it is tested if the supplied password corresponds to the supplied | |
10 | ## distinguished name in ldap. | |
11 | ## | |
12 | ## A caller not knowing the correct ldap password cannot change the principal's one. | |
13 | ||
14 | USERDN="$1" | |
15 | set +x | |
16 | NEWPW="$USERPASSWORD" | |
17 | set -x | |
18 | USERID=`echo $USERDN | tr A-Z a-z | sed "s/^uid=\([^,]*\),.*$/\1/"` | |
19 | PATH="/usr/bin:/usr/sbin:/bin:/sbin" | |
20 | ||
21 | ## check if provided password corresponds to hash saved in ldap database: | |
22 | #set +e | |
23 | #IAM=`ldapwhoami -x -Z -w "$NEWPW" -D "$USERDN" 2>/dev/null | perl -p00e 's/\r?\n //g' | tr [A-Z] [a-z]` | |
24 | #if [ "$IAM" = "dn:$USERDN" ] ; then | |
25 | # set -e | |
26 | kadmin.local -q "change_password -pw \"$NEWPW\" \"$USERID\"" 1>/dev/null && echo "Updated Kerberos password for user '$USERID'.<br />" | |
27 | logger -t FusionDirectory-PwHook "Updated Kerberos password for user '$USERID'." | |
28 | #else | |
29 | # echo "Warning: Could not verify password for '$USERID'. Nothing done.<br />" | |
30 | # logger -t FusionDirectory-PwHook "Warning: Could not verify password for '$USERID'. Nothing done." | |
31 | # exit 1 | |
32 | #fi | |
33 | ||
34 | exit 0 |
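Review bot: The header states that a caller who does not know the LDAP password cannot change the principal's password, but the `ldapwhoami` verification that implemented that guarantee is commented out, so as shipped the `kadmin.local -q "change_password ..."` line runs for whatever `$USERDN` the caller supplies. Either restore the check (or a documented equivalent) or rewrite the header so the example does not describe a protection it no longer has. Separately, `set -x` is re-enabled before the `kadmin.local -q "change_password -pw \"$NEWPW\" ..."` line, so the new password is written to the trace output anyway (and `-pw` on the command line also exposes it in the process argument list); bracket that call with `set +x`/`set -x` as is already done for the assignment, and note the argv exposure in a comment. `PATH` is assigned only after `USERID` has been computed with `echo`/`tr`/`sed`, so move the `PATH=` line above the first external command; a `$NEWPW` containing `"` also breaks the nested quoting of the `-q` string, which is worth stating in the header.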