Comparing changes

  • 3 commits
  • 25 files changed
  • 0 commit comments
  • 1 contributor
6 debian/changelog
@@ -0,0 +1,6 @@
+linuxmuster-client-auth (0.1-precise6) testing; urgency=low
+
+ * initial-release
+ * deleted stuff
+
+ -- Frank Schiebel <frank@linuxmuster.net> Fri, 13 Apr 2012 14:01:38 +0200
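Review bot: The entry "* deleted stuff" in this first changelog stanza does not say what was removed or why; name the files or features that were dropped so the history is usable later. The stanza also targets the "testing" suite while the version string carries a "precise" suffix, so state which suite the upload is meant for.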
1 debian/compat
@@ -0,0 +1 @@
+8
14 debian/control
@@ -0,0 +1,14 @@
+Source: linuxmuster-client-auth
+Section: debian-linuxmuster
+Priority: optional
+Maintainer: Frank Schiebel <frank@linuxmuster.net>
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.0
+
+Package: linuxmuster-client-auth
+Architecture: all
+Conflicts: linuxmuster-clientconfig, linuxmuster-base, ivman
+Replaces: ivman
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-ldap, libnss-ldap, nscd, libpam-mount, rsync, smbfs
+Description: Linux-Musterloesung client configuration for auth only
+
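Review bot: "Build-Depends: debhelper (>= 4.0.0)" is too loose for this package, because debian/compat contains 8 and debian/rules exports DH_COMPAT=8; raise it to "debhelper (>= 8)". "${shlibs:Depends}" has no effect on an "Architecture: all" package that builds no binaries and can be dropped. "Description:" carries only the synopsis line, so add an extended description that says what the package changes on the client (PAM stack, nsswitch.conf, ldap.conf, sudoers), since those are changes an administrator needs to know about before installing.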
9 debian/copyright
@@ -0,0 +1,9 @@
+The copyright of this package is GPL, version 2 or later.
+On Debian systems the complete text of the GPL is in
+/usr/share/common-licenses/GPL
+
+ Pedants who belive I cannot legally say that code I have written is in
+ the public domain may consider them instead to be licensed as follows:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted under any circumstances. No warranty.
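Review bot: The two paragraphs contradict each other: the first line places the package under GPL version 2 or later, while the indented paragraph speaks of public-domain code and permits redistribution "under any circumstances". Keep a single licence statement, name the copyright holders and years, and list separately the upstream files that are shipped as templates (the ldap.conf template, for example, carries a PADL Software header). "belive" should read "believe".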
0 debian/dirs
No changes.
1 debian/files
@@ -0,0 +1 @@
+linuxmuster-client-auth_0.1-precise6_all.deb debian-linuxmuster optional
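Review bot: debian/files is written during the package build (it lists the built linuxmuster-client-auth_0.1-precise6_all.deb) and goes stale as soon as the version changes; remove it from the commit and add it to the repository's ignore list.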
2 debian/install
@@ -0,0 +1,2 @@
+etc/* /etc/
+var/lib/linuxmuster-client/templates/* /var/lib/linuxmuster-client/templates/
0 debian/links
No changes.
63 debian/po/de.po
@@ -0,0 +1,63 @@
+
+#. Type: string
+#. Description
+#: ../templates:1
+msgid "LDAP Server host."
+msgstr "LDAP-Server."
+
+#. Type: string
+#. Description
+#: ../templates:1
+msgid ""
+"The address of the LDAP server used. "
+"Note: It is always a good idea to use an IP address, it reduces risks of failure."
+msgstr ""
+"Die IP-Adresse des verwendeten LDAP-Servers. "
+"Es wird empfohlen die IP-Adresse zu verwenden, das vermindert das Ausfallrisiko."
+
+#. Type: string
+#. Description
+#: ../templates:2
+msgid "The distinguished name of the search base."
+msgstr "Der eindeutige Name (DN) der Suchbasis."
+
+#. Type: string
+#. Description
+#: ../templates:3
+msgid "Login name of template user."
+msgstr "Login des Vorlagen-Benutzers fuer Profile."
+
+#. Type: string
+#. Description
+#: ../templates:3
+msgid ""
+"Template user from who certain profile directories were copied to the user's home."
+msgstr ""
+"Vorlagen-Benutzer, von dem bestimmte Profilverzeichnisse in das Benutzerprofil kopiert werden."
+
+#. Type: boolean
+#. Description
+#: ../templates:4
+msgid "Copy initial Firefox profile to user's home?"
+msgstr "Soll das Firefox-Profil des Vorlagen-Benutzers als Startprofil verwendet werden?"
+
+#. Type: string
+#. Description
+#: ../templates:5
+msgid "Name of the folder which contains the user files."
+msgstr "Verzeichnisname fuer die Benutzerdateien (z.B. Eigene Dateien)."
+
+#. Type: string
+#. Description
+#: ../templates:5
+msgid ""
+"Folder will be created in user's home if it does not exist and linked to the desktop."
+msgstr ""
+"Verzeichnis wird -falls nicht vorhanden - im Benutzerhome erstellt."
+
+#. Type: string
+#. Description
+#: ../templates:6
+msgid "Name of the folder in user's home which will contain the application settings (Firefox etc.)."
+msgstr "Name des Verzeichnisses im Benutzerhome, das Anwendungseinstellungen enthaelt (fuer Firefox z.B.)."
+
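Review bot: The catalogue begins directly with the first "#. Type: string" entry and has no header entry (the empty msgid "" carrying Project-Id-Version and a Content-Type line with the charset), so tools cannot tell the encoding, which is presumably why the translations write "fuer" and "enthaelt" instead of umlauts; add the header with charset=UTF-8. The msgstr for "Folder will be created in user's home if it does not exist and linked to the desktop." leaves out the "linked to the desktop" part, and there is no entry for the second description line of linuxmuster-client/apps_basedir in debian/templates ("Folder will be created in user's home if it does not exist.").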
151 debian/postinst
@@ -0,0 +1,151 @@
+#!/bin/bash
+#
+# postinst script for linuxmuster-client
+#
+# Thomas Schmitt <schmitt@lmz-bw.de>
+# 18.12.2009
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+# read debconf stuff
+. /usr/share/debconf/confmodule
+
+case "$1" in
+
+ configure)
+
+ # read default variables
+ . /etc/linuxmuster-client-auth/config || exit 1
+
+ # check the distribution and do specific stuff
+ binpath=bin
+ cups=cupsys
+
+ # adding administrator and pgmadmin to sudoers
+ if [ -e /etc/sudoers ]; then
+ for admin in $ADMINISTRATOR $PGMADMIN; do
+ if ! grep -q ^$admin /etc/sudoers; then
+ echo "Adding $admin to sudoers ..."
+ echo >> /etc/sudoers
+ echo "# linuxmuster: $admin may gain root privileges" >> /etc/sudoers
+ echo "$admin ALL=(ALL) ALL" >> /etc/sudoers
+ fi
+ done
+ fi
+
+ # configure package
+ PRIORITY="critical"
+ db_title "linuxmuster-client-auth Konfiguration"
+
+ # ldap server uri
+ db_get ldap-auth-config/ldapns/ldap-server || true
+ URI=$RET
+ IP=$(echo $URI \
+ | sed 's/\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/_\1/' \
+ | sed 's/.*_//' \
+ | sed -n 's/\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)/\1/p' \
+ )
+ if [ -n "$IP" ]; then
+ db_set shared/ldapns/ldap-server $IP || true
+ fi
+ while [ -z "$IP_NEW" ]; do
+ db_input $PRIORITY shared/ldapns/ldap-server || true
+ db_go || true
+ db_get shared/ldapns/ldap-server || true
+ IP_NEW=$RET
+ done
+ URI_NEW=ldap://$IP_NEW/
+ if [ "$URI" != "$URI_NEW" ]; then
+ db_set ldap-auth-config/ldapns/ldap-server $URI_NEW || true
+ fi
+
+ # ldap basedn
+ db_get ldap-auth-config/ldapns/base-dn || true
+ BASEDN=$RET
+ if [ -n "$BASEDN" ]; then
+ db_set shared/ldapns/base-dn $BASEDN || true
+ fi
+ while [ -z "$BASEDN_NEW" ]; do
+ db_input $PRIORITY shared/ldapns/base-dn || true
+ db_go || true
+ db_get shared/ldapns/base-dn || true
+ BASEDN_NEW=$RET
+ done
+ if [ "$BASEDN" != "$BASEDN_NEW" ]; then
+ db_set ldap-auth-config/ldapns/base-dn $BASEDN_NEW || true
+ fi
+
+ # basedn
+ db_get shared/ldapns/ldap-server || true
+ serverip=$RET
+ if [ -z "$serverip" ]; then
+ echo "Cannot get the ip for the ldap server! Skipping configuration!"
+ exit 0
+ fi
+
+ # serverip
+ db_get shared/ldapns/base-dn || true
+ basedn=$RET
+ if [ -z "$basedn" ]; then
+ echo "Cannot get ldap basedn! Skipping configuration!"
+ exit 0
+ fi
+
+ # patching configuration files
+ echo "Patching configuration ..."
+ cd /var/lib/linuxmuster-client/templates
+ find -type f | xargs -i -t sh -c \
+ "sed -e 's%@@basedn@@%${basedn}%g
+ s%@@administrator@@%${ADMINISTRATOR}%g
+ s%@@pgmadmin@@%${PGMADMIN}%g
+ s%@@serverip@@%${serverip}%g' {} > /{}" 2> /dev/null 1> /dev/null
+ cd ../../
+
+ # fixing ldap.conf to ignore self signed server certificate with queries from localhost
+ conffile=/etc/ldap/ldap.conf
+ if ! grep -q "TLS_REQCERT never" $conffile &> /dev/null; then
+ echo "Fixing $conffile ..."
+ cp $conffile ${conffile}.dpkg-old
+ echo "TLS_REQCERT never" >> $conffile
+ fi
+
+ echo "Note: You have to reboot the client if you have installed the package for the first time!"
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+
+ ;;
+
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+db_stop
+
+exit 0
+
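Review bot: The block near the end of the configure branch that appends "TLS_REQCERT never" to /etc/ldap/ldap.conf turns off server certificate verification for every libldap client on the machine and for every server, not just "queries from localhost" as the comment says; install the server's CA certificate and set TLS_CACERT with "TLS_REQCERT demand" instead, and do not edit another package's conffile from a maintainer script. The sudoers loop writes "$admin ALL=(ALL) ALL" straight into /etc/sudoers with no syntax check, and "grep -q ^$admin" is unquoted and also matches any line that merely starts with the same prefix; write a mode 0440 file under /etc/sudoers.d, validate it with "visudo -c -f", and only then move it into place. In the "Patching configuration" step the debconf answers ${basedn} and ${serverip} are interpolated into a double-quoted "sh -c" string and into a sed program delimited by "%", so a value containing "%", a quote or "$(" breaks the substitution or is evaluated by the root shell; validate both answers (dotted-quad pattern, DN character set) before use and call sed directly rather than through "sh -c". The same step redirects into "/{}" before sed has succeeded and sends all output to /dev/null, so a failure leaves a truncated file under /etc/pam.d with nothing logged; write to a temporary file and rename it on success. Smaller points: the comments "# basedn" and "# serverip" above the last two db_get calls are swapped, binpath and cups are assigned but never used, and the header still says "postinst script for linuxmuster-client".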
110 debian/rules
@@ -0,0 +1,110 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 by Joey Hess.
+#
+# This version is for a hypothetical package that builds an
+# architecture-dependant package, as well as an architecture-independent
+# package.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This is the debhelper compatibility version to use.
+export DH_COMPAT=8
+
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -g
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build-arch: configure-stamp build-arch-stamp
+build-arch-stamp:
+ dh_testdir
+
+ # Add here command to compile/build the package.
+ #$(MAKE)
+
+ touch build-arch-stamp
+
+build-indep: configure-stamp build-indep-stamp
+build-indep-stamp:
+ dh_testdir
+
+ # Add here command to compile/build the arch indep package.
+ # It's ok not to do anything here, if you don't need to build
+ # anything for this package.
+
+ touch build-indep-stamp
+
+build: build-arch build-indep
+
+clean: clean1
+clean1:
+ dh_testdir
+ dh_testroot
+ rm -f build-indep-stamp build-arch-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ #-$(MAKE) clean
+
+ dh_clean
+
+
+install: DH_OPTIONS=
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package.
+ dh_install
+ rm -rf `find debian/linuxmuster-client -name .svn`
+ rm -f `find debian/linuxmuster-client -name .directory`
+
+# Build architecture-independent files here.
+# Pass -i to all debhelper commands in this target to reduce clutter.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installdirs
+ dh_installdebconf
+ dh_installdocs
+# dh_installexamples -i
+# dh_installmenu -i
+ dh_installlogrotate -i
+# dh_installemacsen -i
+# dh_installpam -i
+# dh_installmime -i
+ dh_installinit -i --no-start
+# dh_installcron -i
+# dh_installman -i
+# dh_installinfo -i
+# dh_undocumented -i
+ dh_installchangelogs
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+# dh_perl -i
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: install
+# We have nothing to do by default.
+
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure clean1
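Review bot: The two cleanup commands in the install target search debian/linuxmuster-client, but the only binary package in debian/control is linuxmuster-client-auth, so dh_install stages into debian/linuxmuster-client-auth and any .svn or .directory entries end up in the .deb; point find at the right directory and let it do the removal itself ("find ... -name .svn -prune -exec rm -rf {} +") so paths with spaces are handled. "dh_clean -k" is deprecated in favour of dh_prep at this compat level, "export DH_COMPAT=8" duplicates debian/compat, and the header comments still describe the sample rules file for "a hypothetical package" with an architecture-dependent part that this package does not have.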
35 debian/templates
@@ -0,0 +1,35 @@
+Template: shared/ldapns/ldap-server
+Type: string
+Default: 10.16.1.1
+_Description: LDAP Server host.
+ The address of the LDAP server used.
+ Note: It is always a good idea to use an IP address, it reduces risks of failure.
+
+Template: shared/ldapns/base-dn
+Type: string
+Default: dc=linuxmuster,dc=local
+_Description: The distinguished name of the search base.
+
+Template: linuxmuster-client/template_user
+Type: string
+Default: linuxadmin
+_Description: Login name of template user.
+ Template user from who certain profile directories were copied to the user's home.
+
+Template: linuxmuster-client/firefox
+Type: boolean
+Default: false
+_Description: Copy initial Firefox profile to user's home?
+
+Template: linuxmuster-client/myfiles
+Type: string
+Default: Eigene Dateien
+_Description: Name of the folder which contains the user files.
+ Folder will be created in user's home if it does not exist and linked to the desktop.
+
+Template: linuxmuster-client/apps_basedir
+Type: string
+Default: Einstellungen
+_Description: Name of the folder in user's home which will contain the application settings (Firefox etc.).
+ Folder will be created in user's home if it does not exist.
+
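Review bot: Only shared/ldapns/ldap-server and shared/ldapns/base-dn are passed to db_input in debian/postinst; linuxmuster-client/template_user, linuxmuster-client/firefox, linuxmuster-client/myfiles and linuxmuster-client/apps_basedir are registered here but never asked or read in the files shown, so remove them together with their de.po entries or wire them up. The ldap-server description accepts any "address" while postinst builds "ldap://$IP_NEW/" from the answer without checking it, so either document that only an IPv4 address is accepted or validate the answer before it is used. Prompting belongs in a debian/config script rather than in postinst, so that the questions are asked in the configuration phase.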
297 var/lib/linuxmuster-client/templates/etc/ldap.conf
@@ -0,0 +1,297 @@
+###DEBCONF###
+##
+## Configuration of this file will be managed by debconf as long as the
+## first line of the file says '###DEBCONF###'
+##
+## You should use dpkg-reconfigure to configure this file via debconf
+##
+
+#
+# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base @@basedn@@
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://@@serverip@@/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with.
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/ldap.secret (mode 600)
+#rootbinddn cn=manager,dc=padl,dc=com
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+pam_password md5
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service.
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password clear_remove_old
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd ou=People,dc=padl,dc=com?one
+#nss_base_shadow ou=People,dc=padl,dc=com?one
+#nss_base_group ou=Group,dc=padl,dc=com?one
+#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
+#nss_base_services ou=Services,dc=padl,dc=com?one
+#nss_base_networks ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute rfc2307attribute mapped_attribute
+#nss_map_objectclass rfc2307objectclass mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+tls_checkpeer no
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
+# SASL mechanism for PAM authentication - use is experimental
+# at present and does not support password policy control
+#pam_sasl_mech DIGEST-MD5
+nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,saned,sshd,sync,sys,syslog,uucp,vboxadd,www-data
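Review bot: "tls_checkpeer no" in the OpenLDAP SSL options, combined with "ssl start_tls", means pam_ldap and nss_ldap encrypt the connection but accept any server certificate, so the client cannot tell the real directory at @@serverip@@ from another host answering on that address; set "tls_checkpeer yes" and distribute the server's CA certificate through "tls_cacertfile". "pam_password md5" sits directly under the comment block that describes not hashing the password at all, so the comment and the setting disagree; state which behaviour is intended, and consider "pam_password exop" so the server applies its own hashing policy. The "uri ldap://@@serverip@@/" line was inserted in the middle of the comment sentence "Another way to specify your LDAP server is to provide an", which should be restored around it.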
5 var/lib/linuxmuster-client/templates/etc/lightdm/lightdm.conf
@@ -0,0 +1,5 @@
+[SeatDefaults]
+greeter-session=unity-greeter
+user-session=ubuntu
+allow-guest=false
+greeter-hide-users=true
20 var/lib/linuxmuster-client/templates/etc/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat ldap
+group: compat ldap
+shadow: compat
+
+hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
26 var/lib/linuxmuster-client/templates/etc/pam.d/common-account
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 default=ignore] pam_ldap.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
29 var/lib/linuxmuster-client/templates/etc/pam.d/common-auth
@@ -0,0 +1,29 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so use_first_pass
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
+
+auth optional pam_group.so
+
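Review bot: "auth optional pam_group.so" is appended after the "end of pam-auth-update config" marker, so every service that includes common-auth receives the session-based group grants from /etc/security/group.conf, and the login template in this change still has its own "auth optional pam_group.so" right after "@include common-auth", which runs the module twice for that service. Keep the line in the per-service files that need it (login, lightdm) instead of common-auth; the warning at the top of the shipped group.conf about session-granted group membership applies to every service where the module is enabled. The header also says the file is managed by pam-auth-update while postinst overwrites it from this template, so a later pam-auth-update run can undo these edits; shipping a profile under /usr/share/pam-configs would survive that.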
23 var/lib/linuxmuster-client/templates/etc/pam.d/common-pammount
@@ -0,0 +1,23 @@
+# Include this file in every /etc/pam.d/SERVICE you use for login:
+# [...]
+# @include common-auth
+# @include common-session
+# [...]
+# # added for libpam-mount
+# @include common-pammount
+#
+# Make sure that the common-auth and common-session includes are
+# above the common-pammount include (just as in the example above).
+
+# replace "optional" with "required" if a user must mount the specified
+# volumes, for example the home directory
+
+# make sure that there is no PAM module loaded with a "sufficient"
+# priority before these entries, else the pam_mount module is not
+# executed
+
+# for configuration details about different login programs see
+# /usr/share/doc/libpam-mount/README.Debian.gz
+#
+# Diese Datei ist leer
+
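Review bot: The file consists of comments only (the last one, "Diese Datei ist leer", means "this file is empty"), yet the lightdm and login templates both "@include common-pammount" and debian/control depends on libpam-mount and smbfs; either add the pam_mount lines or drop the includes and the two dependencies, so the package does not pull in a mount helper that it never configures. The closing comment should be in English like the rest of the file.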
34 var/lib/linuxmuster-client/templates/etc/pam.d/common-password
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password [success=2 default=ignore] pam_unix.so obscure sha512
+password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
29 var/lib/linuxmuster-client/templates/etc/pam.d/common-session
@@ -0,0 +1,29 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# im auth paket: benutzerhome wird beim anmelden aus /etc/skel angelegt
+session required pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_ldap.so
+session optional pam_ck_connector.so nox11
+# end of pam-auth-update config
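Review bot: "pam_mkhomedir.so skel=/etc/skel umask=0022" in the "Additional" block creates each new home directory with mode 0755, readable by every other account that logs in on the same client; use "umask=0077" unless world-readable homes are intended. The line also sits inside the block that ends at "end of pam-auth-update config", which pam-auth-update regenerates, so it should come from a pam-configs profile rather than a hand-edited copy, and the German comment above it should be in English like the rest of the file.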
15 var/lib/linuxmuster-client/templates/etc/pam.d/lightdm
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth required pam_env.so readenv=1
+auth required pam_env.so readenv=1 envfile=/etc/default/locale
+#auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
+@include common-auth
+auth optional pam_gnome_keyring.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_limits.so
+@include common-session
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session optional pam_gnome_keyring.so auto_start
+@include common-password
+@include common-pammount
91 var/lib/linuxmuster-client/templates/etc/pam.d/login
@@ -0,0 +1,91 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain. (When SELinux
+# is disabled, this returns success.)
+session required pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
+@include common-pammount
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this. (When
+# SELinux is disabled, this returns success.)
+session required pam_selinux.so open
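Review bot: the `@include common-pammount` line, placed after `@include common-password` near the end of the file, is the only stanza here without an explanatory comment, although every other stanza has one. Please add a comment saying which module types (auth, session) that file contributes and why it is included last, because any auth lines in it would be evaluated after `auth optional pam_group.so`, and its session lines run before `pam_selinux.so open`. Also confirm that the package installs `common-pammount` itself, since the login stack now depends on that file being present.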
View
63 var/lib/linuxmuster-client/templates/etc/security/group.conf
@@ -0,0 +1,63 @@
+##
+## Note, to get this to work as it is currently typed you need
+##
+## 1. to run an application as root
+## 2. add the following groups to the /etc/group file:
+## floppy, games, sound
+##
+#
+# *** Please note that giving group membership on a session basis is
+# *** NOT inherently secure. If a user can create an executable that
+# *** is setgid a group that they are infrequently given membership
+# *** of, they can basically obtain group membership any time they
+# *** like. Example: games are allowed between the hours of 6pm and 6am
+# *** user joe logs in at 7pm writes a small C-program toplay.c that
+# *** invokes their favorite shell, compiles it and does
+# *** "chgrp games toplay; chmod g+s toplay". They are basically able
+# *** to play games any time... You have been warned. AGM
+#
+# this is an example configuration file for the pam_group module. Its
+# syntax is based on that of the pam_time module and (at some point in
+# the distant past was inspired by the 'shadow' package)
+#
+# the syntax of the lines is as follows:
+#
+# services;ttys;users;times;groups
+#
+# white space is ignored and lines maybe extended with '\\n' (escaped
+# newlines). From reading these comments, it is clear that
+# text following a '#' is ignored to the end of the line.
+#
+# the first four fields are described in the pam_time directory.
+# The only difference for these is how the time field is interpretted:
+# it is used to indicate "when" these groups are to be given to the user.
+#
+# groups
+# The (comma or space separated) list of groups that the user
+# inherits membership of. These groups are added if the previous
+# fields are satisfied by the user's request
+#
+
+#
+# Here is a simple example: running 'xsh' on tty* (any ttyXXX device),
+# the user 'us' is given access to the floppy (through membership of
+# the floppy group)
+#
+
+#xsh;tty*&!ttyp*;us;Al0000-2400;floppy
+# another example: running 'xsh' on tty* (any ttyXXX device),
+# the user 'sword' is given access to games (through membership of
+# the sound and play group) after work hours. (The games group owns
+# high-score files and so on, so don't ever give users access to it.)
+#
+
+#xsh; tty* ;sword;!Wk0900-1800;sound, play
+#xsh; tty* ;*;Al0900-1800;floppy
+
+*;*;*;Al0000-2400;dialout,cdrom,floppy,audio,dip,video,plugdev
+*;*;@@administrator@@;Al0000-2400;adm,admin,lpadmin
+*;*;@@pgmadmin@@;Al0000-2400;adm,admin,lpadmin
+
+#
+# End of group.conf file
+#
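Review bot: the active rule `*;*;*;Al0000-2400;dialout,cdrom,floppy,audio,dip,video,plugdev` uses wildcards for service, tty and user. It therefore hands device groups to every account on every PAM service that calls pam_group, at all hours, not only to local console logins. The warning at the top of this same file explains why session-granted groups are hard to take back: a user can leave behind a setgid executable. Consider narrowing the first two fields to the services and ttys that are actually local. The two `@@administrator@@` and `@@pgmadmin@@` rules grant `adm,admin,lpadmin` with the same wildcards, and they rely on the placeholders being substituted before the file is installed. A short comment stating what performs that substitution, and what happens if it does not run, would help.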
View
4 var/lib/linuxmuster-client/templates/etc/udev/rules.d/70-persistent-net.rules
@@ -0,0 +1,4 @@
+# This file was automatically generated by the /lib/udev/write_net_rules
+# program, probably run by the persistent-net-generator.rules rules file.
+#
+# You can modify it, as long as you keep each rule on a single line.
View
20 var/lib/linuxmuster-client/templates/etc/udev/rules.d/75-persistent-net-generator.rules
@@ -0,0 +1,20 @@
+# these rules generate rules for persistent network device naming
+
+#ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*|ath*|wlan*|ra*|sta*" \
+ NAME!="?*", DRIVERS=="?*", GOTO="persistent_net_generator_do"
+
+GOTO="persistent_net_generator_end"
+LABEL="persistent_net_generator_do"
+
+# build device description string to add a comment the generated rule
+SUBSYSTEMS=="pci", ENV{COMMENT}="PCI device $attr{vendor}:$attr{device} ($attr{driver})"
+SUBSYSTEMS=="usb", ENV{COMMENT}="USB device 0x$attr{idVendor}:0x$attr{idProduct} ($attr{driver})"
+SUBSYSTEMS=="ieee1394", ENV{COMMENT}="Firewire device $attr{host_id})"
+SUBSYSTEMS=="xen", ENV{COMMENT}="Xen virtual device"
+ENV{COMMENT}=="", ENV{COMMENT}="$env{SUBSYSTEM} device ($attr{driver})"
+
+IMPORT{program}="write_net_rules $attr{address}"
+ENV{INTERFACE_NEW}=="?*", NAME="$env{INTERFACE_NEW}"
+
+LABEL="persistent_net_generator_end"
+
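Review bot: only the first physical line of the continued match rule is commented out (`#ACTION=="add", SUBSYSTEM=="net", ... \`). The continuation line ` NAME!="?*", DRIVERS=="?*", GOTO="persistent_net_generator_do"` is still active. If udev does not honour the trailing backslash on a comment line, that second line is parsed as a rule of its own, without the ACTION, SUBSYSTEM and KERNEL conditions. It would then jump past the unconditional `GOTO="persistent_net_generator_end"` into the `write_net_rules` block, which is the opposite of disabling the generator. Comment out both lines, or delete the pair and keep only the unconditional GOTO, and add a comment saying that the generator is disabled on purpose.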
