-rw-r--r-- | .SRCINFO | 79 | ||||
-rw-r--r-- | 0001-platform-add-Arch-Linux-platform.patch | 205 | ||||
-rw-r--r-- | 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch | 39 | ||||
-rw-r--r-- | 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch | 29 | ||||
-rw-r--r-- | PKGBUILD | 168 | ||||
-rw-r--r-- | archlinux.patch | 376 | ||||
-rw-r--r-- | freeipa-client.install | 4 | ||||
-rwxr-xr-x | sss-auth-setup.py | 338 |
8 files changed, 454 insertions, 784 deletions
@@ -1,6 +1,6 @@ pkgbase = freeipa pkgdesc = The Identity, Policy and Audit system - pkgver = 4.2.3 + pkgver = 4.4.0 pkgrel = 1 url = http://www.freeipa.org/ arch = i686 @@ -18,13 +18,12 @@ pkgbase = freeipa makedepends = python2 makedepends = python2-ldap makedepends = python2-setuptools - makedepends = python2-krbv makedepends = python2-nss - makedepends = python2-cryptography + makedepends = python2-cryptography>=0.9 makedepends = python2-netaddr - makedepends = python2-kerberos>=1.1 - makedepends = sssd>=1.13.1 + makedepends = python2-gssapi>=1.1.2 makedepends = python2-memcached + makedepends = sssd>=1.14.0 makedepends = python2-lxml makedepends = python2-pyasn1>=0.0.9a makedepends = python2-qrcode 
@@ -32,21 +31,28 @@ pkgbase = freeipa makedepends = systemd makedepends = libunistring makedepends = python2-yubico>=1.2.3 - source = http://freeipa.org/downloads/src/freeipa-4.2.3.tar.gz - source = sss-auth-setup.py - source = archlinux.patch - sha256sums = 7b0e5cb834c6ca36bfe464ec4c6a226e44ce1948edd74b7c4344f43e75d9a133 - sha256sums = 012a11cdc42e0eb072eec3dd988fa910964f355ec2ae6b67ead373ad69e84e3e - sha256sums = 3e237f89fe2d806cdc2e4694233d0e01e01996aa41036dd520b99cb6dae71eed + makedepends = python2-six + makedepends = ding-libs>=0.5.0 + makedepends = python2-dbus + makedepends = python2-netifaces + source = http://freeipa.org/downloads/src/freeipa-4.4.0.tar.gz + source = 0001-platform-add-Arch-Linux-platform.patch + source = 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch + source = 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch + sha256sums = 5d846bbeb5bfe9121bd8e472385552a9ded5868d2d44e94cbe0ad9191a439b49 + sha256sums = de0de8d251fd93254518228d4aa82a01ec1bdce7741289a41de9ec694176ebe7 + sha256sums = 7cebbb95f71abe30f9f206129968341553ff688a4ce3c0bbf3ddb8219b2a799e + sha256sums = 5bb4e6ed7aa6d28ad1e8db93fb0f0a85c366bd6be3b2346891346de6ba33baee -pkgname = freeipa-python +pkgname = python2-ipalib pkgdesc = Python libraries used by IPA - depends = python2-kerberos>=1.1 + arch = any + depends = freeipa-common=4.4.0-1 + depends = python2-gssapi>=1.1.2 depends = gnupg - depends = iproute2 depends = keyutils depends = python2-nss>=0.16 - depends = python2-cryptography + depends = python2-cryptography>=0.9 depends = python2-lxml depends = python2-netaddr depends = sssd 
@@ -54,36 +60,63 @@ pkgname = freeipa-python depends = python2-pyasn1 depends = python2-dateutil depends = python2-yubico>=1.2.3 - depends = wget depends = python2-dbus depends = python2-setuptools + depends = python2-six + depends = python2-ldap>=2.4.15 + depends = python2-dnspython>=1.11.1 + depends = python2-netifaces>=0.10.4 + depends = python2-pyusb + provides = python2-ipapython=4.4.0-1 + provides = python2-ipaplatform=4.4.0-1 + conflicts = freeipa-python + replaces = freeipa-python + +pkgname = python2-ipaclient + pkgdesc = Python libraries used by IPA client + arch = any + depends = freeipa-client-common=4.4.0-1 + depends = freeipa-common=4.4.0-1 + depends = python2-ipalib=4.4.0-1 + depends = python2-dnspython>=1.11.1 + +pkgname = freeipa-common + pkgdesc = Common files used by IPA + arch = any + conflicts = freeipa-python + replaces = freeipa-python + +pkgname = freeipa-client-common + pkgdesc = Common files used by IPA client + arch = any pkgname = freeipa-client pkgdesc = IPA authentication for use on clients install = freeipa-client.install - depends = freeipa-python=4.2.3-1 + depends = freeipa-client-common=4.4.0-1 + depends = freeipa-common=4.4.0-1 + depends = python2-ipaclient=4.4.0-1 depends = python2-ldap depends = cyrus-sasl-gssapi depends = ntp depends = krb5 + depends = authconfig depends = pam-krb5 depends = curl>=7.21.7 depends = xmlrpc-c>=1.27.4 - depends = sssd>=1.13.1 + depends = sssd>=1.14.0 depends = certmonger>=0.78 depends = nss depends = bind-tools depends = oddjob - depends = python2-krbv - depends = python2-dnspython>=1.11.1 + depends = python2-gssapi>=1.1.2 depends = autofs depends = nfsidmap depends = nfs-utils pkgname = freeipa-admintools pkgdesc = IPA administrative tools - depends = freeipa-python=4.2.3-1 - depends = freeipa-client=4.2.3-1 - depends = python2-krbv + arch = any + depends = python2-ipaclient=4.4.0-1 depends = python2-ldap 
diff --git a/0001-platform-add-Arch-Linux-platform.patch b/0001-platform-add-Arch-Linux-platform.patch
new file mode 100644
index 000000000000..167445accbe9
--- /dev/null
+++ b/0001-platform-add-Arch-Linux-platform.patch
@@ -0,0 +1,205 @@ +From 466e2dde63b1247902de1bbfa28628f4b875c61e Mon Sep 17 00:00:00 2001 +From: Xiao-Long Chen <chenxiaolong@cxl.epac.to> +Date: Wed, 16 Apr 2014 19:31:08 -0400 +Subject: [PATCH 1/3] platform: add Arch Linux platform + +This patch has been adapted from the patches provided with freeipa package +in the Arch User Repository (AUR). + +Signed-off-by: Jan Cholasta <jcholast@redhat.com> +--- + client/man/ipa-client-automount.1 | 4 ++-- + client/man/ipa-client-install.1 | 4 ++-- + ipaplatform/archlinux/__init__.py | 3 +++ + ipaplatform/archlinux/constants.py | 12 ++++++++++++ + ipaplatform/archlinux/paths.py | 22 ++++++++++++++++++++++ + ipaplatform/archlinux/services.py | 38 ++++++++++++++++++++++++++++++++++++++ + ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++ + ipaplatform/setup.py.in | 1 + + 8 files changed, 96 insertions(+), 4 deletions(-) + create mode 100644 ipaplatform/archlinux/__init__.py + create mode 100644 ipaplatform/archlinux/constants.py + create mode 100644 ipaplatform/archlinux/paths.py + create mode 100644 ipaplatform/archlinux/services.py + create mode 100644 ipaplatform/archlinux/tasks.py + +diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 +index 5b60503..16ccbea 100644 +--- a/client/man/ipa-client-automount.1 ++++ b/client/man/ipa-client-automount.1 +@@ -29,7 +29,7 @@ The automount configuration consists of three files: + .IP o + /etc/nsswitch.conf + .IP o +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + .IP o + /etc/autofs_ldap_auth.conf + +@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default): + .TP + Files that will be configured when using the ldap automount client: + +-/etc/sysconfig/autofs ++/etc/conf.d/autofs + + /etc/autofs_ldap_auth.conf + +diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 +index 7f490d1..5f0c379 100644 +--- a/client/man/ipa-client-install.1 ++++ b/client/man/ipa-client-install.1 +@@ -257,7 +257,7 @@ 
Files replaced if NTP is enabled: + + /etc/ntp.conf + .br +-/etc/sysconfig/ntpd ++/etc/conf.d/ntpd.conf + .br + /etc/ntp/step\-tickers + .TP +@@ -279,7 +279,7 @@ Files updated, existing content is maintained: + .br + /etc/krb5.keytab + .br +-/etc/sysconfig/network ++/etc/hostname + .SH "EXIT STATUS" + 0 if the installation was successful + +diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py +new file mode 100644 +index 0000000..9da42e7 +--- /dev/null ++++ b/ipaplatform/archlinux/__init__.py +@@ -0,0 +1,3 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# +diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py +new file mode 100644 +index 0000000..148abd8 +--- /dev/null ++++ b/ipaplatform/archlinux/constants.py +@@ -0,0 +1,12 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat.constants import RedHatConstantsNamespace ++ ++ ++class ArchLinuxConstantsNamespace(RedHatConstantsNamespace): ++ pass ++ ++ ++constants = ArchLinuxConstantsNamespace() +diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py +new file mode 100644 +index 0000000..a7b8ea7 +--- /dev/null ++++ b/ipaplatform/archlinux/paths.py +@@ -0,0 +1,22 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat.paths import RedHatPathNamespace ++ ++ ++class ArchLinuxPathNamespace(RedHatPathNamespace): ++ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf" ++ CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" ++ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf" ++ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf" ++ SYSCONFIG_AUTOFS = "/etc/default/autofs" ++ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = ( ++ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit") ++ DOGTAG_IPA_RENEW_AGENT_SUBMIT = ( ++ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit") ++ IPA_SERVER_GUARD = 
"/usr/lib/certmonger/certmonger/ipa-server-guard" ++ LIB64_FIREFOX = "/usr/lib/firefox" ++ ++ ++paths = ArchLinuxPathNamespace() +diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py +new file mode 100644 +index 0000000..c0fb6fb +--- /dev/null ++++ b/ipaplatform/archlinux/services.py +@@ -0,0 +1,38 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.redhat.services import (RedHatService, ++ redhat_service_class_factory, ++ RedHatServices, ++ RedHatSSHService, ++ redhat_system_units, ++ timedate_services) ++ ++archlinux_system_units = dict(redhat_system_units) ++archlinux_system_units['messagebus'] = 'dbus.service' ++archlinux_system_units['rpcgssd'] = 'rpc-gssd.service' ++archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service' ++ ++ ++class ArchLinuxService(RedHatService): ++ system_units = archlinux_system_units ++ ++ ++class ArchLinuxSSHService(ArchLinuxService, RedHatSSHService): ++ pass ++ ++ ++def archlinux_service_class_factory(name): ++ if name == 'sshd': ++ return ArchLinuxSSHService(name) ++ return ArchLinuxService(name) ++ ++ ++class ArchLinuxServices(RedHatServices): ++ def service_class_factory(self, name): ++ return archlinux_service_class_factory(name) ++ ++ ++service = archlinux_service_class_factory ++knownservices = ArchLinuxServices() +diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py +new file mode 100644 +index 0000000..cae3245 +--- /dev/null ++++ b/ipaplatform/archlinux/tasks.py +@@ -0,0 +1,16 @@ ++# ++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license ++# ++ ++from ipaplatform.archlinux.paths import paths ++from ipaplatform.redhat.tasks import RedHatTaskNamespace ++ ++ ++class ArchLinuxTaskNamespace(RedHatTaskNamespace): ++ def restore_network_configuration(self, fstore, statestore): ++ filepath = paths.ETC_HOSTNAME ++ if fstore.has_file(filepath): ++ fstore.restore_file(filepath) ++ ++ ++tasks = ArchLinuxTaskNamespace() 
+diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in +index 11bb757..2d355fc 100644 +--- a/ipaplatform/setup.py.in ++++ b/ipaplatform/setup.py.in +@@ -65,6 +65,7 @@ def setup_package(): + classifiers=[line for line in CLASSIFIERS.split('\n') if line], + package_dir = {'ipaplatform': ''}, + packages = ["ipaplatform", ++ "ipaplatform.archlinux", + "ipaplatform.base", + "ipaplatform.fedora", + "ipaplatform.redhat", +-- +2.7.4 + diff --git a/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch new file mode 100644 index 000000000000..67f6fb8a6e9e --- /dev/null +++ b/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch @@ -0,0 +1,39 @@ +From 4efe2cba72d317a03abad3869532d97e1f0259a6 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta <jcholast@redhat.com> +Date: Tue, 2 Aug 2016 12:56:44 +0200 +Subject: [PATCH 2/3] dogtag, vault: do not import `pki` in makeapi + +--- + ipaserver/plugins/dogtag.py | 2 +- + ipaserver/plugins/vault.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index aef1e88..53c3270 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -253,7 +253,7 @@ import ipapython.cookie + from ipapython import dogtag + from ipapython import ipautil + +-if api.env.in_server: ++if not api.env.validate_api: + import pki + from pki.client import PKIConnection + import pki.crypto as cryptoutil +diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py +index c9b7cb9..52cbf17 100644 +--- a/ipaserver/plugins/vault.py ++++ b/ipaserver/plugins/vault.py +@@ -35,7 +35,7 @@ from ipalib import _, ngettext + from ipapython import kerberos + from ipapython.dn import DN + +-if api.env.in_server: ++if not api.env.validate_api: + import pki.account + import pki.key + +-- +2.7.4 + 
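Review bot: The new ipaplatform/archlinux/paths.py sets `SYSCONFIG_AUTOFS = "/etc/default/autofs"`, while the man-page edits carried in the same patch (ipa-client-automount.1) tell the administrator that `/etc/conf.d/autofs` is the file ipa-client-automount configures; the two cannot both be right. If the installer writes the LDAP automount settings to a file the autofs unit on this platform does not read, the automount setup fails silently, so either the constant or the man page should be corrected to whichever file Arch's autofs actually sources, e.g. `SYSCONFIG_AUTOFS = "/etc/conf.d/autofs"` if the man page is the authority. The new `CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"` override has no counterpart in the archlinux.patch this commit deletes, so it presumably reflects a 4.4 path change; a one-line comment saying which certmonger helper directory it targets would help the next rebase.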
diff --git a/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch new file mode 100644 index 000000000000..3377bb665e39 --- /dev/null +++ b/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch @@ -0,0 +1,29 @@ +From 124251f2d4bb915d69ef9e11e61494a27ef5b370 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta <jcholast@redhat.com> +Date: Tue, 2 Aug 2016 13:49:36 +0200 +Subject: [PATCH 3/3] client install: do not assume /etc/krb5.conf.d exists + +--- + client/ipa-client-install | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/client/ipa-client-install b/client/ipa-client-install +index cee202f..12c6153 100755 +--- a/client/ipa-client-install ++++ b/client/ipa-client-install +@@ -1066,8 +1066,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, + krbconf.setIndent((""," "," ")) + + opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, +- {'name':'empty', 'type':'empty'}, +- {'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}] ++ {'name':'empty', 'type':'empty'}] ++ ++ if os.path.exists(paths.COMMON_KRB5_CONF_DIR): ++ opts.append({'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}) + + # SSSD include dir + if options.sssd: +-- +2.7.4 + @@ -2,8 +2,13 @@ # Contributor: Xiao-Long Chen <chenxiaolong@cxl.epac.to> pkgbase=freeipa -pkgname=(freeipa-python freeipa-client freeipa-admintools) -pkgver=4.2.3 +pkgname=(python2-ipalib + python2-ipaclient + freeipa-common + freeipa-client-common + freeipa-client + freeipa-admintools) +pkgver=4.4.0 pkgrel=1 pkgdesc='The Identity, Policy and Audit system' arch=('i686' 'x86_64') 
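Review bot: The new `if os.path.exists(paths.COMMON_KRB5_CONF_DIR):` guard in configure_krb5_conf has no comment explaining why the includedir became conditional, and the commit message is the only place the reason lives. A short comment above the check, `# Not every platform ships /etc/krb5.conf.d (e.g. Arch Linux); only emit the includedir when the directory is present`, would keep the intent with the code; whether libkrb5 rejects a krb5.conf whose includedir is missing, or merely ignores it, is not visible here and worth stating in that comment once confirmed. The appended `opts.append({...})` line is well over the line length used elsewhere in the hunk and could be split across lines like the list literal above it. configure_krb5_conf's body continues outside the hunk.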
@@ -21,33 +26,40 @@ makedepends=('nspr' 'python2' 'python2-ldap' 'python2-setuptools' - 'python2-krbv' 'python2-nss' - 'python2-cryptography' + 'python2-cryptography>=0.9' 'python2-netaddr' - 'python2-kerberos>=1.1' - 'sssd>=1.13.1' + 'python2-gssapi>=1.1.2' 'python2-memcached' + 'sssd>=1.14.0' 'python2-lxml' 'python2-pyasn1>=0.0.9a' 'python2-qrcode' 'python2-dnspython>=1.11.1' 'systemd' 'libunistring' - 'python2-yubico>=1.2.3') + 'python2-yubico>=1.2.3' + 'python2-six' + 'ding-libs>=0.5.0' + 'python2-dbus' + 'python2-netifaces') source=("http://freeipa.org/downloads/src/freeipa-$pkgver.tar.gz" - sss-auth-setup.py - archlinux.patch) -sha256sums=('7b0e5cb834c6ca36bfe464ec4c6a226e44ce1948edd74b7c4344f43e75d9a133' - '012a11cdc42e0eb072eec3dd988fa910964f355ec2ae6b67ead373ad69e84e3e' - '3e237f89fe2d806cdc2e4694233d0e01e01996aa41036dd520b99cb6dae71eed') + 0001-platform-add-Arch-Linux-platform.patch + 0002-dogtag-vault-do-not-import-pki-in-makeapi.patch + 0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch) +sha256sums=('5d846bbeb5bfe9121bd8e472385552a9ded5868d2d44e94cbe0ad9191a439b49' + 'de0de8d251fd93254518228d4aa82a01ec1bdce7741289a41de9ec694176ebe7' + '7cebbb95f71abe30f9f206129968341553ff688a4ce3c0bbf3ddb8219b2a799e' + '5bb4e6ed7aa6d28ad1e8db93fb0f0a85c366bd6be3b2346891346de6ba33baee') prepare() { cd "${pkgbase}-${pkgver}" rm -rf ipaplatform/archlinux - patch -p1 <"$srcdir"/archlinux.patch + patch -p1 <"$srcdir"/0001-platform-add-Arch-Linux-platform.patch + patch -p1 <"$srcdir"/0002-dogtag-vault-do-not-import-pki-in-makeapi.patch + patch -p1 <"$srcdir"/0003-client-install-do-not-assume-etc-krb5.conf.d-exists.patch } build() { 
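Review bot: The new sha256sums entries are the only integrity check on the upstream tarball, and the `source=` line the hunk keeps still fetches it over plain `http://`, so a network-level substitution is detected only if the maintainer computed the checksum from a known-good copy. Switching the URL to `https://freeipa.org/downloads/src/freeipa-$pkgver.tar.gz` costs nothing, and if upstream publishes a detached signature for the release, adding the `.asc` file to `source=` together with `validpgpkeys=('<upstream-release-key-fingerprint>')` lets makepkg verify provenance rather than just a hash the same file ships with. The three local patch files are checksummed too, which is fine, but their hashes will need updating every time the patches are edited.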
@@ -67,30 +79,35 @@ build() { rm -f ipaplatform/paths.py rm -f ipaplatform/constants.py make version-update - cd ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd .. + cd client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --sbindir=/usr/bin; cd .. make IPA_VERSION_IS_GIT_SNAPSHOT=no client make client-install DESTDIR="$PWD"/_install + # Switch shebang of /usr/bin/ipa + # XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2 + # in any case + sed -i -e'1s/python\(3\|$\)/python2/' _install/usr/bin/ipa + mkdir -p _install/usr/share/ipa mkdir -p _install/etc/ipa/ mkdir -p _install/etc/ipa/nssdb - mkdir -p _install/etc/ipa/dnssec mkdir -p _install/var/lib/ipa-client/sysrestore mkdir -p _install/etc/bash_completion.d install -pm 644 contrib/completion/ipa.bash_completion _install/etc/bash_completion.d/ipa } -package_freeipa-python() { +package_python2-ipalib() { pkgdesc='Python libraries used by IPA' - depends=('python2-kerberos>=1.1' + arch=('any') + depends=("freeipa-common=$pkgver-$pkgrel" + 'python2-gssapi>=1.1.2' 'gnupg' - 'iproute2' 'keyutils' 'python2-nss>=0.16' - 'python2-cryptography' + 'python2-cryptography>=0.9' 'python2-lxml' 'python2-netaddr' 'sssd' @@ -98,9 +115,17 @@ package_freeipa-python() { 'python2-pyasn1' 'python2-dateutil' 'python2-yubico>=1.2.3' - 'wget' 'python2-dbus' - 'python2-setuptools') + 'python2-setuptools' + 'python2-six' + 'python2-ldap>=2.4.15' + 'python2-dnspython>=1.11.1' + 'python2-netifaces>=0.10.4' + 'python2-pyusb') + provides=("python2-ipapython=$pkgver-$pkgrel" + "python2-ipaplatform=$pkgver-$pkgrel") + conflicts=('freeipa-python') + replaces=('freeipa-python') cd "${pkgbase}-${pkgver}" 
@@ -108,43 +133,103 @@ package_freeipa-python() { Contributors.txt local _file - for _file in _install/usr/share/locale/*/*/ipa.mo \ - _install/usr/lib/python2.*/site-packages/ipapython \ + for _file in _install/usr/lib/python2.*/site-packages/ipapython \ _install/usr/lib/python2.*/site-packages/ipalib \ _install/usr/lib/python2.*/site-packages/ipaplatform \ - _install/usr/lib/python2.*/site-packages/default_encoding_utf8.so \ - _install/usr/lib/python2.*/site-packages/_ipap11helper.so \ _install/usr/lib/python2.*/site-packages/ipapython-*.egg-info \ - _install/usr/lib/python2.*/site-packages/freeipa-*.egg-info \ - _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info \ - _install/usr/lib/python2.*/site-packages/python_default_encoding-*.egg-info \ - _install/usr/lib/python2.*/site-packages/_ipap11helper-*.egg-info \ - _install/etc/ipa/nssdb \ - _install/etc/ipa/dnssec + _install/usr/lib/python2.*/site-packages/ipalib-*.egg-info \ + _install/usr/lib/python2.*/site-packages/ipaplatform-*.egg-info + do + _file="${_file#_install/}" + mkdir -p "$pkgdir"/"${_file%/*}" + mv _install/"$_file" "$pkgdir"/"$_file" + done +} + +package_python2-ipaclient() { + pkgdesc='Python libraries used by IPA client' + arch=('any') + depends=("freeipa-client-common=$pkgver-$pkgrel" + "freeipa-common=$pkgver-$pkgrel" + "python2-ipalib=$pkgver-$pkgrel" + 'python2-dnspython>=1.11.1') + + cd "${pkgbase}-${pkgver}" + + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + Contributors.txt + + local _file + for _file in _install/usr/lib/python2.*/site-packages/ipaclient \ + _install/usr/lib/python2.*/site-packages/ipaclient-*.egg-info + do + _file="${_file#_install/}" + mkdir -p "$pkgdir"/"${_file%/*}" + mv _install/"$_file" "$pkgdir"/"$_file" + done +} + +package_freeipa-common() { + pkgdesc='Common files used by IPA' + arch=('any') + conflicts=('freeipa-python') + replaces=('freeipa-python') + + cd "${pkgbase}-${pkgver}" + + install -D -m644 
-t"$pkgdir"/usr/share/doc/$pkgname README \ + Contributors.txt + + local _file + for _file in _install/usr/share/locale/*/*/ipa.mo + do + _file="${_file#_install/}" + mkdir -p "$pkgdir"/"${_file%/*}" + mv _install/"$_file" "$pkgdir"/"$_file" + done +} + +package_freeipa-client-common() { + pkgdesc='Common files used by IPA client' + arch=('any') + + cd "${pkgbase}-${pkgver}" + + install -D -m644 -t"$pkgdir"/usr/share/doc/$pkgname README \ + Contributors.txt + + local _file + for _file in _install/etc/ipa/nssdb \ + _install/usr/share/ipa \ + _install/var/lib/ipa-client/sysrestore \ + _install/usr/share/man/man5/default.conf.5.gz do _file="${_file#_install/}" mkdir -p "$pkgdir"/"${_file%/*}" mv _install/"$_file" "$pkgdir"/"$_file" done + } package_freeipa-client() { pkgdesc='IPA authentication for use on clients' - depends=("freeipa-python=$pkgver-$pkgrel" + depends=("freeipa-client-common=$pkgver-$pkgrel" + "freeipa-common=$pkgver-$pkgrel" + "python2-ipaclient=$pkgver-$pkgrel" 'python2-ldap' 'cyrus-sasl-gssapi' 'ntp' 'krb5' + 'authconfig' 'pam-krb5' 'curl>=7.21.7' 'xmlrpc-c>=1.27.4' - 'sssd>=1.13.1' + 'sssd>=1.14.0' 'certmonger>=0.78' 'nss' 'bind-tools' 'oddjob' - 'python2-krbv' - 'python2-dnspython>=1.11.1' + 'python2-gssapi>=1.1.2' 'autofs' 'nfsidmap' 'nfs-utils') 
@@ -162,30 +247,23 @@ package_freeipa-client() { _install/usr/bin/ipa-getkeytab \ _install/usr/bin/ipa-rmkeytab \ _install/usr/bin/ipa-join \ - _install/usr/share/ipa \ - _install/var/lib/ipa-client/sysrestore \ - _install/usr/lib/python2.*/site-packages/ipaclient \ _install/usr/share/man/man1/ipa-getkeytab.1.gz \ _install/usr/share/man/man1/ipa-rmkeytab.1.gz \ _install/usr/share/man/man1/ipa-client-install.1.gz \ _install/usr/share/man/man1/ipa-client-automount.1.gz \ _install/usr/share/man/man1/ipa-certupdate.1.gz \ - _install/usr/share/man/man1/ipa-join.1.gz \ - _install/usr/share/man/man5/default.conf.5.gz + _install/usr/share/man/man1/ipa-join.1.gz do _file="${_file#_install/}" mkdir -p "$pkgdir"/"${_file%/*}" mv _install/"$_file" "$pkgdir"/"$_file" done - - install -Dm755 "$srcdir"/sss-auth-setup.py "$pkgdir"/usr/bin/sss-auth-setup } package_freeipa-admintools() { pkgdesc="IPA administrative tools" - depends=("freeipa-python=$pkgver-$pkgrel" - "freeipa-client=$pkgver-$pkgrel" - 'python2-krbv' + arch=('any') + depends=("python2-ipaclient=$pkgver-$pkgrel" 'python2-ldap') cd "${pkgbase}-${pkgver}" diff --git a/archlinux.patch b/archlinux.patch deleted file mode 100644 index 5035bf3a90c0..000000000000 --- a/archlinux.patch +++ /dev/null 
@@ -1,376 +0,0 @@ -From 4578e73df81f2edc0e2d1dc6799be54ae4ed6971 Mon Sep 17 00:00:00 2001 -From: Xiao-Long Chen <chenxiaolong@cxl.epac.to> -Date: Wed, 16 Apr 2014 19:31:08 -0400 -Subject: [PATCH] Add Arch Linux Platform - -This patch has been adapted from the patches and sss-auth-setup.py script -provided with freeipa in AUR. - -Signed-off-by: Jan Cholasta <jcholast@redhat.com> ---- - ipa-client/ipa-install/ipa-client-install | 32 ------------------------------- - ipa-client/ipaclient/ipa_certupdate.py | 12 ------------ - ipa-client/ipaclient/ntpconf.py | 6 +++--- - ipa-client/man/ipa-client-automount.1 | 4 ++-- - ipa-client/man/ipa-client-install.1 | 5 ++--- - ipaplatform/archlinux/__init__.py | 3 +++ - ipaplatform/archlinux/authconfig.py | 22 +++++++++++++++++++++ - ipaplatform/archlinux/constants.py | 12 ++++++++++++ - ipaplatform/archlinux/paths.py | 21 ++++++++++++++++++++ - ipaplatform/archlinux/services.py | 29 ++++++++++++++++++++++++++++ - ipaplatform/archlinux/tasks.py | 16 ++++++++++++++++ - ipaplatform/setup.py.in | 1 + - ipapython/certmonger.py | 12 +++--------- - 13 files changed, 114 insertions(+), 61 deletions(-) - create mode 100644 ipaplatform/archlinux/__init__.py - create mode 100644 ipaplatform/archlinux/authconfig.py - create mode 100644 ipaplatform/archlinux/constants.py - create mode 100644 ipaplatform/archlinux/paths.py - create mode 100644 ipaplatform/archlinux/services.py - create mode 100644 ipaplatform/archlinux/tasks.py - -diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install -index 789ff59..1d57245 100755 ---- a/ipa-client/ipa-install/ipa-client-install -+++ b/ipa-client/ipa-install/ipa-client-install -@@ -536,7 +536,6 @@ def uninstall(options, env): - hostname = socket.getfqdn() - - ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) -- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) - - cmonger = services.knownservices.certmonger - if ipa_db.has_nickname('Local IPA host'): -@@ -547,15 +546,6 
@@ def uninstall(options, env): - root_logger.error("%s failed to stop tracking certificate: %s", - cmonger.service_name, e) - -- client_nss_nickname = 'IPA Machine Certificate - %s' % hostname -- if sys_db.has_nickname(client_nss_nickname): -- try: -- certmonger.stop_tracking(paths.NSS_DB_DIR, -- nickname=client_nss_nickname) -- except RuntimeError, e: -- root_logger.error("%s failed to stop tracking certificate: %s", -- cmonger.service_name, e) -- - # Remove our host cert and CA cert - try: - ipa_certs = ipa_db.list_certs() -@@ -570,15 +560,6 @@ def uninstall(options, env): - os.path.join(ipa_db.secdir, 'pwdfile.txt')): - remove_file(filename) - -- for nickname, trust_flags in ipa_certs: -- while sys_db.has_nickname(nickname): -- try: -- sys_db.delete_cert(nickname) -- except Exception, e: -- root_logger.error("Failed to remove %s from %s: %s", -- nickname, sys_db.secdir, e) -- break -- - # Remove any special principal names we added to the IPA CA helper - certmonger.remove_principal_from_cas() - -@@ -2883,19 +2864,6 @@ def install(options, env, fstore, statestore): - # Add the CA certificates to the platform-dependant systemwide CA store - tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) - -- # Add the CA certificates to the default NSS database -- root_logger.debug( -- "Attempting to add CA certificates to the default NSS database.") -- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) -- for cert, nickname, trust_flags in ca_certs_trust: -- try: -- sys_db.add_cert(cert, nickname, trust_flags) -- except CalledProcessError, e: -- root_logger.error( -- "Failed to add %s to the default NSS database.", nickname) -- return CLIENT_INSTALL_ERROR -- root_logger.info("Added CA certificates to the default NSS database.") -- - if not options.on_master: - client_dns(cli_server[0], hostname, options) - configure_certmonger(fstore, subject_base, cli_realm, hostname, -diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py -index 
a953067..4cb8872 100644 ---- a/ipa-client/ipaclient/ipa_certupdate.py -+++ b/ipa-client/ipaclient/ipa_certupdate.py -@@ -94,17 +94,6 @@ class CertUpdate(admintool.AdminTool): - self.update_file(paths.IPA_CA_CRT, certs) - - ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) -- sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) -- -- # Remove IPA certs from /etc/pki/nssdb -- for nickname, trust_flags in ipa_db.list_certs(): -- while sys_db.has_nickname(nickname): -- try: -- sys_db.delete_cert(nickname) -- except ipautil.CalledProcessError, e: -- self.log.error("Failed to remove %s from %s: %s", -- nickname, sys_db.secdir, e) -- break - - # Remove old IPA certs from /etc/ipa/nssdb - for nickname in ('IPA CA', 'External CA cert'): -@@ -117,7 +106,6 @@ class CertUpdate(admintool.AdminTool): - break - - self.update_db(ipa_db.secdir, certs) -- self.update_db(sys_db.secdir, certs) - - tasks.remove_ca_certs_from_systemwide_ca_store() - tasks.insert_ca_certs_into_systemwide_ca_store(certs) -diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py -index 9a7db65..3c26eef 100644 ---- a/ipa-client/ipaclient/ntpconf.py -+++ b/ipa-client/ipaclient/ntpconf.py -@@ -112,9 +112,9 @@ def config_ntp(ntp_servers, fstore = None, sysstore = None): - if os.path.exists(path_step_tickers): - config_step_tickers = True - ns = ipautil.template_str(ntp_step_tickers, sub_dict) -- __backup_config(path_step_tickers, fstore) -- __write_config(path_step_tickers, ns) -- tasks.restore_context(path_step_tickers) -+ #__backup_config(path_step_tickers, fstore) -+ #__write_config(path_step_tickers, ns) -+ #tasks.restore_context(path_step_tickers) - - if sysstore: - module = 'ntp' -diff --git a/ipa-client/man/ipa-client-automount.1 b/ipa-client/man/ipa-client-automount.1 -index 5b60503..16ccbea 100644 ---- a/ipa-client/man/ipa-client-automount.1 -+++ b/ipa-client/man/ipa-client-automount.1 -@@ -29,7 +29,7 @@ The automount configuration consists of three files: - .IP o - /etc/nsswitch.conf - 
.IP o --/etc/sysconfig/autofs -+/etc/conf.d/autofs - .IP o - /etc/autofs_ldap_auth.conf - -@@ -79,7 +79,7 @@ Files that will be configured when SSSD is the automount client (default): - .TP - Files that will be configured when using the ldap automount client: - --/etc/sysconfig/autofs -+/etc/conf.d/autofs - - /etc/autofs_ldap_auth.conf - -diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 -index 0fafd8a..9ffcd05 100644 ---- a/ipa-client/man/ipa-client-install.1 -+++ b/ipa-client/man/ipa-client-install.1 -@@ -235,7 +235,7 @@ Files that will be replaced if they exist and SSSD is not configured (\-\-no\-ss - Files replaced if NTP is enabled: - - /etc/ntp.conf\p --/etc/sysconfig/ntpd\p -+/etc/conf.d/ntpd.conf\p - /etc/ntp/step\-tickers\p - .TP - Files always created (replacing existing content): -@@ -249,9 +249,8 @@ Files always created (replacing existing content): - Files updated, existing content is maintained: - - /etc/nsswitch.conf\p --/etc/pki/nssdb\p - /etc/krb5.keytab\p --/etc/sysconfig/network\p -+/etc/hostname\p - .SH "EXIT STATUS" - 0 if the installation was successful - -diff --git a/ipaplatform/archlinux/__init__.py b/ipaplatform/archlinux/__init__.py -new file mode 100644 -index 0000000..9da42e7 ---- /dev/null -+++ b/ipaplatform/archlinux/__init__.py -@@ -0,0 +1,3 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -diff --git a/ipaplatform/archlinux/authconfig.py b/ipaplatform/archlinux/authconfig.py -new file mode 100644 -index 0000000..620b057 ---- /dev/null -+++ b/ipaplatform/archlinux/authconfig.py -@@ -0,0 +1,22 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.base.authconfig import AuthConfig -+ -+ -+class ArchLinuxAuthConfig(AuthConfig): -+ """ -+ Arch Linux implementation of the AuthConfig class. -+ -+ The freeipa package includes a sss-auth-setup.py Python 2 script which -+ will set up both the NSS and PAM configuration. 
However, this script -+ modifies the PAM configuration files directly, so the changes need to -+ be undone before pacman updates anything in /etc/pam.d/ and if any new -+ configuration files are added. -+ -+ It's probably best to have this handled manually. -+ """ -+ -+ def execute(self): -+ raise NotImplementedError -diff --git a/ipaplatform/archlinux/constants.py b/ipaplatform/archlinux/constants.py -new file mode 100644 -index 0000000..459c22c ---- /dev/null -+++ b/ipaplatform/archlinux/constants.py -@@ -0,0 +1,12 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.base.constants import BaseConstantsNamespace -+ -+ -+class ArchLinuxConstantsNamespace(BaseConstantsNamespace): -+ pass -+ -+ -+constants = ArchLinuxConstantsNamespace() -diff --git a/ipaplatform/archlinux/paths.py b/ipaplatform/archlinux/paths.py -new file mode 100644 -index 0000000..d5b5da5 ---- /dev/null -+++ b/ipaplatform/archlinux/paths.py -@@ -0,0 +1,21 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.redhat.paths import RedHatPathNamespace -+ -+ -+class ArchLinuxPathNamespace(RedHatPathNamespace): -+ AUTOFS_LDAP_AUTH_CONF = "/etc/autofs/autofs_ldap_auth.conf" -+ SYSCONFIG_NFS = "/etc/conf.d/nfs-common.conf" -+ SYSCONFIG_NTPD = "/etc/conf.d/ntpd.conf" -+ SYSCONFIG_AUTOFS = "/etc/default/autofs" -+ DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = ( -+ "/usr/lib/certmonger/certmonger/dogtag-ipa-ca-renew-agent-submit") -+ DOGTAG_IPA_RENEW_AGENT_SUBMIT = ( -+ "/usr/lib/certmonger/certmonger/dogtag-ipa-renew-agent-submit") -+ IPA_SERVER_GUARD = "/usr/lib/certmonger/certmonger/ipa-server-guard" -+ LIB64_FIREFOX = "/usr/lib/firefox" -+ -+ -+paths = ArchLinuxPathNamespace() -diff --git a/ipaplatform/archlinux/services.py b/ipaplatform/archlinux/services.py -new file mode 100644 -index 0000000..4230e62 ---- /dev/null -+++ b/ipaplatform/archlinux/services.py -@@ -0,0 +1,29 @@ -+# -+# Copyright (C) 2015 FreeIPA 
Contributors see COPYING for license -+# -+ -+from ipaplatform.redhat.services import ( -+ redhat_system_units, RedHatService, redhat_service_class_factory, -+ RedHatServices, timedate_services) -+ -+archlinux_system_units = dict(redhat_system_units) -+archlinux_system_units['messagebus'] = 'dbus.service' -+archlinux_system_units['rpcgssd'] = 'rpc-gssd.service' -+archlinux_system_units['rpcidmapd'] = 'rpc-idmapd.service' -+ -+ -+class ArchLinuxService(RedHatService): -+ system_units = archlinux_system_units -+ -+ -+def archlinux_service_class_factory(name): -+ return ArchLinuxService(name) -+ -+ -+class ArchLinuxServices(RedHatServices): -+ def service_class_factory(self, name): -+ return archlinux_service_class_factory(name) -+ -+ -+service = archlinux_service_class_factory -+knownservices = ArchLinuxServices() -diff --git a/ipaplatform/archlinux/tasks.py b/ipaplatform/archlinux/tasks.py -new file mode 100644 -index 0000000..654eb9a ---- /dev/null -+++ b/ipaplatform/archlinux/tasks.py -@@ -0,0 +1,16 @@ -+# -+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license -+# -+ -+from ipaplatform.archlinux.paths import paths -+from ipaplatform.base.tasks import BaseTaskNamespace -+ -+ -+class ArchLinuxTaskNamespace(BaseTaskNamespace): -+ def restore_network_configuration(self, fstore, statestore): -+ filepath = paths.ETC_HOSTNAME -+ if fstore.has_file(filepath): -+ fstore.restore_file(filepath) -+ -+ -+tasks = ArchLinuxTaskNamespace() -diff --git a/ipaplatform/setup.py.in b/ipaplatform/setup.py.in -index 944e686..1fcaab0 100644 ---- a/ipaplatform/setup.py.in -+++ b/ipaplatform/setup.py.in -@@ -66,6 +66,7 @@ def setup_package(): - classifiers=filter(None, CLASSIFIERS.split('\n')), - package_dir = {'ipaplatform': ''}, - packages = ["ipaplatform", -+ "ipaplatform.archlinux", - "ipaplatform.base", - "ipaplatform.fedora", - "ipaplatform.redhat", -diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py -index b376768..b22ce24 100644 ---- 
a/ipapython/certmonger.py -+++ b/ipapython/certmonger.py -@@ -418,7 +418,7 @@ def add_principal_to_cas(principal): - If the hostname we were passed to use in ipa-client-install doesn't - match the value of gethostname() then we need to append - -k host/HOSTNAME@REALM to the ca helper defined for -- /usr/libexec/certmonger/ipa-submit. -+ /usr/lib/certmonger/certmonger/ipa-submit. - - We also need to restore this on uninstall. - """ -@@ -493,18 +493,12 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command, - params['KEY_PIN_FILE'] = os.path.abspath(pinfile) - if pre_command: - if not os.path.isabs(pre_command): -- if sys.maxsize > 2**32L: -- libpath = 'lib64' -- else: -- libpath = 'lib' -+ libpath = 'lib' - pre_command = certmonger_cmd_template % (libpath, pre_command) - params['cert-presave-command'] = pre_command - if post_command: - if not os.path.isabs(post_command): -- if sys.maxsize > 2**32L: -- libpath = 'lib64' -- else: -- libpath = 'lib' -+ libpath = 'lib' - post_command = certmonger_cmd_template % (libpath, post_command) - params['cert-postsave-command'] = post_command - if profile: --- -2.6.4 - diff --git a/freeipa-client.install b/freeipa-client.install index 07a72603e788..d034848e6049 100644 --- a/freeipa-client.install +++ b/freeipa-client.install @@ -20,8 +20,8 @@ post_upgrade() { fi fi - if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then - python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1 + if [ $restore -ge 2 ]; then + python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi # Has the client been configured? diff --git a/sss-auth-setup.py b/sss-auth-setup.py deleted file mode 100755 index 38a0d435b54a..000000000000 --- a/sss-auth-setup.py +++ /dev/null 
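Review bot: The new `python2 -c '... update_ipa_nssdb()'` line in freeipa-client.install redirects with `>` and discards the exit status, so each upgrade truncates /var/log/ipaupgrade.log (losing the previous run's output) and a failed NSS database migration is silently ignored while the package upgrade completes as if it succeeded. Appending and surfacing failure would keep the record and tell the admin what to look at: `python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 ||` followed by `echo "freeipa-client: update_ipa_nssdb failed, see /var/log/ipaupgrade.log" >&2`. Dropping the old `! -f '/etc/ipa/nssdb/cert8.db'` guard appears intended (update rather than create), but a one-line comment above the `if` saying the helper is expected to be idempotent on an already-migrated database would make that explicit. The enclosing `post_upgrade()` function and the assignment of `$restore` are outside this hunk, so whether `$restore` is always a non-empty integer when this test runs cannot be confirmed here.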
@@ -1,338 +0,0 @@ -#!/usr/bin/env python2 - -# Written by: Xiao-Long Chen <chenxiaolong@cxl.epac.to> -# License: GPLv3 - -import base64 -import hashlib -import os -import re -import shutil - -nss_databases = ['passwd', 'group', 'services', 'netgroup', 'automount'] - -PAM_CONFIG_DIR = '/etc/pam.d/' - -def nss_enable_sss(): - if os.path.exists("/etc/nsswitch.conf.sss_tmp"): - os.remove("/etc/nsswitch.conf.sss_tmp") - - # Backup /etc/nsswitch.conf - shutil.copyfile("/etc/nsswitch.conf", "/etc/nsswitch.conf.sss_bak") - - nsswitch_orig = open("/etc/nsswitch.conf", 'r') - nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w') - - while True: - current_line = nsswitch_orig.readline() - if not current_line: - break - - if current_line != '\n' and current_line.split()[0][:-1] in nss_databases: - if "sss" in current_line: - print("sss is already enabled for the NSS " + - current_line.split()[0][:-1] + " database") - else: - print("Enabling sss support for the NSS " + - current_line.split()[0][:-1] + " database...") - if current_line[-1] == '\n': - current_line = current_line[:-1] + " sss\n" - else: - current_line += " sss" - - # Write new file - nsswitch_new.write(current_line) - - nsswitch_orig.close() - nsswitch_new.close() - - # Replace original /etc/nsswitch.conf - shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf") - -def nss_disable_sss(): - if os.path.exists("/etc/nsswitch.conf.sss_tmp"): - os.remove("/etc/nsswitch.conf.sss_tmp") - - nsswitch_orig = open("/etc/nsswitch.conf", 'r') - nsswitch_new = open("/etc/nsswitch.conf.sss_tmp", 'w') - - while True: - current_line = nsswitch_orig.readline() - if not current_line: - break - - if current_line != '\n' and current_line.split()[0][:-1] in nss_databases: - if "sss" in current_line: - print("Disabling sss for the NSS " + - current_line.split()[0][:-1] + " database...") - current_line = re.sub(r"[ \t]+sss[ \t]*", ' ', current_line) - # Remove extra spaces - current_line = re.sub(r"[ \t]+\n", '\n', current_line) 
- - # Write new file - nsswitch_new.write(current_line) - - nsswitch_orig.close() - nsswitch_new.close() - - # Replace original /etc/nsswitch.conf - shutil.move("/etc/nsswitch.conf.sss_tmp", "/etc/nsswitch.conf") - -def pam_check_header(pam_config): - pam_file = open(PAM_CONFIG_DIR + pam_config, 'r') - - inside_header = False - has_header = False - sha512sum = '' - base64enc = '' - returned = None - - while True: - current_line = pam_file.readline() - if not current_line: - break - - if current_line == '\n' or current_line == '# \n': - continue - - if current_line == '# -----BEGIN PAM BACKUP-----\n': - inside_header = True - - elif current_line == '# -----END PAM BACKUP-----\n': - if not inside_header: - # Invalid because the begin line is missing - returned = ('INVALID', None, None) - break - - has_header = True - break - - elif inside_header: - if current_line.startswith('# Hash: '): - sha512sum = current_line[8:-1] - elif current_line.startswith('# Data: '): - base64enc = current_line[8:-1] - else: - # Invalid because unknown data is in the header - returned = ('INVALID', None, None) - break - - pam_file.close() - - if has_header: - if sha512sum == hashlib.sha512(base64.b64decode(base64enc)).hexdigest(): - returned = ('VALID', sha512sum, base64enc) - else: - # Invalid because the checksum of the data does not match the hash - returned = ('INVALID', None, None) - - if not returned: - returned = ('NONE', None, None) - - return returned - -def pam_config_setup(pam_config): - pam_file_orig = open(PAM_CONFIG_DIR + pam_config, 'r') - pam_file_new = open(PAM_CONFIG_DIR + pam_config + '.sss_tmp', 'a') - - while True: - current_line = pam_file_orig.readline() - if not current_line: - break - - if current_line.startswith('#%PAM-1.0'): - continue - - if current_line != '\n' and current_line[0] != '#': - current_line_split = current_line.split() - - # Change 'required' to 'sufficient' for the pam_unix.so module - if current_line_split[2] == "pam_unix.so" and 
current_line_split[1] == "required": - #pam_file_new.write(current_line.replace("required", "sufficient")) - pam_file_new.write(current_line_split[0] + "\t\tinclude\t\tsss\n") - continue - - pam_file_new.write(current_line) - - pam_file_orig.close() - pam_file_new.close() - -def pam_enable_sss(): - print('Enabling sssd support in:') - - rows, columns = os.popen('stty size', 'r').read().split() - columns = int(columns) - 3 - - for fullpath, directories, files in os.walk(PAM_CONFIG_DIR): - files.sort() - for pam_config in files: - if pam_config == 'sss' or pam_config == 'sss.bak' or \ - pam_config.startswith('.') or pam_config.endswith('~'): - continue - - status = pam_check_header(pam_config)[0] - if status == 'NONE': - status_msg = 'done' - elif status == 'VALID': - status_msg = 'already enabled (skipping)' - elif status == 'INVALID': - status_msg = 'invalid backup header (skipping)' - - pam_config_path = PAM_CONFIG_DIR + pam_config - - if status == 'NONE': - pam_file = open(pam_config_path, 'rb') - - raw_content = pam_file.read() - sha512sum = hashlib.sha512(raw_content).hexdigest() - base64enc_raw = base64.b64encode(raw_content) - base64enc = base64enc_raw.decode('ascii') - - pam_file.close() - - tmp_file = open(pam_config_path + '.sss_tmp', 'w') - - tmp_file.write('#%PAM-1.0\n') - tmp_file.write('# -----BEGIN PAM BACKUP-----\n') - tmp_file.write('# Hash: ' + sha512sum + '\n') - tmp_file.write('# \n') - tmp_file.write('# Data: ' + base64enc + '\n') - tmp_file.write('# -----END PAM BACKUP-----\n') - tmp_file.write('\n') - - tmp_file.close() - - pam_config_setup(pam_config) - - shutil.move(pam_config_path + '.sss_tmp', pam_config_path) - - if len(pam_config_path + status_msg) > columns: - print(pam_config_path) - print(('{:>%is} ' % columns + 2).format(status_msg)) - else: - print((' {:<%is}{:>%is} ' % \ - (len(pam_config_path), columns - len(pam_config_path))). 
\ - format(pam_config_path, status_msg)) - - if os.path.exists(PAM_CONFIG_DIR + 'sss'): - print('%ssss already exists. Moving it to %ssss.bak' % \ - (PAM_CONFIG_DIR, PAM_CONFIG_DIR)) - shutil.move(PAM_CONFIG_DIR + 'sss', PAM_CONFIG_DIR + 'sss.bak') - - pam_sss = open(PAM_CONFIG_DIR + 'sss', 'w') - # Auth - pam_sss.write("auth sufficient pam_unix.so nullok try_first_pass\n") - pam_sss.write("auth sufficient pam_sss.so use_first_pass\n") - pam_sss.write("auth required pam_deny.so\n") - # Account - pam_sss.write("account required pam_unix.so\n") - pam_sss.write("#account [default=bad success=ok user_unknown=ignore] pam_sss.so\n") - pam_sss.write("account optional pam_sss.so\n") - # Password - pam_sss.write("password sufficient pam_unix.so try_first_pass nullok sha512 shadow\n") - pam_sss.write("password sufficient pam_sss.so use_authtok\n") - pam_sss.write("password required pam_deny.so\n") - # Session - pam_sss.write("session required pam_unix.so\n") - pam_sss.write("session optional pam_sss.so\n") - pam_sss.close() - -def pam_disable_sss(): - print('Disabling sssd support in:') - - rows, columns = os.popen('stty size', 'r').read().split() - columns = int(columns) - 3 - - for fullpath, directories, files in os.walk(PAM_CONFIG_DIR): - files.sort() - for pam_config in files: - if pam_config == 'sss' or pam_config == 'sss.bak' or \ - pam_config.startswith('.') or pam_config.endswith('~'): - continue - - status, sha512sum, base64enc = pam_check_header(pam_config) - if status == 'NONE': - status_msg = 'already disabled (skipping)' - elif status == 'VALID': - status_msg = 'done' - elif status == 'INVALID': - status_msg = 'invalid backup header (skipping)' - - pam_config_path = PAM_CONFIG_DIR + pam_config - - if status == 'VALID': - pam_file = open(pam_config_path + '.sss_tmp', 'wb') - pam_file.write(base64.b64decode(base64enc)) - pam_file.close() - shutil.move(pam_config_path + '.sss_tmp', pam_config_path) - - if len(pam_config_path + status_msg) > columns: - 
print(pam_config_path) - print(('{:>%is} ' % columns + 2).format(status_msg)) - else: - print((' {:<%is}{:>%is} ' % \ - (len(pam_config_path), columns - len(pam_config_path))). \ - format(pam_config_path, status_msg)) - - if os.path.exists(PAM_CONFIG_DIR + 'sss'): - os.remove(PAM_CONFIG_DIR + 'sss') - -def parse_arguments(): - import argparse - import textwrap - - arg_parser = argparse.ArgumentParser() - arg_parser.formatter_class = argparse.RawDescriptionHelpFormatter - arg_parser.description = textwrap.dedent(""" - Arch Linux sssd authentication setup helper for PAM and NSS - ----------------------------------------------------------- - """) - - nss_group = arg_parser.add_mutually_exclusive_group() - nss_group.add_argument("--enable-nss", - help="Enable support for SSSD in NSS", - action="store_true", - dest="nss_action", - default=None) - nss_group.add_argument("--disable-nss", - help="Disable support for SSSD in NSS", - action="store_false", - dest="nss_action", - default=None) - - pam_group = arg_parser.add_mutually_exclusive_group() - pam_group.add_argument("--enable-pam", - help="Enable support for SSSD in PAM", - action="store_true", - dest="pam_action", - default=None) - pam_group.add_argument("--disable-pam", - help="Disable support for SSSD in PAM", - action="store_false", - dest="pam_action", - default=None) - - args = arg_parser.parse_args() - - if args.nss_action == None and args.pam_action == None: - print("No action given!") - exit(1) - - if os.getuid() != 0: - print("sss-auth-setup must be run as root!") - exit(1) - - if args.nss_action != None: - if args.nss_action: - nss_enable_sss() - else: - nss_disable_sss() - - if args.pam_action != None: - if args.pam_action: - pam_enable_sss() - else: - pam_disable_sss() - -if __name__ == "__main__": - parse_arguments() |