Koozali.org: home of the SME Server

Credentials for Client Authentication:Ubuntu <> SME8b7

Offline fpausp

Credentials for Client Authentication:Ubuntu <> SME8b7
« on: December 03, 2011, 08:19:08 AM »
Hi,

I used the howto "http://wiki.contribs.org/Client_Authentication:Ubuntu" to connect an Ubuntu client to sme8b7.

Now I would like to write a little script to automate these steps. I would like to grep some credentials from the command line.

Code:
Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name,
<GROUPNAME> with the description of the ibay owner group. The description can be recovered with ...

I need that info before I can use the wbinfo command.

Is there an SME way for that?

Viribus unitis

Offline cactus

Re: Credentials for Client Authentication:Ubuntu <> SME8b7
« Reply #1 on: December 03, 2011, 08:58:12 AM »
Now I would like to write a little script to automate these steps. I would like to grep some credentials from the command line.
IIRC, wbinfo is run on the client side and not on SME Server. Since the client most likely is not aware of the variables needed, I think it is very hard to script this without manual user interaction to input the proper values.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline fpausp

Re: Credentials for Client Authentication:Ubuntu <> SME8b7
« Reply #2 on: December 03, 2011, 11:53:38 AM »
Client side, step 1 - smbtree:

Code:
user@client:~$ smbtree
Enter user's password:
TEST
        \\SME8B7                        SME Server
                \\SME8B7\print$                 Printer drivers
                \\SME8B7\Primary                Primary i-bay
                \\SME8B7\i_ibay1                i_ibay1
                \\SME8B7\i_ibay2                i_ibay2
                \\SME8B7\i_ibay3                i_ibay3
                \\SME8B7\IPC$                   IPC Service (SME Server)

WORKGROUP=test
SAMBANAME=sme8b7
IBAY1=i_ibay1
IBAY2=i_ibay2
IBAY3=i_ibay3


Client side, step 2 - ping:

Code:
user@client:~$ ping sme8b7
PING sme8b7.test.lan (192.168.xxx.xxx) 56(84) bytes of data.
64 bytes from sme8b7.test.lan (192.168.xxx.xxx): icmp_seq=1 ttl=64 time=0.368 ms
64 bytes from sme8b7.test.lan (192.168.xxx.xxx): icmp_seq=2 ttl=64 time=0.357 ms
64 bytes from sme8b7.test.lan (192.168.xxx.xxx): icmp_seq=3 ttl=64 time=0.448 ms


SERVERNAME=sme8b7
DOMAIN=test.lan
FQDN=sme8b7.test.lan


What I cannot find out from the client-side terminal are the SME Server groups. I can of course
connect to the SME Server (ssh -p port root@servername command),
but I do not know the command to extract the group names. Do you understand me?
Viribus unitis

Offline fpausp

Re: Credentials for Client Authentication:Ubuntu <> SME8b7
« Reply #3 on: December 03, 2011, 01:50:16 PM »
OK, I think I got it:

Code:
# users
ssh -p <port> root@<serverip> cat /home/e-smith/db/accounts | grep "=user" | awk -F= '{print $1}'

# groups
ssh -p <port> root@<serverip> cat /home/e-smith/db/accounts | grep "=group" | awk -F= '{print $1}'

# ibays
ssh -p <port> root@<serverip> cat /home/e-smith/db/accounts | grep "=ibay" | awk -F= '{print $1}'

...

Viribus unitis

Offline cactus

Re: Credentials for Client Authentication:Ubuntu <> SME8b7
« Reply #4 on: December 04, 2011, 06:34:49 PM »
Better IMHO would be to use the database functions:
Code:
ssh -p <port> root@<serverip> perl -e 'use esmith::AccountsDB; my $a=esmith::AccountsDB->open_ro; foreach ($a->users()) {print $_->key()."\n"; }'
ssh -p <port> root@<serverip> perl -e 'use esmith::AccountsDB; my $a=esmith::AccountsDB->open_ro; foreach ($a->groups()) {print $_->key()."\n"; }'
ssh -p <port> root@<serverip> perl -e 'use esmith::AccountsDB; my $a=esmith::AccountsDB->open_ro; foreach ($a->ibays()) {print $_->key()."\n"; }'
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline fpausp

Re: Credentials for Client Authentication:Ubuntu <> SME8b7
« Reply #5 on: December 06, 2011, 08:40:18 PM »
Thanks for the info, I now have the first working version of my script. It's a quick and dirty version 0.1, but it saves me a lot of time.

I tested it on an sme8b7 with LDAP on and an Ubuntu 10.04.2 client. On the server I have three groups and ibays and a few users.

Code:
#!/bin/bash
# Quick-and-dirty client setup, version 0.1: join an Ubuntu client to an
# SME Server domain (winbind + pam_mount) using values read from the server.

# Everything below edits files under /etc, so the whole script runs as root
# (re-exec through sudo when started as a normal user).
if [ "$(id -u)" -ne 0 ]; then
    exec sudo "$0" "$@"
fi

# Installing
clear
echo ""
echo "Installing ... Please wait."
sleep 3

apt-get install -y dialog auth-client-config winbind smbclient libpam-mount smbfs openssh-server

SERVERIP=$(dialog --inputbox "SME-ServerIP ?" 7 50 "10.0.0.1" 3>&1 1>&2 2>&3)
dialog --clear

SSHPORT=$(dialog --inputbox "SME-Server SSHPort ?" 7 50 "2222" 3>&1 1>&2 2>&3)
dialog --clear

# Clear Screen
clear

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# copy the SME configuration databases into a private temporary directory
# (not world-readable /tmp: the db files describe all accounts and services)
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
scp -P "$SSHPORT" "root@$SERVERIP:/home/e-smith/db/*" "$WORKDIR/"

# ibays: every ibay record except the Primary one
grep "=ibay" "$WORKDIR/accounts" | grep -v Primary | awk -F= '{print $1}' > "$WORKDIR/ibays"

# groups: the Group property of each ibay record. Field 7 is where that
# property sits on this server; the positions are not guaranteed, so the
# esmith::AccountsDB calls shown earlier in the thread are the robust way.
grep "=ibay" "$WORKDIR/accounts" | grep -v Primary | awk -F'|' '{ print $7 }' > "$WORKDIR/groups"

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# same positional caveat for the smb record in the configuration db
SERVERNAME=$(grep '^smb=' "$WORKDIR/configuration" | awk -F'|' '{ print $15 }')
DOMAIN=$(grep '^DomainName=' "$WORKDIR/configuration" | awk -F= '{ print $2 }')
FQDN=$SERVERNAME.$DOMAIN
HOSTLINE=$(grep "$SERVERIP" /etc/hosts)
RESOLVLINE=$(grep "nameserver $SERVERIP" /etc/resolv.conf)
WORKGROUP=$(grep '^smb=' "$WORKDIR/configuration" | awk -F'|' '{ print $27 }')
SAMBANAME=$SERVERNAME

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# /etc/hosts
if [ -z "$HOSTLINE" ]; then
    echo "$SERVERIP $FQDN $SERVERNAME" >> /etc/hosts
fi

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# /etc/resolv.conf (keep a "-sich" backup of the original before replacing it;
# "[ ! -e file ]" tests that the backup does not exist yet)
if [ ! -e /etc/resolv.conf-sich ]; then
    mv /etc/resolv.conf /etc/resolv.conf-sich
fi

if [ -z "$RESOLVLINE" ]; then
cat >> /etc/resolv.conf << EOF
domain $DOMAIN
search $DOMAIN
nameserver $SERVERIP
EOF
fi

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# smb.conf
if [ ! -e /etc/samba/smb.conf-sich ]; then
    mv /etc/samba/smb.conf /etc/samba/smb.conf-sich
fi

cat > /etc/samba/smb.conf << EOF
[global]
workgroup = $WORKGROUP
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind separator = +
winbind use default domain = yes
security = domain
password server = *
encrypt passwords = yes
domain master = no
local master = no
preferred master = no
os level = 0
EOF

# restart winbind
/etc/init.d/winbind restart

# join domain
net rpc join -U admin

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# /etc/nsswitch.conf
if [ ! -e /etc/nsswitch-sich ]; then
    mv /etc/nsswitch.conf /etc/nsswitch-sich
fi

cat > /etc/nsswitch.conf << EOF
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files wins dns mdns4_minimal [NOTFOUND=return] dns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
EOF

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# restart winbind
/etc/init.d/winbind restart

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

## pam
# group.conf
echo "* ; * ; * ; Al0000-2400 ; floppy, audio, cdrom, video, usb, plugdev, users" >> /etc/security/group.conf

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# start winbind later (after the network is up) in runlevels 2-5
for RL in 2 3 4 5; do
    if [ -e "/etc/rc$RL.d/S20winbind" ]; then
        mv "/etc/rc$RL.d/S20winbind" "/etc/rc$RL.d/S90winbind"
    fi
done

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

/etc/init.d/winbind stop
/etc/init.d/winbind start

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# acc-sme
if [ ! -e /etc/auth-client-config/profile.d/acc-sme-sich ] && [ -e /etc/auth-client-config/profile.d/acc-sme ]; then
    mv /etc/auth-client-config/profile.d/acc-sme /etc/auth-client-config/profile.d/acc-sme-sich
fi

cat > /etc/auth-client-config/profile.d/acc-sme  << EOF
[sme]
nss_group=group:        compat winbind
nss_netgroup=netgroup:  nis
nss_passwd=passwd:      compat winbind
nss_shadow=shadow:      compat
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
            account  [success=1 default=ignore]                        pam_unix.so use_first_pass use_authtok
            account  requisite                                         pam_deny.so
            account  required                                          pam_permit.so
pam_auth=auth [success=2 default=ignore]  pam_winbind.so
         auth [success=1 default=ignore]  pam_unix.so       nullok_secure  use_first_pass  use_authtok
         auth requisite             pam_deny.so
         auth required     pam_permit.so
         auth required     pam_securetty.so
         auth optional     pam_mount.so      enable_pam_password
pam_password=password [success=2 default=ignore]  pam_unix.so     obscure sha512
             password [success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
             password requisite     pam_deny.so
             password required     pam_permit.so
             password optional             pam_gnome_keyring.so
pam_session=session  [default=1]  pam_permit.so
            session  requisite    pam_deny.so
            session  required     pam_permit.so
            session  optional     pam_winbind.so
            session  required     pam_unix.so
            session  required     pam_mkhomedir.so skel=/etc/skel umask=0022
            session  optional     pam_mount.so         enable_pam_password
            session  optional     pam_ck_connector.so  nox11
EOF

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# apply the config
auth-client-config -a -p sme

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# pam_mount.conf.xml
if [ ! -e /etc/security/pam_mount.conf.xml-sich ]; then
    mv /etc/security/pam_mount.conf.xml /etc/security/pam_mount.conf.xml-sich
fi

cat > /etc/security/pam_mount.conf.xml << EOF
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->

<pam_mount>

<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->

<debug enable="0" />

<!-- Volume definitions -->
<volume fstype="cifs" server="$SAMBANAME" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
EOF

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# one volume per ibay, mounted only for members of the ibay's owner group (sgrp);
# line N of the ibays file pairs with line N of the groups file
paste -d' ' "$WORKDIR/ibays" "$WORKDIR/groups" | while read -r IBAY GROUP; do
cat >> /etc/security/pam_mount.conf.xml << EOF
<volume sgrp="$GROUP" fstype="cifs" server="$SAMBANAME" path="$IBAY" mountpoint="~/$IBAY" options="user=%(DOMAIN_USER),setuids,acl" />
EOF
done

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

cat >> /etc/security/pam_mount.conf.xml << EOF


<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />


<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>
EOF

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# admin rights for sme-admin user (disabled; would give the SME "Domain Admins" group full sudo)
# echo '# Allow "Domain Admins" from the SME domain to run all commands' >> /etc/sudoers
# echo "%$WORKGROUP\\Domain\ Admins  ALL=(ALL) ALL" >> /etc/sudoers

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

# hide users (disabled)
# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type Boolean --set /apps/gdm/simple-greeter/disable_user_list True

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
clear
echo ""
echo "Just try to logon one time with a SME-Server user, after that reboot the client !!!"

# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

exit 0


Maybe someone with better knowledge of scripting would like to help me improve this script...?



Viribus unitis
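The two extraction approaches in this thread (grep/awk on /home/e-smith/db/accounts in Reply #3 and the script above, esmith::AccountsDB in Reply #4) differ in one important way: the awk version picks the Group property by field position, which only holds if every ibay record lists its properties in the same order. The following is an added example, not code from the thread or from SME Server: it reads the same key=type|prop|value|... text format by property name, the way the AccountsDB calls do on the server, and then turns the ibay-to-group map into the pam_mount <volume> lines the script generates. The accounts db content is a constructed sample, and the name whitelist before emitting XML is an assumption of this example, not something SME Server enforces.

```shell
#!/bin/sh
# Added example: parse e-smith db records by property name and emit pam_mount
# volume definitions from the result. Not part of the thread's script.

# Constructed sample of /home/e-smith/db/accounts (key=type|prop|value|...).
# Property order differs between the ibay records on purpose, which is what
# breaks a positional "awk '{ print $7 }'".
sample_accounts_db() {
    cat <<'EOF'
admin=system|Shell|/bin/bash
alice=user|FirstName|Alice|LastName|Smith
bob=user|FirstName|Bob|LastName|Jones
staff=group|Description|Staff|Members|alice,bob
sales=group|Description|Sales|Members|bob
Primary=ibay|CgiBin|disabled|Group|shared|Name|Primary i-bay
i_ibay1=ibay|Group|staff|Name|i_ibay1|CgiBin|disabled
i_ibay2=ibay|CgiBin|disabled|Group|sales|Name|i_ibay2
EOF
}

# Print the keys of all records of one type (user, group, ibay, ...), one per
# line. The db text comes in on stdin. Field 1 is "key=type".
esmith_keys_of_type() {
    awk -F'|' -v want="$1" '
        { split($1, kv, "="); if (kv[2] == want) print kv[1] }
    '
}

# Print the value of property $2 of record $1, found by name: fields 2,3 are
# the first prop/value pair, 4,5 the second, and so on.
esmith_prop() {
    awk -F'|' -v key="$1" -v prop="$2" '
        { split($1, kv, "=") }
        kv[1] == key {
            for (i = 2; i < NF; i += 2) if ($i == prop) { print $(i + 1); exit }
        }
    '
}

# Map every ibay except Primary to its owner group: "ibay group" per line.
ibay_group_map() {
    db=$(cat)
    printf '%s\n' "$db" | esmith_keys_of_type ibay | while read -r ibay; do
        [ "$ibay" = Primary ] && continue
        group=$(printf '%s\n' "$db" | esmith_prop "$ibay" Group)
        printf '%s %s\n' "$ibay" "$group"
    done
}

# Emit one pam_mount <volume> per "ibay group" line on stdin for server $1,
# restricted to the owner group via sgrp as in the thread's script. Names are
# interpolated into XML attributes, so anything outside [A-Za-z0-9_.-] is
# refused (assumed whitelist; returns 1) rather than written unescaped.
pam_mount_volumes() {
    while read -r ibay group; do
        case "$ibay$group" in
            *[!A-Za-z0-9_.-]*) echo "refusing unsafe name: $ibay / $group" >&2; return 1 ;;
        esac
        printf '<volume sgrp="%s" fstype="cifs" server="%s" path="%s" mountpoint="~/%s" options="user=%%(DOMAIN_USER),setuids,acl" />\n' \
            "$group" "$1" "$ibay" "$ibay"
    done
}

# Demo on the constructed sample: users, then volume lines for server sme8b7.
sample_accounts_db | esmith_keys_of_type user
sample_accounts_db | ibay_group_map | pam_mount_volumes sme8b7
```

To use it against a real server, replace sample_accounts_db with the scp'd accounts file (cat "$WORKDIR/accounts" in the script's terms); the functions only read stdin, so nothing else changes. Because lookups are by name, a record whose properties are stored in a different order, or that gains a new property, still yields the right group.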