PAM NCP authentication module

Some examples of zenscripts

Purpose:

  • In our environment, Linux accounts are authenticated using the PAM_NCP authentication module and have their Unix home on a Linux NFS server.

  • Zenscripts are 6 shell scripts, located in /usr/local/bin, that can be run at every Netware authenticated login by the PAM module, with the current user's permissions. We use them here quite extensively to tune up users' rcfiles (kmail, netscape, openoffice...) with data read from NDS.
  • zenscript0, 1 and 2 are run in this order at login and zenscript3, 4 and 5 at logout.

  • There is no functional difference between zenscripts and scripts located in /etc/profile.d that are also run at every login (by /etc/bashrc), except the following:
    1. zenscripts are run only once at login, during the session opening by PAM; scripts in /etc/profile.d are run at login AND at every subsequent shell opening (a new console in KDE, graphical applications or perl scripts spawning a shell or a command line utility).
    2. users can turn off execution of /etc/profile.d scripts by erasing their $HOME/.bashrc that calls /etc/bashrc, but zenscripts processing cannot be turned off by users.
    3. zenscripts will be run only for users authenticated by NDS, not for local users or users authenticated by other PAM modules (LDAP...). This will be quite important to us during our progressive migration from Netware based authentication to LDAP. New student accounts will be LDAP only, with no zenscripts, and old ones will have zenscripts.
    4. We are using the following "snippet" in all scripts located in /etc/profile.d :
      
      if [ -e "$HOME/.nwinfos" ]; then
          # Netware authenticated with forced creation of a $HOME/.nwinfos file (zen flag I is turned on)
          source "$HOME/.nwinfos"
          # use $NDS_* values
      else
          # LDAP or local account
          :   # no-op: bash rejects a branch that contains only comments
      fi
      
      

    Requirements:

    Usage:

    Some real life examples:

  • Here most users are authenticated by the PAM module and the Netware home is locally mounted in the /mnt/ncp/$USER/nwhome directory (by using the options -l -mnwhome of the PAM module). So a simple way to access this home is to create a symbolic link in the user's $HOME. We do it with the following lines inserted in /usr/local/bin/zenscript0. Remember that we cannot mount Netware resources in $HOME if $HOME is NFS mounted (see the FAQ).
    #!/bin/sh
    # zenscript0
    # run at session opening by pam_ncp_auth.so for a new account
    # standard heading
    # run with user permissions
    # "." is the POSIX spelling of "source", so this also works when /bin/sh is not bash
    . "$1/$2"
    
    # create a link in the user's home to the real mount point of his Netware home (the mount point is the same on every workstation)
    
    [ ! -e "$1/nwhome" ] && ln -s "$NDS_HOME_MNT_PNT" "$1/nwhome"
    
    And on every new student Desktop we copy (from /etc/skel/Desktop) a shortcut with a big red N icon and a link to a KDE application with the following command line:
    Exec=kfmclient openURL '$HOME/nwhome'
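
A stricter form of the link step in zenscript0, as an added example that is not part of the original scripts: it only links to a directory below the mount root, repairs a stale or dangling link (which the `[ ! -e ]` test does not detect), and never touches a real file or directory named nwhome. The names `link_nwhome` and `NCP_MNT_ROOT` are hypothetical; /mnt/ncp is the mount root named above.

```shell
#!/bin/sh
# Added example, not from the original zenscript0.
# Assumption: Netware homes are mounted below /mnt/ncp, as described on this page.
# NCP_MNT_ROOT and link_nwhome are hypothetical names introduced for this sketch.
NCP_MNT_ROOT="${NCP_MNT_ROOT:-/mnt/ncp}"

# link_nwhome HOME_DIR TARGET
# returns 0 = link present and correct
#         1 = target rejected (outside the mount root, or not a directory)
#         2 = something that is not a symlink already occupies HOME_DIR/nwhome
link_nwhome() {
    home_dir=$1
    target=$2
    link="$home_dir/nwhome"

    # Accept only paths below the mount root that contain no ".." component.
    case "$target" in
        */../*|*/..) return 1 ;;
        "$NCP_MNT_ROOT"/?*) ;;
        *) return 1 ;;
    esac
    [ -d "$target" ] || return 1

    if [ -L "$link" ]; then
        # Existing link: keep it if correct, otherwise replace it.
        # This also covers dangling links, for which [ -e ] is false.
        [ "$(readlink "$link")" = "$target" ] && return 0
        rm -f "$link" || return 2
    elif [ -e "$link" ]; then
        # A real file or directory named nwhome: leave the user's data alone.
        return 2
    fi
    ln -s "$target" "$link"
}

# In zenscript0 this would be called after the standard heading, e.g.:
#   link_nwhome "$1" "$NDS_HOME_MNT_PNT"
```
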
    

  • A useful one-liner, "zenscript5" (the last script run at logout):
    The PAM module will automatically unmount the user's Netware home at logout, but not any other Netware resources that could have been mounted during the session. So the following script takes care of closing all open Netware connections:
    
    #!/bin/sh
    # zenscript5
    # last run at session closing by pam_ncp_auth.so
    # standard heading
    # "." is the POSIX spelling of "source", so this also works when /bin/sh is not bash
    . "$1/$2"
    
    /usr/local/bin/ncplogout -a
    

  • Personalization of KDE/KMAIL at first login: the script /etc/profile.d/kmail.sh takes care of it:
    #!/bin/bash
    # copy initial preferences for kde and kmail
    # personalize some files for current user
    # PP 06/06/2002
    # PP 26/09/02 added IMAP in Account 2
    
    source /etc/profile.d/commun.cipc
    # first login, no KDE config files
    if [ ! -e "$HOME/.kde" ]; then
      cp -Rf /etc/skel/.kde "$HOME"
      cp -f  /etc/skel/.first_start_kde "$HOME"
    fi
    # copy initial Desktop with our specific icons
    if [ ! -d "$HOME/Desktop" ]; then
      cp -Rf /etc/skel/Desktop "$HOME"
    fi
    # replace all __XXXX__ strings with current user's values in rc files just copied from /etc/skel
    # (values are quoted so that spaces in NDS data, e.g. a full name, stay in one argument)
    if [ ! -e "$HOME/Mail" ]; then
      changeini "$HOME/.kde/share/config/emaildefaults"   PROFILE_Default  EmailAddress   "$EMAIL"
      changeini "$HOME/.kde/share/config/emaildefaults"   PROFILE_Default  FullName   "$GECOS"
    
      mkdir "$HOME/Mail"
      chmod 700 "$HOME/Mail"
      [ ! -f "$HOME/.kde/share/config/kmailrc" ] && cp /etc/skel/.kde/share/config/kmailrc "$HOME/.kde/share/config/"
      changeini "$HOME/.kde/share/config/kmailrc"   "Account 1"  login   "$USER"
      changeini "$HOME/.kde/share/config/kmailrc"   "Account 1"  host   "$POPSERVER"
      changeini "$HOME/.kde/share/config/kmailrc"   "Account 2"  Name   "$EMAIL"
      changeini "$HOME/.kde/share/config/kmailrc"   "Account 2"  login   "$USER"
      changeini "$HOME/.kde/share/config/kmailrc"   "Addressbook"  default  "$HOME/.kde/share/apps/kmail/addressbook"
      changeini "$HOME/.kde/share/config/kmailrc"   "Identity"  "Email Address" "$EMAIL"
      changeini "$HOME/.kde/share/config/kmailrc"   "Identity"  "Reply-To Address" "$EMAIL"
      changeini "$HOME/.kde/share/config/kmailrc"   "Identity"  Name "$GECOS"
    fi
    
    #common.cipc, included in all our /etc/profile.d scripts
    if [ -e "$HOME/.nwinfos" ]; then
        # login via ncpfs PAM module
        source "$HOME/.nwinfos"
        GECOS="$NDS_GECOS"
        POPSERVER="$NDS_PREFERRED_SERVER.insa-lyon.fr"
        # prefer the e-mail address stored in NDS, else build one from the user name
        if [ -n "$NDS_EMAIL" ]; then
            EMAIL="$NDS_EMAIL"
        else
            EMAIL="$NDS_USER@$POPSERVER"
        fi
    else
        # login via LDAP
        POPSERVER="xxxx.insa-lyon.fr"
        EMAIL="$USER@$POPSERVER"
        GECOS=$(getgecos.pl "$USER")
    fi
    
    changeini is a small Object Pascal program (compiles on Linux or Windows) that replaces a string by another one in a section of a "Windows style inifile".

    changetext is a small Object Pascal program (compiles on Linux or Windows) that replaces all occurrences of a string by another one in a text file.

    History:

  • Zenflags and Zenscripts have been introduced in PAM module since revision 1.7

    TODO:

