diff options
Diffstat (limited to 'config-mgmt-nshd.PKGBUILD')
| -rw-r--r-- | config-mgmt-nshd.PKGBUILD | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/config-mgmt-nshd.PKGBUILD b/config-mgmt-nshd.PKGBUILD index b3336e3..cd16f17 100644 --- a/config-mgmt-nshd.PKGBUILD +++ b/config-mgmt-nshd.PKGBUILD @@ -1,5 +1,5 @@ . ${BUILDFILE%/*}/common.sh -pkgver=20170203.3 +pkgver=20170204.4 package() { preamble @@ -33,16 +33,19 @@ add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript < #!/bin/sh sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/' EOF +add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/passwd.holoscript <<EOF +#!/bin/sh +sed -e '/ldap/d' | +sed -e 's/^password required pam_unix[.]so/#&/' \\ + -e '\$apassword required pam_ldap.so minimum_uid=1000' +EOF # However, instead of running the normal `nslcd` LDAP client daemon, # the system has ben configured to run the [parabola-hackers-nshd][] # `nshd` daemon, which reads user infomation from the same # `hackers.git` checkout (configured the same way). This way we dn't # have to worry about keeping `/etc/passwd` in sync with -# `hackers.git`. To this end, PAM has also been configured to create -# a users home directory when they log in if it doesn't already exist. -# Because `hackers.git` doesn't store any password information, `nshd` -# stores password hashes in `/etc/nshd/shadow`. +# `hackers.git`. # # [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/ add-unit etc/systemd/system/sockets.target.wants/nshd.socket @@ -50,12 +53,16 @@ add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [system # # [sytemd bug workaround][]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19 -# Sometimes after something fails in PAM, you get a "User not known to -# the underlying authentication module" message. For exaple, the -# `pam_ldap.so.2` failed because you typed your password wrong, but -# the PAM caller thinks `pam_ldap` failed because it didn't "own" the -# user. I think that it's just a bug in PAM's message selection. But -# (TODO) we should actually track it down. +# To this end, PAM has also been configured to create a users home +# directory when they log in if it doesn't already exist. +add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/pam.d/system-login.holoscript <<EOF +#!/bin/sh +sed '/pam_mkhomedir/d' +echo 'session required pam_mkhomedir.so skel=/etc/skel umask=0077' +EOF + +# Because `hackers.git` doesn't store any password information, `nshd` +# stores password hashes in `/etc/nshd/shadow`. postamble } |