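/**
 * Regenerate the PAM stacks under /etc/pam.d from the stored settings.
 *
 * Settings are read through sockets::GET_INFO(): EnableSambaActiveDirectory,
 * EnableKerbAuth and KerbAuthDisableNsswitch (non-numeric values fall back
 * to 0) and PAMLdapPrio (falls back to 1). Whether pam_winbind is stacked is
 * decided once up front; then samba and sudo are always rewritten, while
 * common-account, common-auth, common-password, common-session and
 * system-auth-ac are rewritten only when the target file already exists.
 * ldap_conf(true) is called last.
 *
 * Every write is checked and reported: a failed file_put_contents() prints
 * FAILED instead of being hidden behind '@' while "done" is printed anyway.
 * Progress goes to stdout in the "Starting......: HH:MM:SS pam.d, ..." format
 * used by the rest of the script.
 *
 * Depends on sockets, unix, SearchLibrarySecurity() and ldap_conf() defined
 * elsewhere in the project.
 *
 * @return void
 */
function build()
{
    $sock = new sockets();
    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    $KerbAuthDisableNsswitch = $sock->GET_INFO("KerbAuthDisableNsswitch");
    $EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
    if (!is_numeric($EnableSambaActiveDirectory)) {
        $EnableSambaActiveDirectory = 0;
    }
    if (!is_numeric($EnableKerbAuth)) {
        $EnableKerbAuth = 0;
    }
    if (!is_numeric($KerbAuthDisableNsswitch)) {
        $KerbAuthDisableNsswitch = 0;
    }

    // Emit one timestamped progress line in the script's usual format.
    $log = function ($message) {
        echo "Starting......: " . date("H:i:s") . " pam.d, {$message}\n";
    };

    // Write one PAM stack and report the outcome. The return value of
    // file_put_contents() is checked (no '@' suppression): a stale or
    // truncated PAM stack is an authentication-availability problem, so a
    // failed write must be visible instead of being reported as "done".
    // NOTE(review): this is still an in-place write, not temp-file + rename;
    // an atomic replacement would also need an explicit chmod to 0644 so
    // non-root PAM clients can still read the stack.
    $writeStack = function ($path, array $lines) use ($log) {
        $written = file_put_contents($path, implode("\n", $lines));
        if ($written === false) {
            $log("\"{$path}\" FAILED: file could not be written");
            return;
        }
        $log("\"{$path}\" done");
    };

    $unix = new unix();
    $winbindd = $unix->find_program("winbindd");
    // Kerberos auth on a host that has winbindd turns the AD stack on even if
    // the explicit AD switch is off; KerbAuthDisableNsswitch overrides both.
    if (is_file($winbindd) && $EnableKerbAuth == 1) {
        $EnableSambaActiveDirectory = 1;
    }
    if ($KerbAuthDisableNsswitch == 1) {
        $EnableSambaActiveDirectory = 0;
    }
    $log($EnableSambaActiveDirectory == 0 ? "ActiveDirectory is disabled" : "ActiveDirectory is Enabled");
    // Only the exact value 1 adds pam_winbind lines below.
    $useWinbind = ($EnableSambaActiveDirectory == 1);

    // /etc/pam.d/samba: always rewritten, just chains the common stacks.
    $writeStack("/etc/pam.d/samba", [
        "@include common-auth",
        "@include common-account",
        "@include common-session",
    ]);

    if (is_file("/etc/pam.d/common-account")) {
        $f = [
            "#",
            "# /etc/pam.d/common-account - authorization settings common to all services",
            "#",
            "# This file is included from other service-specific PAM config files,",
            "# and should contain a list of the authorization modules that define",
            "# the central access policy for use on the system. The default is to",
            "# only deny service to users whose accounts are expired in /etc/shadow.",
            "#",
        ];
        if ($useWinbind) {
            $f[] = "account sufficient pam_winbind.so";
        }
        $f[] = "account sufficient pam_ldap.so";
        $f[] = "account required pam_unix.so try_first_pass";
        $f[] = "";
        $writeStack("/etc/pam.d/common-account", $f);
    }

    if (is_file("/etc/pam.d/common-auth")) {
        $f = [
            "#",
            "# /etc/pam.d/common-auth - authentication settings common to all services",
            "#",
            "# This file is included from other service-specific PAM config files,",
            "# and should contain a list of the authentication modules that define",
            "# the central authentication scheme for use on the system",
            "# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the",
            "# traditional Unix authentication mechanisms.",
            "#",
        ];
        if ($useWinbind) {
            $f[] = "auth sufficient pam_winbind.so";
        }
        $f[] = "auth sufficient pam_ldap.so";
        $f[] = "auth\trequisite\tpam_unix.so nullok_secure try_first_pass";
        // pam_smbpass is only stacked when the module is actually installed.
        if (SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "auth\toptional\tpam_smbpass.so migrate";
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-auth", $f);
    }

    // /etc/pam.d/sudo: always rewritten; the common includes are left
    // commented out, so sudo authenticates through pam_unix only.
    $writeStack("/etc/pam.d/sudo", [
        "#%PAM-1.0",
        "",
        "#@include common-auth",
        "#@include common-account",
        "auth sufficient pam_unix.so ",
        "auth required pam_unix.so",
        "session required pam_permit.so",
        "session required pam_limits.so",
        "",
    ]);

    if (is_file("/etc/pam.d/common-password")) {
        // PAMLdapPrio=1 (the default) puts pam_ldap ahead of pam_unix in the
        // password stack; any other value reverses the order.
        $PAMLdapPrio = $sock->GET_INFO("PAMLdapPrio");
        if (!is_numeric($PAMLdapPrio)) {
            $PAMLdapPrio = 1;
        }
        echo "Starting......: " . date("H:i:s") . " pam.d,PAMLdapPrio={$PAMLdapPrio}\n";
        $f = [
            "#",
            "# /etc/pam.d/common-password - password-related modules common to all services",
        ];
        if ($useWinbind) {
            $f[] = "password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass";
        }
        // NOTE(review): "md5" selects the legacy crypt hash for newly set local
        // passwords; kept as-is so the generated stack is unchanged.
        if ($PAMLdapPrio == 1) {
            $f[] = "password\tsufficient\tpam_ldap.so";
            $f[] = "password\trequisite\tpam_unix.so nullok obscure md5 try_first_pass";
        } else {
            $f[] = "password\tsufficient\tpam_unix.so md5 obscure min=4 max=8 nullok try_first_pass";
            $f[] = "password\tsufficient\tpam_ldap.so";
        }
        $f = array_merge($f, [
            "",
            "# Alternate strength checking for password. Note that this",
            "# requires the libpam-cracklib package to be installed.",
            "# You will need to comment out the password line above and",
            "# uncomment the next two in order to use this.",
            "# (Replaces the `OBSCURE_CHECKS_ENAB'', `CRACKLIB_DICTPATH'')",
            "#",
            "# password required\t pam_cracklib.so retry=3 minlen=6 difok=3",
            "# password required\t pam_unix.so use_authtok nullok md5 try_first_pass",
            "",
            "# minimally-intrusive inclusion of smbpass in the stack for",
            "# synchronization. If the module is absent or the passwords don''t",
            "# match, this module will be ignored without prompting; and if the ",
            "# passwords do match, the NTLM hash for the user will be updated",
            "# automatically.",
        ]);
        if (SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "password optional pam_smbpass.so nullok use_authtok use_first_pass";
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-password", $f);
    }

    if (is_file("/etc/pam.d/common-session")) {
        $f = [
            "# here are the per-package modules (the \"Primary\" block)",
            "session\t[default=1]\t\t\tpam_permit.so",
            "# here's the fallback if no module succeeds",
            "session\trequisite\t\t\tpam_deny.so",
            "# prime the stack with a positive return value if there isn't one already;",
            "# this avoids us returning an error just because nothing sets a success code",
            "# since the modules above will each just jump around",
            "session\trequired\t\t\tpam_permit.so",
            "# and here are more per-package modules (the \"Additional\" block)",
        ];
        // krb5 and winbind are probed by installed module here, not by the
        // AD switch (this is how the stack has always been generated).
        if (SearchLibrarySecurity("pam_krb5.so")) {
            $f[] = "session\toptional\t\t\tpam_krb5.so minimum_uid=1000";
        }
        $f[] = "session\trequired\t\t\tpam_unix.so ";
        if (SearchLibrarySecurity("pam_winbind.so")) {
            $f[] = "session\toptional\t\t\tpam_winbind.so ";
        }
        $f[] = "session\toptional\t\t\tpam_ldap.so ";
        // pam_mkhomedir is deliberately not stacked in common-session (the
        // line was commented out); it is only added to system-auth-ac below.
        $f[] = "# end of pam-auth-update config";
        $f[] = "";
        $writeStack("/etc/pam.d/common-session", $f);
    }

    if (is_file("/etc/pam.d/system-auth-ac")) {
        // authconfig-style combined stack; uid 500 is the system-account cut-off.
        $f = [
            "#%PAM-1.0",
            "# This file is auto-generated.",
            "# User changes will be destroyed the next time authconfig is run.",
            "auth required pam_env.so",
            "auth sufficient pam_unix.so nullok try_first_pass",
            "auth requisite pam_succeed_if.so uid >= 500 quiet",
            "auth sufficient pam_ldap.so use_first_pass",
        ];
        if ($useWinbind) {
            $f[] = "auth sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "auth required pam_deny.so";
        $f[] = "";
        $f[] = "account required pam_unix.so";
        $f[] = "account sufficient pam_succeed_if.so uid < 500 quiet";
        $f[] = "account sufficient pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "account sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "account required pam_permit.so";
        $f[] = "";
        $f[] = "password requisite pam_cracklib.so try_first_pass retry=3";
        $f[] = "password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok";
        $f[] = "password sufficient pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "password sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "password required pam_deny.so";
        $f[] = "";
        $f[] = "session optional pam_keyinit.so revoke";
        $f[] = "session required pam_limits.so";
        $f[] = "session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid";
        $f[] = "session optional pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "session optional pam_winbind.so use_first_pass";
        }
        if (SearchLibrarySecurity("pam_mkhomedir.so")) {
            $f[] = "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022";
        }
        $f[] = "session required pam_unix.so";
        $f[] = "";
        $writeStack("/etc/pam.d/system-auth-ac", $f);
    }

    ldap_conf(true);
}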
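/**
 * Regenerate the PAM stacks under /etc/pam.d from the stored settings.
 *
 * Settings are read through sockets::GET_INFO(): EnableSambaActiveDirectory,
 * EnableKerbAuth and KerbAuthDisableNsswitch (non-numeric values fall back
 * to 0), plus nsswitchEnableLdap and EnableIntelCeleron (intval()).
 * EnableIntelCeleron=1 forces both the AD and the LDAP stacks off. Whether
 * pam_winbind is stacked is decided once up front; then samba and sudo are
 * always rewritten, while common-account, common-auth, common-password,
 * common-session, common-session-noninteractive and system-auth-ac are
 * rewritten only when the target file already exists. ldap_conf(true) is
 * called last.
 *
 * Every write is checked and reported: a failed file_put_contents() prints
 * FAILED instead of being hidden behind '@' while "done" is printed anyway.
 * The completion line for common-session-noninteractive now names that file
 * (it previously reported "/etc/pam.d/common-session").
 *
 * Depends on sockets, unix, SearchLibrarySecurity() and ldap_conf() defined
 * elsewhere in the project.
 *
 * @return void
 */
function build()
{
    $sock = new sockets();
    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    $KerbAuthDisableNsswitch = $sock->GET_INFO("KerbAuthDisableNsswitch");
    $nsswitchEnableLdap = intval($sock->GET_INFO("nsswitchEnableLdap"));
    $EnableIntelCeleron = intval($sock->GET_INFO("EnableIntelCeleron"));
    $EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
    if (!is_numeric($EnableSambaActiveDirectory)) {
        $EnableSambaActiveDirectory = 0;
    }
    if (!is_numeric($EnableKerbAuth)) {
        $EnableKerbAuth = 0;
    }
    if (!is_numeric($KerbAuthDisableNsswitch)) {
        $KerbAuthDisableNsswitch = 0;
    }

    // Emit one timestamped progress line in the script's usual format.
    $log = function ($message) {
        echo "Starting......: " . date("H:i:s") . " pam.d, {$message}\n";
    };

    // Write one PAM stack and report the outcome. The return value of
    // file_put_contents() is checked (no '@' suppression): a stale or
    // truncated PAM stack is an authentication-availability problem, so a
    // failed write must be visible instead of being reported as "done".
    // NOTE(review): this is still an in-place write, not temp-file + rename;
    // an atomic replacement would also need an explicit chmod to 0644 so
    // non-root PAM clients can still read the stack.
    $writeStack = function ($path, array $lines) use ($log) {
        $written = file_put_contents($path, implode("\n", $lines));
        if ($written === false) {
            $log("\"{$path}\" FAILED: file could not be written");
            return;
        }
        $log("\"{$path}\" done");
    };

    $unix = new unix();
    $winbindd = $unix->find_program("winbindd");
    // Kerberos auth on a host that has winbindd turns the AD stack on even if
    // the explicit AD switch is off; KerbAuthDisableNsswitch overrides both,
    // and EnableIntelCeleron switches both AD and LDAP off.
    if (is_file($winbindd) && $EnableKerbAuth == 1) {
        $EnableSambaActiveDirectory = 1;
    }
    if ($KerbAuthDisableNsswitch == 1) {
        $EnableSambaActiveDirectory = 0;
    }
    if ($EnableIntelCeleron == 1) {
        $EnableSambaActiveDirectory = 0;
        $nsswitchEnableLdap = 0;
    }
    $log($EnableSambaActiveDirectory == 0 ? "ActiveDirectory is disabled" : "ActiveDirectory is Enabled");
    // Only the exact value 1 adds pam_winbind lines below.
    $useWinbind = ($EnableSambaActiveDirectory == 1);

    // /etc/pam.d/samba: always rewritten, just chains the common stacks.
    $writeStack("/etc/pam.d/samba", [
        "@include common-auth",
        "@include common-account",
        "@include common-session",
    ]);

    if (is_file("/etc/pam.d/common-account")) {
        $f = [];
        if ($useWinbind && SearchLibrarySecurity("pam_winbind.so")) {
            $f[] = "account sufficient pam_winbind.so";
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "account sufficient pam_ldap.so";
            $f[] = "account required pam_unix.so try_first_pass";
        } else {
            $f[] = "account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_unix.so";
            $f[] = "account\trequisite\t\t\tpam_deny.so";
            $f[] = "account\trequired\t\t\tpam_permit.so";
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-account", $f);
    }

    if (is_file("/etc/pam.d/common-auth")) {
        $f = [];
        if ($useWinbind && SearchLibrarySecurity("pam_winbind.so")) {
            $f[] = "auth sufficient pam_winbind.so";
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "auth sufficient pam_ldap.so";
        }
        $f[] = "auth\trequisite\tpam_unix.so nullok_secure try_first_pass";
        if ($nsswitchEnableLdap == 0) {
            // NOTE(review): pam_unix is already "requisite" on the line above,
            // so this second pam_unix entry only runs after the first succeeded;
            // kept as-is so the generated stack is unchanged.
            $f[] = "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure";
            $f[] = "auth\trequisite\t\t\tpam_deny.so";
            $f[] = "auth\trequired\t\t\tpam_permit.so";
            $f[] = "auth\toptional\t\t\tpam_cap.so";
        }
        // pam_smbpass is only stacked for AD and only when the module exists.
        if ($useWinbind && SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "auth\toptional\tpam_smbpass.so migrate";
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-auth", $f);
    }

    // /etc/pam.d/sudo: always rewritten; the common includes are left
    // commented out, so sudo authenticates through pam_unix only.
    $writeStack("/etc/pam.d/sudo", [
        "#%PAM-1.0",
        "",
        "#@include common-auth",
        "#@include common-account",
        "auth sufficient pam_unix.so ",
        "auth required pam_unix.so",
        "session required pam_permit.so",
        "session required pam_limits.so",
        "",
    ]);

    if (is_file("/etc/pam.d/common-password")) {
        echo "Starting......: " . date("H:i:s") . " pam.d,nsswitchEnableLdap={$nsswitchEnableLdap}\n";
        $f = [
            "#",
            "# /etc/pam.d/common-password - password-related modules common to all services",
        ];
        if ($useWinbind) {
            // NOTE(review): unlike the auth/account/session stacks, this line
            // is not guarded by SearchLibrarySecurity("pam_winbind.so"); kept
            // as-is, "default=ignore" should make a missing module harmless.
            $f[] = "password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass";
        }
        if ($nsswitchEnableLdap == 1) {
            // NOTE(review): "md5" selects the legacy crypt hash for new local
            // passwords in the LDAP branch; the local branch uses sha512.
            $f[] = "password\tsufficient\tpam_ldap.so";
            $f[] = "password\trequisite\tpam_unix.so nullok obscure md5 try_first_pass";
        } else {
            $f[] = "password\t[success=1 default=ignore]\tpam_unix.so obscure sha512";
            $f[] = "password\trequisite\t\t\tpam_deny.so";
            $f[] = "password\trequired\t\t\tpam_permit.so";
        }
        if ($useWinbind && SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "password optional pam_smbpass.so nullok use_authtok use_first_pass";
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-password", $f);
    }

    if (is_file("/etc/pam.d/common-session")) {
        $f = ["session\trequired\t\t\tpam_unix.so "];
        if ($useWinbind) {
            if (SearchLibrarySecurity("pam_krb5.so")) {
                $f[] = "session\toptional\t\t\tpam_krb5.so minimum_uid=1000";
            }
            if (SearchLibrarySecurity("pam_winbind.so")) {
                $f[] = "session\toptional\t\t\tpam_winbind.so ";
            }
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "session\toptional\t\t\tpam_ldap.so";
        } else {
            // NOTE(review): pam_unix appears a second time in this branch (the
            // first line of the stack already has it); kept as-is.
            $f[] = "session\t[default=1]\t\t\tpam_permit.so";
            $f[] = "session\trequisite\t\t\tpam_deny.so";
            $f[] = "session\trequired\t\t\tpam_permit.so";
            $f[] = "session\trequired\tpam_unix.so";
            if (SearchLibrarySecurity("pam_ck_connector.so")) {
                $f[] = "session\toptional\t\t\tpam_ck_connector.so nox11";
            }
        }
        $f[] = "";
        $writeStack("/etc/pam.d/common-session", $f);
    }

    if (is_file("/etc/pam.d/common-session-noninteractive")) {
        $f = [
            "session\t[default=1]\t\t\tpam_permit.so",
            "session\trequisite\t\t\tpam_deny.so",
            "session\trequired\t\t\tpam_permit.so",
            "session\trequired\t\t\tpam_unix.so",
        ];
        if ($nsswitchEnableLdap == 1) {
            $f[] = "session\toptional\t\t\tpam_ldap.so ";
        }
        if ($useWinbind) {
            $f[] = "session\toptional\t\t\tpam_winbind.so";
        }
        $f[] = "";
        // The completion line is derived from the path, so it now correctly
        // names common-session-noninteractive rather than common-session.
        $writeStack("/etc/pam.d/common-session-noninteractive", $f);
    }

    if (is_file("/etc/pam.d/system-auth-ac")) {
        // authconfig-style combined stack; uid 500 is the system-account cut-off.
        $f = [
            "#%PAM-1.0",
            "# This file is auto-generated.",
            "# User changes will be destroyed the next time authconfig is run.",
            "auth required pam_env.so",
            "auth sufficient pam_unix.so nullok try_first_pass",
            "auth requisite pam_succeed_if.so uid >= 500 quiet",
            "auth sufficient pam_ldap.so use_first_pass",
        ];
        if ($useWinbind) {
            $f[] = "auth sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "auth required pam_deny.so";
        $f[] = "";
        $f[] = "account required pam_unix.so";
        $f[] = "account sufficient pam_succeed_if.so uid < 500 quiet";
        $f[] = "account sufficient pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "account sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "account required pam_permit.so";
        $f[] = "";
        $f[] = "password requisite pam_cracklib.so try_first_pass retry=3";
        $f[] = "password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok";
        $f[] = "password sufficient pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "password sufficient pam_winbind.so use_first_pass";
        }
        $f[] = "password required pam_deny.so";
        $f[] = "";
        $f[] = "session optional pam_keyinit.so revoke";
        $f[] = "session required pam_limits.so";
        $f[] = "session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid";
        $f[] = "session optional pam_ldap.so use_first_pass";
        if ($useWinbind) {
            $f[] = "session optional pam_winbind.so use_first_pass";
        }
        if (SearchLibrarySecurity("pam_mkhomedir.so")) {
            $f[] = "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022";
        }
        $f[] = "session required pam_unix.so";
        $f[] = "";
        $writeStack("/etc/pam.d/system-auth-ac", $f);
    }

    ldap_conf(true);
}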