Exemple #1
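/**
 * Rewrites the PAM stacks under /etc/pam.d from the stored appliance settings.
 *
 * /etc/pam.d/samba and /etc/pam.d/sudo are always overwritten. common-account,
 * common-auth, common-password, common-session and system-auth-ac are only
 * rewritten when the file already exists. pam_winbind lines are emitted when
 * Active Directory mode is on: EnableSambaActiveDirectory is 1, or EnableKerbAuth
 * is 1 and a winbindd binary is found, unless KerbAuthDisableNsswitch is 1.
 * The function ends by calling ldap_conf(true).
 *
 * Every write is checked: a failed or short write is reported instead of the
 * unconditional "done" line, because a missing or truncated PAM file changes
 * how the host authenticates. Processing continues with the remaining files
 * (best effort, as before).
 *
 * @return void
 */
function build()
{
    $sock = new sockets();
    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    $KerbAuthDisableNsswitch = $sock->GET_INFO("KerbAuthDisableNsswitch");
    $EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");

    // Anything that is not numeric (unset, empty, garbage) counts as "off".
    if (!is_numeric($EnableSambaActiveDirectory)) {
        $EnableSambaActiveDirectory = 0;
    }
    if (!is_numeric($EnableKerbAuth)) {
        $EnableKerbAuth = 0;
    }
    if (!is_numeric($KerbAuthDisableNsswitch)) {
        $KerbAuthDisableNsswitch = 0;
    }

    // Kerberos authentication implies winbind, but only when winbindd is installed.
    $unix = new unix();
    $winbindd = $unix->find_program("winbindd");
    if (is_file($winbindd) && $EnableKerbAuth == 1) {
        $EnableSambaActiveDirectory = 1;
    }
    // The explicit opt-out wins over everything above.
    if ($KerbAuthDisableNsswitch == 1) {
        $EnableSambaActiveDirectory = 0;
    }

    if ($EnableSambaActiveDirectory == 0) {
        echo "Starting......: " . date("H:i:s") . " pam.d, ActiveDirectory is disabled\n";
    } else {
        echo "Starting......: " . date("H:i:s") . " pam.d, ActiveDirectory is Enabled\n";
    }

    // Writes one PAM file and logs the real outcome. PHP warnings stay suppressed
    // (this runs as a start-up script) but the result is no longer ignored.
    $writePamFile = function ($path, $lines) {
        $payload = implode("\n", $lines);
        $bytes = @file_put_contents($path, $payload);
        if ($bytes === false || $bytes !== strlen($payload)) {
            echo "Starting......: " . date("H:i:s") . " pam.d, \"{$path}\" FAILED (file missing or incomplete)\n";
            return false;
        }
        echo "Starting......: " . date("H:i:s") . " pam.d, \"{$path}\" done\n";
        return true;
    };

    // --- /etc/pam.d/samba: always written, delegates to the common-* stacks.
    $f = array();
    $f[] = "@include common-auth";
    $f[] = "@include common-account";
    $f[] = "@include common-session";
    $writePamFile("/etc/pam.d/samba", $f);

    // --- /etc/pam.d/common-account
    if (is_file("/etc/pam.d/common-account")) {
        $f = array();
        $f[] = "#";
        $f[] = "# /etc/pam.d/common-account - authorization settings common to all services";
        $f[] = "#";
        $f[] = "# This file is included from other service-specific PAM config files,";
        $f[] = "# and should contain a list of the authorization modules that define";
        $f[] = "# the central access policy for use on the system.  The default is to";
        $f[] = "# only deny service to users whose accounts are expired in /etc/shadow.";
        $f[] = "#";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "account sufficient       pam_winbind.so";
        }
        $f[] = "account sufficient pam_ldap.so";
        $f[] = "account required   pam_unix.so try_first_pass";
        $f[] = "";
        $writePamFile("/etc/pam.d/common-account", $f);
    }

    // --- /etc/pam.d/common-auth
    if (is_file("/etc/pam.d/common-auth")) {
        $f = array();
        $f[] = "#";
        $f[] = "# /etc/pam.d/common-auth - authentication settings common to all services";
        $f[] = "#";
        $f[] = "# This file is included from other service-specific PAM config files,";
        $f[] = "# and should contain a list of the authentication modules that define";
        $f[] = "# the central authentication scheme for use on the system";
        $f[] = "# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the";
        $f[] = "# traditional Unix authentication mechanisms.";
        $f[] = "#";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "auth sufficient pam_winbind.so";
        }
        $f[] = "auth sufficient pam_ldap.so";
        // NOTE(review): nullok_secure lets accounts with an empty password log in
        // (on terminals listed in /etc/securetty) - confirm that is wanted.
        $f[] = "auth\trequisite\tpam_unix.so nullok_secure try_first_pass";
        if (SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "auth\toptional\tpam_smbpass.so migrate";
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-auth", $f);
    }

    // --- /etc/pam.d/sudo: always written.
    // NOTE(review): both common-* includes are commented out and no account lines
    // are written, so sudo authenticates against pam_unix only; the "required"
    // pam_unix line is reached only after the "sufficient" one has failed.
    // Confirm this is intended before relying on directory accounts for sudo.
    $f = array();
    $f[] = "#%PAM-1.0";
    $f[] = "";
    $f[] = "#@include common-auth";
    $f[] = "#@include common-account";
    $f[] = "auth    sufficient      pam_unix.so ";
    $f[] = "auth    required        pam_unix.so";
    $f[] = "session required pam_permit.so";
    $f[] = "session required pam_limits.so";
    $f[] = "";
    $writePamFile("/etc/pam.d/sudo", $f);

    // --- /etc/pam.d/common-password
    if (is_file("/etc/pam.d/common-password")) {
        $sock = new sockets();
        // PAMLdapPrio = 1 (the default) puts pam_ldap ahead of pam_unix.
        $PAMLdapPrio = $sock->GET_INFO("PAMLdapPrio");
        if (!is_numeric($PAMLdapPrio)) {
            $PAMLdapPrio = 1;
        }
        echo "Starting......: " . date("H:i:s") . " pam.d,PAMLdapPrio={$PAMLdapPrio}\n";
        $f = array();
        $f[] = "#";
        $f[] = "# /etc/pam.d/common-password - password-related modules common to all services";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass";
        }
        // NOTE(review): both branches store new local passwords as MD5-crypt and
        // accept empty old passwords (nullok); the second also asks for min=4 max=8.
        // These are weak by current standards - review before reuse, and check
        // which of the length options the installed pam_unix still honours.
        if ($PAMLdapPrio == 1) {
            $f[] = "password\tsufficient\tpam_ldap.so";
            $f[] = "password\trequisite\tpam_unix.so nullok obscure md5 try_first_pass";
        } else {
            $f[] = "password\tsufficient\tpam_unix.so md5 obscure min=4 max=8 nullok try_first_pass";
            $f[] = "password\tsufficient\tpam_ldap.so";
        }
        $f[] = "";
        $f[] = "# Alternate strength checking for password. Note that this";
        $f[] = "# requires the libpam-cracklib package to be installed.";
        $f[] = "# You will need to comment out the password line above and";
        $f[] = "# uncomment the next two in order to use this.";
        $f[] = "# (Replaces the `OBSCURE_CHECKS_ENAB'', `CRACKLIB_DICTPATH'')";
        $f[] = "#";
        $f[] = "# password required\t  pam_cracklib.so retry=3 minlen=6 difok=3";
        $f[] = "# password required\t  pam_unix.so use_authtok nullok md5 try_first_pass";
        $f[] = "";
        $f[] = "# minimally-intrusive inclusion of smbpass in the stack for";
        $f[] = "# synchronization.  If the module is absent or the passwords don''t";
        $f[] = "# match, this module will be ignored without prompting; and if the ";
        $f[] = "# passwords do match, the NTLM hash for the user will be updated";
        $f[] = "# automatically.";
        if (SearchLibrarySecurity("pam_smbpass.so")) {
            $f[] = "password   optional   pam_smbpass.so nullok use_authtok use_first_pass";
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-password", $f);
    }

    // --- /etc/pam.d/common-session
    if (is_file("/etc/pam.d/common-session")) {
        $f = array();
        $f[] = "# here are the per-package modules (the \"Primary\" block)";
        $f[] = "session\t[default=1]\t\t\tpam_permit.so";
        $f[] = "# here's the fallback if no module succeeds";
        $f[] = "session\trequisite\t\t\tpam_deny.so";
        $f[] = "# prime the stack with a positive return value if there isn't one already;";
        $f[] = "# this avoids us returning an error just because nothing sets a success code";
        $f[] = "# since the modules above will each just jump around";
        $f[] = "session\trequired\t\t\tpam_permit.so";
        $f[] = "# and here are more per-package modules (the \"Additional\" block)";
        if (SearchLibrarySecurity("pam_krb5.so")) {
            $f[] = "session\toptional\t\t\tpam_krb5.so minimum_uid=1000";
        }
        $f[] = "session\trequired\t\t\tpam_unix.so ";
        if (SearchLibrarySecurity("pam_winbind.so")) {
            $f[] = "session\toptional\t\t\tpam_winbind.so ";
        }
        $f[] = "session\toptional\t\t\tpam_ldap.so ";
        // pam_mkhomedir is deliberately not added to this stack (the line was
        // disabled upstream); the lookup is kept so the call sequence is unchanged.
        SearchLibrarySecurity("pam_mkhomedir.so");
        $f[] = "# end of pam-auth-update config";
        $f[] = "";
        $writePamFile("/etc/pam.d/common-session", $f);
    }

    // --- /etc/pam.d/system-auth-ac (Red Hat style single-file stack)
    if (is_file("/etc/pam.d/system-auth-ac")) {
        $f = array();
        $f[] = "#%PAM-1.0";
        $f[] = "# This file is auto-generated.";
        $f[] = "# User changes will be destroyed the next time authconfig is run.";
        $f[] = "auth        required      pam_env.so";
        // NOTE(review): nullok accepts empty passwords for local accounts.
        $f[] = "auth        sufficient    pam_unix.so nullok try_first_pass";
        $f[] = "auth        requisite     pam_succeed_if.so uid >= 500 quiet";
        $f[] = "auth        sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "auth        sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "auth        required      pam_deny.so";
        $f[] = "";
        $f[] = "account     required      pam_unix.so";
        $f[] = "account     sufficient    pam_succeed_if.so uid < 500 quiet";
        $f[] = "account     sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "account     sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "account     required      pam_permit.so";
        $f[] = "";
        $f[] = "password    requisite     pam_cracklib.so try_first_pass retry=3";
        // NOTE(review): md5 selects MD5-crypt for newly set passwords.
        $f[] = "password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok";
        $f[] = "password    sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "password    sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "password    required      pam_deny.so";
        $f[] = "";
        $f[] = "session     optional      pam_keyinit.so revoke";
        $f[] = "session     required      pam_limits.so";
        $f[] = "session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid";
        $f[] = "session     optional      pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "session     optional      pam_winbind.so use_first_pass";
        }
        if (SearchLibrarySecurity("pam_mkhomedir.so")) {
            $f[] = "session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022";
        }
        $f[] = "session     required      pam_unix.so";
        $f[] = "";
        $writePamFile("/etc/pam.d/system-auth-ac", $f);
    }

    ldap_conf(true);
}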
Exemple #2
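/**
 * Rewrites the PAM stacks under /etc/pam.d from the stored appliance settings.
 *
 * /etc/pam.d/samba and /etc/pam.d/sudo are always overwritten. common-account,
 * common-auth, common-password, common-session, common-session-noninteractive
 * and system-auth-ac are only rewritten when the file already exists.
 *
 * Two switches drive the content:
 *  - Active Directory mode (pam_winbind / pam_krb5 / pam_smbpass lines):
 *    EnableSambaActiveDirectory is 1, or EnableKerbAuth is 1 and a winbindd
 *    binary is found, unless KerbAuthDisableNsswitch is 1.
 *  - nsswitchEnableLdap: pam_ldap lines in the common-* files, otherwise a
 *    local-only pam_unix / pam_deny / pam_permit stack.
 * EnableIntelCeleron = 1 forces both switches off.
 *
 * Every write is checked: a failed or short write is reported instead of the
 * unconditional "done" line, because a missing or truncated PAM file changes
 * how the host authenticates. The log line now names the file that was actually
 * written (common-session-noninteractive used to be logged as common-session).
 * The function ends by calling ldap_conf(true).
 *
 * @return void
 */
function build()
{
    $sock = new sockets();
    $EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
    $KerbAuthDisableNsswitch = $sock->GET_INFO("KerbAuthDisableNsswitch");
    $nsswitchEnableLdap = intval($sock->GET_INFO("nsswitchEnableLdap"));
    $EnableIntelCeleron = intval($sock->GET_INFO("EnableIntelCeleron"));
    $EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");

    // Anything that is not numeric (unset, empty, garbage) counts as "off".
    if (!is_numeric($EnableSambaActiveDirectory)) {
        $EnableSambaActiveDirectory = 0;
    }
    if (!is_numeric($EnableKerbAuth)) {
        $EnableKerbAuth = 0;
    }
    if (!is_numeric($KerbAuthDisableNsswitch)) {
        $KerbAuthDisableNsswitch = 0;
    }

    // Kerberos authentication implies winbind, but only when winbindd is installed.
    $unix = new unix();
    $winbindd = $unix->find_program("winbindd");
    if (is_file($winbindd) && $EnableKerbAuth == 1) {
        $EnableSambaActiveDirectory = 1;
    }
    // Explicit opt-outs win over everything above.
    if ($KerbAuthDisableNsswitch == 1) {
        $EnableSambaActiveDirectory = 0;
    }
    if ($EnableIntelCeleron == 1) {
        $EnableSambaActiveDirectory = 0;
        $nsswitchEnableLdap = 0;
    }

    if ($EnableSambaActiveDirectory == 0) {
        echo "Starting......: " . date("H:i:s") . " pam.d, ActiveDirectory is disabled\n";
    } else {
        echo "Starting......: " . date("H:i:s") . " pam.d, ActiveDirectory is Enabled\n";
    }

    // Writes one PAM file and logs the real outcome. PHP warnings stay suppressed
    // (this runs as a start-up script) but the result is no longer ignored.
    $writePamFile = function ($path, $lines) {
        $payload = implode("\n", $lines);
        $bytes = @file_put_contents($path, $payload);
        if ($bytes === false || $bytes !== strlen($payload)) {
            echo "Starting......: " . date("H:i:s") . " pam.d, \"{$path}\" FAILED (file missing or incomplete)\n";
            return false;
        }
        echo "Starting......: " . date("H:i:s") . " pam.d, \"{$path}\" done\n";
        return true;
    };

    // --- /etc/pam.d/samba: always written, delegates to the common-* stacks.
    $f = array();
    $f[] = "@include common-auth";
    $f[] = "@include common-account";
    $f[] = "@include common-session";
    $writePamFile("/etc/pam.d/samba", $f);

    // --- /etc/pam.d/common-account
    if (is_file("/etc/pam.d/common-account")) {
        $f = array();
        if ($EnableSambaActiveDirectory == 1) {
            if (SearchLibrarySecurity("pam_winbind.so")) {
                $f[] = "account sufficient       pam_winbind.so";
            }
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "account sufficient pam_ldap.so";
            $f[] = "account required   pam_unix.so try_first_pass";
        } else {
            $f[] = "account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_unix.so";
            $f[] = "account\trequisite\t\t\tpam_deny.so";
            $f[] = "account\trequired\t\t\tpam_permit.so";
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-account", $f);
    }

    // --- /etc/pam.d/common-auth
    if (is_file("/etc/pam.d/common-auth")) {
        $f = array();
        if ($EnableSambaActiveDirectory == 1) {
            if (SearchLibrarySecurity("pam_winbind.so")) {
                $f[] = "auth sufficient pam_winbind.so";
            }
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "auth sufficient pam_ldap.so";
        }
        // NOTE(review): nullok_secure lets accounts with an empty password log in
        // (on terminals listed in /etc/securetty) - confirm that is wanted.
        $f[] = "auth\trequisite\tpam_unix.so nullok_secure try_first_pass";
        if ($nsswitchEnableLdap == 0) {
            $f[] = "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure";
            $f[] = "auth\trequisite\t\t\tpam_deny.so";
            $f[] = "auth\trequired\t\t\tpam_permit.so";
            $f[] = "auth\toptional\t\t\tpam_cap.so";
        }
        if ($EnableSambaActiveDirectory == 1) {
            if (SearchLibrarySecurity("pam_smbpass.so")) {
                $f[] = "auth\toptional\tpam_smbpass.so migrate";
            }
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-auth", $f);
    }

    // --- /etc/pam.d/sudo: always written.
    // NOTE(review): both common-* includes are commented out and no account lines
    // are written, so sudo authenticates against pam_unix only; the "required"
    // pam_unix line is reached only after the "sufficient" one has failed.
    // Confirm this is intended before relying on directory accounts for sudo.
    $f = array();
    $f[] = "#%PAM-1.0";
    $f[] = "";
    $f[] = "#@include common-auth";
    $f[] = "#@include common-account";
    $f[] = "auth    sufficient      pam_unix.so ";
    $f[] = "auth    required        pam_unix.so";
    $f[] = "session required pam_permit.so";
    $f[] = "session required pam_limits.so";
    $f[] = "";
    $writePamFile("/etc/pam.d/sudo", $f);

    // --- /etc/pam.d/common-password
    if (is_file("/etc/pam.d/common-password")) {
        echo "Starting......: " . date("H:i:s") . " pam.d,nsswitchEnableLdap={$nsswitchEnableLdap}\n";
        $f = array();
        $f[] = "#";
        $f[] = "# /etc/pam.d/common-password - password-related modules common to all services";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "password        [success=1 default=ignore]      pam_winbind.so use_authtok try_first_pass";
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "password\tsufficient\tpam_ldap.so";
            // NOTE(review): the LDAP branch still stores local passwords as
            // MD5-crypt and accepts empty old passwords (nullok), while the
            // local-only branch below uses sha512 - review before reuse.
            $f[] = "password\trequisite\tpam_unix.so nullok obscure md5 try_first_pass";
        } else {
            $f[] = "password\t[success=1 default=ignore]\tpam_unix.so obscure sha512";
            $f[] = "password\trequisite\t\t\tpam_deny.so";
            $f[] = "password\trequired\t\t\tpam_permit.so";
        }
        if ($EnableSambaActiveDirectory == 1) {
            if (SearchLibrarySecurity("pam_smbpass.so")) {
                $f[] = "password   optional   pam_smbpass.so nullok use_authtok use_first_pass";
            }
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-password", $f);
    }

    // --- /etc/pam.d/common-session
    if (is_file("/etc/pam.d/common-session")) {
        $f = array();
        $f[] = "session\trequired\t\t\tpam_unix.so ";
        if ($EnableSambaActiveDirectory == 1) {
            if (SearchLibrarySecurity("pam_krb5.so")) {
                $f[] = "session\toptional\t\t\tpam_krb5.so minimum_uid=1000";
            }
            if (SearchLibrarySecurity("pam_winbind.so")) {
                $f[] = "session\toptional\t\t\tpam_winbind.so ";
            }
        }
        if ($nsswitchEnableLdap == 1) {
            $f[] = "session\toptional\t\t\tpam_ldap.so";
        } else {
            $f[] = "session\t[default=1]\t\t\tpam_permit.so";
            $f[] = "session\trequisite\t\t\tpam_deny.so";
            $f[] = "session\trequired\t\t\tpam_permit.so";
            $f[] = "session\trequired\tpam_unix.so";
            if (SearchLibrarySecurity("pam_ck_connector.so")) {
                $f[] = "session\toptional\t\t\tpam_ck_connector.so nox11";
            }
        }
        $f[] = "";
        $writePamFile("/etc/pam.d/common-session", $f);
    }

    // --- /etc/pam.d/common-session-noninteractive
    if (is_file("/etc/pam.d/common-session-noninteractive")) {
        $f = array();
        $f[] = "session\t[default=1]\t\t\tpam_permit.so";
        $f[] = "session\trequisite\t\t\tpam_deny.so";
        $f[] = "session\trequired\t\t\tpam_permit.so";
        $f[] = "session\trequired\t\t\tpam_unix.so";
        if ($nsswitchEnableLdap == 1) {
            $f[] = "session\toptional\t\t\tpam_ldap.so ";
        }
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "session\toptional\t\t\tpam_winbind.so";
        }
        $f[] = "";
        // Logged under its own path; the earlier message named common-session.
        $writePamFile("/etc/pam.d/common-session-noninteractive", $f);
    }

    // --- /etc/pam.d/system-auth-ac (Red Hat style single-file stack)
    // NOTE(review): unlike the common-* files, the pam_ldap lines here are written
    // even when nsswitchEnableLdap is 0 - confirm whether that is intended.
    if (is_file("/etc/pam.d/system-auth-ac")) {
        $f = array();
        $f[] = "#%PAM-1.0";
        $f[] = "# This file is auto-generated.";
        $f[] = "# User changes will be destroyed the next time authconfig is run.";
        $f[] = "auth        required      pam_env.so";
        // NOTE(review): nullok accepts empty passwords for local accounts.
        $f[] = "auth        sufficient    pam_unix.so nullok try_first_pass";
        $f[] = "auth        requisite     pam_succeed_if.so uid >= 500 quiet";
        $f[] = "auth        sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "auth        sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "auth        required      pam_deny.so";
        $f[] = "";
        $f[] = "account     required      pam_unix.so";
        $f[] = "account     sufficient    pam_succeed_if.so uid < 500 quiet";
        $f[] = "account     sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "account     sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "account     required      pam_permit.so";
        $f[] = "";
        $f[] = "password    requisite     pam_cracklib.so try_first_pass retry=3";
        // NOTE(review): md5 selects MD5-crypt for newly set passwords.
        $f[] = "password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok";
        $f[] = "password    sufficient    pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "password    sufficient    pam_winbind.so use_first_pass";
        }
        $f[] = "password    required      pam_deny.so";
        $f[] = "";
        $f[] = "session     optional      pam_keyinit.so revoke";
        $f[] = "session     required      pam_limits.so";
        $f[] = "session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid";
        $f[] = "session     optional      pam_ldap.so use_first_pass";
        if ($EnableSambaActiveDirectory == 1) {
            $f[] = "session     optional      pam_winbind.so use_first_pass";
        }
        if (SearchLibrarySecurity("pam_mkhomedir.so")) {
            $f[] = "session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022";
        }
        $f[] = "session     required      pam_unix.so";
        $f[] = "";
        $writePamFile("/etc/pam.d/system-auth-ac", $f);
    }

    ldap_conf(true);
}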