usr/sbin/authconfig000075500000126772147207322250010410 0ustar00#!/usr/bin/python # -*- coding: UTF-8 -*- # # Authconfig - client authentication configuration program # Copyright (c) 1999-2008 Red Hat, Inc. # # Original authors: Preston Brown # Nalin Dahyabhai # Matt Wilson # Python rewrite and further development by: Tomas Mraz # # This is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA import authinfo, acutil import gettext, os, signal, sys _ = gettext.lgettext from optparse import OptionParser, IndentedHelpFormatter import locale try: locale.setlocale(locale.LC_ALL, '') except locale.Error: sys.stderr.write('Warning: Unsupported locale setting.\n') def runsAs(name): return sys.argv[0].find(name) >= 0 if runsAs("authconfig-tui"): import snack class UnihelpOptionParser(OptionParser): def print_help(self, file=None): if file is None: file = sys.stdout srcencoding = locale.getpreferredencoding() encoding = getattr(file, "encoding", None) if not encoding or encoding == "ascii": encoding = srcencoding file.write(self.format_help().decode(srcencoding).encode(encoding, "replace")) class NonWrapFormatter(IndentedHelpFormatter): def format_option(self, option): # The help for each option consists of two parts: # * the opt strings and metavars # eg. ("-x", or "-fFILENAME, --file=FILENAME") # * the user-supplied help string # eg. 
("turn on expert mode", "read data from FILENAME") # # If possible, we write both of these on the same line: # -x turn on expert mode # # But if the opt string list is too long, we put the help # string on a second line, indented to the same column it would # start in if it fit on the first line. # -fFILENAME, --file=FILENAME # read data from FILENAME # We cannot wrap the help text as it can be in any language and # encoding and so we do not know how to wrap it correctly. result = [] opts = self.option_strings[option] opt_width = self.help_position - self.current_indent - 2 if len(opts) > opt_width: opts = "%*s%s\n" % (self.current_indent, "", opts) indent_first = self.help_position else: # start help on same line as opts opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts) opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts) indent_first = 0 result.append(opts) if option.help: help_text = self.expand_default(option) result.append("%*s%s\n" % (indent_first, "", help_text)) elif opts[-1] != "\n": result.append("\n") return "".join(result) class Authconfig: def __init__(self): self.nis_avail = False self.kerberos_avail = False self.ldap_avail = False self.sssd_avail = False self.cache_avail = False self.fprintd_avail = False self.retval = 0 def module(self): return "authconfig" def printError(self, error): sys.stderr.write("%s: %s\n" % (self.module(), error)) def listHelp(self, l, addidx): idx = 0 help = "<" for item in l: if idx > 0: help += "|" if addidx: help += str(idx) + "=" help += item idx += 1 help += ">" return help def parseOptions(self): usage = _("usage: %s [options]") % self.module() if self.module() == "authconfig": usage += " {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}" parser = UnihelpOptionParser(usage, add_help_option=False, formatter=NonWrapFormatter()) parser.add_option("-h", "--help", action="help", help=_("show this help message and exit")) parser.add_option("--enableshadow", 
"--useshadow", action="store_true", help=_("enable shadowed passwords by default")) parser.add_option("--disableshadow", action="store_true", help=_("disable shadowed passwords by default")) parser.add_option("--enablemd5", "--usemd5", action="store_true", help=_("enable MD5 passwords by default")) parser.add_option("--disablemd5", action="store_true", help=_("disable MD5 passwords by default")) parser.add_option("--passalgo", metavar=self.listHelp(authinfo.password_algorithms, False), help=_("hash/crypt algorithm for new passwords")) parser.add_option("--enablenis", action="store_true", help=_("enable NIS for user information by default")) parser.add_option("--disablenis", action="store_true", help=_("disable NIS for user information by default")) parser.add_option("--nisdomain", metavar=_(""), help=_("default NIS domain")) parser.add_option("--nisserver", metavar=_(""), help=_("default NIS server")) parser.add_option("--enableldap", action="store_true", help=_("enable LDAP for user information by default")) parser.add_option("--disableldap", action="store_true", help=_("disable LDAP for user information by default")) parser.add_option("--enableldapauth", action="store_true", help=_("enable LDAP for authentication by default")) parser.add_option("--disableldapauth", action="store_true", help=_("disable LDAP for authentication by default")) parser.add_option("--ldapserver", metavar=_(""), help=_("default LDAP server hostname or URI")) parser.add_option("--ldapbasedn", metavar=_(""), help=_("default LDAP base DN")) parser.add_option("--enableldaptls", "--enableldapstarttls", action="store_true", help=_("enable use of TLS with LDAP (RFC-2830)")) parser.add_option("--disableldaptls", "--disableldapstarttls", action="store_true", help=_("disable use of TLS with LDAP (RFC-2830)")) parser.add_option("--enablerfc2307bis", action="store_true", help=_("enable use of RFC-2307bis schema for LDAP user information lookups")) parser.add_option("--disablerfc2307bis", 
action="store_true", help=_("disable use of RFC-2307bis schema for LDAP user information lookups")) parser.add_option("--ldaploadcacert", metavar=_(""), help=_("load CA certificate from the URL")) parser.add_option("--enablesmartcard", action="store_true", help=_("enable authentication with smart card by default")) parser.add_option("--disablesmartcard", action="store_true", help=_("disable authentication with smart card by default")) parser.add_option("--enablerequiresmartcard", action="store_true", help=_("require smart card for authentication by default")) parser.add_option("--disablerequiresmartcard", action="store_true", help=_("do not require smart card for authentication by default")) parser.add_option("--smartcardmodule", metavar=_(""), help=_("default smart card module to use")) actshelp = self.listHelp(authinfo.getSmartcardActions(), True) parser.add_option("--smartcardaction", metavar=actshelp, help=_("action to be taken on smart card removal")) parser.add_option("--enablefingerprint", action="store_true", help=_("enable authentication with fingerprint readers by default")) parser.add_option("--disablefingerprint", action="store_true", help=_("disable authentication with fingerprint readers by default")) parser.add_option("--enableecryptfs", action="store_true", help=_("enable automatic per-user ecryptfs")) parser.add_option("--disableecryptfs", action="store_true", help=_("disable automatic per-user ecryptfs")) parser.add_option("--enablekrb5", action="store_true", help=_("enable kerberos authentication by default")) parser.add_option("--disablekrb5", action="store_true", help=_("disable kerberos authentication by default")) parser.add_option("--krb5kdc", metavar=_(""), help=_("default kerberos KDC")) parser.add_option("--krb5adminserver", metavar=_(""), help=_("default kerberos admin server")) parser.add_option("--krb5realm", metavar=_(""), help=_("default kerberos realm")) parser.add_option("--enablekrb5kdcdns", action="store_true", help=_("enable use 
of DNS to find kerberos KDCs")) parser.add_option("--disablekrb5kdcdns", action="store_true", help=_("disable use of DNS to find kerberos KDCs")) parser.add_option("--enablekrb5realmdns", action="store_true", help=_("enable use of DNS to find kerberos realms")) parser.add_option("--disablekrb5realmdns", action="store_true", help=_("disable use of DNS to find kerberos realms")) parser.add_option("--enablewinbind", action="store_true", help=_("enable winbind for user information by default")) parser.add_option("--disablewinbind", action="store_true", help=_("disable winbind for user information by default")) parser.add_option("--enablewinbindauth", action="store_true", help=_("enable winbind for authentication by default")) parser.add_option("--disablewinbindauth", action="store_true", help=_("disable winbind for authentication by default")) parser.add_option("--smbsecurity", metavar="", help=_("security mode to use for samba and winbind")) parser.add_option("--smbrealm", metavar=_(""), help=_("default realm for samba and winbind when security=ads")) parser.add_option("--smbservers", metavar=_(""), help=_("names of servers to authenticate against")) parser.add_option("--smbworkgroup", metavar=_(""), help=_("workgroup authentication servers are in")) parser.add_option("--smbidmaprange", "--smbidmapuid", "--smbidmapgid", metavar=_(""), help=_("uid range winbind will assign to domain or ads users")) parser.add_option("--winbindseparator", metavar="<\\>", help=_("the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled")) parser.add_option("--winbindtemplatehomedir", metavar="", help=_("the directory which winbind-created users will have as home directories")) parser.add_option("--winbindtemplateshell", metavar="", help=_("the shell which winbind-created users will have as their login shell")) parser.add_option("--enablewinbindusedefaultdomain", action="store_true", help=_("configures 
winbind to assume that users with no domain in their user names are domain users")) parser.add_option("--disablewinbindusedefaultdomain", action="store_true", help=_("configures winbind to assume that users with no domain in their user names are not domain users")) parser.add_option("--enablewinbindoffline", action="store_true", help=_("configures winbind to allow offline login")) parser.add_option("--disablewinbindoffline", action="store_true", help=_("configures winbind to prevent offline login")) parser.add_option("--enablewinbindkrb5", action="store_true", help=_("winbind will use Kerberos 5 to authenticate")) parser.add_option("--disablewinbindkrb5", action="store_true", help=_("winbind will use the default authentication method")) parser.add_option("--winbindjoin", metavar="", help=_("join the winbind domain or ads realm now as this administrator")) parser.add_option("--enableipav2", action="store_true", help=_("enable IPAv2 for user information and authentication by default")) parser.add_option("--disableipav2", action="store_true", help=_("disable IPAv2 for user information and authentication by default")) parser.add_option("--ipav2domain", metavar=_(""), help=_("the IPAv2 domain the system should be part of")) parser.add_option("--ipav2realm", metavar=_(""), help=_("the realm for the IPAv2 domain")) parser.add_option("--ipav2server", metavar=_(""), help=_("the server for the IPAv2 domain")) parser.add_option("--enableipav2nontp", action="store_true", help=_("do not setup the NTP against the IPAv2 domain")) parser.add_option("--disableipav2nontp", action="store_true", help=_("setup the NTP against the IPAv2 domain (default)")) parser.add_option("--ipav2join", metavar="", help=_("join the IPAv2 domain as this account")) parser.add_option("--enablewins", action="store_true", help=_("enable wins for hostname resolution")) parser.add_option("--disablewins", action="store_true", help=_("disable wins for hostname resolution")) 
parser.add_option("--enablepreferdns", action="store_true", help=_("prefer dns over wins or nis for hostname resolution")) parser.add_option("--disablepreferdns", action="store_true", help=_("do not prefer dns over wins or nis for hostname resolution")) parser.add_option("--enablehesiod", action="store_true", help=_("enable hesiod for user information by default")) parser.add_option("--disablehesiod", action="store_true", help=_("disable hesiod for user information by default")) parser.add_option("--hesiodlhs", metavar="", help=_("default hesiod LHS")) parser.add_option("--hesiodrhs", metavar="", help=_("default hesiod RHS")) parser.add_option("--enablesssd", action="store_true", help=_("enable SSSD for user information by default with manually managed configuration")) parser.add_option("--disablesssd", action="store_true", help=_("disable SSSD for user information by default (still used for supported configurations)")) parser.add_option("--enablesssdauth", action="store_true", help=_("enable SSSD for authentication by default with manually managed configuration")) parser.add_option("--disablesssdauth", action="store_true", help=_("disable SSSD for authentication by default (still used for supported configurations)")) parser.add_option("--enableforcelegacy", action="store_true", help=_("never use SSSD implicitly even for supported configurations")) parser.add_option("--disableforcelegacy", action="store_true", help=_("use SSSD implicitly if it supports the configuration")) parser.add_option("--enablecachecreds", action="store_true", help=_("enable caching of user credentials in SSSD by default")) parser.add_option("--disablecachecreds", action="store_true", help=_("disable caching of user credentials in SSSD by default")) parser.add_option("--enablecache", action="store_true", help=_("enable caching of user information by default (automatically disabled when SSSD is used)")) parser.add_option("--disablecache", action="store_true", help=_("disable caching of user 
information by default")) parser.add_option("--enablelocauthorize", action="store_true", help=_("local authorization is sufficient for local users")) parser.add_option("--disablelocauthorize", action="store_true", help=_("authorize local users also through remote service")) parser.add_option("--enablepamaccess", action="store_true", help=_("check access.conf during account authorization")) parser.add_option("--disablepamaccess", action="store_true", help=_("do not check access.conf during account authorization")) parser.add_option("--enablesysnetauth", action="store_true", help=_("authenticate system accounts by network services")) parser.add_option("--disablesysnetauth", action="store_true", help=_("authenticate system accounts by local files only")) parser.add_option("--enablemkhomedir", action="store_true", help=_("create home directories for users on their first login")) parser.add_option("--disablemkhomedir", action="store_true", help=_("do not create home directories for users on their first login")) parser.add_option("--passminlen", metavar=_(""), help=_("minimum length of a password")) parser.add_option("--passminclass", metavar=_(""), help=_("minimum number of character classes in a password")) parser.add_option("--passmaxrepeat", metavar=_(""), help=_("maximum number of same consecutive characters in a password")) parser.add_option("--passmaxclassrepeat", metavar=_(""), help=_("maximum number of consecutive characters of same class in a password")) parser.add_option("--enablereqlower", action="store_true", help=_("require at least one lowercase character in a password")) parser.add_option("--disablereqlower", action="store_true", help=_("do not require lowercase characters in a password")) parser.add_option("--enablerequpper", action="store_true", help=_("require at least one uppercase character in a password")) parser.add_option("--disablerequpper", action="store_true", help=_("do not require uppercase characters in a password")) 
parser.add_option("--enablereqdigit", action="store_true", help=_("require at least one digit in a password")) parser.add_option("--disablereqdigit", action="store_true", help=_("do not require digits in a password")) parser.add_option("--enablereqother", action="store_true", help=_("require at least one other character in a password")) parser.add_option("--disablereqother", action="store_true", help=_("do not require other characters in a password")) parser.add_option("--enablefaillock", action="store_true", help=_("enable account locking in case of too many consecutive authentication failures")) parser.add_option("--disablefaillock", action="store_true", help=_("disable account locking on too many consecutive authentication failures")) parser.add_option("--faillockargs", metavar=_(""), help=_("the pam_faillock module options")) parser.add_option("--nostart", action="store_true", help=_("do not start/stop portmap, ypbind, and nscd")) parser.add_option("--test", action="store_true", help=_("do not update the configuration files, only print new settings")) if self.module() == "authconfig-tui": parser.add_option("--back", action="store_true", help=_("display Back instead of Cancel in the main dialog of the TUI")) parser.add_option("--kickstart", action="store_true", help=_("do not display the deprecated text user interface")) else: parser.add_option("--update", "--kickstart", action="store_true", help=_("opposite of --test, update configuration files with changed settings")) parser.add_option("--updateall", action="store_true", help=_("update all configuration files")) parser.add_option("--probe", action="store_true", help=_("probe network for defaults and print them")) parser.add_option("--savebackup", metavar=_(""), help=_("save a backup of all configuration files")) parser.add_option("--restorebackup", metavar=_(""), help=_("restore the backup of configuration files")) parser.add_option("--restorelastbackup", action="store_true", help=_("restore the backup of 
configuration files saved before the previous configuration change")) (self.options, args) = parser.parse_args() if args: self.printError(_("unexpected argument")) sys.exit(2) if (not self.module() == "authconfig-tui" and not self.options.probe and not self.options.test and not self.options.update and not self.options.updateall and not self.options.savebackup and not self.options.restorebackup and not self.options.restorelastbackup): # --update (== --kickstart) or --test or --probe must be specified # this will print usage and call sys.exit() parser.print_help() sys.exit(2) def probe(self): info = authinfo.AuthInfo(self.printError) info.probe() if info.hesiodLHS and info.hesiodRHS: print "hesiod %s/%s" % (info.hesiodLHS, info.hesiodRHS) if info.ldapServer and info.ldapBaseDN: print "ldap %s/%s\n" % (info.ldapServer, info.ldapBaseDN) if info.kerberosRealm: print "krb5 %s/%s/%s\n" % (info.kerberosRealm, info.kerberosKDC or "", info.kerberosAdminServer or "") def readAuthInfo(self): self.info = authinfo.read(self.printError) # FIXME: what about printing critical errors reading individual configs? 
self.pristineinfo = self.info.copy() if self.info.enableLocAuthorize == None: self.info.enableLocAuthorize = True # ON by default def testAvailableSubsys(self): self.nis_avail = (os.access(authinfo.PATH_YPBIND, os.X_OK) and os.access(authinfo.PATH_LIBNSS_NIS, os.X_OK)) self.kerberos_avail = os.access(authinfo.PATH_PAM_KRB5, os.X_OK) self.ldap_avail = (os.access(authinfo.PATH_PAM_LDAP, os.X_OK) and os.access(authinfo.PATH_LIBNSS_LDAP, os.X_OK)) self.sssd_avail = (os.access(authinfo.PATH_PAM_SSS, os.X_OK) and os.access(authinfo.PATH_LIBNSS_SSS, os.X_OK)) self.cache_avail = os.access(authinfo.PATH_NSCD, os.X_OK) self.fprintd_avail = os.access(authinfo.PATH_PAM_FPRINTD, os.X_OK) def overrideSettings(self): bool_settings = {"shadow":"enableShadow", "locauthorize":"enableLocAuthorize", "pamaccess":"enablePAMAccess", "sysnetauth":"enableSysNetAuth", "mkhomedir":"enableMkHomeDir", "cache":"enableCache", "ecryptfs":"enableEcryptfs", "hesiod":"enableHesiod", "ldap":"enableLDAP", "ldaptls":"enableLDAPS", "rfc2307bis":"enableRFC2307bis", "ldapauth":"enableLDAPAuth", "krb5":"enableKerberos", "nis":"enableNIS", "krb5kdcdns":"kerberosKDCviaDNS", "krb5realmdns":"kerberosRealmviaDNS", "smartcard":"enableSmartcard", "fingerprint":"enableFprintd", "requiresmartcard":"forceSmartcard", "winbind":"enableWinbind", "winbindauth":"enableWinbindAuth", "winbindusedefaultdomain":"winbindUseDefaultDomain", "winbindoffline":"winbindOffline", "winbindkrb5":"winbindKrb5", "ipav2":"enableIPAv2", "ipav2nontp":"ipav2NoNTP", "wins":"enableWINS", "sssd":"enableSSSD", "sssdauth":"enableSSSDAuth", "forcelegacy":"enableForceLegacy", "cachecreds":"enableCacheCreds", "preferdns":"preferDNSinHosts", "reqlower":"passReqLower", "requpper":"passReqUpper", "reqdigit":"passReqDigit", "reqother":"passReqOther", "faillock":"enableFaillock"} string_settings = {"passalgo":"passwordAlgorithm", "hesiodlhs":"hesiodLHS", "hesiodrhs":"hesiodRHS", "ldapserver":"ldapServer", "ldapbasedn":"ldapBaseDN", 
"ldaploadcacert":"ldapCacertURL", "krb5realm":"kerberosRealm", "krb5kdc":"kerberosKDC", "krb5adminserver":"kerberosAdminServer", "smartcardmodule":"smartcardModule", "smartcardaction":"smartcardAction", "nisdomain":"nisDomain", "nisserver":"nisServer", "smbworkgroup":"smbWorkgroup", "smbservers":"smbServers", "smbsecurity":"smbSecurity", "smbrealm" : "smbRealm", "smbidmaprange":"smbIdmapRange", "winbindseparator":"winbindSeparator", "winbindtemplatehomedir":"winbindTemplateHomedir", "winbindtemplateshell":"winbindTemplateShell", "ipav2domain":"ipav2Domain", "ipav2realm":"ipav2Realm", "ipav2server":"ipav2Server", "passminlen":"passMinLen", "passminclass":"passMinClass", "passmaxrepeat":"passMaxRepeat", "passmaxclassrepeat":"passMaxClassRepeat", "faillockargs":"faillockArgs"} for opt, aival in bool_settings.iteritems(): if getattr(self.options, "enable"+opt): setattr(self.info, aival, True) if getattr(self.options, "disable"+opt): setattr(self.info, aival, False) try: if self.info.enableRFC2307bis: self.info.ldapSchema = 'rfc2307bis' else: self.info.ldapSchema = '' except AttributeError: pass if self.options.krb5realm and self.options.krb5realm != self.info.kerberosRealm: self.info.kerberosKDC = self.info.getKerberosKDC(self.options.krb5realm) self.info.kerberosAdminServer = self.info.getKerberosAdminServer(self.options.krb5realm) try: val = self.options.passminlen if val != None: val = int(val) if val < 6: self.printError(_("The passminlen minimum value is 6")) self.options.passminlen = None self.retval = 3 except ValueError: self.printError(_("The passminlen option value is not an integer")) self.options.passminlen = None self.retval = 3 try: val = self.options.passminclass if val != None: val = int(val) if val < 0: self.printError(_("The passminclass value must not be negative")) self.options.passminclass = None self.retval = 3 if val > 4: self.printError(_("The passminclass value must not be higher than 4")) self.options.passminclass = None self.retval = 3 except 
ValueError: self.printError(_("The passminclass option value is not an integer")) self.options.passminclass = None self.retval = 3 try: val = self.options.passmaxrepeat if val != None: val = int(val) if val < 0: self.printError(_("The passmaxrepeat value must not be negative")) self.options.passmaxrepeat = None self.retval = 3 except ValueError: self.printError(_("The passmaxrepeat option value is not an integer")) self.options.passmaxrepeat = None self.retval = 3 try: val = self.options.passmaxclassrepeat if val != None: val = int(val) if val < 0: self.printError(_("The passmaxclassrepeat value must not be negative")) self.options.passmaxclassrepeat = None self.retval = 3 except ValueError: self.printError(_("The passmaxclassrepeat option value is not an integer")) self.options.passmaxclassrepeat = None self.retval = 3 for opt, aival in string_settings.iteritems(): if getattr(self.options, opt) != None: setattr(self.info, aival, getattr(self.options, opt)) if self.options.winbindjoin: lst = self.options.winbindjoin.split("%", 1) self.info.joinUser = lst[0] if len(lst) > 1: self.info.joinPassword = lst[1] if self.options.ipav2join != None: self.info.joinUser = self.options.ipav2join if self.options.smartcardaction: try: idx = int(self.options.smartcardaction) self.info.smartcardAction = authinfo.getSmartcardActions()[idx] except (ValueError, IndexError): self.printError(_("Bad smart card removal action specified.")) self.info.smartcardAction = "" if self.options.enablerequiresmartcard and self.options.smartcardmodule == "sssd": self.printError(_("--enablerequiresmartcard is not supported for module 'sssd', option is ignored.")) self.options.enablerequiresmartcard = False if not self.options.passalgo: if self.options.enablemd5: self.info.passwordAlgorithm = "md5" if self.options.disablemd5: self.info.passwordAlgorithm = "descrypt" elif self.options.passalgo not in authinfo.password_algorithms: self.printError(_("Unknown password hashing algorithm specified, using 
sha256.")) self.info.passwordAlgorithm = "sha256" self.retval = 3 def doUI(self): return True def joinDomain(self): ret = True if self.options.winbindjoin: ret = self.info.joinDomain(True) if self.options.ipav2join != None: if self.info.joinIPADomain(True): # This is a hack but otherwise we cannot # get the IPAV2DOMAINJOINED saved # unfortunately the backup will be overwritten self.info.writeSysconfig() else: ret = False return ret def writeAuthInfo(self): self.info.testLDAPCACerts() if self.info.ldapCacertURL: if not self.info.downloadLDAPCACert(): self.retval = 4 self.info.rehashLDAPCACerts() if self.options.updateall: if not self.info.write(): self.retval = 5 else: if not self.info.writeChanged(self.pristineinfo): self.retval = 6 # FIXME: what about printing critical errors writing individual configs? if not self.joinDomain(): self.retval = 7 self.info.post(self.options.nostart) def run(self): self.parseOptions() if self.options.probe: self.probe() sys.exit(0) if not self.options.test and os.getuid() != 0: self.printError(_("can only be run as root")) sys.exit(2) self.readAuthInfo() if self.options.restorelastbackup: rv = self.info.restoreLast() sys.exit(int(not rv)) if self.options.restorebackup: rv = self.info.restoreBackup(self.options.restorebackup) sys.exit(int(not rv)) if self.options.savebackup: rv = self.info.saveBackup(self.options.savebackup) sys.exit(int(not rv)) self.testAvailableSubsys() self.overrideSettings() if not self.doUI(): if self.options.test: self.printError(_("dialog was cancelled")) sys.exit(1) if self.options.test: self.info.printInfo() else: self.writeAuthInfo() return self.retval class AuthconfigTUI(Authconfig): def module(self): return "authconfig-tui" def joinDomain(self): # join domain only on kickstart if self.options.kickstart and self.options.winbindjoin: self.info.joinDomain(True) def warn(self, toggle, warning): if not toggle: return while warning: path = warning[0] package = warning[2] if type(path) == tuple: if 
self.info.sssdSupported(): path = path[1] package = package[1] else: path = path[0] package = package[0] if not os.access(path, os.R_OK): text = (_("The %s file was not found, but it is required for %s support to work properly.\nInstall the %s package, which provides this file.") % (path, warning[1], package)) snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")]) warning = warning[3] def getMainChoices(self): warnCache = [authinfo.PATH_NSCD, _("caching"), "nscd", None] warnFprintd = [authinfo.PATH_PAM_FPRINTD, _("Fingerprint reader"), "pam_fprintd", None] warnKerberos = [(authinfo.PATH_PAM_KRB5, authinfo.PATH_PAM_SSS), _("Kerberos"), ("pam_krb5", "sssd-client"), None] warnLDAPAuth = [(authinfo.PATH_PAM_LDAP, authinfo.PATH_PAM_SSS), _("LDAP authentication"), ("pam_ldap", "sssd-client"), None] warnLDAP = [(authinfo.PATH_LIBNSS_LDAP, authinfo.PATH_LIBNSS_SSS), _("LDAP"), ("nss-pam-ldapd", "sssd-client"), None] warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None] warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None] warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None] warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-winbind", warnWinbindNet] warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-winbind", warnWinbindAuth] # Information infoGrid = snack.Grid(1, 6) comp = snack.Label(_("User Information")) infoGrid.setField(comp, 0, 0, anchorLeft=1, growx=1) cache = cb = snack.Checkbox(_("Cache Information"), bool(self.info.enableCache)) infoGrid.setField(cb, 0, 1, anchorLeft=1, growx=1) ldap = cb = snack.Checkbox(_("Use LDAP"), bool(self.info.enableLDAP)) infoGrid.setField(cb, 0, 2, anchorLeft=1, growx=1) nis = cb = snack.Checkbox(_("Use NIS"), bool(self.info.enableNIS)) infoGrid.setField(cb, 0, 3, anchorLeft=1, growx=1) ipav2 = cb = snack.Checkbox(_("Use IPAv2"), bool(self.info.enableIPAv2)) infoGrid.setField(cb, 0, 4, anchorLeft=1, growx=1) winbind = 
cb = snack.Checkbox(_("Use Winbind"), bool(self.info.enableWinbind)) infoGrid.setField(cb, 0, 5, anchorLeft=1, growx=1) # Authentication authGrid = snack.Grid(1, 8) comp = snack.Label(_("Authentication")) authGrid.setField(comp, 0, 0, anchorLeft=1, growx=1) md5 = cb = snack.Checkbox(_("Use MD5 Passwords"), bool(self.info.passwordAlgorithm=='md5')) authGrid.setField(cb, 0, 1, anchorLeft=1, growx=1) shadow = cb = snack.Checkbox(_("Use Shadow Passwords"), bool(self.info.enableShadow)) authGrid.setField(cb, 0, 2, anchorLeft=1, growx=1) ldapa = cb = snack.Checkbox(_("Use LDAP Authentication"), bool(self.info.enableLDAPAuth)) authGrid.setField(cb, 0, 3, anchorLeft=1, growx=1) krb5 = cb = snack.Checkbox(_("Use Kerberos"), bool(self.info.enableKerberos)) authGrid.setField(cb, 0, 4, anchorLeft=1, growx=1) fprintd = cb = snack.Checkbox(_("Use Fingerprint reader"), bool(self.info.enableFprintd)) authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1) winbindauth = cb = snack.Checkbox(_("Use Winbind Authentication"), bool(self.info.enableWinbindAuth)) authGrid.setField(cb, 0, 6, anchorLeft=1, growx=1) locauthorize = cb = snack.Checkbox(_("Local authorization is sufficient"), bool(self.info.enableLocAuthorize)) authGrid.setField(cb, 0, 7, anchorLeft=1, growx=1) # Control grid mechGrid = snack.Grid(2, 1) mechGrid.setField(infoGrid, 0, 0, anchorLeft=1, anchorTop=1, padding=(1, 0, 1, 1)) mechGrid.setField(authGrid, 1, 0, anchorRight=1, anchorTop=1, padding=(2, 0, 1, 1)) # Buttons buttonGrid = snack.Grid(2, 1) cancel = snack.Button(self.options.back and _("Back") or _("Cancel")) ok = snack.Button(_("Next")) buttonGrid.setField(cancel, 0, 0) buttonGrid.setField(ok, 1, 0) # Top-level grid mainGrid = snack.Grid(1, 2) mainGrid.setField(mechGrid, 0, 0, growx=1) mainGrid.setField(buttonGrid, 0, 1, growx=1) # Run the form and interpret the results form = snack.Form() self.screen.gridWrappedWindow(mainGrid, _("Authentication Configuration")) form.add(mainGrid) # BEHOLD! 
# [listing note] Tail of getMainChoices(), unchanged: the method starts above this excerpt.
AUTHCONFIG IN ALL ITS GORY GLORY! comp = form.run() if comp != cancel: self.info.enableCache = cache.selected() self.info.enableIPAv2 = ipav2.selected() self.info.enableLDAP = ldap.selected() self.info.enableNIS = nis.selected() self.info.enableWinbind = winbind.selected() self.info.enableShadow = shadow.selected() if md5.selected(): self.info.passwordAlgorithm = 'md5' elif self.info.passwordAlgorithm == 'md5': self.info.passwordAlgorithm = 'descrypt' self.info.enableLDAPAuth = ldapa.selected() self.info.enableKerberos = krb5.selected() self.info.enableWinbindAuth = winbindauth.selected() self.info.enableLocAuthorize = locauthorize.selected() self.info.enableFprintd = fprintd.selected() allwarnings = [(self.info.enableCache, warnCache), (self.info.enableLDAP, warnLDAP), (self.info.enableNIS, warnNIS), (self.info.enableWinbind, warnWinbind), (self.info.enableLDAPAuth, warnLDAPAuth), (self.info.enableKerberos, warnKerberos), (self.info.enableFprintd, warnFprintd), (self.info.enableShadow, warnShadow), (self.info.enableWinbindAuth, warnWinbindAuth)] for warning in allwarnings: self.warn(warning[0], warning[1]) self.screen.popWindow() return comp != cancel

    def getGenericChoices(self, dtitle, items, canceltxt, oktxt, anothertxt=None, anothercb=None):
        """Show one dialog built from ``items`` and store the answers on self.info.

        Each item is a 4-tuple ``(kind, description, attribute, extra)``:

        * "tfvalue" - checkbox bound to ``self.info.<attribute>``.
        * "svalue"  - 40-column text entry; ``extra`` is handed to snack.Entry
          as ``hidden``, which is how the join password field below keeps the
          typed text off the screen.
        * "rvalue"  - radio bar over the list ``extra``; the current attribute
          value is preselected when it is one of the choices, otherwise the
          first choice is.
        * "lvalue"  - reflowed text only, nothing is stored.

        ``canceltxt`` and ``oktxt`` label the two standard buttons.  When
        ``anothertxt`` is given a third button is added; pressing it stores
        the answers, calls ``anothercb`` (if set) and runs the form again.

        Returns True unless the dialog was left through the cancel button.
        Entry values are stored as typed (see the FIXME notes: no filtering
        of blanks or tabs is done here).
        """
        # One grid row per question.
        grid = snack.Grid(2, len(items))
        widgets = []
        for row, (kind, desc, attr, val) in enumerate(items):
            if kind == "tfvalue":
                box = snack.Checkbox(desc, bool(getattr(self.info, attr)))
                widgets.append(box)
                grid.setField(snack.Label(""), 0, row, anchorRight=1)
                grid.setField(box, 1, row, anchorLeft=1)
            elif kind == "svalue":
                grid.setField(snack.Label(desc), 0, row, padding=(0, 0, 1, 0), anchorRight=1)
                entry = snack.Entry(40, getattr(self.info, attr), hidden=val)
                widgets.append(entry)
                # FIXME? Filtering " " and "\t"
                grid.setField(entry, 1, row, growx=1)
            elif kind == "rvalue":
                grid.setField(snack.Label(desc), 0, row, padding=(0, 0, 1, 0), anchorRight=1, anchorTop=1)
                selected = getattr(self.info, attr)
                if selected not in val:
                    # Stored value is not one of the offered choices.
                    selected = val[0]
                bar = snack.RadioBar(None, [(v, v, v == selected) for v in val])
                widgets.append(bar)
                grid.setField(bar, 1, row, anchorLeft=1)
            elif kind == "lvalue":
                text = snack.TextboxReflowed(50, desc, flexDown=1, flexUp=1)
                widgets.append(text)
                grid.setField(text, 0, row, anchorLeft=1)

        # Buttons: cancel, optional extra action, ok.
        buttons = snack.Grid(3 if anothertxt else 2, 1)
        cancel = snack.Button(canceltxt)
        ok = snack.Button(oktxt)
        another = anothertxt and snack.Button(anothertxt) or None
        buttons.setField(cancel, 0, 0)
        if anothertxt:
            buttons.setField(another, 1, 0)
        buttons.setField(ok, 2 if anothertxt else 1, 0)

        # Top-level grid
        layout = snack.Grid(1, 2)
        layout.setField(grid, 0, 0, padding=(0, 0, 0, 1), growx=1)
        layout.setField(buttons, 0, 1, padding=(0, 0, 0, 0), growx=1)

        # Run the form and interpret the results
        form = snack.Form()
        self.screen.gridWrappedWindow(layout, dtitle)
        form.add(layout)
        while True:
            pressed = form.run()
            if pressed == cancel:
                break
            # Widgets were appended in item order, so consume them in step.
            remaining = widgets[:]
            for (kind, desc, attr, val) in items:
                if kind == "tfvalue":
                    setattr(self.info, attr, remaining.pop(0).selected())
                elif kind == "svalue":
                    setattr(self.info, attr, remaining.pop(0).value())
                    # FIXME? Filtering " " and "\t"
                elif kind == "rvalue":
                    setattr(self.info, attr, remaining.pop(0).getSelection())
                elif kind == "lvalue":
                    remaining.pop(0)
            if pressed != another:
                break
            if anothercb:
                anothercb()
        self.screen.popWindow()
        return pressed != cancel

    def getIPAv2Settings(self, next):
        """Ask for the IPAv2 domain, realm and server.

        ``next`` selects the label of the confirm button ("Next" when true,
        "Ok" otherwise).  The dialog also offers "Join Domain", which runs
        maybeGetJoinSettings().  Returns the result of getGenericChoices().
        """
        fields = [
            ("svalue", _("Domain:"), "ipav2Domain", 0),
            ("svalue", _("Realm:"), "ipav2Realm", 0),
            ("svalue", _("Server:"), "ipav2Server", 0),
        ]
        oklabel = next and _("Next") or _("Ok")
        return self.getGenericChoices(_("IPAv2 Settings"), fields, _("Back"), oklabel,
                                      anothertxt=_("Join Domain"),
                                      anothercb=self.maybeGetJoinSettings)

    def getLDAPSettings(self, next):
        """Ask for the LDAP server, base DN and whether TLS is used.

        "Use TLS" is an ordinary checkbox bound to ``enableLDAPS``; nothing in
        this dialog forces it on.  ``next`` selects the confirm button label.
        """
        fields = [
            ("tfvalue", _("Use TLS"), "enableLDAPS", None),
            ("svalue", _("Server:"), "ldapServer", 0),
            ("svalue", _("Base DN:"), "ldapBaseDN", 0),
        ]
        oklabel = next and _("Next") or _("Ok")
        return self.getGenericChoices(_("LDAP Settings"), fields, _("Back"), oklabel)

    def getNISSettings(self, next):
        """Ask for the NIS domain and server; ``next`` selects the confirm label."""
        fields = [
            ("svalue", _("Domain:"), "nisDomain", 0),
            ("svalue", _("Server:"), "nisServer", 0),
        ]
        oklabel = next and _("Next") or _("Ok")
        return self.getGenericChoices(_("NIS Settings"), fields, _("Back"), oklabel)

    def getKerberosSettings(self, next):
        """Ask for the Kerberos realm, KDC, admin server and the two DNS lookups.

        ``next`` selects the confirm button label.
        """
        fields = [
            ("svalue", _("Realm:"), "kerberosRealm", 0),
            ("svalue", _("KDC:"), "kerberosKDC", 0),
            ("svalue", _("Admin Server:"), "kerberosAdminServer", 0),
            ("tfvalue", _("Use DNS to resolve hosts to realms"), "kerberosRealmviaDNS", None),
            ("tfvalue", _("Use DNS to locate KDCs for realms"), "kerberosKDCviaDNS", None),
        ]
        oklabel = next and _("Next") or _("Ok")
        return self.getGenericChoices(_("Kerberos Settings"), fields, _("Back"), oklabel)

    def getJoinSettings(self):
        """Ask for the domain administrator account and run the domain join.

        The password entry is created with hidden=1, so it is not echoed in
        the dialog; the value is stored on ``self.info.joinPassword``.  What
        the join helpers then do with it is in authinfo and not shown here.
        The screen is suspended around the join call.  Always returns True.
        """
        fields = [
            ("svalue", _("Domain Administrator:"), "joinUser", 0),
            ("svalue", _("Password:"), "joinPassword", 1),
        ]
        if not self.info.joinUser:
            self.info.joinUser = "Administrator"
        confirmed = self.getGenericChoices(_("Join Settings"), fields, _("Cancel"), _("Ok"))
        if confirmed:
            self.screen.suspend()
            self.info.update()
            if self.info.enableWinbind:
                self.info.joinDomain(True)
            elif self.info.enableIPAv2:
                self.info.joinIPADomain(True)
            self.screen.resume()
        return True

    def maybeGetJoinSettings(self):
        """Offer to save pending changes, then open the join dialog.

        The on-disk configuration is re-read and compared with the edited
        one; only when they differ is the user asked whether to write the
        changes first.  Always returns True.
        """
        prompt = [("lvalue", _("Some of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?"), None, None)]
        on_disk = authinfo.read(self.printError)
        on_disk.update()
        self.info.update()
        save = False
        if self.info.differs(on_disk):
            save = self.getGenericChoices(_("Save Settings"), prompt, _("No"), _("Yes"))
        if save:
            self.info.write()
        # NOTE(review): indentation is lost in this listing; the join dialog is
        # taken to run whether or not anything was saved - confirm against the
        # packaged file.
        self.getJoinSettings()
        return True

    def getWinbindSettings(self, next):
        """Ask for the Winbind security model, domain data and template shell.

        Only shells from the fixed list that are executable on this host are
        offered.  ``next`` selects the confirm button label; "Join Domain"
        runs maybeGetJoinSettings().
        """
        security = ["ads", "domain"]
        candidates = ["/sbin/nologin", "/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/ksh", "/bin/zsh"]
        shells = [shell for shell in candidates if os.access(shell, os.X_OK)]
        # Why does your favorite shell not show up in the list? Because it won't
        # fit, that's why!
        fields = [
            ("rvalue", _("Security Model:"), "smbSecurity", security),
            ("svalue", _("Domain:"), "smbWorkgroup", 0),
            ("svalue", _("Domain Controllers:"), "smbServers", 0),
            ("svalue", _("ADS Realm:"), "smbRealm", 0),
            ("rvalue", _("Template Shell:"), "winbindTemplateShell", shells),
        ]
        oklabel = next and _("Next") or _("Ok")
        return self.getGenericChoices(_("Winbind Settings"), fields, _("Back"), oklabel,
                                      anothertxt=_("Join Domain"),
                                      anothercb=self.maybeGetJoinSettings)

    def getChoices(self):
        """Walk the user through the dialogs, forwards and backwards.

        Step 1 is the main dialog; steps 2-6 are the IPAv2, LDAP, NIS,
        Kerberos and Winbind dialogs, each shown only when the matching
        feature is enabled.  A skipped step leaves ``rc`` untouched, so the
        walk keeps moving in the direction of the last answer.  ``more``
        tells a dialog whether a later dialog follows.

        Returns True when the walk ran past the last step, False when the
        user backed out of the first one.
        """
        step = 1
        rc = False
        while 0 < step <= 6:
            self.info.update()
            if step == 1:
                rc = self.getMainChoices()
            elif step == 2:
                if self.info.enableIPAv2:
                    more = (self.info.enableLDAP or self.info.enableLDAPAuth or
                            self.info.enableKerberos or self.info.enableNIS or
                            self.info.enableWinbind or self.info.enableWinbindAuth)
                    rc = self.getIPAv2Settings(more)
            elif step == 3:
                if self.info.enableLDAP or self.info.enableLDAPAuth:
                    more = (self.info.enableKerberos or self.info.enableNIS or
                            self.info.enableWinbind or self.info.enableWinbindAuth)
                    rc = self.getLDAPSettings(more)
            elif step == 4:
                if self.info.enableNIS:
                    more = (self.info.enableKerberos or self.info.enableWinbind or
                            self.info.enableWinbindAuth)
                    rc = self.getNISSettings(more)
            elif step == 5:
                if self.info.enableKerberos:
                    more = (self.info.enableWinbind or self.info.enableWinbindAuth)
                    rc = self.getKerberosSettings(more)
            elif step == 6:
                if self.info.enableWinbind or self.info.enableWinbindAuth:
                    more = False
                    rc = self.getWinbindSettings(more)
            self.info.update()
            if rc:
                step += 1
            else:
                step -= 1
        return step == 7

    def displayCACertsMessage(self):
        """Tell the user where the CA certificate for LDAP over TLS must be placed."""
        message = (_("To connect to a LDAP server with TLS protocol enabled you need "
                     "a CA certificate which signed your server's certificate. "
                     "Copy the certificate in the PEM format to the '%s' directory.\n"
                     "Then press OK.") % self.info.ldapCacertDir)
        snack.ButtonChoiceWindow(self.screen, _("Warning"), message, [_("Ok")])

    def doUI(self):
        """Run the text UI; returns False when the user cancelled it.

        With --kickstart no screen is opened.  After the dialogs, the CA
        certificate reminder is shown when LDAP TLS is enabled and
        testLDAPCACerts() returns a true value.  The screen is closed in
        the ``finally`` clause on every path.
        """
        if self.options.kickstart:
            return True
        try:
            self.screen = snack.SnackScreen()
            banner = self.module() # FIXME - version
            self.screen.pushHelpLine(_(" / between elements | selects | next screen"))
            self.screen.drawRootText(0, 0, banner + " - (c) 1999-2005 Red Hat, Inc.")
            if not self.getChoices():
                # cancelled
                self.screen.finish()
                return False
            if self.info.enableLDAPS and self.info.testLDAPCACerts():
                self.displayCACertsMessage()
        finally:
            self.screen.finish()
        return True

if __name__ == '__main__':
    # Default SIGINT handling, so Ctrl-C ends the program.
    signal.signal(signal.SIGINT, signal.SIG_DFL)
    gettext.textdomain("authconfig")
    # The front end is chosen from the name the program was started under;
    # "authconfig-tui" selects the deprecated TUI.
    module = AuthconfigTUI() if runsAs("authconfig-tui") else Authconfig()
    sys.exit(module.run())

# [listing note] Next archive member, etc/sysconfig/authconfig, unchanged (it continues on the following line of the listing):
etc/sysconfig/authconfig000064400000000743147221217760011412 0ustar00CACHECREDENTIALS=yes FAILLOCKARGS="deny=4 unlock_time=1200" FORCELEGACY=no FORCESMARTCARD=no IPADOMAINJOINED=no IPAV2NONTP=no PASSWDALGORITHM=sha512 USEDB=no USEECRYPTFS=no USEFAILLOCK=no USEFPRINTD=no USEHESIOD=no USEIPAV2=no USEKERBEROS=no USELDAP=no USELDAPAUTH=no USELOCAUTHORIZE=yes USEMKHOMEDIR=no USENIS=no USEPAMACCESS=no USEPASSWDQC=no USEPWQUALITY=yes USESHADOW=yes USESMARTCARD=no
USESSSD=yes USESSSDAUTH=no USESYSNETAUTH=no USEWINBIND=no USEWINBINDAUTH=no WINBINDKRB5=no authconfig.py000075500000126772147645272700007305 0ustar00#!/usr/bin/python # -*- coding: UTF-8 -*- # # Authconfig - client authentication configuration program # Copyright (c) 1999-2008 Red Hat, Inc. # # Original authors: Preston Brown # Nalin Dahyabhai # Matt Wilson # Python rewrite and further development by: Tomas Mraz # # This is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA import authinfo, acutil import gettext, os, signal, sys _ = gettext.lgettext from optparse import OptionParser, IndentedHelpFormatter import locale try: locale.setlocale(locale.LC_ALL, '') except locale.Error: sys.stderr.write('Warning: Unsupported locale setting.\n') def runsAs(name): return sys.argv[0].find(name) >= 0 if runsAs("authconfig-tui"): import snack class UnihelpOptionParser(OptionParser): def print_help(self, file=None): if file is None: file = sys.stdout srcencoding = locale.getpreferredencoding() encoding = getattr(file, "encoding", None) if not encoding or encoding == "ascii": encoding = srcencoding file.write(self.format_help().decode(srcencoding).encode(encoding, "replace")) class NonWrapFormatter(IndentedHelpFormatter): def format_option(self, option): # The help for each option consists of two parts: # * the opt strings and metavars # eg. 
("-x", or "-fFILENAME, --file=FILENAME") # * the user-supplied help string # eg. ("turn on expert mode", "read data from FILENAME") # # If possible, we write both of these on the same line: # -x turn on expert mode # # But if the opt string list is too long, we put the help # string on a second line, indented to the same column it would # start in if it fit on the first line. # -fFILENAME, --file=FILENAME # read data from FILENAME # We cannot wrap the help text as it can be in any language and # encoding and so we do not know how to wrap it correctly. result = [] opts = self.option_strings[option] opt_width = self.help_position - self.current_indent - 2 if len(opts) > opt_width: opts = "%*s%s\n" % (self.current_indent, "", opts) indent_first = self.help_position else: # start help on same line as opts opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts) opts = "%*s%-*s " % (self.current_indent, "", opt_width, opts) indent_first = 0 result.append(opts) if option.help: help_text = self.expand_default(option) result.append("%*s%s\n" % (indent_first, "", help_text)) elif opts[-1] != "\n": result.append("\n") return "".join(result) class Authconfig: def __init__(self): self.nis_avail = False self.kerberos_avail = False self.ldap_avail = False self.sssd_avail = False self.cache_avail = False self.fprintd_avail = False self.retval = 0 def module(self): return "authconfig" def printError(self, error): sys.stderr.write("%s: %s\n" % (self.module(), error)) def listHelp(self, l, addidx): idx = 0 help = "<" for item in l: if idx > 0: help += "|" if addidx: help += str(idx) + "=" help += item idx += 1 help += ">" return help def parseOptions(self): usage = _("usage: %s [options]") % self.module() if self.module() == "authconfig": usage += " {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}" parser = UnihelpOptionParser(usage, add_help_option=False, formatter=NonWrapFormatter()) parser.add_option("-h", "--help", action="help", 
help=_("show this help message and exit")) parser.add_option("--enableshadow", "--useshadow", action="store_true", help=_("enable shadowed passwords by default")) parser.add_option("--disableshadow", action="store_true", help=_("disable shadowed passwords by default")) parser.add_option("--enablemd5", "--usemd5", action="store_true", help=_("enable MD5 passwords by default")) parser.add_option("--disablemd5", action="store_true", help=_("disable MD5 passwords by default")) parser.add_option("--passalgo", metavar=self.listHelp(authinfo.password_algorithms, False), help=_("hash/crypt algorithm for new passwords")) parser.add_option("--enablenis", action="store_true", help=_("enable NIS for user information by default")) parser.add_option("--disablenis", action="store_true", help=_("disable NIS for user information by default")) parser.add_option("--nisdomain", metavar=_(""), help=_("default NIS domain")) parser.add_option("--nisserver", metavar=_(""), help=_("default NIS server")) parser.add_option("--enableldap", action="store_true", help=_("enable LDAP for user information by default")) parser.add_option("--disableldap", action="store_true", help=_("disable LDAP for user information by default")) parser.add_option("--enableldapauth", action="store_true", help=_("enable LDAP for authentication by default")) parser.add_option("--disableldapauth", action="store_true", help=_("disable LDAP for authentication by default")) parser.add_option("--ldapserver", metavar=_(""), help=_("default LDAP server hostname or URI")) parser.add_option("--ldapbasedn", metavar=_(""), help=_("default LDAP base DN")) parser.add_option("--enableldaptls", "--enableldapstarttls", action="store_true", help=_("enable use of TLS with LDAP (RFC-2830)")) parser.add_option("--disableldaptls", "--disableldapstarttls", action="store_true", help=_("disable use of TLS with LDAP (RFC-2830)")) parser.add_option("--enablerfc2307bis", action="store_true", help=_("enable use of RFC-2307bis schema for LDAP 
user information lookups")) parser.add_option("--disablerfc2307bis", action="store_true", help=_("disable use of RFC-2307bis schema for LDAP user information lookups")) parser.add_option("--ldaploadcacert", metavar=_(""), help=_("load CA certificate from the URL")) parser.add_option("--enablesmartcard", action="store_true", help=_("enable authentication with smart card by default")) parser.add_option("--disablesmartcard", action="store_true", help=_("disable authentication with smart card by default")) parser.add_option("--enablerequiresmartcard", action="store_true", help=_("require smart card for authentication by default")) parser.add_option("--disablerequiresmartcard", action="store_true", help=_("do not require smart card for authentication by default")) parser.add_option("--smartcardmodule", metavar=_(""), help=_("default smart card module to use")) actshelp = self.listHelp(authinfo.getSmartcardActions(), True) parser.add_option("--smartcardaction", metavar=actshelp, help=_("action to be taken on smart card removal")) parser.add_option("--enablefingerprint", action="store_true", help=_("enable authentication with fingerprint readers by default")) parser.add_option("--disablefingerprint", action="store_true", help=_("disable authentication with fingerprint readers by default")) parser.add_option("--enableecryptfs", action="store_true", help=_("enable automatic per-user ecryptfs")) parser.add_option("--disableecryptfs", action="store_true", help=_("disable automatic per-user ecryptfs")) parser.add_option("--enablekrb5", action="store_true", help=_("enable kerberos authentication by default")) parser.add_option("--disablekrb5", action="store_true", help=_("disable kerberos authentication by default")) parser.add_option("--krb5kdc", metavar=_(""), help=_("default kerberos KDC")) parser.add_option("--krb5adminserver", metavar=_(""), help=_("default kerberos admin server")) parser.add_option("--krb5realm", metavar=_(""), help=_("default kerberos realm")) 
parser.add_option("--enablekrb5kdcdns", action="store_true", help=_("enable use of DNS to find kerberos KDCs")) parser.add_option("--disablekrb5kdcdns", action="store_true", help=_("disable use of DNS to find kerberos KDCs")) parser.add_option("--enablekrb5realmdns", action="store_true", help=_("enable use of DNS to find kerberos realms")) parser.add_option("--disablekrb5realmdns", action="store_true", help=_("disable use of DNS to find kerberos realms")) parser.add_option("--enablewinbind", action="store_true", help=_("enable winbind for user information by default")) parser.add_option("--disablewinbind", action="store_true", help=_("disable winbind for user information by default")) parser.add_option("--enablewinbindauth", action="store_true", help=_("enable winbind for authentication by default")) parser.add_option("--disablewinbindauth", action="store_true", help=_("disable winbind for authentication by default")) parser.add_option("--smbsecurity", metavar="", help=_("security mode to use for samba and winbind")) parser.add_option("--smbrealm", metavar=_(""), help=_("default realm for samba and winbind when security=ads")) parser.add_option("--smbservers", metavar=_(""), help=_("names of servers to authenticate against")) parser.add_option("--smbworkgroup", metavar=_(""), help=_("workgroup authentication servers are in")) parser.add_option("--smbidmaprange", "--smbidmapuid", "--smbidmapgid", metavar=_(""), help=_("uid range winbind will assign to domain or ads users")) parser.add_option("--winbindseparator", metavar="<\\>", help=_("the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled")) parser.add_option("--winbindtemplatehomedir", metavar="", help=_("the directory which winbind-created users will have as home directories")) parser.add_option("--winbindtemplateshell", metavar="", help=_("the shell which winbind-created users will have as their login shell")) 
parser.add_option("--enablewinbindusedefaultdomain", action="store_true", help=_("configures winbind to assume that users with no domain in their user names are domain users")) parser.add_option("--disablewinbindusedefaultdomain", action="store_true", help=_("configures winbind to assume that users with no domain in their user names are not domain users")) parser.add_option("--enablewinbindoffline", action="store_true", help=_("configures winbind to allow offline login")) parser.add_option("--disablewinbindoffline", action="store_true", help=_("configures winbind to prevent offline login")) parser.add_option("--enablewinbindkrb5", action="store_true", help=_("winbind will use Kerberos 5 to authenticate")) parser.add_option("--disablewinbindkrb5", action="store_true", help=_("winbind will use the default authentication method")) parser.add_option("--winbindjoin", metavar="", help=_("join the winbind domain or ads realm now as this administrator")) parser.add_option("--enableipav2", action="store_true", help=_("enable IPAv2 for user information and authentication by default")) parser.add_option("--disableipav2", action="store_true", help=_("disable IPAv2 for user information and authentication by default")) parser.add_option("--ipav2domain", metavar=_(""), help=_("the IPAv2 domain the system should be part of")) parser.add_option("--ipav2realm", metavar=_(""), help=_("the realm for the IPAv2 domain")) parser.add_option("--ipav2server", metavar=_(""), help=_("the server for the IPAv2 domain")) parser.add_option("--enableipav2nontp", action="store_true", help=_("do not setup the NTP against the IPAv2 domain")) parser.add_option("--disableipav2nontp", action="store_true", help=_("setup the NTP against the IPAv2 domain (default)")) parser.add_option("--ipav2join", metavar="", help=_("join the IPAv2 domain as this account")) parser.add_option("--enablewins", action="store_true", help=_("enable wins for hostname resolution")) parser.add_option("--disablewins", 
action="store_true", help=_("disable wins for hostname resolution")) parser.add_option("--enablepreferdns", action="store_true", help=_("prefer dns over wins or nis for hostname resolution")) parser.add_option("--disablepreferdns", action="store_true", help=_("do not prefer dns over wins or nis for hostname resolution")) parser.add_option("--enablehesiod", action="store_true", help=_("enable hesiod for user information by default")) parser.add_option("--disablehesiod", action="store_true", help=_("disable hesiod for user information by default")) parser.add_option("--hesiodlhs", metavar="", help=_("default hesiod LHS")) parser.add_option("--hesiodrhs", metavar="", help=_("default hesiod RHS")) parser.add_option("--enablesssd", action="store_true", help=_("enable SSSD for user information by default with manually managed configuration")) parser.add_option("--disablesssd", action="store_true", help=_("disable SSSD for user information by default (still used for supported configurations)")) parser.add_option("--enablesssdauth", action="store_true", help=_("enable SSSD for authentication by default with manually managed configuration")) parser.add_option("--disablesssdauth", action="store_true", help=_("disable SSSD for authentication by default (still used for supported configurations)")) parser.add_option("--enableforcelegacy", action="store_true", help=_("never use SSSD implicitly even for supported configurations")) parser.add_option("--disableforcelegacy", action="store_true", help=_("use SSSD implicitly if it supports the configuration")) parser.add_option("--enablecachecreds", action="store_true", help=_("enable caching of user credentials in SSSD by default")) parser.add_option("--disablecachecreds", action="store_true", help=_("disable caching of user credentials in SSSD by default")) parser.add_option("--enablecache", action="store_true", help=_("enable caching of user information by default (automatically disabled when SSSD is used)")) 
parser.add_option("--disablecache", action="store_true", help=_("disable caching of user information by default")) parser.add_option("--enablelocauthorize", action="store_true", help=_("local authorization is sufficient for local users")) parser.add_option("--disablelocauthorize", action="store_true", help=_("authorize local users also through remote service")) parser.add_option("--enablepamaccess", action="store_true", help=_("check access.conf during account authorization")) parser.add_option("--disablepamaccess", action="store_true", help=_("do not check access.conf during account authorization")) parser.add_option("--enablesysnetauth", action="store_true", help=_("authenticate system accounts by network services")) parser.add_option("--disablesysnetauth", action="store_true", help=_("authenticate system accounts by local files only")) parser.add_option("--enablemkhomedir", action="store_true", help=_("create home directories for users on their first login")) parser.add_option("--disablemkhomedir", action="store_true", help=_("do not create home directories for users on their first login")) parser.add_option("--passminlen", metavar=_(""), help=_("minimum length of a password")) parser.add_option("--passminclass", metavar=_(""), help=_("minimum number of character classes in a password")) parser.add_option("--passmaxrepeat", metavar=_(""), help=_("maximum number of same consecutive characters in a password")) parser.add_option("--passmaxclassrepeat", metavar=_(""), help=_("maximum number of consecutive characters of same class in a password")) parser.add_option("--enablereqlower", action="store_true", help=_("require at least one lowercase character in a password")) parser.add_option("--disablereqlower", action="store_true", help=_("do not require lowercase characters in a password")) parser.add_option("--enablerequpper", action="store_true", help=_("require at least one uppercase character in a password")) parser.add_option("--disablerequpper", 
action="store_true", help=_("do not require uppercase characters in a password")) parser.add_option("--enablereqdigit", action="store_true", help=_("require at least one digit in a password")) parser.add_option("--disablereqdigit", action="store_true", help=_("do not require digits in a password")) parser.add_option("--enablereqother", action="store_true", help=_("require at least one other character in a password")) parser.add_option("--disablereqother", action="store_true", help=_("do not require other characters in a password")) parser.add_option("--enablefaillock", action="store_true", help=_("enable account locking in case of too many consecutive authentication failures")) parser.add_option("--disablefaillock", action="store_true", help=_("disable account locking on too many consecutive authentication failures")) parser.add_option("--faillockargs", metavar=_(""), help=_("the pam_faillock module options")) parser.add_option("--nostart", action="store_true", help=_("do not start/stop portmap, ypbind, and nscd")) parser.add_option("--test", action="store_true", help=_("do not update the configuration files, only print new settings")) if self.module() == "authconfig-tui": parser.add_option("--back", action="store_true", help=_("display Back instead of Cancel in the main dialog of the TUI")) parser.add_option("--kickstart", action="store_true", help=_("do not display the deprecated text user interface")) else: parser.add_option("--update", "--kickstart", action="store_true", help=_("opposite of --test, update configuration files with changed settings")) parser.add_option("--updateall", action="store_true", help=_("update all configuration files")) parser.add_option("--probe", action="store_true", help=_("probe network for defaults and print them")) parser.add_option("--savebackup", metavar=_(""), help=_("save a backup of all configuration files")) parser.add_option("--restorebackup", metavar=_(""), help=_("restore the backup of configuration files")) 
parser.add_option("--restorelastbackup", action="store_true", help=_("restore the backup of configuration files saved before the previous configuration change")) (self.options, args) = parser.parse_args() if args: self.printError(_("unexpected argument")) sys.exit(2) if (not self.module() == "authconfig-tui" and not self.options.probe and not self.options.test and not self.options.update and not self.options.updateall and not self.options.savebackup and not self.options.restorebackup and not self.options.restorelastbackup): # --update (== --kickstart) or --test or --probe must be specified # this will print usage and call sys.exit() parser.print_help() sys.exit(2) def probe(self): info = authinfo.AuthInfo(self.printError) info.probe() if info.hesiodLHS and info.hesiodRHS: print "hesiod %s/%s" % (info.hesiodLHS, info.hesiodRHS) if info.ldapServer and info.ldapBaseDN: print "ldap %s/%s\n" % (info.ldapServer, info.ldapBaseDN) if info.kerberosRealm: print "krb5 %s/%s/%s\n" % (info.kerberosRealm, info.kerberosKDC or "", info.kerberosAdminServer or "") def readAuthInfo(self): self.info = authinfo.read(self.printError) # FIXME: what about printing critical errors reading individual configs? 
self.pristineinfo = self.info.copy() if self.info.enableLocAuthorize == None: self.info.enableLocAuthorize = True # ON by default def testAvailableSubsys(self): self.nis_avail = (os.access(authinfo.PATH_YPBIND, os.X_OK) and os.access(authinfo.PATH_LIBNSS_NIS, os.X_OK)) self.kerberos_avail = os.access(authinfo.PATH_PAM_KRB5, os.X_OK) self.ldap_avail = (os.access(authinfo.PATH_PAM_LDAP, os.X_OK) and os.access(authinfo.PATH_LIBNSS_LDAP, os.X_OK)) self.sssd_avail = (os.access(authinfo.PATH_PAM_SSS, os.X_OK) and os.access(authinfo.PATH_LIBNSS_SSS, os.X_OK)) self.cache_avail = os.access(authinfo.PATH_NSCD, os.X_OK) self.fprintd_avail = os.access(authinfo.PATH_PAM_FPRINTD, os.X_OK) def overrideSettings(self): bool_settings = {"shadow":"enableShadow", "locauthorize":"enableLocAuthorize", "pamaccess":"enablePAMAccess", "sysnetauth":"enableSysNetAuth", "mkhomedir":"enableMkHomeDir", "cache":"enableCache", "ecryptfs":"enableEcryptfs", "hesiod":"enableHesiod", "ldap":"enableLDAP", "ldaptls":"enableLDAPS", "rfc2307bis":"enableRFC2307bis", "ldapauth":"enableLDAPAuth", "krb5":"enableKerberos", "nis":"enableNIS", "krb5kdcdns":"kerberosKDCviaDNS", "krb5realmdns":"kerberosRealmviaDNS", "smartcard":"enableSmartcard", "fingerprint":"enableFprintd", "requiresmartcard":"forceSmartcard", "winbind":"enableWinbind", "winbindauth":"enableWinbindAuth", "winbindusedefaultdomain":"winbindUseDefaultDomain", "winbindoffline":"winbindOffline", "winbindkrb5":"winbindKrb5", "ipav2":"enableIPAv2", "ipav2nontp":"ipav2NoNTP", "wins":"enableWINS", "sssd":"enableSSSD", "sssdauth":"enableSSSDAuth", "forcelegacy":"enableForceLegacy", "cachecreds":"enableCacheCreds", "preferdns":"preferDNSinHosts", "reqlower":"passReqLower", "requpper":"passReqUpper", "reqdigit":"passReqDigit", "reqother":"passReqOther", "faillock":"enableFaillock"} string_settings = {"passalgo":"passwordAlgorithm", "hesiodlhs":"hesiodLHS", "hesiodrhs":"hesiodRHS", "ldapserver":"ldapServer", "ldapbasedn":"ldapBaseDN", 
"ldaploadcacert":"ldapCacertURL", "krb5realm":"kerberosRealm", "krb5kdc":"kerberosKDC", "krb5adminserver":"kerberosAdminServer", "smartcardmodule":"smartcardModule", "smartcardaction":"smartcardAction", "nisdomain":"nisDomain", "nisserver":"nisServer", "smbworkgroup":"smbWorkgroup", "smbservers":"smbServers", "smbsecurity":"smbSecurity", "smbrealm" : "smbRealm", "smbidmaprange":"smbIdmapRange", "winbindseparator":"winbindSeparator", "winbindtemplatehomedir":"winbindTemplateHomedir", "winbindtemplateshell":"winbindTemplateShell", "ipav2domain":"ipav2Domain", "ipav2realm":"ipav2Realm", "ipav2server":"ipav2Server", "passminlen":"passMinLen", "passminclass":"passMinClass", "passmaxrepeat":"passMaxRepeat", "passmaxclassrepeat":"passMaxClassRepeat", "faillockargs":"faillockArgs"} for opt, aival in bool_settings.iteritems(): if getattr(self.options, "enable"+opt): setattr(self.info, aival, True) if getattr(self.options, "disable"+opt): setattr(self.info, aival, False) try: if self.info.enableRFC2307bis: self.info.ldapSchema = 'rfc2307bis' else: self.info.ldapSchema = '' except AttributeError: pass if self.options.krb5realm and self.options.krb5realm != self.info.kerberosRealm: self.info.kerberosKDC = self.info.getKerberosKDC(self.options.krb5realm) self.info.kerberosAdminServer = self.info.getKerberosAdminServer(self.options.krb5realm) try: val = self.options.passminlen if val != None: val = int(val) if val < 6: self.printError(_("The passminlen minimum value is 6")) self.options.passminlen = None self.retval = 3 except ValueError: self.printError(_("The passminlen option value is not an integer")) self.options.passminlen = None self.retval = 3 try: val = self.options.passminclass if val != None: val = int(val) if val < 0: self.printError(_("The passminclass value must not be negative")) self.options.passminclass = None self.retval = 3 if val > 4: self.printError(_("The passminclass value must not be higher than 4")) self.options.passminclass = None self.retval = 3 except 
ValueError: self.printError(_("The passminclass option value is not an integer")) self.options.passminclass = None self.retval = 3 try: val = self.options.passmaxrepeat if val != None: val = int(val) if val < 0: self.printError(_("The passmaxrepeat value must not be negative")) self.options.passmaxrepeat = None self.retval = 3 except ValueError: self.printError(_("The passmaxrepeat option value is not an integer")) self.options.passmaxrepeat = None self.retval = 3 try: val = self.options.passmaxclassrepeat if val != None: val = int(val) if val < 0: self.printError(_("The passmaxclassrepeat value must not be negative")) self.options.passmaxclassrepeat = None self.retval = 3 except ValueError: self.printError(_("The passmaxclassrepeat option value is not an integer")) self.options.passmaxclassrepeat = None self.retval = 3 for opt, aival in string_settings.iteritems(): if getattr(self.options, opt) != None: setattr(self.info, aival, getattr(self.options, opt)) if self.options.winbindjoin: lst = self.options.winbindjoin.split("%", 1) self.info.joinUser = lst[0] if len(lst) > 1: self.info.joinPassword = lst[1] if self.options.ipav2join != None: self.info.joinUser = self.options.ipav2join if self.options.smartcardaction: try: idx = int(self.options.smartcardaction) self.info.smartcardAction = authinfo.getSmartcardActions()[idx] except (ValueError, IndexError): self.printError(_("Bad smart card removal action specified.")) self.info.smartcardAction = "" if self.options.enablerequiresmartcard and self.options.smartcardmodule == "sssd": self.printError(_("--enablerequiresmartcard is not supported for module 'sssd', option is ignored.")) self.options.enablerequiresmartcard = False if not self.options.passalgo: if self.options.enablemd5: self.info.passwordAlgorithm = "md5" if self.options.disablemd5: self.info.passwordAlgorithm = "descrypt" elif self.options.passalgo not in authinfo.password_algorithms: self.printError(_("Unknown password hashing algorithm specified, using 
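sha256.")) self.info.passwordAlgorithm = "sha256" self.retval = 3

    # NOTE(review): line breaks and nesting below were restored from a
    # whitespace-collapsed listing; confirm block boundaries against the
    # packaged file before relying on them.

    def doUI(self):
        """Run the interactive part; the command-line tool has none, so succeed."""
        return True

    def joinDomain(self):
        """Join the Winbind and/or IPAv2 domain when the matching option was given.

        Returns True when nothing had to be joined or every requested join
        succeeded, False otherwise.
        """
        ret = True
        if self.options.winbindjoin:
            ret = self.info.joinDomain(True)
        if self.options.ipav2join is not None:
            if self.info.joinIPADomain(True):
                # This is a hack but otherwise we cannot
                # get the IPAV2DOMAINJOINED saved
                # unfortunately the backup will be overwritten
                self.info.writeSysconfig()
            else:
                ret = False
        return ret

    def writeAuthInfo(self):
        """Write the configuration and record the first-class failures in self.retval.

        retval is set to 4 when the LDAP CA certificate download fails, 5 when a
        full write (--updateall) fails, 6 when writing only the changed files
        fails and 7 when joinDomain() reports failure. A later failure
        overwrites an earlier code.
        """
        self.info.testLDAPCACerts()
        if self.info.ldapCacertURL:
            if not self.info.downloadLDAPCACert():
                self.retval = 4
        self.info.rehashLDAPCACerts()
        if self.options.updateall:
            if not self.info.write():
                self.retval = 5
        else:
            if not self.info.writeChanged(self.pristineinfo):
                self.retval = 6
        # FIXME: what about printing critical errors writing individual configs?
        if not self.joinDomain():
            self.retval = 7
        self.info.post(self.options.nostart)

    def run(self):
        """Parse options, apply them and return the process exit code.

        --probe exits before the privilege check. Every other mode except
        --test refuses to run unless the effective caller is uid 0 (exit 2).
        The backup/restore options exit immediately with 0 on success and 1
        on failure. A cancelled dialog exits with 1.
        """
        self.parseOptions()
        if self.options.probe:
            self.probe()
            sys.exit(0)
        # Only --test may run unprivileged: it prints the resulting settings
        # instead of writing them.
        if not self.options.test and os.getuid() != 0:
            self.printError(_("can only be run as root"))
            sys.exit(2)
        self.readAuthInfo()
        if self.options.restorelastbackup:
            rv = self.info.restoreLast()
            sys.exit(int(not rv))
        if self.options.restorebackup:
            rv = self.info.restoreBackup(self.options.restorebackup)
            sys.exit(int(not rv))
        if self.options.savebackup:
            rv = self.info.saveBackup(self.options.savebackup)
            sys.exit(int(not rv))
        self.testAvailableSubsys()
        self.overrideSettings()
        if not self.doUI():
            if self.options.test:
                self.printError(_("dialog was cancelled"))
            sys.exit(1)
        if self.options.test:
            self.info.printInfo()
        else:
            self.writeAuthInfo()
        return self.retval


class AuthconfigTUI(Authconfig):
    """Text-mode (snack) front end on top of the command-line Authconfig."""

    def module(self):
        """Return the program name used in messages and the usage line."""
        return "authconfig-tui"

    def joinDomain(self):
        """Join the Winbind domain, but only in kickstart mode.

        Returns the result of the join, or True when no join was requested.
        The inherited writeAuthInfo() treats a false result as a failed join
        and sets exit code 7, so falling off the end (None) would report a
        failure on every interactive run.
        """
        # join domain only on kickstart
        if self.options.kickstart and self.options.winbindjoin:
            return self.info.joinDomain(True)
        return True

    def warn(self, toggle, warning):
        """Show a dialog for each file in a warning chain that is not readable.

        toggle  -- truthy when the feature is enabled; nothing is checked otherwise
        warning -- [path, feature name, package, next warning or None]; path
                   and package may be 2-tuples (legacy, sssd) from which the
                   entry matching self.info.sssdSupported() is taken
        """
        if not toggle:
            return
        while warning:
            path = warning[0]
            package = warning[2]
            if isinstance(path, tuple):
                if self.info.sssdSupported():
                    path = path[1]
                    package = package[1]
                else:
                    path = path[0]
                    package = package[0]
            if not os.access(path, os.R_OK):
                text = (_("The %s file was not found, but it is required for %s support to work properly.\nInstall the %s package, which provides this file.") %
                        (path, warning[1], package))
                snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])
            warning = warning[3]

    def getMainChoices(self):
        """Show the main screen and copy the checkbox states into self.info.

        Returns True unless the Back/Cancel button closed the form.
        """
        warnCache = [authinfo.PATH_NSCD, _("caching"), "nscd", None]
        warnFprintd = [authinfo.PATH_PAM_FPRINTD, _("Fingerprint reader"), "pam_fprintd", None]
        warnKerberos = [(authinfo.PATH_PAM_KRB5, authinfo.PATH_PAM_SSS), _("Kerberos"), ("pam_krb5", "sssd-client"), None]
        warnLDAPAuth = [(authinfo.PATH_PAM_LDAP, authinfo.PATH_PAM_SSS), _("LDAP authentication"), ("pam_ldap", "sssd-client"), None]
        warnLDAP = [(authinfo.PATH_LIBNSS_LDAP, authinfo.PATH_LIBNSS_SSS), _("LDAP"), ("nss-pam-ldapd", "sssd-client"), None]
        warnNIS = [authinfo.PATH_YPBIND, _("NIS"), "ypbind", None]
        warnShadow = [authinfo.PATH_PWCONV, _("shadow password"), "shadow-utils", None]
        warnWinbindNet = [authinfo.PATH_WINBIND_NET, _("Winbind"), "samba-client", None]
        warnWinbindAuth = [authinfo.PATH_PAM_WINBIND, _("Winbind authentication"), "samba-winbind", warnWinbindNet]
        warnWinbind = [authinfo.PATH_LIBNSS_WINBIND, _("Winbind"), "samba-winbind", warnWinbindAuth]

        # Information
        infoGrid = snack.Grid(1, 6)
        comp = snack.Label(_("User Information"))
        infoGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)
        cache = cb = snack.Checkbox(_("Cache Information"), bool(self.info.enableCache))
        infoGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)
        ldap = cb = snack.Checkbox(_("Use LDAP"), bool(self.info.enableLDAP))
        infoGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)
        nis = cb = snack.Checkbox(_("Use NIS"), bool(self.info.enableNIS))
        infoGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
        ipav2 = cb = snack.Checkbox(_("Use IPAv2"), bool(self.info.enableIPAv2))
        infoGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
        winbind = cb = snack.Checkbox(_("Use Winbind"), bool(self.info.enableWinbind))
        infoGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)

        # Authentication
        authGrid = snack.Grid(1, 8)
        comp = snack.Label(_("Authentication"))
        authGrid.setField(comp, 0, 0, anchorLeft=1, growx=1)
        md5 = cb = snack.Checkbox(_("Use MD5 Passwords"), bool(self.info.passwordAlgorithm=='md5'))
        authGrid.setField(cb, 0, 1, anchorLeft=1, growx=1)
        shadow = cb = snack.Checkbox(_("Use Shadow Passwords"), bool(self.info.enableShadow))
        authGrid.setField(cb, 0, 2, anchorLeft=1, growx=1)
        ldapa = cb = snack.Checkbox(_("Use LDAP Authentication"), bool(self.info.enableLDAPAuth))
        authGrid.setField(cb, 0, 3, anchorLeft=1, growx=1)
        krb5 = cb = snack.Checkbox(_("Use Kerberos"), bool(self.info.enableKerberos))
        authGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
        fprintd = cb = snack.Checkbox(_("Use Fingerprint reader"), bool(self.info.enableFprintd))
        authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
        winbindauth = cb = snack.Checkbox(_("Use Winbind Authentication"), bool(self.info.enableWinbindAuth))
        authGrid.setField(cb, 0, 6, anchorLeft=1, growx=1)
        locauthorize = cb = snack.Checkbox(_("Local authorization is sufficient"), bool(self.info.enableLocAuthorize))
        authGrid.setField(cb, 0, 7, anchorLeft=1, growx=1)

        # Control grid
        mechGrid = snack.Grid(2, 1)
        mechGrid.setField(infoGrid, 0, 0, anchorLeft=1, anchorTop=1, padding=(1, 0, 1, 1))
        mechGrid.setField(authGrid, 1, 0, anchorRight=1, anchorTop=1, padding=(2, 0, 1, 1))

        # Buttons
        buttonGrid = snack.Grid(2, 1)
        cancel = snack.Button(self.options.back and _("Back") or _("Cancel"))
        ok = snack.Button(_("Next"))
        buttonGrid.setField(cancel, 0, 0)
        buttonGrid.setField(ok, 1, 0)

        # Top-level grid
        mainGrid = snack.Grid(1, 2)
        mainGrid.setField(mechGrid, 0, 0, growx=1)
        mainGrid.setField(buttonGrid, 0, 1, growx=1)

        # Run the form and interpret the results
        form = snack.Form()
        self.screen.gridWrappedWindow(mainGrid, _("Authentication Configuration"))
        form.add(mainGrid)

        # BEHOLD! AUTHCONFIG IN ALL ITS GORY GLORY!
        comp = form.run()

        if comp != cancel:
            self.info.enableCache = cache.selected()
            self.info.enableIPAv2 = ipav2.selected()
            self.info.enableLDAP = ldap.selected()
            self.info.enableNIS = nis.selected()
            self.info.enableWinbind = winbind.selected()
            self.info.enableShadow = shadow.selected()
            # NOTE(review): clearing the MD5 box on a system that was using
            # md5 selects 'descrypt', an older and weaker scheme; the TUI
            # offers no stronger choice here. Consider keeping the current
            # algorithm or moving to one of the SHA-based entries instead.
            if md5.selected():
                self.info.passwordAlgorithm = 'md5'
            elif self.info.passwordAlgorithm == 'md5':
                self.info.passwordAlgorithm = 'descrypt'
            self.info.enableLDAPAuth = ldapa.selected()
            self.info.enableKerberos = krb5.selected()
            self.info.enableWinbindAuth = winbindauth.selected()
            self.info.enableLocAuthorize = locauthorize.selected()
            self.info.enableFprintd = fprintd.selected()

            # NOTE(review): the collapsed listing does not show whether the
            # warning pass belongs inside this branch; it is placed here so a
            # cancelled dialog raises no warnings -- confirm.
            allwarnings = [(self.info.enableCache, warnCache),
                           (self.info.enableLDAP, warnLDAP),
                           (self.info.enableNIS, warnNIS),
                           (self.info.enableWinbind, warnWinbind),
                           (self.info.enableLDAPAuth, warnLDAPAuth),
                           (self.info.enableKerberos, warnKerberos),
                           (self.info.enableFprintd, warnFprintd),
                           (self.info.enableShadow, warnShadow),
                           (self.info.enableWinbindAuth, warnWinbindAuth)]
            for warning in allwarnings:
                self.warn(warning[0], warning[1])

        self.screen.popWindow()

        return comp != cancel

    def getGenericChoices(self, dtitle, items, canceltxt, oktxt, anothertxt=None, anothercb=None):
        """Build a form from a list of questions and store the answers in self.info.

        dtitle     -- window title
        items      -- list of (type, description, attribute, value) tuples;
                      type is "tfvalue" (checkbox), "svalue" (text entry, value
                      is passed as the entry's hidden flag), "rvalue" (radio
                      bar, value is the list of choices) or "lvalue" (static
                      text)
        canceltxt  -- label of the button that abandons the form
        oktxt      -- label of the button that accepts the form
        anothertxt -- label of an optional third button
        anothercb  -- callable run after the answers are stored each time the
                      third button is pressed; the form is then shown again

        Returns True unless the form was closed with the cancel button.
        """
        # Count up the number of rows we need in the grid.
        rows = len(items)

        # Create a grid for these questions.
        questionGrid = snack.Grid(2, rows)

        row = 0
        widgets = []
        for (t, desc, attr, val) in items:
            if t == "tfvalue":
                cb = snack.Checkbox(desc, bool(getattr(self.info, attr)))
                widgets.append(cb)
                questionGrid.setField(snack.Label(""), 0, row, anchorRight=1)
                questionGrid.setField(cb, 1, row, anchorLeft=1)
            elif t == "svalue":
                comp = snack.Label(desc)
                questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1)
                comp = snack.Entry(40, getattr(self.info, attr), hidden=val)
                widgets.append(comp)
                # FIXME? Filtering " " and "\t"
                questionGrid.setField(comp, 1, row, growx=1)
            elif t == "rvalue":
                comp = snack.Label(desc)
                questionGrid.setField(comp, 0, row, padding=(0, 0, 1, 0), anchorRight=1, anchorTop=1)
                # Preselect the stored value, or the first choice when the
                # stored value is not one of the offered choices.
                try:
                    sel = getattr(self.info, attr)
                    val.index(sel)
                except ValueError:
                    sel = val[0]
                buttonlist = [(v, v, v == sel) for v in val]
                radioBar = snack.RadioBar(None, buttonlist)
                widgets.append(radioBar)
                questionGrid.setField(radioBar, 1, row, anchorLeft=1)
            elif t == "lvalue":
                comp = snack.TextboxReflowed(50, desc, flexDown=1, flexUp=1)
                widgets.append(comp)
                questionGrid.setField(comp, 0, row, anchorLeft=1)
            row += 1

        # Buttons
        buttonGrid = snack.Grid(anothertxt and 3 or 2, 1)
        cancel = snack.Button(canceltxt)
        ok = snack.Button(oktxt)
        another = anothertxt and snack.Button(anothertxt) or None
        buttonGrid.setField(cancel, 0, 0)
        if anothertxt:
            buttonGrid.setField(another, 1, 0)
        buttonGrid.setField(ok, anothertxt and 2 or 1, 0)

        # Top-level grid
        mainGrid = snack.Grid(1, 2)
        mainGrid.setField(questionGrid, 0, 0, padding=(0, 0, 0, 1), growx=1)
        mainGrid.setField(buttonGrid, 0, 1, padding=(0, 0, 0, 0), growx=1)

        # Run the form and interpret the results
        form = snack.Form()
        self.screen.gridWrappedWindow(mainGrid, dtitle)
        form.add(mainGrid)

        while True:
            comp = form.run()
            if comp == cancel:
                break
            # widgets holds one entry per item, in item order.
            wcopy = widgets[:]
            for (t, desc, attr, val) in items:
                if t == "tfvalue":
                    setattr(self.info, attr, wcopy.pop(0).selected())
                elif t == "svalue":
                    setattr(self.info, attr, wcopy.pop(0).value())
                    # FIXME? Filtering " " and "\t"
                elif t == "rvalue":
                    setattr(self.info, attr, wcopy.pop(0).getSelection())
                elif t == "lvalue":
                    wcopy.pop(0)
            if comp != another:
                break
            if anothercb:
                anothercb()

        self.screen.popWindow()

        return comp != cancel

    def getIPAv2Settings(self, next):
        """Ask for the IPAv2 domain, realm and server; offers a Join Domain button.

        next -- truthy when more screens follow (labels the accept button "Next")
        """
        questions = [("svalue", _("Domain:"), "ipav2Domain", 0),
                     ("svalue", _("Realm:"), "ipav2Realm", 0),
                     ("svalue", _("Server:"), "ipav2Server", 0)]
        return self.getGenericChoices(_("IPAv2 Settings"), questions,
                                      _("Back"), next and _("Next") or _("Ok"),
                                      anothertxt=_("Join Domain"),
                                      anothercb=self.maybeGetJoinSettings)

    def getLDAPSettings(self, next):
        """Ask for the LDAP TLS flag, server and base DN.

        next -- truthy when more screens follow (labels the accept button "Next")
        """
        questions = [("tfvalue", _("Use TLS"), "enableLDAPS", None),
                     ("svalue", _("Server:"), "ldapServer", 0),
                     ("svalue", _("Base DN:"), "ldapBaseDN", 0)]
        return self.getGenericChoices(_("LDAP Settings"), questions,
                                      _("Back"), next and _("Next") or _("Ok"))

    def getNISSettings(self, next):
        """Ask for the NIS domain and server.

        next -- truthy when more screens follow (labels the accept button "Next")
        """
        questions = [("svalue", _("Domain:"), "nisDomain", 0),
                     ("svalue", _("Server:"), "nisServer", 0)]
        return self.getGenericChoices(_("NIS Settings"), questions,
                                      _("Back"), next and _("Next") or _("Ok"))

    def getKerberosSettings(self, next):
        """Ask for the Kerberos realm, KDC, admin server and the two DNS lookup flags.

        next -- truthy when more screens follow (labels the accept button "Next")
        """
        questions = [("svalue", _("Realm:"), "kerberosRealm", 0),
                     ("svalue", _("KDC:"), "kerberosKDC", 0),
                     ("svalue", _("Admin Server:"), "kerberosAdminServer", 0),
                     ("tfvalue", _("Use DNS to resolve hosts to realms"), "kerberosRealmviaDNS", None),
                     ("tfvalue", _("Use DNS to locate KDCs for realms"), "kerberosKDCviaDNS", None)]
        return self.getGenericChoices(_("Kerberos Settings"), questions,
                                      _("Back"), next and _("Next") or _("Ok"))

    def getJoinSettings(self):
        """Ask for the domain administrator credentials and attempt the join.

        The password entry is created with the hidden flag set. The account
        name defaults to "Administrator" when none is stored. Always returns
        True, whether or not the dialog was accepted or the join succeeded.
        """
        questions = [("svalue", _("Domain Administrator:"), "joinUser", 0),
                     ("svalue", _("Password:"), "joinPassword", 1)]
        if not self.info.joinUser:
            self.info.joinUser = "Administrator"
        if self.getGenericChoices(_("Join Settings"), questions, _("Cancel"), _("Ok")):
            self.screen.suspend()
            # Resume the screen even when the join raises, so the terminal is
            # not left in the suspended state.
            try:
                self.info.update()
                if self.info.enableWinbind:
                    self.info.joinDomain(True)
                elif self.info.enableIPAv2:
                    self.info.joinIPADomain(True)
            finally:
                self.screen.resume()
            # NOTE(review): self.info.joinPassword is still set after the join
            # attempt; check whether it can be cleared here so the credential
            # does not outlive its use.
        return True

    def maybeGetJoinSettings(self):
        """Offer to save pending changes, then run the join dialog.

        The current settings are compared with a fresh read of the on-disk
        configuration; the save prompt appears only when they differ. Always
        returns True.
        """
        questions = [("lvalue", _("Some of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?"), None, None)]
        orig_info = authinfo.read(self.printError)
        orig_info.update()
        self.info.update()
        ret = False
        if self.info.differs(orig_info):
            ret = self.getGenericChoices(_("Save Settings"), questions, _("No"), _("Yes"))
            if ret:
                # NOTE(review): the result of write() is not checked, so the
                # join proceeds even when saving failed.
                self.info.write()
        self.getJoinSettings()
        return True

    def getWinbindSettings(self, next):
        """Ask for the Winbind security model, domain, controllers, realm and shell.

        Only template shells that are executable on this system are offered.

        next -- truthy when more screens follow (labels the accept button "Next")
        """
        security = ["ads", "domain"]
        shells = ["/sbin/nologin", "/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/ksh", "/bin/zsh"]
        def shellexists(shell):
            return os.access(shell, os.X_OK)
        shells = filter(shellexists, shells)
        # Why does your favorite shell not show up in the list?  Because it won't
        # fit, that's why!
        questions = [("rvalue", _("Security Model:"), "smbSecurity", security),
                     ("svalue", _("Domain:"), "smbWorkgroup", 0),
                     ("svalue", _("Domain Controllers:"), "smbServers", 0),
                     ("svalue", _("ADS Realm:"), "smbRealm", 0),
                     ("rvalue", _("Template Shell:"), "winbindTemplateShell", shells)]
        return self.getGenericChoices(_("Winbind Settings"), questions,
                                      _("Back"), next and _("Next") or _("Ok"),
                                      anothertxt=_("Join Domain"),
                                      anothercb=self.maybeGetJoinSettings)

    def getChoices(self):
        """Walk through the settings screens, moving forward or back by one.

        Screen 1 is the main screen; screens 2 to 6 (IPAv2, LDAP, NIS,
        Kerberos, Winbind) are shown only when the matching feature is
        enabled. A skipped screen keeps the previous result, so the walk
        continues in the same direction. Returns True when the walk ran past
        the last screen, False when it backed out of the first one.
        """
        step = 1
        rc = False
        while step > 0 and step <= 6:
            self.info.update()
            if step == 1:
                rc = self.getMainChoices()
            elif step == 2:
                if self.info.enableIPAv2:
                    more = (self.info.enableLDAP or
                            self.info.enableLDAPAuth or
                            self.info.enableKerberos or
                            self.info.enableNIS or
                            self.info.enableWinbind or
                            self.info.enableWinbindAuth)
                    rc = self.getIPAv2Settings(more)
            elif step == 3:
                if self.info.enableLDAP or self.info.enableLDAPAuth:
                    more = (self.info.enableKerberos or
                            self.info.enableNIS or
                            self.info.enableWinbind or
                            self.info.enableWinbindAuth)
                    rc = self.getLDAPSettings(more)
            elif step == 4:
                if self.info.enableNIS:
                    more = (self.info.enableKerberos or
                            self.info.enableWinbind or
                            self.info.enableWinbindAuth)
                    rc = self.getNISSettings(more)
            elif step == 5:
                if self.info.enableKerberos:
                    more = (self.info.enableWinbind or
                            self.info.enableWinbindAuth)
                    rc = self.getKerberosSettings(more)
            elif step == 6:
                if self.info.enableWinbind or self.info.enableWinbindAuth:
                    more = False
                    rc = self.getWinbindSettings(more)
            self.info.update()
            if rc:
                step += 1
            else:
                step -= 1
        return step == 7

    def displayCACertsMessage(self):
        """Tell the user where to place the CA certificate needed for LDAP over TLS."""
        text = (_("To connect to a LDAP server with TLS protocol enabled you need "
                  "a CA certificate which signed your server's certificate. "
                  "Copy the certificate in the PEM format to the '%s' directory.\n"
                  "Then press OK.") % self.info.ldapCacertDir)
        snack.ButtonChoiceWindow(self.screen, _("Warning"), text, [_("Ok")])

    def doUI(self):
        """Run the text-mode dialogs; returns False when the user cancelled.

        Nothing is shown in kickstart mode. The screen is finished exactly
        once on every exit path, including exceptions.
        """
        if self.options.kickstart:
            return True
        # Created outside the try block: if the constructor fails there is no
        # screen to finish, and the original error is not masked by a second
        # one raised from the cleanup.
        self.screen = snack.SnackScreen()
        try:
            packageversion = self.module()
            # FIXME - version
            self.screen.pushHelpLine(_(" / between elements | selects | next screen"))
            self.screen.drawRootText(0, 0, packageversion + " - (c) 1999-2005 Red Hat, Inc.")
            if not self.getChoices():
                # cancelled
                return False
            if self.info.enableLDAPS and self.info.testLDAPCACerts():
                self.displayCACertsMessage()
        finally:
            self.screen.finish()
        return True


if __name__ == '__main__':
    # Restore the default SIGINT action so Ctrl-C terminates the program.
    signal.signal(signal.SIGINT, signal.SIG_DFL)
    gettext.textdomain("authconfig")
    if runsAs("authconfig-tui"):
        # deprecated TUI
        module = AuthconfigTUI()
    else:
        module = Authconfig()
    sys.exit(module.run())
authinfo.pyo000064400000333047147645272700007142 0ustar00 8Yc;@sddlZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlTddlZddlZejZyddlaWnek r danXdZdZdZdZdZdZd Zd Z d Z!d Z"d Z#dZ$de%e&dkrdZ'ndZ'e'dZ(dZ)dZ*dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3e'dZ4e'd Z5ej6j7e5se'd 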
Z5ne'd!Z8e'd"Z9e'd#Z:e'd$Z;e'd%Z<e'd&Z=e(d'Z>e(d(Z?e(d)Z@e(d*ZAe(d+ZBe(d,ZCe'd-ZDd.ZEd/ZFd0ZGd1ZHd2ZId3ZJed4ZKd5ZLd6ZMd7ZNd8ZOd9ZPd:ZQd;ZRd<ZSd=ZTd>ZUd?ZVd@ZWdAZXdBZYdCZZdDZ[dEZ\dFZ]dGZ^dHZ_dIZ`dJZadKZbdLZcdMZddNZedOZfdPZgdQZhdRZidSZjdTgZkdTdUgZldVgZmdVgZndTdWdXdYgZodZgZpdVgZqdUgZrgZsd[gZtd[d\gZud]gZvdVgZwdVd^gZxdUgZydVgZzdUgZ{dVgZ|d_d`dagZ}dbd`dcgZ~dddcdegZdfdcdegZdVgZdUgZdVgZdUgZdggZdhgZdhgZdhgZdidjdcgZdkdlgZdmdndlgZdogZdpdqdrdsdtgZedudv\ZZZZdwdxdydzgZedud{\ZZZZZedud{\ZZZZZgeeeeefD] Zg^qZeeeLd|ggeeeLd}egeeeLd~ddmggeeeVdegeeeRdetgeeeOdexgeeeNdggeeeNdggeeeYde}geeeYdggeeeNdekgeeeMde}geeeNdegeeeNdemgeeeNdemgeeeNdeqgeeeNdewgeeeNdezgeeeNde|geeeNdegeeeLd~dggeeeLdggeeeLdggeeeLd~ggeeeLdggeeeNdggeeeNde~geeePdggeeePdggeeePdggeeePdggeeeLdggeeeMdeogeeeMdepgeeeNdelgeeeNdegeeeNdengeeeNdengeeeNdergeeeNdeygeeeNde{geeeNdegeeeLdggeeeOdegeeeLdggeeeOdggeeeOdggeeeVdegeeeLdggeeeOdggeeeOdggeeeOdggeeeOdggeeeOdggeeeOdggg7eeR@((s!/usr/share/authconfig/authinfo.pyt openLockedscCsEd}|jd}x)|D]!}|r|d|d7}qqW|S(NtRs kdc = s (R (tkdclisttoutputtkdc((s!/usr/share/authconfig/authinfo.pytkrbKdcs  cCsKd}|jd}x/|D]'}|r|d7}||d7}qqW|S(NRIRs admin_server = s (R (t adminserversRKt adminserver((s!/usr/share/authconfig/authinfo.pytkrbAdminServers  cCsOd}|rK|d|d7}|t|7}|t|7}|d7}n|S(NRIR s = { s } (RMRP(trealmRJRNRK((s!/usr/share/authconfig/authinfo.pytkrbRealms cCs|jdd}t|dkr-d}n |d}|djjd}|jjd}||kr|jtjdStS(NRiiRIi(R RR!RRRRR(RRtlinelsttparamtkeylst((s!/usr/share/authconfig/authinfo.pyt matchLineSMBs   ttry_first_passt use_authtoktuse_first_passtlocal_users_onlysretry=3s authtok_type=s enforce=userstnodebugt wait_for_cardtallow_missing_nametno_subsequent_promptsuid >=t500t quiet_successsuid =)[ \t]+([0-9]+)tSysVInitServicecBs>eZdZdZdZdZdZdZRS(cCstjd|ddS(Ns/sbin/service s start(R4tsystem(tselftservice((s!/usr/share/authconfig/authinfo.pyR1WscCstjd|ddS(Ns/sbin/service s stop >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pytstopZscCs*tjd|tjd|ddS(Ns/sbin/chkconfig --add s/sbin/chkconfig --level 345 s 
on(R4R(RR((s!/usr/share/authconfig/authinfo.pytenable]scCstjd|ddS(Ns/sbin/chkconfig --level 345 s off(R4R(RR((s!/usr/share/authconfig/authinfo.pytdisableascCs9tjd|d}tj|o8tj|dkS(Ns/sbin/chkconfig s >/dev/null 2>&1i(R4Rt WIFEXITEDt WEXITSTATUS(RRtrv((s!/usr/share/authconfig/authinfo.pyt isEnableddscCstjd|ddS(Ns/sbin/service s condrestart >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyt tryRestarths(t__name__t __module__R1RRRRR(((s!/usr/share/authconfig/authinfo.pyRVs      tSystemdServicecBs>eZdZdZdZdZdZdZRS(cCstjd|ddS(Ns/bin/systemctl start s.service(R4R(RR((s!/usr/share/authconfig/authinfo.pyR1lscCstjd|ddS(Ns/bin/systemctl stop s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRoscCstjd|ddS(Ns/bin/systemctl enable s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRrscCstjd|ddS(Ns/bin/systemctl disable s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRuscCs9tjd|d}tj|o8tj|dkS(Ns/bin/systemctl is-enabled s.service >/dev/null 2>&1i(R4RRR(RRR((s!/usr/share/authconfig/authinfo.pyRxscCstjd|ddS(Ns/bin/systemctl try-restart s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyR|s(RRR1RRRRR(((s!/usr/share/authconfig/authinfo.pyRks      s /sbin/initcCs|r^yAtj|tj||sFtj|tj|nWqtk rZqXn`yLtj||sytj|Wqtk rqXntj|Wntk rnXtS(N( R4tstattServiceRRR1R;RR%(Rtpathtnametnostart((s!/usr/share/authconfig/authinfo.pyttoggleSplatbindServices(       cCs|r dSdSdS(Ntenabledtdisabled((tval((s!/usr/share/authconfig/authinfo.pyt formatBoolscCsytj\}}Wntk r*dSX|s|rOt|gdt}n5t|gdtdt}|jd|p|dd|j|j}tj |nd\}} y7t j |t j } t j |t j | tj @Wntk rnXt} xk| sqy7g} g} tj|gg|gd\} }} Wn4tjk rz\}}tjjd|dnX| r| rtj|t} qnd}ytj|d }Wntk rM\}}|tjksG|tjkrq|tjkrtj|t} qtjjd |dtj|t} qnX|r[y||7}| |7} |rtjj|n|r||kr| jd }tj||pdtj|d |d krd| | } nd} d}|rtjjd qnWqntk rW\}}tjjd|dtj|t} qnXqtj|t} qWytj|tjWntk rnXd}ytj|d\}}Wn1tk r\}}tjjd|dnX|| fS(NitshelltstdintinputRIs i<sselect: isread: s is<...> swrite: is waitpid: (RIRI( R4tforkptyR;tPopenR%tPIPEt 
communicatetwaitt returncodet_exitR7tF_GETFLtF_SETFLt O_NONBLOCKR=RtselectterrortsyststderrtwriteR<treadRBtEINTRtEAGAINtEIOtrfindtkilltsignaltSIGTERMtwaitpid(tcommandtechotquerytresponsetpidtmastertchildtstatusRKRtiteoftifdstefdstofdsterrttexttctindex((s!/usr/share/authconfig/authinfo.pytfeedForks    "  +            cCsytj|}Wntk r'tSXxS|D]K}y1tj|d|}tj|jretSWq/tk ryq/Xq/WtS(Nt/(R4tlistdirR;R%RtS_ISREGtst_modeR(RRR>tst((s!/usr/share/authconfig/authinfo.pyt isEmptyDirs   cCs|ycttg|dt}|jdjd}|jdkrHdS|ddkrb|d3nWntk rwdSX|S(Ntstdoutis iRI(Rt PATH_SCSETUPRRR RRR;(toptionsRR((s!/usr/share/authconfig/authinfo.pytcallPKCS11Setups cCs#tdg}|dkrgS|S(Nt list_modules(RR(tmods((s!/usr/share/authconfig/authinfo.pytgetSmartcardModuless cCstdtdgS(NtLocktIgnore(t_(((s!/usr/share/authconfig/authinfo.pytgetSmartcardActions scCst|}|j|S(N(tAuthInfoR(tmsgcbtinfo((s!/usr/share/authconfig/authinfo.pyR#s  t SaveGroupcBseZdZdZRS(cCs||_||_||_dS(N(t saveFunctionttoggleFunctiontattrlist(Rtsavefunct togglefuncR((s!/usr/share/authconfig/authinfo.pyt__init__)s  cCsx|jD]\}}||jkr)tS|dkrZt||t||krtSq |dkrtt||t||trtSq |dkr tt||t||trtSq q WtS(NR'RR(RtinconsistentAttrsR%tgetattrR)R(RR&R'tanametatype((s!/usr/share/authconfig/authinfo.pyt attrsDiffer.s  $ $ (RRRR(((s!/usr/share/authconfig/authinfo.pyR(s tSafeFilecBs5eZdZdZdZdZdZRS(cCstjj|\}}t|_tjd|d|dt|_t dd||jj gdtj dtj dkrt|_tj |jj|n||_dS( Ntdirtprefixtdeletes/bin/cps-afRs /dev/nulli(R4RR RtmissingttempfiletNamedTemporaryFileR%tfiletcallRR5tO_WRONLYtfchmodtfilenoR>(RR>t default_modetbaseR((s!/usr/share/authconfig/authinfo.pyR>s ! 
cCst|jjtj|jjtj|jj|j|jrpt d|jgdtj dtj ndS(Ns/usr/sbin/restoreconRs /dev/null( RtflushR4tfsyncRtrenameRR>RRR5R(R((s!/usr/share/authconfig/authinfo.pytsaveJs   cCs)y|jjWntk r$nXdS(N(RR<R;(R((s!/usr/share/authconfig/authinfo.pyR<Rs cCs|jj|S(N(RR(RR ((s!/usr/share/authconfig/authinfo.pyRYscCs$|jjd|jjddS(Ni(Rtseekttruncate(R((s!/usr/share/authconfig/authinfo.pytrewind\s(RRRR R<RR (((s!/usr/share/authconfig/authinfo.pyR=s    t FileBackupcBs,eZdZdZdZdZRS(cCs||_||_dS(N(t backupNametorigPath(Rt backupnametorigpath((s!/usr/share/authconfig/authinfo.pyRas cCst}d}d}yt|tjd}Wntk r?tSXytjtj|j }Wn%tt fk rtj |tSXyt ||}|j Wntk rt}nXyLxE|rtj|d}|st}Pntj|jj|qWWntt fk r)t}nXy|rCtj |nWntt fk r]nXy'|r|r|j|j nWntt fk rt}nX|S(Nii(R%RRDR4R6R=RtS_IMODEtfstatRR;R<RR RRRRRR (RtsrctdestRtsrcfdtdestfileR?R'((s!/usr/share/authconfig/authinfo.pytsafeCopyesL     !    cCst}y&tjj|s+tj|nWnttfk rKt}nX|d|j}|r{|j |j |}n|S(NR( R%R4RtisdirtmkdirR;R=RRRR(RtdestdirRt backuppath((s!/usr/share/authconfig/authinfo.pytbackups   cCst}ytjj|stSWnttfk r?t}nX|d|j}|rtjj|r|j ||j }ny5|rt d|j gdtj dtj nWnttfk rnX|S(NRs/usr/sbin/restoreconRs /dev/null(R%R4RRRR=R;RtisfileRRRR5R(Rt backupdirRR((s!/usr/share/authconfig/authinfo.pytrestores  (RRRRRR (((s!/usr/share/authconfig/authinfo.pyR `s  * cCs tjdS(Ntnscd(RR(((s!/usr/share/authconfig/authinfo.pyt readCachescCsL|rtjdn2ytjttjdWntk rGnXtS(NR!(RRR4Rt PATH_NSCDRR;R%(R((s!/usr/share/authconfig/authinfo.pyt writeCaches  t CacheBackupcBseZdZdZRS(cCst}y&tjj|s+tj|nWnttfk rKt}nX|d|j}|rd}y5t }t |d}|j t t|Wntk rt}nX|r|jqn|sytj|Wqtk rqXn|S(NRtw(R%R4RRRR;R=RRRR"R5RtstrtintR<tunlink(RRRRRR((s!/usr/share/authconfig/authinfo.pyRs.     
cCst}ytjj|stSWnttfk r?t}nX|d|j}|rtjj|rd}y/t |d}t |j }t |Wn tttfk rt}nX|r|jqn|S(NRtr(R%R4RRRR=R;RRRR5R(RR$t ValueErrorR<(RRRRRR((s!/usr/share/authconfig/authinfo.pyR s$  (RRRR (((s!/usr/share/authconfig/authinfo.pyR%s is hesiod.confs /hesiod.confsyp.confs/yp.confs ldap.confs /ldap.confs nss_ldap.confs/nss_ldap.confs pam_ldap.confs/pam_ldap.confs nslcd.confs /nslcd.confs openldap.confs/openldap/ldap.confs krb5.confs /krb5.confskrb.confs /krb.confspam_pkcs11.confs/pam_pkcs11/pam_pkcs11.confssmb.confs/samba/smb.confs nsswitch.confs/nsswitch.confscacheenabled.confRIs/pam.d/t authconfigs/sysconfig/authconfigtnetworks/sysconfig/networks libuser.confs /libuser.confspwquality.confs/security/pwquality.confs login.defss /login.defss sssd.conftshadows/shadowtpasswds/passwdtgshadows/gshadowtgroups/groups 10-authconfigs /dconf/db/distro.d/10-authconfigs10-authconfig-lockss,/dconf/db/distro.d/locks/10-authconfig-lockst ldapServertldap_urit ldapBaseDNtldap_search_baset enableLDAPStldap_id_use_start_tlst ldapSchemat ldap_schemat ldapCacertDirtldap_tls_cacertdirt kerberosKDCt krb5_servertkerberosAdminServert krb5_kpasswdt kerberosRealmt krb5_realmtenableCacheCredstcache_credentialstkrb5_store_password_if_offlineRcBseZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZedZdZ dZ!dZ"d Z#d!Z$d"Z%d#Z&d$Z'd%Z(d&Z)d'Z*d(Z+d)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1Z4d2Z5d3Z6d4Z7d5Z8d6Z9d7Z:d8Z;d9Z<d:Z=d;Z>d<Z?d=Z@d>ZAd?ZBd@ZCdAZDdBZEdCZFdDZGdEZHdFZIdGZJdHZKdIZLdJZMdKZNdLZOdMZPdNZQdOZRdPZSRS(Qc8Cs||_d|_g|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_t|_ t|_!d|_"d|_#d|_$d|_%d|_&d|_'d|_(d|_)d|_*d|_+d|_,d|_-d|_.d|_/d|_0d|_1d|_2d|_3d|_4d|_5d|_6d|_7d|_8d|_9d|_:d|_;t<|_=d|_>d|_?d|_@d|_Ad|_Bd|_Cd|_Dd|_Ed|_Fd|_Gd|_Hd|_Id|_Jd|_Kd|_Ld|_Md|_Nd|_Od|_Pd|_Qd|_Rd|_Sd|_Tt|_Ut|_Vd|_Wd|_Xd|_Yd|_Zd|_[d|_\d|_]d|_^d|__d|_`d|_ad|_bd|_cd|_dd|_ed|_fd|_gd|_hd|_id|_jd|_kd|_lt<|_md|_nd|_od|_pt|_qtrr$y trjr|_n|jnjsWq$ttk r 
q$Xntu|_vtw|jx|jydmdngtw|jzddodpgtw|j{|j|dqdrdsgtw|j}ddtdudvdwdxdygtw|j~ddzgtw|jdd{gtw|jdd|d}d~dddddgtw|jdddddddddgtw|j|jdddddddddddddddgtw|jdddgtw|jddddddgtw|j|jdddddddddddg tw|jdddddddddddddddddddddddgtw|jddddddddddddddddddddddddddddddddddddddddg'tw|jddddddddddddddddddddddddddddddddd d g!tw|jdd gtw|jdd gtwd|j|d gtwd|jdgtwd|jdddddgtwd|jddddddgtwd|jddgg|_dS(NRIt9t1t0sdeny=4 unlock_time=1200s umask=0077t enableCacheR't implicitSSSDt hesiodLHSRt hesiodRHSt nisDomainRtnisLocalDomaint nisServerR2R4R6R8R:tpasswordAlgorithmt passMinLent passMinClasst passMaxRepeattpassMaxClassRepeatt passReqLowert passReqUppert passReqDigitt passReqOtherR@R<t smbSecuritytsmbRealmt smbServersR>tkerberosRealmviaDNStkerberosKDCviaDNSRBtenableSmartcardtforceSSSDUpdatet enableLDAPtenableKerberostenableLDAPAutht enableIPAv2tsmartcardActiontsmartcardModulet enableFprintdtforceSmartcardt smbWorkgroupt smbIdmapRangetwinbindSeparatortwinbindTemplateHomedirtwinbindTemplateShelltwinbindUseDefaultDomaintwinbindOfflinet winbindKrb5tenableDBtenableDirectoriest enableWinbindtenableOdbcbindt enableNIS3t enableNIStenableLDAPbindtenableHesiodbindt enableHesiodt enableDBIbindt enableDBbindt enableCompatt enableWINSt enableMDNStenableMyhostnamet enableSSSDtpreferDNSinHostst pwqualityArgst passwdqcArgst faillockArgstenableFaillockt localuserArgst pamAccessArgstenablePAMAccesst mkhomedirArgstenableMkHomeDirt algoRoundst enableShadowt enableNullOktforceBrokenShadowtenableWinbindAutht enableAFStenableAFSKerberostenablePWQualityt enableEPStenableEcryptfst enableOTPtenablePasswdQCtenableLocAuthorizetenableSysNetAuthtenableSSSDAutht pamLinkedtimplicitSSSDAutht systemdArgstuidMintenableForceLegacyt ipav2Servert ipav2Domaint ipav2RealmtipaDomainJoinedt ipav2NoNTP(s enableCacheR'(s implicitSSSDR'(s hesiodLHSR(s hesiodRHSR(s nisDomainR(snisLocalDomainR(s nisServerR(s ldapServerR(s ldapBaseDNR(s enableLDAPSR'(s ldapSchemaR(s ldapCacertDirR(spasswordAlgorithmR(spasswordAlgorithmR(spasswordAlgorithmR(s passMinLenR(s 
passMinClassR(s passMaxRepeatR(spassMaxClassRepeatR(s passReqLowerR'(s passReqUpperR'(s passReqDigitR'(s passReqOtherR'(s kerberosRealmR(s kerberosKDCR(s smbSecurityR(ssmbRealmR(s smbServersR(skerberosAdminServerR(skerberosRealmviaDNSR'(skerberosKDCviaDNSR'(s ldapServerR(s ldapBaseDNR(s enableLDAPSR'(s ldapSchemaR(s ldapCacertDirR(senableCacheCredsR'(senableSmartcardR'(s kerberosRealmR(s kerberosKDCR(skerberosAdminServerR(sforceSSSDUpdateR'(s enableLDAPR'(senableKerberosR'(senableLDAPAuthR'(s enableIPAv2R'(ssmartcardActionR(ssmartcardModuleR(ssmartcardActionR(ssmartcardModuleR(s enableFprintdR'(senableSmartcardR'(sforceSmartcardR'(s smbWorkgroupR(s smbServersR(ssmbRealmR(s smbSecurityR(s smbIdmapRangeR(swinbindSeparatorR(swinbindTemplateHomedirR(swinbindTemplateShellR(swinbindUseDefaultDomainR'(swinbindOfflineR'(s winbindKrb5R'(senableDBR'(senableDirectoriesR'(s enableWinbindR'(senableOdbcbindR'(s enableNIS3R'(s enableNISR'(senableLDAPbindR'(s enableLDAPR'(senableHesiodbindR'(s enableHesiodR'(s enableDBIbindR'(s enableDBbindR'(s enableCompatR'(s enableWINSR'(s enableMDNSR'(senableMyhostnameR'(s enableNIS3R'(s enableNISR'(s enableIPAv2R'(s enableSSSDR'(spreferDNSinHostsR'(s implicitSSSDR'(s pwqualityArgsR(s passwdqcArgsR(s faillockArgsR(senableFaillockR'(s localuserArgsR(s pamAccessArgsR(senablePAMAccessR'(s mkhomedirArgsR(senableMkHomeDirR'(s algoRoundsR(spasswordAlgorithmR(s enableShadowR'(s enableNISR'(s enableNullOkR'(sforceBrokenShadowR'(senableLDAPAuthR'(senableKerberosR'(senableSmartcardR'(sforceSmartcardR'(senableWinbindAuthR'(senableMkHomeDirR'(s enableAFSR'(senableAFSKerberosR'(senablePWQualityR'(s enableEPSR'(senableEcryptfsR'(s enableOTPR'(senablePasswdQCR'(senableLocAuthorizeR'(senableSysNetAuthR'(swinbindOfflineR'(s winbindKrb5R'(senableSSSDAuthR'(s enableFprintdR'(s pamLinkedR'(simplicitSSSDAuthR'(s systemdArgsR(suidMinR(s enableIPAv2R'(spasswordAlgorithmR(s enableShadowR'(s enableNISR'(s 
enableLDAPR'(senableLDAPAuthR'(senableKerberosR'(senableEcryptfsR'(senableSmartcardR'(sforceSmartcardR'(senableWinbindAuthR'(s enableWinbindR'(s winbindKrb5R'(senableDBR'(s enableHesiodR'(senablePWQualityR'(senablePasswdQCR'(senableFaillockR'(s faillockArgsR(senableLocAuthorizeR'(senablePAMAccessR'(senableCacheCredsR'(senableMkHomeDirR'(senableSysNetAuthR'(s enableFprintdR'(s enableSSSDR'(senableSSSDAuthR'(senableForceLegacyR'(s ipav2ServerR(s ipav2DomainR(s ipav2RealmR(s enableIPAv2R'(sipaDomainJoinedR'(s ipav2NoNTPR'(s nisDomainR(s enableShadowR'(s enableNISR'(senableMkHomeDirR'(s enableLDAPR'(senableLDAPAuthR'(s implicitSSSDR'(simplicitSSSDAuthR'(senableForceLegacyR'(s implicitSSSDR'(simplicitSSSDAuthR'(s enableIPAv2R'(s enableSSSDR'(senableSSSDAuthR'(senableForceLegacyR'(s enableWinbindR'(senableWinbindAuthR'(t messageCBt backupDirRRJRKR2R4RR@R[R<R\R>RNRLRMRgRYRZRXRhRiRjRkRlRmRnRRRRRRt ipaUninstallRdRcRHRzRoRpRwR_R6RtRsRyRxRvRuRrRqR{R|R}RR~RbtenableAltfilesRRR%RRRRR`RaRORRRRRRRRRRR]Rt brokenShadowRRfReRRIRRBRPRQRRRSRTRURVRWRRtjoinUsert joinPasswordRRRRRRR:t ldapCacertURLR8Rt sssdConfigt sssdDomainR^tsssdConfigPresentt SSSDConfigt new_configR=tsetttoggleFunctionsRR$ttoggleCachingServicet writeHesiodtwriteNISttoggleNisServicet writeLDAPt writeLibusertwriteLogindefstwritePWQualityt writeKerberost writeSSSDttoggleSSSDServicetwriteSmartcardt writeDConft writeWinbindttoggleWinbindServicetwriteNSStwritePAMtwriteSysconfigt writeNetworkt toggleShadowttoggleOddjobServicettoggleLDAPServicet save_groups(RR((s!/usr/share/authconfig/authinfo.pyR&sr                                                                                                                                                cCsZt||}||krVt||||t||krV|jj|qVndS(N(RtsetattrRtappend(RtattrR#treftoldval((s!/usr/share/authconfig/authinfo.pytsetParams  cCs>yt|}Wntk r$dSX|j|t||S(N(R(R+RR'(RRR#R((s!/usr/share/authconfig/authinfo.pyt setIntParams  cCsWyt|}Wntk 
r$dSX|dkrD|j|t|S|j|t|S(Ni(R(R+RR%R(RRR#R((s!/usr/share/authconfig/authinfo.pytsetClassReqParam s  cCs|js|j rtSd }d}d}d}d }x>|D]6}t|d |r<||kretS|d 7}q<q<W|d krtSd }x>|D]6}t|d |r||krtS|d 7}qqW|d krtS|jr|jrtStS(NtNIStLDAPtWinbindtHesiodtIPAv2tKerberostLDAPAutht WinbindAutht SmartcardiRi(RRRRR(RRRR(RR(RRRRR`R[R%(Rtnssalltpamallt idsupportedt authsupportedtnumtt((s!/usr/share/authconfig/authinfo.pyt sssdSupporteds2      cCsytjttj}Wntk r.tSX|jdt|j d||jdt|j d||j t S(NRJtlhsRKtrhs( tshvfileRt all_configst CFG_HESIODRR=RRR tgetValueR<R%(RRtshv((s!/usr/share/authconfig/authinfo.pyt readHesiod2s "" cCsJytttjd}Wntk r.tSXd}x|D]}|j}t|d}|r|jrt ||}q<nt|d}|r<|j dd}t |dkrq<n|d|jkrq<nt |dkrq<n|d}t|d}|r%t ||}q%q<q<W|j d |||jtS( NR*RItypserverRiiitserverRN(R5RtCFG_YPRR=RtstripRRMR$R RRRR<R%(RRtft nisserverRR#((s!/usr/share/authconfig/authinfo.pytreadNISCs6     cCssd|kr|jd}n |j}xB|D]:}ytj|j}Wq1ttjfk rjtSXq1WtS(s& Check whether LDAP URI is valid. R(R turlparsetportR+tsocketRRR%(RR turisturitp((s!/usr/share/authconfig/authinfo.pytvalidateLDAPURIms    cCsd|kr|jd}n |j}d}xU|D]M}|r7|rV|d7}nd|kro||7}q|d|d7}q7q7W|r|j| r|jtdn|S(NRRIs://sldap://RsInvalid LDAP URI.(R RRR(RR tvalidatetltrettitem((s!/usr/share/authconfig/authinfo.pytldapHostsToURIs|s      cCst|_ytttjd}Wntk rytttjd}Wqtk rytttjd}Wqtk ryttt jd}Wqtk rt SXqXqXnXx|D] }|j }t |d}|rt |r|jd||qnt |d}|rC|jd||qnt |d}|rq|jd||qnt |d}|r|jdt|d |qnt |d }|r|jd ||qqqW|jt|jt |_|jtS( NR*RR4thostR2RtsslR6t start_tlst nss_schemaR8(tPATH_LDAP_CACERTSR:R5Rt CFG_NSSLDAPRR=t CFG_NSLCDt CFG_PAMLDAPtCFG_LDAPRRRR*RR RRR2R<R%(RRRRR#((s!/usr/share/authconfig/authinfo.pytreadLDAPsN         cCs(y|j|SWntk r#dSXdS(NRI(tallKerberosKDCstKeyError(RRQ((s!/usr/share/authconfig/authinfo.pytgetKerberosKDCs cCs(y|j|SWntk r#dSXdS(NRI(tallKerberosAdminServersR(RRQ((s!/usr/share/authconfig/authinfo.pytgetKerberosAdminServers cCsd}i|_i|_t}ytttjd}Wntk rLtSXx |D]}|jdd}|j }|dd!dkr|dd!}d}qTn|dkrbt |d }|r|j d ||t }qTnt |d }|r"|j d t |d dk|qTnt |d}|rY|j dt |d 
dk|qTqYqT|dkrT|s|jdd}t|dkrqTn|d}qY|dd!dkrd}qTn|js||_t }nt |d}|rt|j|||j|(RRRR5RtCFG_KRB5RR=R RRRR%RRRR@R$RR R<RR(RRtsectiont realm_foundRRt subsectionR#((s!/usr/share/authconfig/authinfo.pyt readKerberossr       ""      )  % cCsd}ytttjd}Wntk r4tSXx|D]}|j}|dd!dkrz|dd!}d}q<n|dkr<t|d}|r|jd |j |q<qq<q<W|j t S( NRIR*iiR itdefaultst crypt_styleRO( R5Rt CFG_LIBUSERRR=RRRRR!R<R%(RRRRRRR#((s!/usr/share/authconfig/authinfo.pyt readLibusers$       cCshytttjd}Wntk r.tSXx(|D] }tj|}|dk r6|j d}|j dr{q6n|j d}|dkr|j d}n|dkrd}qnq6|dkr|dkr|j d d |q6n|d kr4|d krd }n|j d |j |q6n|dkr6|j d||q6q6W|j tS(NR*iR iiRItMD5_CRYPT_ENABtyesRORktENCRYPT_METHODtDESRitUID_MINR(R5RtCFG_LOGIN_DEFSRR=Rt ld_line_retmatchRR1RRR!R<R%(RRRRR$RR#((s!/usr/share/authconfig/authinfo.pyt readLogindefs:s8           cCsd}ytttjd}Wntk r4tSXx|D]}|jdd}|j}t|d}|r|j d||q<nt|d}|r|j d||q<nt|d }|r|j d ||q<nt|d }|r|j d ||q<nt|d }|rG|j d||q<nt|d}|ru|j d||q<nt|d}|r|j d||q<nt|d}|r<|j d||q<q<q<W|j t S(NRIR*R itminlenRPtminclassRQt maxrepeatRRtmaxclassrepeatRStlcreditRTtucreditRUtdcreditRVtocreditRW( R5Rt CFG_PWQUALITYRR=RR RRRRR<R%(RRRRRR#((s!/usr/share/authconfig/authinfo.pyt readPWQuality\sT     c Cs%|js tStj|_y$|jjttjt|_Wn6ttj fk rxtj|_|jj nXy|jj t }|_ Wntjk ruy|jjd}Wn=tk ry|jjd}Wqtk rtSXnX|jj |}y|jd}Wntjk rAd}nXy|jd}Wqvtjk rqd}qvXnXxtD]\}}y}|j|}|dkrdj|jd}n0|dkr|dkrw}n|d krw}n|j|||Wq}tjk rq}Xq}WdS( Nit id_providert auth_providerR3R RR9trfc2307RD(RR%Rt import_configRtCFG_SSSDRRR=t ParsingErrorRt get_domaintSSSD_AUTHCONFIG_DOMAINRt NoDomainErrortlist_active_domainst IndexErrort list_domainst get_optiont NoOptionErrorRt sssd_optionsRR R( RRRtdomnametidprovtauthprovRtoptR((s!/usr/share/authconfig/authinfo.pytreadSSSDsP        cCst}tdg}|dkr.d|_tS|jd|d|tdg}|dkrdtSx#|D]}d|krkt}qkqkW|r|jdtd|n|jdtd |tS( Nt use_moduleRIRdit rm_actions lockhelper.shRcRR(RRRRdRR%R(RRtlocktsmartcardmodulet rmactionstaction((s!/usr/share/authconfig/authinfo.pyt readSmartcards       cCsd}d}ytttjd}Wntk r:|SXx|D]}|j}t|driqBnt|dr~qBnt|d}|r|jddj }qBn| sB|dkrqBnt 
||}|rB|}qBqBW|j |S( NRIR*R t;R t]itglobal( R5RtCFG_SMBRR=RR RR R!RVR<(RRtresultRRRR#tres((s!/usr/share/authconfig/authinfo.pytreadWinbindGlobals.     cCsT|j|}|rP|jdksE|jdksE|dkrItStSndS(NRRRF(RQR!R%RR(RRttmp((s!/usr/share/authconfig/authinfo.pytreadWinbindGlobalBools 0cCs|jd}|r+|jd||n|jd}|rV|jd||n|jd}|r|jd||n|jd}|r|jd||n|jsd |_n|jd }|r|jd ||n|jsd |_n|jd }|r,|jd||n|jd}|rW|jd||n|jd}|r|jd||n|jsd|_n|jd}|dkr|jd||n|jd}|dkr|jd||ntS(Nt workgroupRgspassword serverRZRQRYtsecurityRXtusersidmap config * : rangeRhs16777216-33554431swinbind separatorRistemplate homedirRjstemplate shellRks /bin/falseswinbind use default domainRlswinbind offline logonRm(RQRRXRhRkRSRR%(RRRR((s!/usr/share/authconfig/authinfo.pyt readWinbindsJ        c Cs]d}d}ytttjd}Wntk r:tSXxM|D]E}|j}t|d}|rr|}qBt|d}|rit|dr|j dt |nt|dr|j dt |nt|d r|j d t |nt|d }|dkr#t|d}nt|d }|dkr|dkr|j d ||k|qqBt|d}|rB|}qBqBW|rOd#d$d%d&d'd(d)d*d+f } x=| D]5\} } t|| r|j d | t |qqW|r*t|d!r*t|d! r*|j j d"n|j d"tt|d!|n|jt S(,NRIR*spasswd:shosts:twinsR{smdns4_minimal [NOTFOUND=return]R|t myhostnameR}tnistdnsRs initgroups:tCompattcompattDBtdbt Directoriest directoriesRthesiodRRRtAltfilestaltfilestNIS3tnisplusRRRR}RI(R\R](R^R_(R`Ra(sHesiodshesiod(sLDAPR(sNISRZ(RcRd(ReRf(sWinbindR(R5Rt CFG_NSSWITCHRR=RRRR3RR%RRRtboolR<( RRt nssconfigt initgroupsRRR#tnispostdnspostnssmapRtnssentry((s!/usr/share/authconfig/authinfo.pytreadNSS sR        %% cCs|jdt|tS(NRH(RR"R%(RR((s!/usr/share/authconfig/authinfo.pyR"WscCsytttjd}WnAtk r]yttdtd}Wq^tk rYtSXnX|j|||j yttt jd}WnAtk ryttdt d}Wqtk rt SXnX|j|||j t S(NR*s/pam.d/( R5RtCFG_PAMRR=t SYSCONFDIRtAUTH_PAM_SERVICERt readPAMFileR<tCFG_POSTLOGIN_PAMtPOSTLOGIN_PAM_SERVICER%(RRR((s!/usr/share/authconfig/authinfo.pytreadPAM\s&        c Cs"d}x||D]t}|jdd}t|dkrD|d}n|j}|ddkrx||d d7}q n||}d}|j}d}|jdd}t|dkrq n|\}}|d kr|d kr|d kr|d krq n|jd r*|jdd}n|jdd}t|dkrTq n|ddkrjq n|d}|jd r|d7}n|d}|jdd}t|dkrq n|djdd\} t|dkr|d}n| jds| jdrP|jdt||r |jd||q q n| jdrx|jdt|q n| jdr|jdt|q n| jdr|jdt|q n| jdr%|jdt|d|kr |jdt|q |jdt|q n| 
jdrM|jd t|q n| jd!r|jd"t||r |jd#||q q n| jd$r|jd%t||jd&|j d'dk|q n| jd(r|jd)t|q n| jd*rG|jd+t||r |jd,||q q n| jd-se| jd.r|jd/t||r ||_ q q n| jd0r|jd1t||r |jd2||q q n| jd3r|r |jd4||q q n|d kr| jd5rx9t D]1} |j | dkr'|jd6| |q'q'WyP|j d7} || d8jdd} |jd9t t| d|Wnttfk rnXy$tjd:|jd;t|Wqtk r|jd;t|qXqn|d kr| jd5rW|jd<|j d=dk|n| jd>r|jd?t||r d@|kr |jd@dj}|jdA||q q qn|d kr| jd5r|jdB|j dCdk|qn|d ks|d kr | jdDrtj|} | dkr~| jddkr~|jdE| jd|q~qq q W|jr|jr|jd"t|n|j r|j r|jdt|n|jr|j r|j r|j r|j r|j rt|_!ndS(FNRIR iiis\R iRnRoRqRpR RLtincludeRt pam_cracklibt pam_pwqualityRRt pam_ecryptfsRtpam_krb5R`tpam_ldapRat pam_pkcs11R]tauthinfo_unavailRft pam_fprintdRet pam_passwdqcRRt pam_winbindRRnt krb5_authtpam_sssRt pam_accessRRt pam_mkhomedirtpam_oddjob_mkhomedirRt pam_localuserRRt pam_systemdRtpam_unixROsrounds=iRs /etc/shadowRRtnullokt pam_faillockRRRRt broken_shadowtpam_succeed_ifR("R RR RRRRR%RR-Rtpassword_algorithmsRR'R(R+R:R4RR;RRt succ_if_reR$R1RRRRaR`RRR]R(RRRtprevlineRRtargststacktcontroltmoduletalgotridxtroundsR$((s!/usr/share/authconfig/authinfo.pyRsws           "   '   %  (!)cCsSy;tjttj}y|jd|_Wntk rBnXy|jd|_Wntk rlnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk r>nXy(|jd|_|jd |_Wntk rznXy|jd |_Wntk rnXy|jd |_Wntk rnXy|jd |_Wntk rnXy|jd |_Wntk r"nXy|jd|_Wntk rLnXy|jd|_Wntk rvnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rHnXy.|jd}|rmd|_n d|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_ Wntk r2nXy|jd|_!Wntk r\nXy|jd|_"Wntk rnXy|jd|_#Wntk rnXy|jd|_$Wntk rnXy|jd |_%Wntk rnXy|jd!|_&Wntk r.nXy|jd"|_'Wntk rXnXy|jd#|_(Wntk rnXy|jd$|_)Wntk rnXy|jd%|_*Wntk rnXy|jd&|_+Wntk rnXy|jd'|_,Wntk r*nXy|jd(|_-Wntk rTnXy|jd)|_.Wntk r~nXy|jd*|_/Wntk rnXy|jd+|_0Wntk rnX|jd,|_1|jd-|_2|jd.|_3|jd/}|t4kr0||_n|j5Wnt6k rNnXt7S(0NtUSEAFStUSEAFSKERBEROStUSEDBt USEPWQUALITYt USEDBBINDt USEDBIBINDtUSEDIRECTORIESt USEFAILLOCKt FAILLOCKARGSt USEECRYPTFStUSEEPSt USEHESIODt USEHESIODBINDt USEKERBEROStUSELDAPt USELDAPAUTHt USESMARTCARDt 
USEFPRINTDtFORCESMARTCARDt USELDAPBINDtUSEMD5RkRitUSENISt USENISPLUSt USEODBCBINDtUSEOTPt USEPASSWDQCt USESHADOWt USEWINBINDtUSEWINBINDAUTHt WINBINDKRB5tUSESSSDt USESSSDAUTHtUSELOCAUTHORIZEt USEPAMACCESSt USEMKHOMEDIRt USESYSNETAUTHt FORCELEGACYtCACHECREDENTIALStUSEIPAV2tIPADOMAINJOINEDt IPAV2NONTPt IPAV2SERVERt IPAV2DOMAINt IPAV2REALMtPASSWDALGORITHM(8RRRtCFG_AUTHCONFIGRt getBoolValueRR+RRoRRyRxRpRRRRRRwRvR`R_RaR]ReRfRuRORtt enableNISP3RrRRRRqRRnR~RRRRRRRBRbRRRRRRR<R=R%(RRt enableMD5R((s!/usr/share/authconfig/authinfo.pyt readSysconfig s`                                             cCsytjttj}Wntk r.tSX|jd}|rP||_n|j |jr||j d|j|nt S(Nt NISDOMAINRL( RRRt CFG_NETWORKRR=RRRMR<RR%(RRRRR((s!/usr/share/authconfig/authinfo.pyt readNetwork s    cCsh|j}t|j|ks6t|j|kr:tSx'|jD]}|j||rDtSqDWtS(N(RRhRIRR%RRR(RR't sssdsupportedR1((s!/usr/share/authconfig/authinfo.pytdiffers s *cCst|j|_t|j|_t|j|_t|j|_|j|j||_|jdkr|jr|jj |_qn|j j |_ |j dkrt|_ n|jdkrd|_ndS(NtadsRI(RRZRR<R>RR2RXRYtupperROR!RBRR%R@(RR((s!/usr/share/authconfig/authinfo.pytupdate s  cCs|j}|j|j||j||j||j}|jr| r|j r|jdt |t |_n|j r| r|j r|jdt |t |_ n|j ||j ||j||j||j||j||j r-|j r-|j|n|j||j||jsY|j ri|j|n|j||j||jdS(NR~R(tcopyRRoRRvRRIRbRR%RRR%R/RRWRRRCRRRJR"R(RRtreallyimplicit((s!/usr/share/authconfig/authinfo.pyR s6                  cCs%tj|}d|_d|_|S(NRI(RRR(RR((s!/usr/share/authconfig/authinfo.pyR& s  cCs/ttj|jt|jo'|j tS(N(Rt CFG_CACHERRR$RHRIR%(R((s!/usr/share/authconfig/authinfo.pyR$, scCsttj|jytjttj}Wntk rBtSX|j d|j |j d|j |j d|j tS(NRRi(RRRRRtrcreateRR=RtsetValueRJRKRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR1 s   c Cst}d}d}ttj|jztttjd}x|jD]}|j }t |d}|r}|j dd}t |dkrqIn|d|j kr|d|jkr||7}qIn| r|j r|d|j 7}|jj d}|jr'|d7}||d7}n |d 7}|d 7}|d}x)|D]!}|rL|d |d 7}qLqLWt}qqIt|d r| r|j r|jr|jj d}x)|D]!}|r|d |d 7}qqWt}qqI||7}qIW|s|jj d}|j rv|d|j 7}|dr_|d7}||d7}|d}n |d 7}|d 7}nx,|D]!}|r}|d |d 7}q}q}Wn|j|j||jWdy|r|jnWntk rnXXtS( NRIiRiisdomain Rs server s broadcasts s ypserver R(RRRRRRRRRRRR RRLRMRNR%R R RR R<R=( 
RtwrittenRRKRtlsR#tserversR ((s!/usr/share/authconfig/authinfo.pyR@ sv &                    cCst}t} t} t} t} t} d}d}|jr`|jdkr`|jdkr`d}nd}zt|d}xJ|jD]?}|j}t||r| r|jr||d7}|dj|jj d7}|d 7}t } qqt||r"|jr|d |7}qqt ||rr| r|j r||d7}||j 7}|d 7}t }qq|rt|d r| s|d 7}|j r|d 7}n |d7}|d 7}t } qq|rt|dr| r|jr|d7}||j7}|d 7}t } qqt|drx| s|rG|d7}n |d7}|d|j7}|d 7}t } qq|rt|dr| s|d|7}|d 7}t } qq||7}qW| r|jr||d7}|dj|jj d7}|d 7}n| rG|j rG||d7}||j 7}|d 7}n|r| r|d 7}|j rt|d 7}n |d7}|d 7}n|r| r|jr|d7}||j7}|d 7}n| s|r|d7}n |d7}|d|j7}|d 7}n|r.| r.|d|7}|d 7}n|j|j||jWdy|ri|jnWntk r}nXXt S(NRIRiRjRktcryptiR Rs R Rsssl RtnoRs nss_schema t tls_cacertdirt TLS_CACERTDIRt pam_passwords pam_password (RRRORRRR R2RR R%R+R4R6R8R"R:R RR R<R=(RR>RRRt writepadlt writeschematwritepamt wrotebasednt wroteservertwrotesslt wroteschemat wrotepasstwrotecacertdirRRKtpassalgoRR((s!/usr/share/authconfig/authinfo.pyt writeLDAP2 s                                            cCstjjttjrVttj|j|jttjdddt t t ntjjtt jrtt j|j|jtt jdddt t t ntjjtt jrtt j|j|jtt jdddt t t ntjjtt jrXtt j|j|jtt jdddt t t nttj|j|jttjdddt t t }|S(NRRRtURItHOSTtBASE(R4RRRRRRRRR%RRRRt CFG_OPENLDAP(RR((s!/usr/share/authconfig/authinfo.pyR s(cCsRd}|jdkr|dS|jdks;|jdkrF||jS|dSdS(Nscrypt_style = RkRlRmtdes(RO(RR((s!/usr/share/authconfig/authinfo.pyt cryptStyle s  cCst}t}d}d}d}ttj|jzDtttjd}x|jD]}|j }|dkrt |dr||j d7}t }qUnt |dr|dkr| r||j d7}t }n|dj ddd }|dkrt }qn||7}qUW|sT|d 7}||j d7}t }t }n|j|j||jWdy|r|jnWntk rnXXt S( NRIiRRs R iRLis [defaults] (RRRRRRRRRRR RR%R R RR R<R=(Rtwrotecryptstylet wrotedefaultsRRRKRR((s!/usr/share/authconfig/authinfo.pyR* sH         c Cst}t}d}d}d}ttj|j|jdkrJd}nd}|jdksn|jdkrwd}nd|jjd }z^tttj d }x|j D]}t j |} | dk rE| j d } | jd r||7}qn| j d } | dkr-| j d} n| dkrRd} qRn ||7}q| dkrt||7}t}qn| dkr||7}t}qn||7}qW|s||7}n|s||7}n|j|j||jWdy|r|jnWntk rnXXtS(NRIRksMD5_CRYPT_ENAB yes sMD5_CRYPT_ENAB no RiRjsENCRYPT_METHOD DES sENCRYPT_METHOD s iiR iiRR(RRRR"RRRORRRRR#R$R1RR%R RR R<R=( Rt wrotemd5crypttwroteencmethodRRRKtmd5cryptt 
encmethodRR$RR#((s!/usr/share/authconfig/authinfo.pyR_ sd                 cCs|jd}t|dkr3|jd}nt|dkryat|d}|dkrh|S|r|dkr|ddS| r|dkr|ddSWqtk rqXn|rd}nd}|dd |S( NRiR is = -1s = 0s-1RGs = (R RR(RR+(RRR#RR((s!/usr/share/authconfig/authinfo.pytformatClassReqParam s$    c Cst}t}t}t}t}t}t}t}d} d} ttj|jzjtttjd} x| jD]} | j ddj } t | dr|ss| d|j d7} t }qsqsnt | dr|ss| d |jd7} t }qsqsnt | d r=|ss| d |jd7} t }qsqsnt | d rv|ss| d |jd7} t }qsqsnt | dr|ss| |j| |jd7} t }qsqsnt | dr|ss| |j| |jd7} t }qsqsnt | dr9|ss| |j| |jd7} t }qsqsnt | drz|ss| |j| |jd7} t }qsqsn| | 7} qsW|s| d|j d7} n|s| d |jd7} n|s| d |jd7} n|s| d |jd7} n|s&| |jd|jd7} n|sL| |jd|jd7} n|sr| |jd|jd7} n|s| |jd|jd7} n| j| j| | jWdy| r| jnWntk rnXXt S(NRIiR iR&s minlen = s R's minclass = R(s maxrepeat = R)smaxclassrepeat = R*R+R,R-(RRRR.RRRRRR RR RPR%RQRRRSRRTRURVRWR RR R<R=( Rt wroteminlent wroteminclasstwrotemaxrepeattwrotemaxclassrepeatt wrotereqlowert wroterequppert wrotereqdigitt wrotereqotherRRKRR((s!/usr/share/authconfig/authinfo.pyR s               c'Cs t}t}t}t}t}t}t}t}t} t} t} t} t} t}t}tjttj }d}d}d}d}ttj|j |j r|j r|j }n?|j s|j r|jdkr|jr|j}n |j }|j |jkrt}nze tttjd}x,|jD]!}|j}t|dtrq|s7t}qqq7n|dkr|r||j krt|dr|s7|jr|t|j7}nt}q7q7n|dkrH|jdkrH|rH||jkrHt|drH|s7|jr9|t|j7}nt}q7q7n|dkr|r||j krt|dr|s7|jr|t|j7}nt}q7q7n|dkrB| rB|jdd}t|dkr||7}q7n|d }|j r||j krt}n|jrB||jkrBt}qBn|dkr|rt|d r|j r||j kr|s|t|j7}t}n|s|t|j7}t}qn|jr||jkr|s|t|j7}t}qnd}n|d kr]t|d r]|r7| r7|d 7}||7}|d7}t} q7q7n|d krt|dr| s7|d7}|tt|jj 7}|d7}t} q7q7n|d kr#t|dr#| s7|d7}|tt|j!j 7}|d7}t} q7q7n|dkr|j rt||j j slt|d|j j r||7}t} q7nt|drN|s|dtd7}t}n|dkr|j r| r|t"|j |j|j7}t}n|dkr7|jr7| r7|t"|j|jd7}t}n|d kr|rw| rw|d 7}||7}|d7}t} n|jdkr| r|d7}|tt|jj 7}|d7}t} n|j!dkr| r|d7}|tt|j!j 7}|d7}t} qn|dkr|j r| r|d|j j 7}|d|j 7}|d7}|d|j j 7}|d|j 7}|d7}t} qn|r|dkrt}q|d krt} q|dkrt}qn|djddd }|dkr!t}qN|d kr6t}qN|dkrNt}qNn||7}q7W| s> |su|d7}n|r| r|d 7}||7}|d7}n|jdkr| r|d7}|tt|jj 7}|d7}n|j!dkr> | r> |d7}|tt|j!j 7}|d7}q> n| r |j sW |jr |sj |d7}n|s |t"|j |j|j7}n|s |t"|j|jd7}q n| rW |j 
rW |s |d7}n|j rW | rW |d|j j 7}|d|j 7}|d7}|d|j j 7}|d|j 7}|d7}qW n|j#|j$||j%Wdy|r |j&nWnt'k r nXXtS(NRIRis includedir RRLRiiRR R s default_realm = s Rs dns_lookup_realm = Rs dns_lookup_kdc = t domain_realmRR R s = s .RLs[libdefaults] s [realms] s[domain_realm] ((RR4RtPATH_KRB5_INCLUDEDIRtR_OKRRRRRR`R@RqRRXRYR%RRRRR R<RMRZR>RPR RR'RhR[R!R\RRR RR R<R=(Rt wroterealmtwrotekdct wroteadmint wrotesmbrealmt wrotesmbkdct wroterealmstwrotelibdefaultst wroterealms2twrotelibdefaults2twrotedefaultrealmt wrotednsrealmt wrotednskdctwroteourdomrealmt wrotedomrealmtwrotedomrealm2t wroteincdirRRRRKt defaultrealmRRR#((s!/usr/share/authconfig/authinfo.pyR s  !     !  !  !      !               -                                            "     cCssy|j|d}Wntjk r3d}nX||kro|dkr\|j|n|j||ndS(Nt _provider(R<RR=Rtremove_providert add_provider(RRt newprovidertsubtypetprov((s!/usr/share/authconfig/authinfo.pytchangeProvider s   cCs |js tS|j r%|j r%tSy|jjd}Wn&tjk rc|jjd}nX|jr|j r|j dkr|j ddn(y|j dWntj k rnX|jj||ry|jjttjWqtk rqXntS(Ntpamtsssdt pam_cert_authR%(RR%RRIt get_serviceRtNoServiceErrort new_serviceR]RRdt set_optiont remove_optionR=t save_serviceRRR4RR=(Rt write_configR((s!/usr/share/authconfig/authinfo.pyt writeSSSDPAM s* ! 
cCs|js tSttj|j|jt|jr;tS|j s|j sQtSy|jj t |_ Wqt jk r|jjt |_ qXn|j }y|jjdWn$t jk r|jjdnX|jjdt}|jr+t}|j|dd|j|ddn|jr]|j|dd|j|ddn2|jr|j|dd|j|ddnxtD]\}}yt||}|dkrt|}nt|tkr|j||nHt|tkr/|r|j||q<|j|n |j|Wqt j k rSqXqW|jj!||r|jj"|j#n|jj$|j#y|jj%ttj&Wnt'k rnXtS(NtautofsRtidRxRntchpassR3((RR%RR4RRR$RRbRRIt new_domainR7RtDomainAlreadyExistsErrorR6RRRtactivate_serviceR_RR`RaR>RRttypeRhR R'R!R=t save_domaintactivate_domaintget_nametdeactivate_domainRRR=(RRtactivateRtoptionR((s!/usr/share/authconfig/authinfo.pyR1 sj           cCs|jdkrtSttj|jd}d}d}|jtdkrk|d7}|d7}d}nt d|jd|d |gtS( Ns/usr/sbin/gdm-safe-restarttnoneRs ,/etc/pkcs11/lockhelper.sh -locks&,/etc/pkcs11/lockhelper.sh -deactivatet lock_screens use_module=s ins_action=s rm_action=( RdRR%RtCFG_PAM_PKCS11RRRcRR(RtinsacttrmactRF((s!/usr/share/authconfig/authinfo.pyRw s    c Cs0d}d}d}ttj|jttj|jtjjttj }tjj |s|j r~tj |qt Sndtjdd}d}|j s|j r||7}d}||7}d}|d7}|d7}n|j r6|jr6||7}d}||7}d}|d7}|d 7}n|j s[|j r|jr|jr||7}d}||7}d}|d 7}|d 7}nd }|jtd kr||7}d}||7}d}|d7}|d7}nytjttj Wntk rnXytjttj Wntk r;nX|dkrz;tttj d}|j|j||jWdy|r|jnWntk rnXXz;tttj d}|j|j||jWdy|r|jnWntk rnXXntjdt S(NRIs# Generated by authconfig on s%Y/%m/%d %H:%M:%Ss s [org/gnome/login-screen] s&enable-smartcard-authentication=false s7/org/gnome/login-screen/enable-smartcard-authentications%enable-password-authentication=false s7/org/gnome/login-screen/enable-password-authentication s(enable-fingerprint-authentication=false s:/org/gnome/login-screen/enable-fingerprint-authentication s3 [org/gnome/settings-daemon/peripherals/smartcard] Rsremoval-action='lock-screen' s1/org/gnome/settings-daemon/peripherals/smartcard is dconf update(RRt CFG_DCONFRRtCFG_DCONF_LOCKSR4RtdirnameRRR]tmakedirsR%ttimetstrftimeRdRfReRcRR)R;RR RR R<R=R(RRRKtlockstlocksdirtheadert groupHeader((s!/usr/share/authconfig/authinfo.pyR s         %                  cCsod}|d7}|dtjdd7}|d7}|d7}|d7}|jrv|d7}||j7}|d7}n|jr|d7}||jjd d 7}|d7}n|jr|d 7}||j7}|d7}n|jr |d 7}||j7}|d7}n|jr6|d 7}||j7}|d7}n|jrc|d7}||j7}|d7}n|j r|d7}||j 
7}|d7}n|j r|d7}||j 7}|d7}n|j r|d7}|d7}n|d7}|d7}|d7}|t t |jj7}|d7}|d7}|t t |jj7}|d7}|d7}|d7}|S(Ns#--authconfig--start-line-- s s# Generated by authconfig on s%Y/%m/%d %H:%M:%SsF# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--) sE# Any modification may be deleted or altered by authconfig in future s workgroup = s password server = RR s realm = s security = s idmap config * : range = s winbind separator = s template homedir = s template shell = s' kerberos method = secrets and keytabs! kerberos method = secrets onlys winbind use default domain = s winbind offline logon = s#--authconfig--end-line-- (R;R<RgRZRRYRXRhRiRjRkRnR'RhRlR!Rm(RRK((s!/usr/share/authconfig/authinfo.pyt paramsWinbind sh                                              cCs>d}x'|D]}t||r d}Pq q W||7}|S(NRIRK(RV(RRRRRKRB((s!/usr/share/authconfig/authinfo.pytcheckLineWinbinds  c Cs$t}t}d}ttj|jdddddddd d d d d ddg}d}d}ztttjd}x.|jD]#}|j }|rt |drt}qqnt |drt }qnt |dst |dr||7}qnt |d} | rsd| krs| j ddj}||7}|dkr||j7}t }qqn|dkr||j|||7}qn||7}qW|s|d7}||j7}n|j|j||jWdy|r |jnWntk rnXXt S(NRIRTspassword serverRQRUs domain logonss domain masters idmap uids idmap gidswinbind separatorstemplate homedirstemplate shellswinbind use default domainswinbind offline logonskerberos methodis#--authconfig--end-line--s#--authconfig--start-line--RKR R RLiRMs [global] (RRRNRRRRRRRR R%RR R!RARBR RR R<R=( Rt authsectiontwroteauthsectionRRRRKRRR#((s!/usr/share/authconfig/authinfo.pyR(sb              c Csd}d}d}t}t}t}t}t}t} t} t} d} d} ttj|jztttjd} |jr|d7}n|d7}|j r|d7}n|}|j r|d7}n|j r|d7}n|j r|d7}n|j r|d 7}n|js*|js*|jrA|d 7}|d 7}n|jrW|d 7}n|jrw|j rw|d 7}n|jr|d 7}n|jr|d7}n|jr|d7}n|jr|d7}n|}|jr|jdd}n|}|jr|d7}ntjttjs`|jrK|jrK|jdd}q`|jd d}n|d7}|jr|d7}n|jr|d7}n|j r|d7}n|j r|d7}n|j r|d 7}n|js|d7}n|j!r|d7}nx| j"D] }|j#}t$|dr_|s| d7} | |7} | d7} t%}qqt$|dr|s| d7} | |7} | d7} t%}qqt$|dr|s| d 7} | |7} | d7} t%}qqt$|d!r| s| d"7} | |7} t%} qqt$|d#rQ|s| d$7} | |7} | d7} t%}qqt$|d%r|s| d&7} | |7} | d7} t%}qqt$|d'r| s| d(7} | |7} | d7} 
t%} qqt$|d)r| s| d*7} | |7} | d7} t%} qq| |7} qW|sC| d7} | |7} | d7} n|sj| d7} | |7} | d7} n|s| d 7} | |7} | d7} n|s| d$7} | |7} | d7} n|s| d&7} | |7} | d7} n| s| d(7} | |7} | d7} n| s-| d*7} | |7} | d7} n| j&| j'| | j(Wdy| rh| j)nWnt*k r|nXXt%S(+NRIis dbs filess altfiless directoriess odbcbinds nispluss niss ssss ldapbinds ldaps hesiodbinds hesiods dbibinds dbbindtfilesR]s winbindR}Rs mdns4_minimal [NOTFOUND=return]s dnss winss myhostnamespasswd:s passwd: s sshadow:s shadow: sgroup:s group: s initgroups:R s netgroup:s netgroup: s automount:s automount: shosts:s hosts: s services:s services: (+RRRRgRRRRRoRRpRrRsRtR~RIRbRuR_RvRwRxRyRzRRqR4RtPATH_LIBSSS_AUTOFSRR|RR{R}RRR R%R RR R<R=(Rtuserstnormalthostst wrotepasswdt wrotegroupt wroteshadowt wrotenetgrouptwroteautomountt wrotehoststwroteinitgroupst wroteservicesRRKtservicestnetgroupRR((s!/usr/share/authconfig/authinfo.pyRps:                                                                                                    c Csft|t}|t}|t}d}|rX|rXd}|dkr|dkr|r|jrjt}nt}djt}q|jrt }qn|dkr|dkr|j rt }qt }n|dkr]|dkr|t kr|jrZt}qZq]|dks|dkr]|jdkrZ|td} |j| d |dkr>|t1kr>|j2d#d$}n|rX|d|7}qXn|d%7}|S(&NRIRwRnR RxRoRviiR|Rs %s/pam_%s.sotoddjob_mkhomedirRt-s%-12s%-13s pam_%s.sos_Authentication module %s/pam_%s.so is missing. Authentication process might not work correctly.RRR{RR}t forward_passRRqs cached_logins# krb5_auth krb5_ccache_type=KEYRINGRis rounds=s shadows niss nulloks broken_shadowRtR`Ras (3t pam_stackstSTACKtLOGICtNAMER`tLOGIC_FORCE_PKCS11_KRB5tLOGIC_FORCE_PKCS11Rtargv_force_pkcs11_authtLOGIC_PKCS11_KRB5R]tLOGIC_IGNORE_AUTH_ERRtLOGIC_IGNORE_UNKNOWNtLOGIC_SKIPNEXTtLOGIC_SKIPNEXT3RRtARGVRRRbRttLOGIC_SUFFICIENTR4RtAUTH_MODULE_DIRtX_OKRtmodule_missingRRR%RRRRRRtargv_sssd_missing_nameRmRnRORRRRRaRRtLOGIC_SKIPNEXT_ON_FAILURER( RRt forcescardtwarnRtlogicRRKRtargv((s!/usr/share/authconfig/authinfo.pytformatPAMModule4s              !                   3 !             
!$ cCstjj|}tjj|}|r1| s>|r| rytj|Wntk rbnXytj||Wqtk rqXndS(N(R4RRtislinkR)R;tsymlink(RRRRR((s!/usr/share/authconfig/authinfo.pytlinkPAMServices  cCs}xvtttttgD]_}td|}tjj|}tjj |}|r[| sh|r| rt |_ dSqWdS(Ns/pam.d/( RrRutPASSWORD_AUTH_PAM_SERVICEtFINGERPRINT_AUTH_PAM_SERVICEtSMARTCARD_AUTH_PAM_SERVICERqR4RRRoRR(RRRR((s!/usr/share/authconfig/authinfo.pytcheckPAMLinkeds  cUCs[d}d}t|j|jztt|jd}|d7}|d7}|d7}|d7}|j}|j}|j} t } |t krt } n|t krt } n|t krt }t }n|jo|jdk} g} xt|D]} | r| t| tkr|d7}n| } | ts|jrF| td ks|jr_| td ks|jrx| td ks|jr| td ks|jr| td ks|jr| tdks|jr|j r| tdkr| ttk s|jrF|rF| tdkr&| ttks| tdkrF| ttks|jri|j ri| tdks|r| r| tdkr| tt ks|r| r| ttkr| tdkr| t!t"ks|r| r| tdks|r| r|r| tdks|r.|r.| tdks| rD| tdks|j#r]| tdks|j$rv| tdks|j%r| tdks|js|js|j&r| tdkr| tt ks|js|js|j&r9|j' r9| tdks)| tdkr9| t!t(kr9|j) r9| ttks|j*rb| tdkrb| tt+ks|j,r{| tdks|j-r| tdks|j) r| ttkr| tdkr| t!t.kr||j/| || 7}qqW|j0|j1||j2Wdy|r)|j3nWnt4k r=nXX|j5|t6d|t S(NRIis #%PAM-1.0 s# This file is auto-generated. s/# User changes will be destroyed the next time sauthconfig is run. 
Rs R~safs.krbRRtRtepsRxRyRR}RvRwRRzRRRR{RRs/pam.d/(7RRRRRRRfR]ReRtSTANDARDR%t FINGERPRINTt SMARTCARDRRdt pam_modulesRXt MANDATORYRRZRRRRRR`RRctargv_krb5_sc_authtAUTHRaRhRYRaRRRRbRtRiRRtACCOUNTRRtLOGIC_REQUISITERnR RR R<R=RqRq(RRtcfgt cfg_basenametcfg_linkRRKRfR]ReRktuse_sssd_smartcard_supportt prevmoduleR((s!/usr/share/authconfig/authinfo.pytwritePAMServices               #  #, #;*)     cCs{i|_|jtttt|jtttt |jt t t t |jtttt|jtttttS(N(RgRRwRptAUTH_PAM_SERVICE_ACRrt POSTLOGINRttPOSTLOGIN_PAM_SERVICE_ACRut PASSWORD_ONLYtCFG_PASSWORD_PAMtPASSWORD_AUTH_PAM_SERVICE_ACRrRxtCFG_FINGERPRINT_PAMtFINGERPRINT_AUTH_PAM_SERVICE_ACRsRytCFG_SMARTCARD_PAMtSMARTCARD_AUTH_PAM_SERVICE_ACRtR%(R((s!/usr/share/authconfig/authinfo.pyRs cCsttj|jytjttj}Wntk rBtSX|j d|j |j d|j |j d|j |j d|j|j d|j|j d|j|j d|j|j d|j|j d |j|j d |j|j d |j|j d |j|j d |j|j d|j|j d|j|j d|j|j d|j|j d|j|j dd|j d|j|j d|j|j d|j |j d|j!|j d|j"|j d|j#|j d|j$|j d|j%|j d|j&|j d|j'|j d|j(|j d|j)|j d |j*|j d!|j+|j d"|j,|j-d#|j.t/S($NRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRi(0RRRRRRRR=Rt setBoolValueRRRRRoRwR_RtRRRqRnR~R`RaR]RfReRORRRRRRRRRRBRbRRRRRRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR sT   cCsqttj|jytjttj}Wntk rBtSX|j d|j |j d|j t S(NRi(RRRRRRRR=RRRLRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR:s   cCs|j}|j|_|_|j rY|j rY|jrY| rY|jjdqYnt}t|dkr|j |kr|d|_ n|j r|j rt |_ t |_ndS(NR^i(RIRRR~RRRRRRdRRbRR%R(Rt oldimplicittmodules((s!/usr/share/authconfig/authinfo.pytprewriteUpdateHs  ! 
cCsd|jt|j|jtdy|j}|oF|j}|oX|j}|jry|os|j }n|j s|j r|o|j }n|j s|jr|jdkr|o|j}n|jr|o|j}n|jr|o |j}n|js$|jr9|o3|j}n|jsK|jr`|oZ|j}n!|jr|o{|jt}n|o|j}|o|j}|o|j}|o|j}|o|j }|o|j!}Wn<t"t#fk r,t$j%j&t't$j(ddt)SXx0|j*D]%}|j+r7|j,j-|j+q7q7W|S(Ns/lastRis (.RR%Rt setupBackuptPATH_CONFIG_BACKUPSRRR$RwRR_RaRR`RRXRR]RRtRRqRRIRRRR$RRRRRRR;R=RRRR'texc_infoRRRRtadd(RRR1((s!/usr/share/authconfig/authinfo.pyRVsL         $ cCs|j|jt|j|jtdt}yjxc|jD]X}|j||rE|jr{|ou|j}n|j r|j j |j qqEqEWWn<t t fk rtjjttjddtSX|S(Ns/lastis (RuRR%RRRRRRRRRR;R=RRRR'RR(RRRR1((s!/usr/share/authconfig/authinfo.pyt writeChangeds      !$cCsd}d}g}g}tjdgtjdgtjdgtjdgg}tj}|sddS|jds|d7}n||jd}d|}tj|tjtj}xJ|D]B}|j tjkr|j j j d|_ t||_qqWd|}tj|tjtj}|sXd|}tj|tjtj}nx?|D]7}|j tjkr_|j j|_|jrPqq_q_W|jrd|j}tj|tjtj}x|D]{}|j tjkr|j j j d}|j jr"|d |j j7}n|jrA|jd |7_qM||_qqWd |j}tj|tjtj}x|D]{}|j tjkr|j j j d}|j jr|d |j j7}n|jr|jd |7_q||_qqWnx|D]}|d |}tj||d tj}xV|D]N}|j tjkr@|j|kr@d|d |_|j d|_Pq@q@Wq WdS(NRIthstnsRs _ldap._tcps _kerberos.t _kerbeross_kerberos._udp.R,Rs_kerberos-adm._udp.ii(t dnsclienttDNS_C_INtDNS_C_HSRtgetfqdntendswithR-Rt DNS_T_SRVtdns_typetrdataRR R2RR4t DNS_T_TXTtdataR@RR<R>t DNS_T_SOAtdns_nameRJRK(RthostnametqnametresultsRORbRth((s!/usr/share/authconfig/authinfo.pytprobesx                       c Csdt|jGHdGHdt|jGHdt|jGHdt|jGHd|jGHd|jGHdt|jGHd t|jGHd |j GHd |j GHd t|j GHd |j GHd|j GHdt|jGHdt|jGHd|jGHd|jGHd|jGHd|jGHd|jGHd|jGHdt|jGHdt|jGHdt|jGHdt|jGHdt|jGHdGHdt|jGHd|jGHdt|jGHd |jGHd!t|jGHd"|j GHd#t|j!GHd$|j"GHd%t|j#GHd t|jGHd |j GHd |j GHd&|j$pYd'GHd(t|j%o|j&o|j'd)k GHd*t|j%o|j&o|j'd)kGHd+t|j(GHd,|j'GHd-|j)GHd.t|j*GHd/t|j+GHd0t|j,GHd|jGHd|jGHd|jGHd|jGHd1t|j&GHd2t|j-GHd3t|j. 
GHd4t|j/GHd5|j0 rd6pd7GHd8|j1GHd9|j2GHd:|j3GHd;t|j4|j5fGHd<t|j6|j7fGHd=t|j8|j9fGHd>t|j:|j;fGHd?t|j<|j=fGHd@t|j>|j?fGHdAt|j@GHdS(BNs caching is %ssnss_files is always enabledsnss_compat is %ss nss_db is %ssnss_hesiod is %ss hesiod LHS = "%s"s hesiod RHS = "%s"snss_ldap is %ss LDAP+TLS is %ss LDAP server = "%s"s LDAP base DN = "%s"s nss_nis is %ss NIS server = "%s"s NIS domain = "%s"snss_nisplus is %ssnss_winbind is %ss SMB workgroup = "%s"s SMB servers = "%s"s SMB security = "%s"s SMB realm = "%s"s Winbind template shell = "%s"s SMB idmap range = "%s"snss_sss is %s by defaultsnss_wins is %ssnss_mdns4_minimal is %ssmyhostname is %ss%DNS preference over NSS or WINS is %sspam_unix is always enableds shadow passwords are %ss! password hashing algorithm is %sspam_krb5 is %ss krb5 realm = "%s"s krb5 realm via dns is %ss krb5 kdc = "%s"s krb5 kdc via dns is %ss krb5 admin server = "%s"spam_ldap is %ss LDAP schema = "%s"R2spam_pkcs11 is %sRsSSSD smartcard support is %ss# use only smartcard for login is %ss smartcard module = "%s"s smartcard removal action = "%s"spam_fprintd is %sspam_ecryptfs is %sspam_winbind is %sspam_sss is %s by defaults! 
credential caching in SSSD is %ss6 SSSD use instead of legacy services if possible is %ss IPAv2 is %ssIPAv2 domain was %sjoinedsnot RIs IPAv2 server = "%s"s IPAv2 realm = "%s"s IPAv2 domain = "%s"spam_pwquality is %s (%s)spam_passwdqc is %s (%s)spam_access is %s (%s)spam_faillock is %s (%s)s0pam_mkhomedir or pam_oddjob_mkhomedir is %s (%s)s'Always authorize local users is %s (%s)s;Authenticate system accounts against network services is %s(ARRHRzRoRwRJRKR_R6R2R4RtRNRLRsRqRgRZRXRYRkRhR~R{R|R}RRROR`R@R[R<R\R>RaR8R]RRdRfRcReRRRBRRbRRRRRRRRRRRRRRRRR(R((s!/usr/share/authconfig/authinfo.pyt printInfos                  +*               cCsux.ttttfD]}t|j|jqW|jrWtj dtj dntj dtj dt S(Ns/usr/sbin/pwconvs/usr/sbin/grpconvs/usr/sbin/pwunconvs/usr/sbin/grpunconv( t CFG_SHADOWt CFG_PASSWDt CFG_GSHADOWt CFG_GROUPRRRRR4RR%(RR((s!/usr/share/authconfig/authinfo.pyR0s    c Csd}|js|jr|jr|jjdddjdddjddd}|j}|j}|s{d}n|dkr|dkrdStd|rd pd ||rd pd ||jf}|rtj j d |n|j s| rt ||d |j \}}n(t |gdt}|j|j}|rp|dkr|jtdqq|dkrtd} | d|7} |j| qn|dkS(NiRiR s RRs join %s%s %s%s -U %ss-w RIs-S s[%s] ssword:Rs'Winbind domain join was not successful.s]Winbind domain join was not successful. The net join command failed with the following error:s (RqRRRZR RgRXtPATH_WINBIND_NETRRRRRRR%RRRR( RRRRRtprotocoltcmdRRterrmsg((s!/usr/share/authconfig/authinfo.pyt joinDomain<s89   !     c Csd}|jr|j}|j}|j}|j}|j}|jrNd}nd}td|rfdpid||rxdp{d||rdpd||rdpd||| rd pd f } |rtj j d | t | gd t } | j | j}nt| |d|\}} |dkr5t |_n|r`|dkr|jtd qq|dkrtd} | d| 7} |j| qn|dkS(Nis-NRIs! --noac %s%s %s%s %s%s %s%s %s %ss --domain=s --server=s--realm=s --principal=s --unattendeds-Ws[%s] Rs%IPAv2 domain join was not successful.seIPAv2 domain join was not successful. 
The ipa-client-install command failed with the following error:s (RbRRRRRRtPATH_IPA_CLIENT_INSTALLRRRRR%RRRRRR( RRRRRRQt principalRqtnontpRRRR((s!/usr/share/authconfig/authinfo.pyt joinIPADomain_sB               cCstd}tj|dS(Ns --uninstall --noac --unattended(RR4R(RR((s!/usr/share/authconfig/authinfo.pyt uninstallIPAs cCsX|sT|jr,tjdtjdqTytjdWqTtk rPqTXntS(NR!(RHRRR1R;R%(RR((s!/usr/share/authconfig/authinfo.pyRs   cCsc|jr|jr|s/tjd|jnyAtjdtjttjd|sotjdnWnt k rnXyAtjt tjd|stj dtjdnWq_t k rq_Xn|stjdnyYtjdtjt |s=ytj dWq=t k r9q=Xntj dWnt k r^nXt S(Ns/bin/domainname sG[[ $(getsebool allow_ypbind) == *off* ]] && setsebool -P allow_ypbind 1trpcbindtypbinds/bin/domainname "(none)"sF[[ $(getsebool allow_ypbind) == *on* ]] && setsebool -P allow_ypbind 0(RtRLR4RRt PATH_RPCBINDRRR1R;t PATH_YPBINDRRR%(RR((s!/usr/share/authconfig/authinfo.pyRsB            cCst|js|jo|j td||jrZytjdWqtk rVqXn%ytjdWntk r~nXtS(Ntnslcdse[[ $(getsebool authlogin_nsswitch_use_ldap) == *off* ]] && setsebool -P authlogin_nsswitch_use_ldap 1sd[[ $(getsebool authlogin_nsswitch_use_ldap) == *on* ]] && setsebool -P authlogin_nsswitch_use_ldap 0( RR_RaRIt PATH_NSLCDR4RR;R%(RR((s!/usr/share/authconfig/authinfo.pyRs    cCs#t|jp|jtd|dS(NR(RRqRt PATH_WINBIND(RR((s!/usr/share/authconfig/authinfo.pyRscCs|jr|jpE|jr-tjjtpE|joEtjjt}|jpf|jpf|jpf|}t |t d|p|o|jp|jp|j dS(NR( R~RR4RtexiststPATH_SSSD_CONFIGRIRRbRt PATH_SSSD(RRtexplicitenableR((s!/usr/share/authconfig/authinfo.pyRscCsB|jr>tjdtdftjr>tttd|ndS(Ns %s/pam_%s.soRTtoddjobd(RR4RReRfRR%t PATH_ODDJOBD(RR((s!/usr/share/authconfig/authinfo.pyRs cCs8x|jD]}||q W|jr4|jndS(N(RRR(RRR((s!/usr/share/authconfig/authinfo.pytposts cCsx|js|jrtytj|jWn>tk rf\}}|tjkrgtj|jdqgnXt |jSt S(Ni( R_RaR4RR:R;RBtENOENTRRR(RRR((s!/usr/share/authconfig/authinfo.pyttestLDAPCACertss cCsE|js|jrA|js*d|jkrAtjd|jndS(Nsldaps:s/usr/sbin/cacertdir_rehash (R_RaR6R2R4RR:(R((s!/usr/share/authconfig/authinfo.pytrehashLDAPCACertsscCs|js tS|jyWtj|j}t|jdtd}|j|j |j |j Wn.t t t fk r|jtdtSX|jtS(NRis Error downloading 
CA certificate(RRRturllib2turlopenRHR:tLDAP_CACERT_DOWNLOADEDRRR<R=R;R+RRRR%(Rtreadftwritef((s!/usr/share/authconfig/authinfo.pytdownloadLDAPCACerts    cCs|ddkr!td|}n||_t|syQtj|}x;|D]3}ytj|d|WqOtk rqOXqOWWqtk rqXndS(NiRs/backup-(RRRR4RR)R;(RRRR>((s!/usr/share/authconfig/authinfo.pyR s      cCs@|j|t}x&tD]}|j|jo5|}qW|S(N(RR%RRR(RRRR((s!/usr/share/authconfig/authinfo.pyt saveBackups   cCsQ|ddkr!td|}nt}x#tD]}|j|oF|}q.W|S(NiRs/backup-(RR%RR (RRRR((s!/usr/share/authconfig/authinfo.pyt restoreBackups  cCs|jtdS(Ns/last(RR(R((s!/usr/share/authconfig/authinfo.pyt restoreLast's(TRRRRRRRRRRRRRR RRR%R/RCRJRQRSRWRoR"RvRsRRRRRRRR$RRRRRRRRRRRR$RRRRARBRRRnRqRuRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s!/usr/share/authconfig/authinfo.pyR%s     *   9   K  " 1 *  + 7      "    U u  5 B  \  F  Y : H b  T /   )  S L # (  $         ((((((s ldapServersldap_uri(s ldapBaseDNR5(s enableLDAPSR7(s ldapSchemas ldap_schema(s ldapCacertDirR;(s kerberosKDCR=(skerberosAdminServerR?(s kerberosRealmRA(senableCacheCredsRC(senableCacheCredsskrb5_store_password_if_offline((RtreR4RR7RRRRRRRRBRRR;Rt subprocessRtgettexttlgettextRRt ImportErrorRRqRrRRuRRrRRsRRtRR7R'tglobalstLIBDIRRet PATH_PWCONVRR#RRRRRt PATH_SEBOOLt PATH_SCEVENTDRtPATH_LIBNSS_DBtPATH_LIBNSS_LDAPRRtPATH_LIBNSS_NIStPATH_LIBNSS_HESIODtPATH_LIBNSS_ODBCBINDtPATH_LIBNSS_WINBINDtPATH_LIBNSS_WINStPATH_LIBNSS_SSSt PATH_PAM_KRB5t PATH_PAM_LDAPtPATH_PAM_WINBINDtPATH_PAM_PKCS11tPATH_PAM_FPRINTDt PATH_PAM_SSSRFRRRRRRRtLOGIC_REQUIREDRRdtLOGIC_OPTIONALR`R_t LOGIC_PKCS11R\R^R[RaRbtLOGIC_ALWAYS_SKIPRiR RRRR R"R$R)R*R+R3RDRHRMRPRRRVtargv_unix_authtargv_unix_passwordt argv_afs_authtargv_afs_passwordtargv_pwquality_passwordtargv_passwdqc_passwordt argv_eps_authtargv_eps_passwordtargv_fprintd_authtargv_pkcs11_authR]Rhtargv_krb5_authR|targv_krb5_passwordtargv_ldap_authtargv_ldap_passwordt argv_otp_authtargv_succeed_if_authtargv_succeed_if_accounttargv_succeed_if_sessiontargv_succeed_if_nonlogintargv_winbind_authtargv_winbind_passwordt 
argv_sss_authtargv_sss_passwordtargv_keyinit_sessiontargv_ecryptfs_authtargv_ecryptfs_passwordtargv_ecryptfs_sessiontargv_succeed_if_not_gdmtargv_lastlog_gdmtargv_lastlog_not_gdmtargv_faildelayRtrangeR}R~tSESSIONtPASSWORDRWR{RXRYRZRcRwRRRxRyRRzR%RRtDEFAULT_DNS_QUERY_SIZEtcompileR#RRRtreadlinkRR;RRRRRRRRRRR R"R$R%RRRRRRRRtCFG_KRBR4RNRgRRpRtRRRRRRR.R"R4RRRRR7R8RR>R(((s!/usr/share/authconfig/authinfo.pyts                                                                                         (                                                                                                                                                                                                                                                                                                                                                       Z    #S  7i   authinfo.pyc000064400000333047147645272700007126 0ustar00 8Yc;@sddlZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlTddlZddlZejZyddlaWnek r danXdZdZdZdZdZdZd Zd Z d Z!d Z"d Z#dZ$de%e&dkrdZ'ndZ'e'dZ(dZ)dZ*dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3e'dZ4e'd Z5ej6j7e5se'd Z5ne'd!Z8e'd"Z9e'd#Z:e'd$Z;e'd%Z<e'd&Z=e(d'Z>e(d(Z?e(d)Z@e(d*ZAe(d+ZBe(d,ZCe'd-ZDd.ZEd/ZFd0ZGd1ZHd2ZId3ZJed4ZKd5ZLd6ZMd7ZNd8ZOd9ZPd:ZQd;ZRd<ZSd=ZTd>ZUd?ZVd@ZWdAZXdBZYdCZZdDZ[dEZ\dFZ]dGZ^dHZ_dIZ`dJZadKZbdLZcdMZddNZedOZfdPZgdQZhdRZidSZjdTgZkdTdUgZldVgZmdVgZndTdWdXdYgZodZgZpdVgZqdUgZrgZsd[gZtd[d\gZud]gZvdVgZwdVd^gZxdUgZydVgZzdUgZ{dVgZ|d_d`dagZ}dbd`dcgZ~dddcdegZdfdcdegZdVgZdUgZdVgZdUgZdggZdhgZdhgZdhgZdidjdcgZdkdlgZdmdndlgZdogZdpdqdrdsdtgZedudv\ZZZZdwdxdydzgZedud{\ZZZZZedud{\ZZZZZgeeeeefD] 
Zg^qZeeeLd|ggeeeLd}egeeeLd~ddmggeeeVdegeeeRdetgeeeOdexgeeeNdggeeeNdggeeeYde}geeeYdggeeeNdekgeeeMde}geeeNdegeeeNdemgeeeNdemgeeeNdeqgeeeNdewgeeeNdezgeeeNde|geeeNdegeeeLd~dggeeeLdggeeeLdggeeeLd~ggeeeLdggeeeNdggeeeNde~geeePdggeeePdggeeePdggeeePdggeeeLdggeeeMdeogeeeMdepgeeeNdelgeeeNdegeeeNdengeeeNdengeeeNdergeeeNdeygeeeNde{geeeNdegeeeLdggeeeOdegeeeLdggeeeOdggeeeOdggeeeVdegeeeLdggeeeOdggeeeOdggeeeOdggeeeOdggeeeOdggeeeOdggg7eeR@((s!/usr/share/authconfig/authinfo.pyt openLockedscCsEd}|jd}x)|D]!}|r|d|d7}qqW|S(NtRs kdc = s (R (tkdclisttoutputtkdc((s!/usr/share/authconfig/authinfo.pytkrbKdcs  cCsKd}|jd}x/|D]'}|r|d7}||d7}qqW|S(NRIRs admin_server = s (R (t adminserversRKt adminserver((s!/usr/share/authconfig/authinfo.pytkrbAdminServers  cCsOd}|rK|d|d7}|t|7}|t|7}|d7}n|S(NRIR s = { s } (RMRP(trealmRJRNRK((s!/usr/share/authconfig/authinfo.pytkrbRealms cCs|jdd}t|dkr-d}n |d}|djjd}|jjd}||kr|jtjdStS(NRiiRIi(R RR!RRRRR(RRtlinelsttparamtkeylst((s!/usr/share/authconfig/authinfo.pyt matchLineSMBs   ttry_first_passt use_authtoktuse_first_passtlocal_users_onlysretry=3s authtok_type=s enforce=userstnodebugt wait_for_cardtallow_missing_nametno_subsequent_promptsuid >=t500t quiet_successsuid =)[ \t]+([0-9]+)tSysVInitServicecBs>eZdZdZdZdZdZdZRS(cCstjd|ddS(Ns/sbin/service s start(R4tsystem(tselftservice((s!/usr/share/authconfig/authinfo.pyR1WscCstjd|ddS(Ns/sbin/service s stop >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pytstopZscCs*tjd|tjd|ddS(Ns/sbin/chkconfig --add s/sbin/chkconfig --level 345 s on(R4R(RR((s!/usr/share/authconfig/authinfo.pytenable]scCstjd|ddS(Ns/sbin/chkconfig --level 345 s off(R4R(RR((s!/usr/share/authconfig/authinfo.pytdisableascCs9tjd|d}tj|o8tj|dkS(Ns/sbin/chkconfig s >/dev/null 2>&1i(R4Rt WIFEXITEDt WEXITSTATUS(RRtrv((s!/usr/share/authconfig/authinfo.pyt isEnableddscCstjd|ddS(Ns/sbin/service s condrestart >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyt tryRestarths(t__name__t __module__R1RRRRR(((s!/usr/share/authconfig/authinfo.pyRVs      
tSystemdServicecBs>eZdZdZdZdZdZdZRS(cCstjd|ddS(Ns/bin/systemctl start s.service(R4R(RR((s!/usr/share/authconfig/authinfo.pyR1lscCstjd|ddS(Ns/bin/systemctl stop s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRoscCstjd|ddS(Ns/bin/systemctl enable s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRrscCstjd|ddS(Ns/bin/systemctl disable s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyRuscCs9tjd|d}tj|o8tj|dkS(Ns/bin/systemctl is-enabled s.service >/dev/null 2>&1i(R4RRR(RRR((s!/usr/share/authconfig/authinfo.pyRxscCstjd|ddS(Ns/bin/systemctl try-restart s.service >/dev/null 2>&1(R4R(RR((s!/usr/share/authconfig/authinfo.pyR|s(RRR1RRRRR(((s!/usr/share/authconfig/authinfo.pyRks      s /sbin/initcCs|r^yAtj|tj||sFtj|tj|nWqtk rZqXn`yLtj||sytj|Wqtk rqXntj|Wntk rnXtS(N( R4tstattServiceRRR1R;RR%(Rtpathtnametnostart((s!/usr/share/authconfig/authinfo.pyttoggleSplatbindServices(       cCs|r dSdSdS(Ntenabledtdisabled((tval((s!/usr/share/authconfig/authinfo.pyt formatBoolscCsytj\}}Wntk r*dSX|s|rOt|gdt}n5t|gdtdt}|jd|p|dd|j|j}tj |nd\}} y7t j |t j } t j |t j | tj @Wntk rnXt} xk| sqy7g} g} tj|gg|gd\} }} Wn4tjk rz\}}tjjd|dnX| r| rtj|t} qnd}ytj|d }Wntk rM\}}|tjksG|tjkrq|tjkrtj|t} qtjjd |dtj|t} qnX|r[y||7}| |7} |rtjj|n|r||kr| jd }tj||pdtj|d |d krd| | } nd} d}|rtjjd qnWqntk rW\}}tjjd|dtj|t} qnXqtj|t} qWytj|tjWntk rnXd}ytj|d\}}Wn1tk r\}}tjjd|dnX|| fS(NitshelltstdintinputRIs i<sselect: isread: s is<...> swrite: is waitpid: (RIRI( R4tforkptyR;tPopenR%tPIPEt communicatetwaitt returncodet_exitR7tF_GETFLtF_SETFLt O_NONBLOCKR=RtselectterrortsyststderrtwriteR<treadRBtEINTRtEAGAINtEIOtrfindtkilltsignaltSIGTERMtwaitpid(tcommandtechotquerytresponsetpidtmastertchildtstatusRKRtiteoftifdstefdstofdsterrttexttctindex((s!/usr/share/authconfig/authinfo.pytfeedForks    "  +            cCsytj|}Wntk r'tSXxS|D]K}y1tj|d|}tj|jretSWq/tk ryq/Xq/WtS(Nt/(R4tlistdirR;R%RtS_ISREGtst_modeR(RRR>tst((s!/usr/share/authconfig/authinfo.pyt isEmptyDirs   
cCs|ycttg|dt}|jdjd}|jdkrHdS|ddkrb|d3nWntk rwdSX|S(Ntstdoutis iRI(Rt PATH_SCSETUPRRR RRR;(toptionsRR((s!/usr/share/authconfig/authinfo.pytcallPKCS11Setups cCs#tdg}|dkrgS|S(Nt list_modules(RR(tmods((s!/usr/share/authconfig/authinfo.pytgetSmartcardModuless cCstdtdgS(NtLocktIgnore(t_(((s!/usr/share/authconfig/authinfo.pytgetSmartcardActions scCst|}|j|S(N(tAuthInfoR(tmsgcbtinfo((s!/usr/share/authconfig/authinfo.pyR#s  t SaveGroupcBseZdZdZRS(cCs||_||_||_dS(N(t saveFunctionttoggleFunctiontattrlist(Rtsavefunct togglefuncR((s!/usr/share/authconfig/authinfo.pyt__init__)s  cCsx|jD]\}}||jkr)tS|dkrZt||t||krtSq |dkrtt||t||trtSq |dkr tt||t||trtSq q WtS(NR'RR(RtinconsistentAttrsR%tgetattrR)R(RR&R'tanametatype((s!/usr/share/authconfig/authinfo.pyt attrsDiffer.s  $ $ (RRRR(((s!/usr/share/authconfig/authinfo.pyR(s tSafeFilecBs5eZdZdZdZdZdZRS(cCstjj|\}}t|_tjd|d|dt|_t dd||jj gdtj dtj dkrt|_tj |jj|n||_dS( Ntdirtprefixtdeletes/bin/cps-afRs /dev/nulli(R4RR RtmissingttempfiletNamedTemporaryFileR%tfiletcallRR5tO_WRONLYtfchmodtfilenoR>(RR>t default_modetbaseR((s!/usr/share/authconfig/authinfo.pyR>s ! cCst|jjtj|jjtj|jj|j|jrpt d|jgdtj dtj ndS(Ns/usr/sbin/restoreconRs /dev/null( RtflushR4tfsyncRtrenameRR>RRR5R(R((s!/usr/share/authconfig/authinfo.pytsaveJs   cCs)y|jjWntk r$nXdS(N(RR<R;(R((s!/usr/share/authconfig/authinfo.pyR<Rs cCs|jj|S(N(RR(RR ((s!/usr/share/authconfig/authinfo.pyRYscCs$|jjd|jjddS(Ni(Rtseekttruncate(R((s!/usr/share/authconfig/authinfo.pytrewind\s(RRRR R<RR (((s!/usr/share/authconfig/authinfo.pyR=s    t FileBackupcBs,eZdZdZdZdZRS(cCs||_||_dS(N(t backupNametorigPath(Rt backupnametorigpath((s!/usr/share/authconfig/authinfo.pyRas cCst}d}d}yt|tjd}Wntk r?tSXytjtj|j }Wn%tt fk rtj |tSXyt ||}|j Wntk rt}nXyLxE|rtj|d}|st}Pntj|jj|qWWntt fk r)t}nXy|rCtj |nWntt fk r]nXy'|r|r|j|j nWntt fk rt}nX|S(Nii(R%RRDR4R6R=RtS_IMODEtfstatRR;R<RR RRRRRR (RtsrctdestRtsrcfdtdestfileR?R'((s!/usr/share/authconfig/authinfo.pytsafeCopyesL     !    
cCst}y&tjj|s+tj|nWnttfk rKt}nX|d|j}|r{|j |j |}n|S(NR( R%R4RtisdirtmkdirR;R=RRRR(RtdestdirRt backuppath((s!/usr/share/authconfig/authinfo.pytbackups   cCst}ytjj|stSWnttfk r?t}nX|d|j}|rtjj|r|j ||j }ny5|rt d|j gdtj dtj nWnttfk rnX|S(NRs/usr/sbin/restoreconRs /dev/null(R%R4RRRR=R;RtisfileRRRR5R(Rt backupdirRR((s!/usr/share/authconfig/authinfo.pytrestores  (RRRRRR (((s!/usr/share/authconfig/authinfo.pyR `s  * cCs tjdS(Ntnscd(RR(((s!/usr/share/authconfig/authinfo.pyt readCachescCsL|rtjdn2ytjttjdWntk rGnXtS(NR!(RRR4Rt PATH_NSCDRR;R%(R((s!/usr/share/authconfig/authinfo.pyt writeCaches  t CacheBackupcBseZdZdZRS(cCst}y&tjj|s+tj|nWnttfk rKt}nX|d|j}|rd}y5t }t |d}|j t t|Wntk rt}nX|r|jqn|sytj|Wqtk rqXn|S(NRtw(R%R4RRRR;R=RRRR"R5RtstrtintR<tunlink(RRRRRR((s!/usr/share/authconfig/authinfo.pyRs.     cCst}ytjj|stSWnttfk r?t}nX|d|j}|rtjj|rd}y/t |d}t |j }t |Wn tttfk rt}nX|r|jqn|S(NRtr(R%R4RRRR=R;RRRR5R(RR$t ValueErrorR<(RRRRRR((s!/usr/share/authconfig/authinfo.pyR s$  (RRRR (((s!/usr/share/authconfig/authinfo.pyR%s is hesiod.confs /hesiod.confsyp.confs/yp.confs ldap.confs /ldap.confs nss_ldap.confs/nss_ldap.confs pam_ldap.confs/pam_ldap.confs nslcd.confs /nslcd.confs openldap.confs/openldap/ldap.confs krb5.confs /krb5.confskrb.confs /krb.confspam_pkcs11.confs/pam_pkcs11/pam_pkcs11.confssmb.confs/samba/smb.confs nsswitch.confs/nsswitch.confscacheenabled.confRIs/pam.d/t authconfigs/sysconfig/authconfigtnetworks/sysconfig/networks libuser.confs /libuser.confspwquality.confs/security/pwquality.confs login.defss /login.defss sssd.conftshadows/shadowtpasswds/passwdtgshadows/gshadowtgroups/groups 10-authconfigs /dconf/db/distro.d/10-authconfigs10-authconfig-lockss,/dconf/db/distro.d/locks/10-authconfig-lockst ldapServertldap_urit ldapBaseDNtldap_search_baset enableLDAPStldap_id_use_start_tlst ldapSchemat ldap_schemat ldapCacertDirtldap_tls_cacertdirt kerberosKDCt krb5_servertkerberosAdminServert krb5_kpasswdt kerberosRealmt 
krb5_realmtenableCacheCredstcache_credentialstkrb5_store_password_if_offlineRcBseZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZedZdZ dZ!dZ"d Z#d!Z$d"Z%d#Z&d$Z'd%Z(d&Z)d'Z*d(Z+d)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1Z4d2Z5d3Z6d4Z7d5Z8d6Z9d7Z:d8Z;d9Z<d:Z=d;Z>d<Z?d=Z@d>ZAd?ZBd@ZCdAZDdBZEdCZFdDZGdEZHdFZIdGZJdHZKdIZLdJZMdKZNdLZOdMZPdNZQdOZRdPZSRS(Qc8Cs||_d|_g|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_t|_ t|_!d|_"d|_#d|_$d|_%d|_&d|_'d|_(d|_)d|_*d|_+d|_,d|_-d|_.d|_/d|_0d|_1d|_2d|_3d|_4d|_5d|_6d|_7d|_8d|_9d|_:d|_;t<|_=d|_>d|_?d|_@d|_Ad|_Bd|_Cd|_Dd|_Ed|_Fd|_Gd|_Hd|_Id|_Jd|_Kd|_Ld|_Md|_Nd|_Od|_Pd|_Qd|_Rd|_Sd|_Tt|_Ut|_Vd|_Wd|_Xd|_Yd|_Zd|_[d|_\d|_]d|_^d|__d|_`d|_ad|_bd|_cd|_dd|_ed|_fd|_gd|_hd|_id|_jd|_kd|_lt<|_md|_nd|_od|_pt|_qtrr$y trjr|_n|jnjsWq$ttk r q$Xntu|_vtw|jx|jydmdngtw|jzddodpgtw|j{|j|dqdrdsgtw|j}ddtdudvdwdxdygtw|j~ddzgtw|jdd{gtw|jdd|d}d~dddddgtw|jdddddddddgtw|j|jdddddddddddddddgtw|jdddgtw|jddddddgtw|j|jdddddddddddg tw|jdddddddddddddddddddddddgtw|jddddddddddddddddddddddddddddddddddddddddg'tw|jddddddddddddddddddddddddddddddddd d g!tw|jdd gtw|jdd gtwd|j|d gtwd|jdgtwd|jdddddgtwd|jddddddgtwd|jddgg|_dS(NRIt9t1t0sdeny=4 unlock_time=1200s umask=0077t enableCacheR't implicitSSSDt hesiodLHSRt hesiodRHSt nisDomainRtnisLocalDomaint nisServerR2R4R6R8R:tpasswordAlgorithmt passMinLent passMinClasst passMaxRepeattpassMaxClassRepeatt passReqLowert passReqUppert passReqDigitt passReqOtherR@R<t smbSecuritytsmbRealmt smbServersR>tkerberosRealmviaDNStkerberosKDCviaDNSRBtenableSmartcardtforceSSSDUpdatet enableLDAPtenableKerberostenableLDAPAutht enableIPAv2tsmartcardActiontsmartcardModulet enableFprintdtforceSmartcardt smbWorkgroupt smbIdmapRangetwinbindSeparatortwinbindTemplateHomedirtwinbindTemplateShelltwinbindUseDefaultDomaintwinbindOfflinet winbindKrb5tenableDBtenableDirectoriest enableWinbindtenableOdbcbindt enableNIS3t enableNIStenableLDAPbindtenableHesiodbindt enableHesiodt enableDBIbindt enableDBbindt enableCompatt 
enableWINSt enableMDNStenableMyhostnamet enableSSSDtpreferDNSinHostst pwqualityArgst passwdqcArgst faillockArgstenableFaillockt localuserArgst pamAccessArgstenablePAMAccesst mkhomedirArgstenableMkHomeDirt algoRoundst enableShadowt enableNullOktforceBrokenShadowtenableWinbindAutht enableAFStenableAFSKerberostenablePWQualityt enableEPStenableEcryptfst enableOTPtenablePasswdQCtenableLocAuthorizetenableSysNetAuthtenableSSSDAutht pamLinkedtimplicitSSSDAutht systemdArgstuidMintenableForceLegacyt ipav2Servert ipav2Domaint ipav2RealmtipaDomainJoinedt ipav2NoNTP(s enableCacheR'(s implicitSSSDR'(s hesiodLHSR(s hesiodRHSR(s nisDomainR(snisLocalDomainR(s nisServerR(s ldapServerR(s ldapBaseDNR(s enableLDAPSR'(s ldapSchemaR(s ldapCacertDirR(spasswordAlgorithmR(spasswordAlgorithmR(spasswordAlgorithmR(s passMinLenR(s passMinClassR(s passMaxRepeatR(spassMaxClassRepeatR(s passReqLowerR'(s passReqUpperR'(s passReqDigitR'(s passReqOtherR'(s kerberosRealmR(s kerberosKDCR(s smbSecurityR(ssmbRealmR(s smbServersR(skerberosAdminServerR(skerberosRealmviaDNSR'(skerberosKDCviaDNSR'(s ldapServerR(s ldapBaseDNR(s enableLDAPSR'(s ldapSchemaR(s ldapCacertDirR(senableCacheCredsR'(senableSmartcardR'(s kerberosRealmR(s kerberosKDCR(skerberosAdminServerR(sforceSSSDUpdateR'(s enableLDAPR'(senableKerberosR'(senableLDAPAuthR'(s enableIPAv2R'(ssmartcardActionR(ssmartcardModuleR(ssmartcardActionR(ssmartcardModuleR(s enableFprintdR'(senableSmartcardR'(sforceSmartcardR'(s smbWorkgroupR(s smbServersR(ssmbRealmR(s smbSecurityR(s smbIdmapRangeR(swinbindSeparatorR(swinbindTemplateHomedirR(swinbindTemplateShellR(swinbindUseDefaultDomainR'(swinbindOfflineR'(s winbindKrb5R'(senableDBR'(senableDirectoriesR'(s enableWinbindR'(senableOdbcbindR'(s enableNIS3R'(s enableNISR'(senableLDAPbindR'(s enableLDAPR'(senableHesiodbindR'(s enableHesiodR'(s enableDBIbindR'(s enableDBbindR'(s enableCompatR'(s enableWINSR'(s enableMDNSR'(senableMyhostnameR'(s enableNIS3R'(s enableNISR'(s enableIPAv2R'(s 
enableSSSDR'(spreferDNSinHostsR'(s implicitSSSDR'(s pwqualityArgsR(s passwdqcArgsR(s faillockArgsR(senableFaillockR'(s localuserArgsR(s pamAccessArgsR(senablePAMAccessR'(s mkhomedirArgsR(senableMkHomeDirR'(s algoRoundsR(spasswordAlgorithmR(s enableShadowR'(s enableNISR'(s enableNullOkR'(sforceBrokenShadowR'(senableLDAPAuthR'(senableKerberosR'(senableSmartcardR'(sforceSmartcardR'(senableWinbindAuthR'(senableMkHomeDirR'(s enableAFSR'(senableAFSKerberosR'(senablePWQualityR'(s enableEPSR'(senableEcryptfsR'(s enableOTPR'(senablePasswdQCR'(senableLocAuthorizeR'(senableSysNetAuthR'(swinbindOfflineR'(s winbindKrb5R'(senableSSSDAuthR'(s enableFprintdR'(s pamLinkedR'(simplicitSSSDAuthR'(s systemdArgsR(suidMinR(s enableIPAv2R'(spasswordAlgorithmR(s enableShadowR'(s enableNISR'(s enableLDAPR'(senableLDAPAuthR'(senableKerberosR'(senableEcryptfsR'(senableSmartcardR'(sforceSmartcardR'(senableWinbindAuthR'(s enableWinbindR'(s winbindKrb5R'(senableDBR'(s enableHesiodR'(senablePWQualityR'(senablePasswdQCR'(senableFaillockR'(s faillockArgsR(senableLocAuthorizeR'(senablePAMAccessR'(senableCacheCredsR'(senableMkHomeDirR'(senableSysNetAuthR'(s enableFprintdR'(s enableSSSDR'(senableSSSDAuthR'(senableForceLegacyR'(s ipav2ServerR(s ipav2DomainR(s ipav2RealmR(s enableIPAv2R'(sipaDomainJoinedR'(s ipav2NoNTPR'(s nisDomainR(s enableShadowR'(s enableNISR'(senableMkHomeDirR'(s enableLDAPR'(senableLDAPAuthR'(s implicitSSSDR'(simplicitSSSDAuthR'(senableForceLegacyR'(s implicitSSSDR'(simplicitSSSDAuthR'(s enableIPAv2R'(s enableSSSDR'(senableSSSDAuthR'(senableForceLegacyR'(s enableWinbindR'(senableWinbindAuthR'(t messageCBt backupDirRRJRKR2R4RR@R[R<R\R>RNRLRMRgRYRZRXRhRiRjRkRlRmRnRRRRRRt ipaUninstallRdRcRHRzRoRpRwR_R6RtRsRyRxRvRuRrRqR{R|R}RR~RbtenableAltfilesRRR%RRRRR`RaRORRRRRRRRRRR]Rt brokenShadowRRfReRRIRRBRPRQRRRSRTRURVRWRRtjoinUsert joinPasswordRRRRRRR:t ldapCacertURLR8Rt sssdConfigt sssdDomainR^tsssdConfigPresentt SSSDConfigt new_configR=tsetttoggleFunctionsRR$ttoggleCachingServicet 
writeHesiodtwriteNISttoggleNisServicet writeLDAPt writeLibusertwriteLogindefstwritePWQualityt writeKerberost writeSSSDttoggleSSSDServicetwriteSmartcardt writeDConft writeWinbindttoggleWinbindServicetwriteNSStwritePAMtwriteSysconfigt writeNetworkt toggleShadowttoggleOddjobServicettoggleLDAPServicet save_groups(RR((s!/usr/share/authconfig/authinfo.pyR&sr                                                                                                                                                cCsZt||}||krVt||||t||krV|jj|qVndS(N(RtsetattrRtappend(RtattrR#treftoldval((s!/usr/share/authconfig/authinfo.pytsetParams  cCs>yt|}Wntk r$dSX|j|t||S(N(R(R+RR'(RRR#R((s!/usr/share/authconfig/authinfo.pyt setIntParams  cCsWyt|}Wntk r$dSX|dkrD|j|t|S|j|t|S(Ni(R(R+RR%R(RRR#R((s!/usr/share/authconfig/authinfo.pytsetClassReqParam s  cCs|js|j rtSd }d}d}d}d }x>|D]6}t|d |r<||kretS|d 7}q<q<W|d krtSd }x>|D]6}t|d |r||krtS|d 7}qqW|d krtS|jr|jrtStS(NtNIStLDAPtWinbindtHesiodtIPAv2tKerberostLDAPAutht WinbindAutht SmartcardiRi(RRRRR(RRRR(RR(RRRRR`R[R%(Rtnssalltpamallt idsupportedt authsupportedtnumtt((s!/usr/share/authconfig/authinfo.pyt sssdSupporteds2      cCsytjttj}Wntk r.tSX|jdt|j d||jdt|j d||j t S(NRJtlhsRKtrhs( tshvfileRt all_configst CFG_HESIODRR=RRR tgetValueR<R%(RRtshv((s!/usr/share/authconfig/authinfo.pyt readHesiod2s "" cCsJytttjd}Wntk r.tSXd}x|D]}|j}t|d}|r|jrt ||}q<nt|d}|r<|j dd}t |dkrq<n|d|jkrq<nt |dkrq<n|d}t|d}|r%t ||}q%q<q<W|j d |||jtS( NR*RItypserverRiiitserverRN(R5RtCFG_YPRR=RtstripRRMR$R RRRR<R%(RRtft nisserverRR#((s!/usr/share/authconfig/authinfo.pytreadNISCs6     cCssd|kr|jd}n |j}xB|D]:}ytj|j}Wq1ttjfk rjtSXq1WtS(s& Check whether LDAP URI is valid. 
R(R turlparsetportR+tsocketRRR%(RR turisturitp((s!/usr/share/authconfig/authinfo.pytvalidateLDAPURIms    cCsd|kr|jd}n |j}d}xU|D]M}|r7|rV|d7}nd|kro||7}q|d|d7}q7q7W|r|j| r|jtdn|S(NRRIs://sldap://RsInvalid LDAP URI.(R RRR(RR tvalidatetltrettitem((s!/usr/share/authconfig/authinfo.pytldapHostsToURIs|s      cCst|_ytttjd}Wntk rytttjd}Wqtk rytttjd}Wqtk ryttt jd}Wqtk rt SXqXqXnXx|D] }|j }t |d}|rt |r|jd||qnt |d}|rC|jd||qnt |d}|rq|jd||qnt |d}|r|jdt|d |qnt |d }|r|jd ||qqqW|jt|jt |_|jtS( NR*RR4thostR2RtsslR6t start_tlst nss_schemaR8(tPATH_LDAP_CACERTSR:R5Rt CFG_NSSLDAPRR=t CFG_NSLCDt CFG_PAMLDAPtCFG_LDAPRRRR*RR RRR2R<R%(RRRRR#((s!/usr/share/authconfig/authinfo.pytreadLDAPsN         cCs(y|j|SWntk r#dSXdS(NRI(tallKerberosKDCstKeyError(RRQ((s!/usr/share/authconfig/authinfo.pytgetKerberosKDCs cCs(y|j|SWntk r#dSXdS(NRI(tallKerberosAdminServersR(RRQ((s!/usr/share/authconfig/authinfo.pytgetKerberosAdminServers cCsd}i|_i|_t}ytttjd}Wntk rLtSXx |D]}|jdd}|j }|dd!dkr|dd!}d}qTn|dkrbt |d }|r|j d ||t }qTnt |d }|r"|j d t |d dk|qTnt |d}|rY|j dt |d dk|qTqYqT|dkrT|s|jdd}t|dkrqTn|d}qY|dd!dkrd}qTn|js||_t }nt |d}|rt|j|||j|(RRRR5RtCFG_KRB5RR=R RRRR%RRRR@R$RR R<RR(RRtsectiont realm_foundRRt subsectionR#((s!/usr/share/authconfig/authinfo.pyt readKerberossr       ""      )  % cCsd}ytttjd}Wntk r4tSXx|D]}|j}|dd!dkrz|dd!}d}q<n|dkr<t|d}|r|jd |j |q<qq<q<W|j t S( NRIR*iiR itdefaultst crypt_styleRO( R5Rt CFG_LIBUSERRR=RRRRR!R<R%(RRRRRRR#((s!/usr/share/authconfig/authinfo.pyt readLibusers$       cCshytttjd}Wntk r.tSXx(|D] }tj|}|dk r6|j d}|j dr{q6n|j d}|dkr|j d}n|dkrd}qnq6|dkr|dkr|j d d |q6n|d kr4|d krd }n|j d |j |q6n|dkr6|j d||q6q6W|j tS(NR*iR iiRItMD5_CRYPT_ENABtyesRORktENCRYPT_METHODtDESRitUID_MINR(R5RtCFG_LOGIN_DEFSRR=Rt ld_line_retmatchRR1RRR!R<R%(RRRRR$RR#((s!/usr/share/authconfig/authinfo.pyt readLogindefs:s8           cCsd}ytttjd}Wntk r4tSXx|D]}|jdd}|j}t|d}|r|j d||q<nt|d}|r|j d||q<nt|d }|r|j d ||q<nt|d }|r|j d ||q<nt|d }|rG|j d||q<nt|d}|ru|j d||q<nt|d}|r|j d||q<nt|d}|r<|j d||q<q<q<W|j t S(NRIR*R 
itminlenRPtminclassRQt maxrepeatRRtmaxclassrepeatRStlcreditRTtucreditRUtdcreditRVtocreditRW( R5Rt CFG_PWQUALITYRR=RR RRRRR<R%(RRRRRR#((s!/usr/share/authconfig/authinfo.pyt readPWQuality\sT     c Cs%|js tStj|_y$|jjttjt|_Wn6ttj fk rxtj|_|jj nXy|jj t }|_ Wntjk ruy|jjd}Wn=tk ry|jjd}Wqtk rtSXnX|jj |}y|jd}Wntjk rAd}nXy|jd}Wqvtjk rqd}qvXnXxtD]\}}y}|j|}|dkrdj|jd}n0|dkr|dkrw}n|d krw}n|j|||Wq}tjk rq}Xq}WdS( Nit id_providert auth_providerR3R RR9trfc2307RD(RR%Rt import_configRtCFG_SSSDRRR=t ParsingErrorRt get_domaintSSSD_AUTHCONFIG_DOMAINRt NoDomainErrortlist_active_domainst IndexErrort list_domainst get_optiont NoOptionErrorRt sssd_optionsRR R( RRRtdomnametidprovtauthprovRtoptR((s!/usr/share/authconfig/authinfo.pytreadSSSDsP        cCst}tdg}|dkr.d|_tS|jd|d|tdg}|dkrdtSx#|D]}d|krkt}qkqkW|r|jdtd|n|jdtd |tS( Nt use_moduleRIRdit rm_actions lockhelper.shRcRR(RRRRdRR%R(RRtlocktsmartcardmodulet rmactionstaction((s!/usr/share/authconfig/authinfo.pyt readSmartcards       cCsd}d}ytttjd}Wntk r:|SXx|D]}|j}t|driqBnt|dr~qBnt|d}|r|jddj }qBn| sB|dkrqBnt ||}|rB|}qBqBW|j |S( NRIR*R t;R t]itglobal( R5RtCFG_SMBRR=RR RR R!RVR<(RRtresultRRRR#tres((s!/usr/share/authconfig/authinfo.pytreadWinbindGlobals.     cCsT|j|}|rP|jdksE|jdksE|dkrItStSndS(NRRRF(RQR!R%RR(RRttmp((s!/usr/share/authconfig/authinfo.pytreadWinbindGlobalBools 0cCs|jd}|r+|jd||n|jd}|rV|jd||n|jd}|r|jd||n|jd}|r|jd||n|jsd |_n|jd }|r|jd ||n|jsd |_n|jd }|r,|jd||n|jd}|rW|jd||n|jd}|r|jd||n|jsd|_n|jd}|dkr|jd||n|jd}|dkr|jd||ntS(Nt workgroupRgspassword serverRZRQRYtsecurityRXtusersidmap config * : rangeRhs16777216-33554431swinbind separatorRistemplate homedirRjstemplate shellRks /bin/falseswinbind use default domainRlswinbind offline logonRm(RQRRXRhRkRSRR%(RRRR((s!/usr/share/authconfig/authinfo.pyt readWinbindsJ        c Cs]d}d}ytttjd}Wntk r:tSXxM|D]E}|j}t|d}|rr|}qBt|d}|rit|dr|j dt |nt|dr|j dt |nt|d r|j d t |nt|d }|dkr#t|d}nt|d }|dkr|dkr|j d ||k|qqBt|d}|rB|}qBqBW|rOd#d$d%d&d'd(d)d*d+f } x=| D]5\} } t|| r|j d | t |qqW|r*t|d!r*t|d! 
r*|j j d"n|j d"tt|d!|n|jt S(,NRIR*spasswd:shosts:twinsR{smdns4_minimal [NOTFOUND=return]R|t myhostnameR}tnistdnsRs initgroups:tCompattcompattDBtdbt Directoriest directoriesRthesiodRRRtAltfilestaltfilestNIS3tnisplusRRRR}RI(R\R](R^R_(R`Ra(sHesiodshesiod(sLDAPR(sNISRZ(RcRd(ReRf(sWinbindR(R5Rt CFG_NSSWITCHRR=RRRR3RR%RRRtboolR<( RRt nssconfigt initgroupsRRR#tnispostdnspostnssmapRtnssentry((s!/usr/share/authconfig/authinfo.pytreadNSS sR        %% cCs|jdt|tS(NRH(RR"R%(RR((s!/usr/share/authconfig/authinfo.pyR"WscCsytttjd}WnAtk r]yttdtd}Wq^tk rYtSXnX|j|||j yttt jd}WnAtk ryttdt d}Wqtk rt SXnX|j|||j t S(NR*s/pam.d/( R5RtCFG_PAMRR=t SYSCONFDIRtAUTH_PAM_SERVICERt readPAMFileR<tCFG_POSTLOGIN_PAMtPOSTLOGIN_PAM_SERVICER%(RRR((s!/usr/share/authconfig/authinfo.pytreadPAM\s&        c Cs"d}x||D]t}|jdd}t|dkrD|d}n|j}|ddkrx||d d7}q n||}d}|j}d}|jdd}t|dkrq n|\}}|d kr|d kr|d kr|d krq n|jd r*|jdd}n|jdd}t|dkrTq n|ddkrjq n|d}|jd r|d7}n|d}|jdd}t|dkrq n|djdd\} t|dkr|d}n| jds| jdrP|jdt||r |jd||q q n| jdrx|jdt|q n| jdr|jdt|q n| jdr|jdt|q n| jdr%|jdt|d|kr |jdt|q |jdt|q n| jdrM|jd t|q n| jd!r|jd"t||r |jd#||q q n| jd$r|jd%t||jd&|j d'dk|q n| jd(r|jd)t|q n| jd*rG|jd+t||r |jd,||q q n| jd-se| jd.r|jd/t||r ||_ q q n| jd0r|jd1t||r |jd2||q q n| jd3r|r |jd4||q q n|d kr| jd5rx9t D]1} |j | dkr'|jd6| |q'q'WyP|j d7} || d8jdd} |jd9t t| d|Wnttfk rnXy$tjd:|jd;t|Wqtk r|jd;t|qXqn|d kr| jd5rW|jd<|j d=dk|n| jd>r|jd?t||r d@|kr |jd@dj}|jdA||q q qn|d kr| jd5r|jdB|j dCdk|qn|d ks|d kr | jdDrtj|} | dkr~| jddkr~|jdE| jd|q~qq q W|jr|jr|jd"t|n|j r|j r|jdt|n|jr|j r|j r|j r|j r|j rt|_!ndS(FNRIR iiis\R iRnRoRqRpR RLtincludeRt pam_cracklibt pam_pwqualityRRt pam_ecryptfsRtpam_krb5R`tpam_ldapRat pam_pkcs11R]tauthinfo_unavailRft pam_fprintdRet pam_passwdqcRRt pam_winbindRRnt krb5_authtpam_sssRt pam_accessRRt pam_mkhomedirtpam_oddjob_mkhomedirRt pam_localuserRRt pam_systemdRtpam_unixROsrounds=iRs /etc/shadowRRtnullokt pam_faillockRRRRt broken_shadowtpam_succeed_ifR("R RR RRRRR%RR-Rtpassword_algorithmsRR'R(R+R:R4RR;RRt 
succ_if_reR$R1RRRRaR`RRR]R(RRRtprevlineRRtargststacktcontroltmoduletalgotridxtroundsR$((s!/usr/share/authconfig/authinfo.pyRsws           "   '   %  (!)cCsSy;tjttj}y|jd|_Wntk rBnXy|jd|_Wntk rlnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk rnXy|jd|_ Wntk r>nXy(|jd|_|jd |_Wntk rznXy|jd |_Wntk rnXy|jd |_Wntk rnXy|jd |_Wntk rnXy|jd |_Wntk r"nXy|jd|_Wntk rLnXy|jd|_Wntk rvnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rHnXy.|jd}|rmd|_n d|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_Wntk rnXy|jd|_ Wntk r2nXy|jd|_!Wntk r\nXy|jd|_"Wntk rnXy|jd|_#Wntk rnXy|jd|_$Wntk rnXy|jd |_%Wntk rnXy|jd!|_&Wntk r.nXy|jd"|_'Wntk rXnXy|jd#|_(Wntk rnXy|jd$|_)Wntk rnXy|jd%|_*Wntk rnXy|jd&|_+Wntk rnXy|jd'|_,Wntk r*nXy|jd(|_-Wntk rTnXy|jd)|_.Wntk r~nXy|jd*|_/Wntk rnXy|jd+|_0Wntk rnX|jd,|_1|jd-|_2|jd.|_3|jd/}|t4kr0||_n|j5Wnt6k rNnXt7S(0NtUSEAFStUSEAFSKERBEROStUSEDBt USEPWQUALITYt USEDBBINDt USEDBIBINDtUSEDIRECTORIESt USEFAILLOCKt FAILLOCKARGSt USEECRYPTFStUSEEPSt USEHESIODt USEHESIODBINDt USEKERBEROStUSELDAPt USELDAPAUTHt USESMARTCARDt USEFPRINTDtFORCESMARTCARDt USELDAPBINDtUSEMD5RkRitUSENISt USENISPLUSt USEODBCBINDtUSEOTPt USEPASSWDQCt USESHADOWt USEWINBINDtUSEWINBINDAUTHt WINBINDKRB5tUSESSSDt USESSSDAUTHtUSELOCAUTHORIZEt USEPAMACCESSt USEMKHOMEDIRt USESYSNETAUTHt FORCELEGACYtCACHECREDENTIALStUSEIPAV2tIPADOMAINJOINEDt IPAV2NONTPt IPAV2SERVERt IPAV2DOMAINt IPAV2REALMtPASSWDALGORITHM(8RRRtCFG_AUTHCONFIGRt getBoolValueRR+RRoRRyRxRpRRRRRRwRvR`R_RaR]ReRfRuRORtt enableNISP3RrRRRRqRRnR~RRRRRRRBRbRRRRRRR<R=R%(RRt enableMD5R((s!/usr/share/authconfig/authinfo.pyt readSysconfig s`                                             cCsytjttj}Wntk r.tSX|jd}|rP||_n|j |jr||j d|j|nt S(Nt NISDOMAINRL( RRRt CFG_NETWORKRR=RRRMR<RR%(RRRRR((s!/usr/share/authconfig/authinfo.pyt readNetwork s    cCsh|j}t|j|ks6t|j|kr:tSx'|jD]}|j||rDtSqDWtS(N(RRhRIRR%RRR(RR't sssdsupportedR1((s!/usr/share/authconfig/authinfo.pytdiffers s *cCst|j|_t|j|_t|j|_t|j|_|j|j||_|jdkr|jr|jj |_qn|j j |_ |j dkrt|_ 
n|jdkrd|_ndS(NtadsRI(RRZRR<R>RR2RXRYtupperROR!RBRR%R@(RR((s!/usr/share/authconfig/authinfo.pytupdate s  cCs|j}|j|j||j||j||j}|jr| r|j r|jdt |t |_n|j r| r|j r|jdt |t |_ n|j ||j ||j||j||j||j||j r-|j r-|j|n|j||j||jsY|j ri|j|n|j||j||jdS(NR~R(tcopyRRoRRvRRIRbRR%RRR%R/RRWRRRCRRRJR"R(RRtreallyimplicit((s!/usr/share/authconfig/authinfo.pyR s6                  cCs%tj|}d|_d|_|S(NRI(RRR(RR((s!/usr/share/authconfig/authinfo.pyR& s  cCs/ttj|jt|jo'|j tS(N(Rt CFG_CACHERRR$RHRIR%(R((s!/usr/share/authconfig/authinfo.pyR$, scCsttj|jytjttj}Wntk rBtSX|j d|j |j d|j |j d|j tS(NRRi(RRRRRtrcreateRR=RtsetValueRJRKRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR1 s   c Cst}d}d}ttj|jztttjd}x|jD]}|j }t |d}|r}|j dd}t |dkrqIn|d|j kr|d|jkr||7}qIn| r|j r|d|j 7}|jj d}|jr'|d7}||d7}n |d 7}|d 7}|d}x)|D]!}|rL|d |d 7}qLqLWt}qqIt|d r| r|j r|jr|jj d}x)|D]!}|r|d |d 7}qqWt}qqI||7}qIW|s|jj d}|j rv|d|j 7}|dr_|d7}||d7}|d}n |d 7}|d 7}nx,|D]!}|r}|d |d 7}q}q}Wn|j|j||jWdy|r|jnWntk rnXXtS( NRIiRiisdomain Rs server s broadcasts s ypserver R(RRRRRRRRRRRR RRLRMRNR%R R RR R<R=( RtwrittenRRKRtlsR#tserversR ((s!/usr/share/authconfig/authinfo.pyR@ sv &                    cCst}t} t} t} t} t} d}d}|jr`|jdkr`|jdkr`d}nd}zt|d}xJ|jD]?}|j}t||r| r|jr||d7}|dj|jj d7}|d 7}t } qqt||r"|jr|d |7}qqt ||rr| r|j r||d7}||j 7}|d 7}t }qq|rt|d r| s|d 7}|j r|d 7}n |d7}|d 7}t } qq|rt|dr| r|jr|d7}||j7}|d 7}t } qqt|drx| s|rG|d7}n |d7}|d|j7}|d 7}t } qq|rt|dr| s|d|7}|d 7}t } qq||7}qW| r|jr||d7}|dj|jj d7}|d 7}n| rG|j rG||d7}||j 7}|d 7}n|r| r|d 7}|j rt|d 7}n |d7}|d 7}n|r| r|jr|d7}||j7}|d 7}n| s|r|d7}n |d7}|d|j7}|d 7}n|r.| r.|d|7}|d 7}n|j|j||jWdy|ri|jnWntk r}nXXt S(NRIRiRjRktcryptiR Rs R Rsssl RtnoRs nss_schema t tls_cacertdirt TLS_CACERTDIRt pam_passwords pam_password (RRRORRRR R2RR R%R+R4R6R8R"R:R RR R<R=(RR>RRRt writepadlt writeschematwritepamt wrotebasednt wroteservertwrotesslt wroteschemat wrotepasstwrotecacertdirRRKtpassalgoRR((s!/usr/share/authconfig/authinfo.pyt writeLDAP2 s                                            cCstjjttjrVttj|j|jttjdddt t t 
ntjjtt jrtt j|j|jtt jdddt t t ntjjtt jrtt j|j|jtt jdddt t t ntjjtt jrXtt j|j|jtt jdddt t t nttj|j|jttjdddt t t }|S(NRRRtURItHOSTtBASE(R4RRRRRRRRR%RRRRt CFG_OPENLDAP(RR((s!/usr/share/authconfig/authinfo.pyR s(cCsRd}|jdkr|dS|jdks;|jdkrF||jS|dSdS(Nscrypt_style = RkRlRmtdes(RO(RR((s!/usr/share/authconfig/authinfo.pyt cryptStyle s  cCst}t}d}d}d}ttj|jzDtttjd}x|jD]}|j }|dkrt |dr||j d7}t }qUnt |dr|dkr| r||j d7}t }n|dj ddd }|dkrt }qn||7}qUW|sT|d 7}||j d7}t }t }n|j|j||jWdy|r|jnWntk rnXXt S( NRIiRRs R iRLis [defaults] (RRRRRRRRRRR RR%R R RR R<R=(Rtwrotecryptstylet wrotedefaultsRRRKRR((s!/usr/share/authconfig/authinfo.pyR* sH         c Cst}t}d}d}d}ttj|j|jdkrJd}nd}|jdksn|jdkrwd}nd|jjd }z^tttj d }x|j D]}t j |} | dk rE| j d } | jd r||7}qn| j d } | dkr-| j d} n| dkrRd} qRn ||7}q| dkrt||7}t}qn| dkr||7}t}qn||7}qW|s||7}n|s||7}n|j|j||jWdy|r|jnWntk rnXXtS(NRIRksMD5_CRYPT_ENAB yes sMD5_CRYPT_ENAB no RiRjsENCRYPT_METHOD DES sENCRYPT_METHOD s iiR iiRR(RRRR"RRRORRRRR#R$R1RR%R RR R<R=( Rt wrotemd5crypttwroteencmethodRRRKtmd5cryptt encmethodRR$RR#((s!/usr/share/authconfig/authinfo.pyR_ sd                 cCs|jd}t|dkr3|jd}nt|dkryat|d}|dkrh|S|r|dkr|ddS| r|dkr|ddSWqtk rqXn|rd}nd}|dd |S( NRiR is = -1s = 0s-1RGs = (R RR(RR+(RRR#RR((s!/usr/share/authconfig/authinfo.pytformatClassReqParam s$    c Cst}t}t}t}t}t}t}t}d} d} ttj|jzjtttjd} x| jD]} | j ddj } t | dr|ss| d|j d7} t }qsqsnt | dr|ss| d |jd7} t }qsqsnt | d r=|ss| d |jd7} t }qsqsnt | d rv|ss| d |jd7} t }qsqsnt | dr|ss| |j| |jd7} t }qsqsnt | dr|ss| |j| |jd7} t }qsqsnt | dr9|ss| |j| |jd7} t }qsqsnt | drz|ss| |j| |jd7} t }qsqsn| | 7} qsW|s| d|j d7} n|s| d |jd7} n|s| d |jd7} n|s| d |jd7} n|s&| |jd|jd7} n|sL| |jd|jd7} n|sr| |jd|jd7} n|s| |jd|jd7} n| j| j| | jWdy| r| jnWntk rnXXt S(NRIiR iR&s minlen = s R's minclass = R(s maxrepeat = R)smaxclassrepeat = R*R+R,R-(RRRR.RRRRRR RR RPR%RQRRRSRRTRURVRWR RR R<R=( Rt wroteminlent wroteminclasstwrotemaxrepeattwrotemaxclassrepeatt wrotereqlowert wroterequppert wrotereqdigitt 
wrotereqotherRRKRR((s!/usr/share/authconfig/authinfo.pyR s               c'Cs t}t}t}t}t}t}t}t}t} t} t} t} t} t}t}tjttj }d}d}d}d}ttj|j |j r|j r|j }n?|j s|j r|jdkr|jr|j}n |j }|j |jkrt}nze tttjd}x,|jD]!}|j}t|dtrq|s7t}qqq7n|dkr|r||j krt|dr|s7|jr|t|j7}nt}q7q7n|dkrH|jdkrH|rH||jkrHt|drH|s7|jr9|t|j7}nt}q7q7n|dkr|r||j krt|dr|s7|jr|t|j7}nt}q7q7n|dkrB| rB|jdd}t|dkr||7}q7n|d }|j r||j krt}n|jrB||jkrBt}qBn|dkr|rt|d r|j r||j kr|s|t|j7}t}n|s|t|j7}t}qn|jr||jkr|s|t|j7}t}qnd}n|d kr]t|d r]|r7| r7|d 7}||7}|d7}t} q7q7n|d krt|dr| s7|d7}|tt|jj 7}|d7}t} q7q7n|d kr#t|dr#| s7|d7}|tt|j!j 7}|d7}t} q7q7n|dkr|j rt||j j slt|d|j j r||7}t} q7nt|drN|s|dtd7}t}n|dkr|j r| r|t"|j |j|j7}t}n|dkr7|jr7| r7|t"|j|jd7}t}n|d kr|rw| rw|d 7}||7}|d7}t} n|jdkr| r|d7}|tt|jj 7}|d7}t} n|j!dkr| r|d7}|tt|j!j 7}|d7}t} qn|dkr|j r| r|d|j j 7}|d|j 7}|d7}|d|j j 7}|d|j 7}|d7}t} qn|r|dkrt}q|d krt} q|dkrt}qn|djddd }|dkr!t}qN|d kr6t}qN|dkrNt}qNn||7}q7W| s> |su|d7}n|r| r|d 7}||7}|d7}n|jdkr| r|d7}|tt|jj 7}|d7}n|j!dkr> | r> |d7}|tt|j!j 7}|d7}q> n| r |j sW |jr |sj |d7}n|s |t"|j |j|j7}n|s |t"|j|jd7}q n| rW |j rW |s |d7}n|j rW | rW |d|j j 7}|d|j 7}|d7}|d|j j 7}|d|j 7}|d7}qW n|j#|j$||j%Wdy|r |j&nWnt'k r nXXtS(NRIRis includedir RRLRiiRR R s default_realm = s Rs dns_lookup_realm = Rs dns_lookup_kdc = t domain_realmRR R s = s .RLs[libdefaults] s [realms] s[domain_realm] ((RR4RtPATH_KRB5_INCLUDEDIRtR_OKRRRRRR`R@RqRRXRYR%RRRRR R<RMRZR>RPR RR'RhR[R!R\RRR RR R<R=(Rt wroterealmtwrotekdct wroteadmint wrotesmbrealmt wrotesmbkdct wroterealmstwrotelibdefaultst wroterealms2twrotelibdefaults2twrotedefaultrealmt wrotednsrealmt wrotednskdctwroteourdomrealmt wrotedomrealmtwrotedomrealm2t wroteincdirRRRRKt defaultrealmRRR#((s!/usr/share/authconfig/authinfo.pyR s  !     !  !  !      !               
-                                            "     cCssy|j|d}Wntjk r3d}nX||kro|dkr\|j|n|j||ndS(Nt _provider(R<RR=Rtremove_providert add_provider(RRt newprovidertsubtypetprov((s!/usr/share/authconfig/authinfo.pytchangeProvider s   cCs |js tS|j r%|j r%tSy|jjd}Wn&tjk rc|jjd}nX|jr|j r|j dkr|j ddn(y|j dWntj k rnX|jj||ry|jjttjWqtk rqXntS(Ntpamtsssdt pam_cert_authR%(RR%RRIt get_serviceRtNoServiceErrort new_serviceR]RRdt set_optiont remove_optionR=t save_serviceRRR4RR=(Rt write_configR((s!/usr/share/authconfig/authinfo.pyt writeSSSDPAM s* ! cCs|js tSttj|j|jt|jr;tS|j s|j sQtSy|jj t |_ Wqt jk r|jjt |_ qXn|j }y|jjdWn$t jk r|jjdnX|jjdt}|jr+t}|j|dd|j|ddn|jr]|j|dd|j|ddn2|jr|j|dd|j|ddnxtD]\}}yt||}|dkrt|}nt|tkr|j||nHt|tkr/|r|j||q<|j|n |j|Wqt j k rSqXqW|jj!||r|jj"|j#n|jj$|j#y|jj%ttj&Wnt'k rnXtS(NtautofsRtidRxRntchpassR3((RR%RR4RRR$RRbRRIt new_domainR7RtDomainAlreadyExistsErrorR6RRRtactivate_serviceR_RR`RaR>RRttypeRhR R'R!R=t save_domaintactivate_domaintget_nametdeactivate_domainRRR=(RRtactivateRtoptionR((s!/usr/share/authconfig/authinfo.pyR1 sj           cCs|jdkrtSttj|jd}d}d}|jtdkrk|d7}|d7}d}nt d|jd|d |gtS( Ns/usr/sbin/gdm-safe-restarttnoneRs ,/etc/pkcs11/lockhelper.sh -locks&,/etc/pkcs11/lockhelper.sh -deactivatet lock_screens use_module=s ins_action=s rm_action=( RdRR%RtCFG_PAM_PKCS11RRRcRR(RtinsacttrmactRF((s!/usr/share/authconfig/authinfo.pyRw s    c Cs0d}d}d}ttj|jttj|jtjjttj }tjj |s|j r~tj |qt Sndtjdd}d}|j s|j r||7}d}||7}d}|d7}|d7}n|j r6|jr6||7}d}||7}d}|d7}|d 7}n|j s[|j r|jr|jr||7}d}||7}d}|d 7}|d 7}nd }|jtd kr||7}d}||7}d}|d7}|d7}nytjttj Wntk rnXytjttj Wntk r;nX|dkrz;tttj d}|j|j||jWdy|r|jnWntk rnXXz;tttj d}|j|j||jWdy|r|jnWntk rnXXntjdt S(NRIs# Generated by authconfig on s%Y/%m/%d %H:%M:%Ss s [org/gnome/login-screen] s&enable-smartcard-authentication=false s7/org/gnome/login-screen/enable-smartcard-authentications%enable-password-authentication=false s7/org/gnome/login-screen/enable-password-authentication s(enable-fingerprint-authentication=false 
s:/org/gnome/login-screen/enable-fingerprint-authentication s3 [org/gnome/settings-daemon/peripherals/smartcard] Rsremoval-action='lock-screen' s1/org/gnome/settings-daemon/peripherals/smartcard is dconf update(RRt CFG_DCONFRRtCFG_DCONF_LOCKSR4RtdirnameRRR]tmakedirsR%ttimetstrftimeRdRfReRcRR)R;RR RR R<R=R(RRRKtlockstlocksdirtheadert groupHeader((s!/usr/share/authconfig/authinfo.pyR s         %                  cCsod}|d7}|dtjdd7}|d7}|d7}|d7}|jrv|d7}||j7}|d7}n|jr|d7}||jjd d 7}|d7}n|jr|d 7}||j7}|d7}n|jr |d 7}||j7}|d7}n|jr6|d 7}||j7}|d7}n|jrc|d7}||j7}|d7}n|j r|d7}||j 7}|d7}n|j r|d7}||j 7}|d7}n|j r|d7}|d7}n|d7}|d7}|d7}|t t |jj7}|d7}|d7}|t t |jj7}|d7}|d7}|d7}|S(Ns#--authconfig--start-line-- s s# Generated by authconfig on s%Y/%m/%d %H:%M:%SsF# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--) sE# Any modification may be deleted or altered by authconfig in future s workgroup = s password server = RR s realm = s security = s idmap config * : range = s winbind separator = s template homedir = s template shell = s' kerberos method = secrets and keytabs! 
kerberos method = secrets onlys winbind use default domain = s winbind offline logon = s#--authconfig--end-line-- (R;R<RgRZRRYRXRhRiRjRkRnR'RhRlR!Rm(RRK((s!/usr/share/authconfig/authinfo.pyt paramsWinbind sh                                              cCs>d}x'|D]}t||r d}Pq q W||7}|S(NRIRK(RV(RRRRRKRB((s!/usr/share/authconfig/authinfo.pytcheckLineWinbinds  c Cs$t}t}d}ttj|jdddddddd d d d d ddg}d}d}ztttjd}x.|jD]#}|j }|rt |drt}qqnt |drt }qnt |dst |dr||7}qnt |d} | rsd| krs| j ddj}||7}|dkr||j7}t }qqn|dkr||j|||7}qn||7}qW|s|d7}||j7}n|j|j||jWdy|r |jnWntk rnXXt S(NRIRTspassword serverRQRUs domain logonss domain masters idmap uids idmap gidswinbind separatorstemplate homedirstemplate shellswinbind use default domainswinbind offline logonskerberos methodis#--authconfig--end-line--s#--authconfig--start-line--RKR R RLiRMs [global] (RRRNRRRRRRRR R%RR R!RARBR RR R<R=( Rt authsectiontwroteauthsectionRRRRKRRR#((s!/usr/share/authconfig/authinfo.pyR(sb              c Csd}d}d}t}t}t}t}t}t} t} t} d} d} ttj|jztttjd} |jr|d7}n|d7}|j r|d7}n|}|j r|d7}n|j r|d7}n|j r|d7}n|j r|d 7}n|js*|js*|jrA|d 7}|d 7}n|jrW|d 7}n|jrw|j rw|d 7}n|jr|d 7}n|jr|d7}n|jr|d7}n|jr|d7}n|}|jr|jdd}n|}|jr|d7}ntjttjs`|jrK|jrK|jdd}q`|jd d}n|d7}|jr|d7}n|jr|d7}n|j r|d7}n|j r|d7}n|j r|d 7}n|js|d7}n|j!r|d7}nx| j"D] }|j#}t$|dr_|s| d7} | |7} | d7} t%}qqt$|dr|s| d7} | |7} | d7} t%}qqt$|dr|s| d 7} | |7} | d7} t%}qqt$|d!r| s| d"7} | |7} t%} qqt$|d#rQ|s| d$7} | |7} | d7} t%}qqt$|d%r|s| d&7} | |7} | d7} t%}qqt$|d'r| s| d(7} | |7} | d7} t%} qqt$|d)r| s| d*7} | |7} | d7} t%} qq| |7} qW|sC| d7} | |7} | d7} n|sj| d7} | |7} | d7} n|s| d 7} | |7} | d7} n|s| d$7} | |7} | d7} n|s| d&7} | |7} | d7} n| s| d(7} | |7} | d7} n| s-| d*7} | |7} | d7} n| j&| j'| | j(Wdy| rh| j)nWnt*k r|nXXt%S(+NRIis dbs filess altfiless directoriess odbcbinds nispluss niss ssss ldapbinds ldaps hesiodbinds hesiods dbibinds dbbindtfilesR]s winbindR}Rs mdns4_minimal [NOTFOUND=return]s dnss winss myhostnamespasswd:s passwd: s sshadow:s shadow: sgroup:s group: s 
initgroups:R s netgroup:s netgroup: s automount:s automount: shosts:s hosts: s services:s services: (+RRRRgRRRRRoRRpRrRsRtR~RIRbRuR_RvRwRxRyRzRRqR4RtPATH_LIBSSS_AUTOFSRR|RR{R}RRR R%R RR R<R=(Rtuserstnormalthostst wrotepasswdt wrotegroupt wroteshadowt wrotenetgrouptwroteautomountt wrotehoststwroteinitgroupst wroteservicesRRKtservicestnetgroupRR((s!/usr/share/authconfig/authinfo.pyRps:                                                                                                    c Csft|t}|t}|t}d}|rX|rXd}|dkr|dkr|r|jrjt}nt}djt}q|jrt }qn|dkr|dkr|j rt }qt }n|dkr]|dkr|t kr|jrZt}qZq]|dks|dkr]|jdkrZ|td} |j| d |dkr>|t1kr>|j2d#d$}n|rX|d|7}qXn|d%7}|S(&NRIRwRnR RxRoRviiR|Rs %s/pam_%s.sotoddjob_mkhomedirRt-s%-12s%-13s pam_%s.sos_Authentication module %s/pam_%s.so is missing. Authentication process might not work correctly.RRR{RR}t forward_passRRqs cached_logins# krb5_auth krb5_ccache_type=KEYRINGRis rounds=s shadows niss nulloks broken_shadowRtR`Ras (3t pam_stackstSTACKtLOGICtNAMER`tLOGIC_FORCE_PKCS11_KRB5tLOGIC_FORCE_PKCS11Rtargv_force_pkcs11_authtLOGIC_PKCS11_KRB5R]tLOGIC_IGNORE_AUTH_ERRtLOGIC_IGNORE_UNKNOWNtLOGIC_SKIPNEXTtLOGIC_SKIPNEXT3RRtARGVRRRbRttLOGIC_SUFFICIENTR4RtAUTH_MODULE_DIRtX_OKRtmodule_missingRRR%RRRRRRtargv_sssd_missing_nameRmRnRORRRRRaRRtLOGIC_SKIPNEXT_ON_FAILURER( RRt forcescardtwarnRtlogicRRKRtargv((s!/usr/share/authconfig/authinfo.pytformatPAMModule4s              !                   3 !             
!$ cCstjj|}tjj|}|r1| s>|r| rytj|Wntk rbnXytj||Wqtk rqXndS(N(R4RRtislinkR)R;tsymlink(RRRRR((s!/usr/share/authconfig/authinfo.pytlinkPAMServices  cCs}xvtttttgD]_}td|}tjj|}tjj |}|r[| sh|r| rt |_ dSqWdS(Ns/pam.d/( RrRutPASSWORD_AUTH_PAM_SERVICEtFINGERPRINT_AUTH_PAM_SERVICEtSMARTCARD_AUTH_PAM_SERVICERqR4RRRoRR(RRRR((s!/usr/share/authconfig/authinfo.pytcheckPAMLinkeds  cUCs[d}d}t|j|jztt|jd}|d7}|d7}|d7}|d7}|j}|j}|j} t } |t krt } n|t krt } n|t krt }t }n|jo|jdk} g} xt|D]} | r| t| tkr|d7}n| } | ts|jrF| td ks|jr_| td ks|jrx| td ks|jr| td ks|jr| td ks|jr| tdks|jr|j r| tdkr| ttk s|jrF|rF| tdkr&| ttks| tdkrF| ttks|jri|j ri| tdks|r| r| tdkr| tt ks|r| r| ttkr| tdkr| t!t"ks|r| r| tdks|r| r|r| tdks|r.|r.| tdks| rD| tdks|j#r]| tdks|j$rv| tdks|j%r| tdks|js|js|j&r| tdkr| tt ks|js|js|j&r9|j' r9| tdks)| tdkr9| t!t(kr9|j) r9| ttks|j*rb| tdkrb| tt+ks|j,r{| tdks|j-r| tdks|j) r| ttkr| tdkr| t!t.kr||j/| || 7}qqW|j0|j1||j2Wdy|r)|j3nWnt4k r=nXX|j5|t6d|t S(NRIis #%PAM-1.0 s# This file is auto-generated. s/# User changes will be destroyed the next time sauthconfig is run. 
Rs R~safs.krbRRtRtepsRxRyRR}RvRwRRzRRRR{RRs/pam.d/(7RRRRRRRfR]ReRtSTANDARDR%t FINGERPRINTt SMARTCARDRRdt pam_modulesRXt MANDATORYRRZRRRRRR`RRctargv_krb5_sc_authtAUTHRaRhRYRaRRRRbRtRiRRtACCOUNTRRtLOGIC_REQUISITERnR RR R<R=RqRq(RRtcfgt cfg_basenametcfg_linkRRKRfR]ReRktuse_sssd_smartcard_supportt prevmoduleR((s!/usr/share/authconfig/authinfo.pytwritePAMServices               #  #, #;*)     cCs{i|_|jtttt|jtttt |jt t t t |jtttt|jtttttS(N(RgRRwRptAUTH_PAM_SERVICE_ACRrt POSTLOGINRttPOSTLOGIN_PAM_SERVICE_ACRut PASSWORD_ONLYtCFG_PASSWORD_PAMtPASSWORD_AUTH_PAM_SERVICE_ACRrRxtCFG_FINGERPRINT_PAMtFINGERPRINT_AUTH_PAM_SERVICE_ACRsRytCFG_SMARTCARD_PAMtSMARTCARD_AUTH_PAM_SERVICE_ACRtR%(R((s!/usr/share/authconfig/authinfo.pyRs cCsttj|jytjttj}Wntk rBtSX|j d|j |j d|j |j d|j |j d|j|j d|j|j d|j|j d|j|j d|j|j d |j|j d |j|j d |j|j d |j|j d |j|j d|j|j d|j|j d|j|j d|j|j d|j|j dd|j d|j|j d|j|j d|j |j d|j!|j d|j"|j d|j#|j d|j$|j d|j%|j d|j&|j d|j'|j d|j(|j d|j)|j d |j*|j d!|j+|j d"|j,|j-d#|j.t/S($NRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRi(0RRRRRRRR=Rt setBoolValueRRRRRoRwR_RtRRRqRnR~R`RaR]RfReRORRRRRRRRRRBRbRRRRRRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR sT   cCsqttj|jytjttj}Wntk rBtSX|j d|j |j d|j t S(NRi(RRRRRRRR=RRRLRR<R%(RR((s!/usr/share/authconfig/authinfo.pyR:s   cCs|j}|j|_|_|j rY|j rY|jrY| rY|jjdqYnt}t|dkr|j |kr|d|_ n|j r|j rt |_ t |_ndS(NR^i(RIRRR~RRRRRRdRRbRR%R(Rt oldimplicittmodules((s!/usr/share/authconfig/authinfo.pytprewriteUpdateHs  ! 
cCsd|jt|j|jtdy|j}|oF|j}|oX|j}|jry|os|j }n|j s|j r|o|j }n|j s|jr|jdkr|o|j}n|jr|o|j}n|jr|o |j}n|js$|jr9|o3|j}n|jsK|jr`|oZ|j}n!|jr|o{|jt}n|o|j}|o|j}|o|j}|o|j}|o|j }|o|j!}Wn<t"t#fk r,t$j%j&t't$j(ddt)SXx0|j*D]%}|j+r7|j,j-|j+q7q7W|S(Ns/lastRis (.RR%Rt setupBackuptPATH_CONFIG_BACKUPSRRR$RwRR_RaRR`RRXRR]RRtRRqRRIRRRR$RRRRRRR;R=RRRR'texc_infoRRRRtadd(RRR1((s!/usr/share/authconfig/authinfo.pyRVsL         $ cCs|j|jt|j|jtdt}yjxc|jD]X}|j||rE|jr{|ou|j}n|j r|j j |j qqEqEWWn<t t fk rtjjttjddtSX|S(Ns/lastis (RuRR%RRRRRRRRRR;R=RRRR'RR(RRRR1((s!/usr/share/authconfig/authinfo.pyt writeChangeds      !$cCsd}d}g}g}tjdgtjdgtjdgtjdgg}tj}|sddS|jds|d7}n||jd}d|}tj|tjtj}xJ|D]B}|j tjkr|j j j d|_ t||_qqWd|}tj|tjtj}|sXd|}tj|tjtj}nx?|D]7}|j tjkr_|j j|_|jrPqq_q_W|jrd|j}tj|tjtj}x|D]{}|j tjkr|j j j d}|j jr"|d |j j7}n|jrA|jd |7_qM||_qqWd |j}tj|tjtj}x|D]{}|j tjkr|j j j d}|j jr|d |j j7}n|jr|jd |7_q||_qqWnx|D]}|d |}tj||d tj}xV|D]N}|j tjkr@|j|kr@d|d |_|j d|_Pq@q@Wq WdS(NRIthstnsRs _ldap._tcps _kerberos.t _kerbeross_kerberos._udp.R,Rs_kerberos-adm._udp.ii(t dnsclienttDNS_C_INtDNS_C_HSRtgetfqdntendswithR-Rt DNS_T_SRVtdns_typetrdataRR R2RR4t DNS_T_TXTtdataR@RR<R>t DNS_T_SOAtdns_nameRJRK(RthostnametqnametresultsRORbRth((s!/usr/share/authconfig/authinfo.pytprobesx                       c Csdt|jGHdGHdt|jGHdt|jGHdt|jGHd|jGHd|jGHdt|jGHd t|jGHd |j GHd |j GHd t|j GHd |j GHd|j GHdt|jGHdt|jGHd|jGHd|jGHd|jGHd|jGHd|jGHd|jGHdt|jGHdt|jGHdt|jGHdt|jGHdt|jGHdGHdt|jGHd|jGHdt|jGHd |jGHd!t|jGHd"|j GHd#t|j!GHd$|j"GHd%t|j#GHd t|jGHd |j GHd |j GHd&|j$pYd'GHd(t|j%o|j&o|j'd)k GHd*t|j%o|j&o|j'd)kGHd+t|j(GHd,|j'GHd-|j)GHd.t|j*GHd/t|j+GHd0t|j,GHd|jGHd|jGHd|jGHd|jGHd1t|j&GHd2t|j-GHd3t|j. 
GHd4t|j/GHd5|j0 rd6pd7GHd8|j1GHd9|j2GHd:|j3GHd;t|j4|j5fGHd<t|j6|j7fGHd=t|j8|j9fGHd>t|j:|j;fGHd?t|j<|j=fGHd@t|j>|j?fGHdAt|j@GHdS(BNs caching is %ssnss_files is always enabledsnss_compat is %ss nss_db is %ssnss_hesiod is %ss hesiod LHS = "%s"s hesiod RHS = "%s"snss_ldap is %ss LDAP+TLS is %ss LDAP server = "%s"s LDAP base DN = "%s"s nss_nis is %ss NIS server = "%s"s NIS domain = "%s"snss_nisplus is %ssnss_winbind is %ss SMB workgroup = "%s"s SMB servers = "%s"s SMB security = "%s"s SMB realm = "%s"s Winbind template shell = "%s"s SMB idmap range = "%s"snss_sss is %s by defaultsnss_wins is %ssnss_mdns4_minimal is %ssmyhostname is %ss%DNS preference over NSS or WINS is %sspam_unix is always enableds shadow passwords are %ss! password hashing algorithm is %sspam_krb5 is %ss krb5 realm = "%s"s krb5 realm via dns is %ss krb5 kdc = "%s"s krb5 kdc via dns is %ss krb5 admin server = "%s"spam_ldap is %ss LDAP schema = "%s"R2spam_pkcs11 is %sRsSSSD smartcard support is %ss# use only smartcard for login is %ss smartcard module = "%s"s smartcard removal action = "%s"spam_fprintd is %sspam_ecryptfs is %sspam_winbind is %sspam_sss is %s by defaults! 
credential caching in SSSD is %ss6 SSSD use instead of legacy services if possible is %ss IPAv2 is %ssIPAv2 domain was %sjoinedsnot RIs IPAv2 server = "%s"s IPAv2 realm = "%s"s IPAv2 domain = "%s"spam_pwquality is %s (%s)spam_passwdqc is %s (%s)spam_access is %s (%s)spam_faillock is %s (%s)s0pam_mkhomedir or pam_oddjob_mkhomedir is %s (%s)s'Always authorize local users is %s (%s)s;Authenticate system accounts against network services is %s(ARRHRzRoRwRJRKR_R6R2R4RtRNRLRsRqRgRZRXRYRkRhR~R{R|R}RRROR`R@R[R<R\R>RaR8R]RRdRfRcReRRRBRRbRRRRRRRRRRRRRRRRR(R((s!/usr/share/authconfig/authinfo.pyt printInfos                  +*               cCsux.ttttfD]}t|j|jqW|jrWtj dtj dntj dtj dt S(Ns/usr/sbin/pwconvs/usr/sbin/grpconvs/usr/sbin/pwunconvs/usr/sbin/grpunconv( t CFG_SHADOWt CFG_PASSWDt CFG_GSHADOWt CFG_GROUPRRRRR4RR%(RR((s!/usr/share/authconfig/authinfo.pyR0s    c Csd}|js|jr|jr|jjdddjdddjddd}|j}|j}|s{d}n|dkr|dkrdStd|rd pd ||rd pd ||jf}|rtj j d |n|j s| rt ||d |j \}}n(t |gdt}|j|j}|rp|dkr|jtdqq|dkrtd} | d|7} |j| qn|dkS(NiRiR s RRs join %s%s %s%s -U %ss-w RIs-S s[%s] ssword:Rs'Winbind domain join was not successful.s]Winbind domain join was not successful. The net join command failed with the following error:s (RqRRRZR RgRXtPATH_WINBIND_NETRRRRRRR%RRRR( RRRRRtprotocoltcmdRRterrmsg((s!/usr/share/authconfig/authinfo.pyt joinDomain<s89   !     c Csd}|jr|j}|j}|j}|j}|j}|jrNd}nd}td|rfdpid||rxdp{d||rdpd||rdpd||| rd pd f } |rtj j d | t | gd t } | j | j}nt| |d|\}} |dkr5t |_n|r`|dkr|jtd qq|dkrtd} | d| 7} |j| qn|dkS(Nis-NRIs! --noac %s%s %s%s %s%s %s%s %s %ss --domain=s --server=s--realm=s --principal=s --unattendeds-Ws[%s] Rs%IPAv2 domain join was not successful.seIPAv2 domain join was not successful. 
The ipa-client-install command failed with the following error:s (RbRRRRRRtPATH_IPA_CLIENT_INSTALLRRRRR%RRRRRR( RRRRRRQt principalRqtnontpRRRR((s!/usr/share/authconfig/authinfo.pyt joinIPADomain_sB               cCstd}tj|dS(Ns --uninstall --noac --unattended(RR4R(RR((s!/usr/share/authconfig/authinfo.pyt uninstallIPAs cCsX|sT|jr,tjdtjdqTytjdWqTtk rPqTXntS(NR!(RHRRR1R;R%(RR((s!/usr/share/authconfig/authinfo.pyRs   cCsc|jr|jr|s/tjd|jnyAtjdtjttjd|sotjdnWnt k rnXyAtjt tjd|stj dtjdnWq_t k rq_Xn|stjdnyYtjdtjt |s=ytj dWq=t k r9q=Xntj dWnt k r^nXt S(Ns/bin/domainname sG[[ $(getsebool allow_ypbind) == *off* ]] && setsebool -P allow_ypbind 1trpcbindtypbinds/bin/domainname "(none)"sF[[ $(getsebool allow_ypbind) == *on* ]] && setsebool -P allow_ypbind 0(RtRLR4RRt PATH_RPCBINDRRR1R;t PATH_YPBINDRRR%(RR((s!/usr/share/authconfig/authinfo.pyRsB            cCst|js|jo|j td||jrZytjdWqtk rVqXn%ytjdWntk r~nXtS(Ntnslcdse[[ $(getsebool authlogin_nsswitch_use_ldap) == *off* ]] && setsebool -P authlogin_nsswitch_use_ldap 1sd[[ $(getsebool authlogin_nsswitch_use_ldap) == *on* ]] && setsebool -P authlogin_nsswitch_use_ldap 0( RR_RaRIt PATH_NSLCDR4RR;R%(RR((s!/usr/share/authconfig/authinfo.pyRs    cCs#t|jp|jtd|dS(NR(RRqRt PATH_WINBIND(RR((s!/usr/share/authconfig/authinfo.pyRscCs|jr|jpE|jr-tjjtpE|joEtjjt}|jpf|jpf|jpf|}t |t d|p|o|jp|jp|j dS(NR( R~RR4RtexiststPATH_SSSD_CONFIGRIRRbRt PATH_SSSD(RRtexplicitenableR((s!/usr/share/authconfig/authinfo.pyRscCsB|jr>tjdtdftjr>tttd|ndS(Ns %s/pam_%s.soRTtoddjobd(RR4RReRfRR%t PATH_ODDJOBD(RR((s!/usr/share/authconfig/authinfo.pyRs cCs8x|jD]}||q W|jr4|jndS(N(RRR(RRR((s!/usr/share/authconfig/authinfo.pytposts cCsx|js|jrtytj|jWn>tk rf\}}|tjkrgtj|jdqgnXt |jSt S(Ni( R_RaR4RR:R;RBtENOENTRRR(RRR((s!/usr/share/authconfig/authinfo.pyttestLDAPCACertss cCsE|js|jrA|js*d|jkrAtjd|jndS(Nsldaps:s/usr/sbin/cacertdir_rehash (R_RaR6R2R4RR:(R((s!/usr/share/authconfig/authinfo.pytrehashLDAPCACertsscCs|js tS|jyWtj|j}t|jdtd}|j|j |j |j Wn.t t t fk r|jtdtSX|jtS(NRis Error downloading 
CA certificate(RRRturllib2turlopenRHR:tLDAP_CACERT_DOWNLOADEDRRR<R=R;R+RRRR%(Rtreadftwritef((s!/usr/share/authconfig/authinfo.pytdownloadLDAPCACerts    cCs|ddkr!td|}n||_t|syQtj|}x;|D]3}ytj|d|WqOtk rqOXqOWWqtk rqXndS(NiRs/backup-(RRRR4RR)R;(RRRR>((s!/usr/share/authconfig/authinfo.pyR s      cCs@|j|t}x&tD]}|j|jo5|}qW|S(N(RR%RRR(RRRR((s!/usr/share/authconfig/authinfo.pyt saveBackups   cCsQ|ddkr!td|}nt}x#tD]}|j|oF|}q.W|S(NiRs/backup-(RR%RR (RRRR((s!/usr/share/authconfig/authinfo.pyt restoreBackups  cCs|jtdS(Ns/last(RR(R((s!/usr/share/authconfig/authinfo.pyt restoreLast's(TRRRRRRRRRRRRRR RRR%R/RCRJRQRSRWRoR"RvRsRRRRRRRR$RRRRRRRRRRRR$RRRRARBRRRnRqRuRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s!/usr/share/authconfig/authinfo.pyR%s     *   9   K  " 1 *  + 7      "    U u  5 B  \  F  Y : H b  T /   )  S L # (  $         ((((((s ldapServersldap_uri(s ldapBaseDNR5(s enableLDAPSR7(s ldapSchemas ldap_schema(s ldapCacertDirR;(s kerberosKDCR=(skerberosAdminServerR?(s kerberosRealmRA(senableCacheCredsRC(senableCacheCredsskrb5_store_password_if_offline((RtreR4RR7RRRRRRRRBRRR;Rt subprocessRtgettexttlgettextRRt ImportErrorRRqRrRRuRRrRRsRRtRR7R'tglobalstLIBDIRRet PATH_PWCONVRR#RRRRRt PATH_SEBOOLt PATH_SCEVENTDRtPATH_LIBNSS_DBtPATH_LIBNSS_LDAPRRtPATH_LIBNSS_NIStPATH_LIBNSS_HESIODtPATH_LIBNSS_ODBCBINDtPATH_LIBNSS_WINBINDtPATH_LIBNSS_WINStPATH_LIBNSS_SSSt PATH_PAM_KRB5t PATH_PAM_LDAPtPATH_PAM_WINBINDtPATH_PAM_PKCS11tPATH_PAM_FPRINTDt PATH_PAM_SSSRFRRRRRRRtLOGIC_REQUIREDRRdtLOGIC_OPTIONALR`R_t LOGIC_PKCS11R\R^R[RaRbtLOGIC_ALWAYS_SKIPRiR RRRR R"R$R)R*R+R3RDRHRMRPRRRVtargv_unix_authtargv_unix_passwordt argv_afs_authtargv_afs_passwordtargv_pwquality_passwordtargv_passwdqc_passwordt argv_eps_authtargv_eps_passwordtargv_fprintd_authtargv_pkcs11_authR]Rhtargv_krb5_authR|targv_krb5_passwordtargv_ldap_authtargv_ldap_passwordt argv_otp_authtargv_succeed_if_authtargv_succeed_if_accounttargv_succeed_if_sessiontargv_succeed_if_nonlogintargv_winbind_authtargv_winbind_passwordt 
argv_sss_authtargv_sss_passwordtargv_keyinit_sessiontargv_ecryptfs_authtargv_ecryptfs_passwordtargv_ecryptfs_sessiontargv_succeed_if_not_gdmtargv_lastlog_gdmtargv_lastlog_not_gdmtargv_faildelayRtrangeR}R~tSESSIONtPASSWORDRWR{RXRYRZRcRwRRRxRyRRzR%RRtDEFAULT_DNS_QUERY_SIZEtcompileR#RRRtreadlinkRR;RRRRRRRRRRR R"R$R%RRRRRRRRtCFG_KRBR4RNRgRRpRtRRRRRRR.R"R4RRRRR7R8RR>R(((s!/usr/share/authconfig/authinfo.pyts                                                                                         (                                                                                                                                                                                                                                                                                                                                                       Z    #S  7i   msgarea.py000064400000024630147645272700006560 0ustar00# This file is part of the Hotwire Shell user interface. # # Copyright (C) 2007,2008 Colin Walters # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA import gtk, gobject # This file is a Python translation of gedit/gedit/gedit-message-area.c if gtk.pygtk_version < (2, 17): class MsgArea(gtk.HBox): __gsignals__ = { "response" : (gobject.SIGNAL_RUN_LAST, gobject.TYPE_NONE, (gobject.TYPE_INT,)), "close" : (gobject.SIGNAL_RUN_LAST, gobject.TYPE_NONE, []) } def __init__(self, buttons, **kwargs): super(MsgArea, self).__init__(**kwargs) self.__contents = None self.__changing_style = False self.__main_hbox = gtk.HBox(False, 16) # FIXME: use style properties self.__main_hbox.show() self.__main_hbox.set_border_width(8) # FIXME: use style properties self.__action_area = gtk.HBox(True, 4); # FIXME: use style properties self.__action_area.show() self.__main_hbox.pack_end (self.__action_area, False, True, 0) self.pack_start(self.__main_hbox, True, True, 0) self.set_app_paintable(True) self.connect("expose-event", self.__paint) # Note that we connect to style-set on one of the internal # widgets, not on the message area itself, since gtk does # not deliver any further style-set signals for a widget on # which the style has been forced with gtk_widget_set_style() self.__main_hbox.connect("style-set", self.__on_style_set) self.add_buttons(buttons) def __get_response_data(self, w, create): d = w.get_data('hotwire-msg-area-data') if (d is None) and create: d = {'respid': None} w.set_data('hotwire-msg-area-data', d) return d def __find_button(self, respid): children = self.__actionarea.get_children() for child in children: rd = self.__get_response_data(child, False) if rd is not None and rd['respid'] == respid: return child def __close(self): cancel = self.__find_button(gtk.RESPONSE_CANCEL) if cancel is None: return self.response(gtk.RESPONSE_CANCEL) def __paint(self, w, event): gtk.Style.paint_flat_box(w.style, w.window, 
gtk.STATE_NORMAL, gtk.SHADOW_OUT, None, w, "tooltip", w.allocation.x + 1, w.allocation.y + 1, w.allocation.width - 2, w.allocation.height - 2) return False def __on_style_set(self, w, style): if self.__changing_style: return style = self.get_style().copy() style.bg[gtk.STATE_NORMAL] = gtk.gdk.Color('#e9afaf') self.__changing_style = True self.set_style(style) self.__changing_style = False self.queue_draw() def __get_response_for_widget(self, w): rd = self.__get_response_data(w, False) if rd is None: return gtk.RESPONSE_NONE return rd['respid'] def __on_action_widget_activated(self, w): response_id = self.__get_response_for_widget(w) self.response(response_id) def add_action_widget(self, child, respid): rd = self.__get_response_data(child, True) rd['respid'] = respid if not isinstance(child, gtk.Button): raise ValueError("Can only pack buttons as action widgets") child.connect('clicked', self.__on_action_widget_activated) if respid != gtk.RESPONSE_HELP: self.__action_area.pack_start(child, False, False, 0) else: self.__action_area.pack_end(child, False, False, 0) def set_contents(self, contents): self.__contents = contents self.__main_hbox.pack_start(contents, True, True, 0) def add_button(self, btext, respid): button = gtk.Button(stock=btext) button.set_focus_on_click(False) button.set_flags(gtk.CAN_DEFAULT) button.show() self.add_action_widget(button, respid) return button def add_buttons(self, args): for (btext, respid) in args: self.add_button(btext, respid) def set_response_sensitive(self, respid, setting): for child in self.__action_area.get_children(): rd = self.__get_response_data(child, False) if rd is not None and rd['respid'] == respid: child.set_sensitive(setting) break def set_default_response(self, respid): for child in self.__action_area.get_children(): rd = self.__get_response_data(child, False) if rd is not None and rd['respid'] == respid: child.grab_default() break def response(self, respid): self.emit('response', respid) def 
add_stock_button_with_text(self, text, stockid, respid): b = gtk.Button(label=text) b.set_focus_on_click(False) img = gtk.Image() img.set_from_stock(stockid, gtk.ICON_SIZE_BUTTON) b.set_image(img) b.show_all() self.add_action_widget(b, respid) return b def set_text_and_icon(self, stockid, primary_text, secondary_text=None): hbox_content = gtk.HBox(False, 8) hbox_content.show() image = gtk.Image() image.set_from_stock(stockid, gtk.ICON_SIZE_BUTTON) image.show() hbox_content.pack_start(image, False, False, 0) image.set_alignment(0.5, 0.5) vbox = gtk.VBox(False, 6) vbox.show() hbox_content.pack_start (vbox, True, True, 0) primary_markup = "%s" % (primary_text,) primary_label = gtk.Label(primary_markup) primary_label.show() vbox.pack_start(primary_label, True, True, 0) primary_label.set_use_markup(True) primary_label.set_line_wrap(True) primary_label.set_alignment(0, 0.5) primary_label.set_flags(gtk.CAN_FOCUS) primary_label.set_selectable(True) if secondary_text: secondary_markup = "%s" % (secondary_text,) secondary_label = gtk.Label(secondary_markup) secondary_label.show() vbox.pack_start(secondary_label, True, True, 0) secondary_label.set_flags(gtk.CAN_FOCUS) secondary_label.set_use_markup(True) secondary_label.set_line_wrap(True) secondary_label.set_selectable(True) secondary_label.set_alignment(0, 0.5) self.set_contents(hbox_content) else: class MsgArea(gtk.InfoBar): def __init__(self, buttons): super(MsgArea, self).__init__() self._current_contents = None if buttons: self.add_buttons(buttons) def add_buttons(self, args): for (btext, respid) in args: self.add_button(btext, respid) def clear_buttons(self): for child in self.get_action_area().get_children(): self.get_action_area().remove(child) child.destroy() def set_contents(self, contents): content_area = self.get_content_area() if self._current_contents is not None: content_area.remove(self._current_contents) self._current_contents = contents content_area.pack_start(contents, True, True, 0) def 
set_text_and_icon(self, stockid, primary_text, secondary_text=None): hbox_content = gtk.HBox(False, 8) hbox_content.show() image = gtk.Image() image.set_from_stock(stockid, gtk.ICON_SIZE_BUTTON) image.show() hbox_content.pack_start(image, False, False, 0) image.set_alignment(0.5, 0.5) vbox = gtk.VBox(False, 6) vbox.show() hbox_content.pack_start (vbox, True, True, 0) primary_markup = "%s" % (primary_text,) primary_label = gtk.Label(primary_markup) primary_label.show() vbox.pack_start(primary_label, True, True, 0) primary_label.set_use_markup(True) primary_label.set_line_wrap(True) primary_label.set_alignment(0, 0.5) primary_label.set_flags(gtk.CAN_FOCUS) primary_label.set_selectable(True) if secondary_text: secondary_markup = "%s" % (secondary_text,) secondary_label = gtk.Label(secondary_markup) secondary_label.show() vbox.pack_start(secondary_label, True, True, 0) secondary_label.set_flags(gtk.CAN_FOCUS) secondary_label.set_use_markup(True) secondary_label.set_line_wrap(True) secondary_label.set_selectable(True) secondary_label.set_alignment(0, 0.5) self.set_contents(hbox_content) class MsgAreaController(gtk.HBox): def __init__(self): super(MsgAreaController, self).__init__() self.__msgarea = None def clear(self): if self.__msgarea is not None: self.remove(self.__msgarea) self.__msgarea.destroy() self.__msgarea = None def new_from_text_and_icon(self, stockid, primary, secondary=None, buttons=[]): self.clear() msgarea = self.__msgarea = MsgArea(buttons) msgarea.set_text_and_icon(stockid, primary, secondary) self.pack_start(msgarea, expand=True) return msgarea dnsclient.py000064400000024220147645272700007117 0ustar00# # Copyright 2001, 2005 Red Hat, Inc. # # This is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
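#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import struct
import socket
import sys

import acutil

# DNS classes.
DNS_C_IN = 1
DNS_C_CS = 2
DNS_C_CHAOS = 3
DNS_C_HS = 4
DNS_C_ANY = 255

# DNS resource record types.
DNS_T_A = 1
DNS_T_NS = 2
DNS_T_CNAME = 5
DNS_T_SOA = 6
DNS_T_NULL = 10
DNS_T_WKS = 11
DNS_T_PTR = 12
DNS_T_HINFO = 13
DNS_T_MX = 15
DNS_T_TXT = 16
DNS_T_SRV = 33
DNS_T_ANY = 255

# Upper bound on compression pointers followed while decoding one name.
# A name is at most 255 octets on the wire, so a well-formed message never
# needs more hops than this; the cap stops a response whose pointers form a
# cycle from keeping dnsParseLabel() in its loop forever.
DNS_MAX_POINTER_JUMPS = 128

# Longest single label allowed on the wire; larger length octets collide
# with the two high bits that mark a compression pointer.
DNS_MAX_LABEL_LENGTH = 63

DEBUG_DNSCLIENT = False


class DNSQueryHeader:
    """The fixed 12-octet header of a DNS message.

    The two flag octets are split into the individual dns_* bit fields by
    unpack() and merged again by pack().
    """

    FORMAT = "!HBBHHHH"

    def __init__(self):
        self.dns_id = 0
        self.dns_rd = 0
        self.dns_tc = 0
        self.dns_aa = 0
        self.dns_opcode = 0
        self.dns_qr = 0
        self.dns_rcode = 0
        self.dns_z = 0
        self.dns_ra = 0
        self.dns_qdcount = 0
        self.dns_ancount = 0
        self.dns_nscount = 0
        self.dns_arcount = 0

    def pack(self):
        """Return the header serialized according to FORMAT."""
        return struct.pack(DNSQueryHeader.FORMAT,
            self.dns_id,
            (self.dns_rd & 1) |
            (self.dns_tc & 1) << 1 |
            (self.dns_aa & 1) << 2 |
            (self.dns_opcode & 15) << 3 |
            (self.dns_qr & 1) << 7,
            (self.dns_rcode & 15) |
            (self.dns_z & 7) << 4 |
            (self.dns_ra & 1) << 7,
            self.dns_qdcount,
            self.dns_ancount,
            self.dns_nscount,
            self.dns_arcount)

    def unpack(self, data):
        """Fill the header fields from the first size() octets of data.

        Raises struct.error when data is shorter than the header.
        """
        (self.dns_id, byte1, byte2, self.dns_qdcount, self.dns_ancount,
            self.dns_nscount, self.dns_arcount) = struct.unpack(
                DNSQueryHeader.FORMAT, data[0:self.size()])
        self.dns_rd = byte1 & 1
        self.dns_tc = (byte1 >> 1) & 1
        self.dns_aa = (byte1 >> 2) & 1
        self.dns_opcode = (byte1 >> 3) & 15
        self.dns_qr = (byte1 >> 7) & 1
        self.dns_rcode = byte2 & 15
        self.dns_z = (byte2 >> 4) & 7
        # pack() stores RA in the top bit of the second flag octet; the
        # original read it back from byte1, which is the QR bit.
        self.dns_ra = (byte2 >> 7) & 1

    def size(self):
        """Return the packed size of the header in octets."""
        return struct.calcsize(DNSQueryHeader.FORMAT)


def unpackQueryHeader(data):
    """Return a DNSQueryHeader parsed from the start of data."""
    header = DNSQueryHeader()
    header.unpack(data)
    return header


class DNSResult:
    """One question or resource record taken from a DNS response."""

    FORMAT = "!HHIH"
    QFORMAT = "!HH"

    def __init__(self):
        self.dns_name = ""
        self.dns_type = 0
        self.dns_class = 0
        self.dns_ttl = 0
        self.dns_rlength = 0
        self.rdata = None

    def unpack(self, data):
        """Read type, class, ttl and rdata length of a resource record."""
        (self.dns_type, self.dns_class, self.dns_ttl,
            self.dns_rlength) = struct.unpack(DNSResult.FORMAT,
                data[0:self.size()])

    def qunpack(self, data):
        """Read type and class of a question section entry."""
        (self.dns_type, self.dns_class) = struct.unpack(DNSResult.QFORMAT,
            data[0:self.qsize()])

    def size(self):
        """Return the packed size of the fixed resource record fields."""
        return struct.calcsize(DNSResult.FORMAT)

    def qsize(self):
        """Return the packed size of the fixed question fields."""
        return struct.calcsize(DNSResult.QFORMAT)


class DNSRData:
    """Attribute bag; the dnsParse* functions set the per-type fields."""

    def __init__(self):
        pass

#typedef struct dns_rr_a {
#    u_int32_t address;
#} dns_rr_a_t;
#
#typedef struct dns_rr_cname {
#    const char *cname;
#} dns_rr_cname_t;
#
#typedef struct dns_rr_hinfo {
#    const char *cpu, *os;
#} dns_rr_hinfo_t;
#
#typedef struct dns_rr_mx {
#    u_int16_t preference;
#    const char *exchange;
#} dns_rr_mx_t;
#
#typedef struct dns_rr_null {
#    unsigned const char *data;
#} dns_rr_null_t;
#
#typedef struct dns_rr_ns {
#    const char *nsdname;
#} dns_rr_ns_t;
#
#typedef struct dns_rr_ptr {
#    const char *ptrdname;
#} dns_rr_ptr_t;
#
#typedef struct dns_rr_soa {
#    const char *mname;
#    const char *rname;
#    u_int32_t serial;
#    int32_t refresh;
#    int32_t retry;
#    int32_t expire;
#    int32_t minimum;
#} dns_rr_soa_t;
#
#typedef struct dns_rr_txt {
#    const char *data;
#} dns_rr_txt_t;
#
#typedef struct dns_rr_srv {
#    const char *server;
#    u_int16_t priority;
#    u_int16_t weight;
#    u_int16_t port;
#} dns_rr_srv_t;


def dnsNameToLabel(name):
    """Encode a dotted name as a sequence of length-prefixed labels.

    The terminating zero-length label is only emitted when name ends with
    a dot, because split(".") then yields a final empty part.  Returns ""
    when a label is longer than DNS_MAX_LABEL_LENGTH, so that
    dnsFormatQuery() refuses to build a malformed query.
    """
    out = ""
    for part in name.split("."):
        if len(part) > DNS_MAX_LABEL_LENGTH:
            return ""
        out += chr(len(part)) + part
    return out


def dnsFormatQuery(query, qclass, qtype):
    """Build the wire form of a single-question standard query.

    Returns "" when the name cannot be encoded.
    """
    header = DNSQueryHeader()

    # FIXME: id = 0
    # NOTE(review): the transaction id is a constant.  Whether the resolver
    # behind acutil.res_send() replaces it with an unpredictable value is
    # not visible in this file; if it does not, forged responses are
    # easier to get accepted -- confirm.
    header.dns_id = 0
    header.dns_rd = 1       # don't know why the original code didn't request recursion for non SOA requests
    header.dns_qr = 0       # query
    header.dns_opcode = 0   # standard query
    header.dns_qdcount = 1  # single query

    qlabel = dnsNameToLabel(query)
    if not qlabel:
        return ""

    out = header.pack() + qlabel
    out += chr(qtype >> 8)
    out += chr(qtype & 0xff)
    out += chr(qclass >> 8)
    out += chr(qclass & 0xff)

    return out


def dnsParseLabel(label, base):
    """Decode a possibly compressed domain name.

    label is the data starting at the name, base is the complete message
    that compression pointers index into.  Returns (rest, name) where rest
    is the data following the name in label; returns ("", None) when the
    name is empty input, truncated, or follows more than
    DNS_MAX_POINTER_JUMPS compression pointers.
    """
    # returns (output, rest)
    if not label:
        return ("", None)

    update = 1
    rest = label
    output = ""
    skip = 0
    jumps = 0

    try:
        while ord(rest[0]):
            if ord(rest[0]) & 0xc0:
                # The response is untrusted: pointers may reference each
                # other in a cycle, so bound the number of hops.
                jumps += 1
                if jumps > DNS_MAX_POINTER_JUMPS:
                    return ("", None)
                rest = base[((ord(rest[0]) & 0x3f) << 8) + ord(rest[1]):]
                if update:
                    # Only octets consumed before the first pointer count
                    # towards the position in label.
                    skip += 2
                    update = 0
                continue
            output += rest[1:ord(rest[0]) + 1] + "."
            if update:
                skip += ord(rest[0]) + 1
            rest = rest[ord(rest[0]) + 1:]
    except IndexError:
        return ("", None)
    # update is still 1 when no pointer was followed; it then accounts for
    # the terminating zero octet.
    return (label[skip+update:], output)


def dnsParseA(data, base):
    """Parse an A record; returns None when data is shorter than 4 octets."""
    rdata = DNSRData()
    if len(data) < 4:
        rdata.address = 0
        return None

    rdata.address = (ord(data[0])<<24) | (ord(data[1])<<16) | (ord(data[2])<<8) | (ord(data[3])<<0)

    if DEBUG_DNSCLIENT:
        print "A = %d.%d.%d.%d." % (ord(data[0]), ord(data[1]), ord(data[2]), ord(data[3]))
    return rdata


def dnsParseText(data):
    """Split one length-prefixed character string off the front of data.

    Returns (rest, text), or ("", None) when data is too short.
    """
    if len(data) < 1:
        return ("", None)
    tlen = ord(data[0])
    if len(data) < tlen + 1:
        return ("", None)
    return (data[tlen+1:], data[1:tlen+1])


def dnsParseNS(data, base):
    """Parse an NS record; nsdname is None when the name is malformed."""
    rdata = DNSRData()
    (rest, rdata.nsdname) = dnsParseLabel(data, base)
    if DEBUG_DNSCLIENT:
        print "NS DNAME = \"%s\"." % (rdata.nsdname)
    return rdata


def dnsParseCNAME(data, base):
    """Parse a CNAME record; cname is None when the name is malformed."""
    rdata = DNSRData()
    (rest, rdata.cname) = dnsParseLabel(data, base)
    if DEBUG_DNSCLIENT:
        print "CNAME = \"%s\"." % (rdata.cname)
    return rdata


def dnsParseSOA(data, base):
    """Parse an SOA record; returns None when any part is malformed."""
    rdata = DNSRData()
    fmt = "!IIIII"

    (rest, rdata.mname) = dnsParseLabel(data, base)
    if rdata.mname is None:
        return None
    (rest, rdata.rname) = dnsParseLabel(rest, base)
    if rdata.rname is None:
        return None
    if len(rest) < struct.calcsize(fmt):
        return None

    (rdata.serial, rdata.refresh, rdata.retry, rdata.expire,
        rdata.minimum) = struct.unpack(fmt, rest[:struct.calcsize(fmt)])

    if DEBUG_DNSCLIENT:
        print "SOA(mname) = \"%s\"." % rdata.mname
        print "SOA(rname) = \"%s\"." % rdata.rname
        print "SOA(serial) = %d." % rdata.serial
        print "SOA(refresh) = %d." % rdata.refresh
        print "SOA(retry) = %d." % rdata.retry
        print "SOA(expire) = %d." % rdata.expire
        print "SOA(minimum) = %d." % rdata.minimum
    return rdata


def dnsParseNULL(data, base):
    # um, yeah
    return None


def dnsParseWKS(data, base):
    """WKS records are not decoded."""
    return None


def dnsParseHINFO(data, base):
    """Parse an HINFO record into cpu and os strings."""
    rdata = DNSRData()
    # Default so that the attribute exists even when the record carries
    # only one string; the debug print below used to fail in that case.
    rdata.os = None
    (rest, rdata.cpu) = dnsParseText(data)
    if rest:
        (rest, rdata.os) = dnsParseText(rest)
    if DEBUG_DNSCLIENT:
        print "HINFO(cpu) = \"%s\"." % rdata.cpu
        print "HINFO(os) = \"%s\"." % rdata.os
    return rdata


def dnsParseMX(data, base):
    """Parse an MX record; returns None when data is shorter than 2 octets."""
    rdata = DNSRData()
    if len(data) < 2:
        return None
    rdata.preference = (ord(data[0]) << 8) | ord(data[1])
    (rest, rdata.exchange) = dnsParseLabel(data[2:], base)
    if DEBUG_DNSCLIENT:
        print "MX(exchanger) = \"%s\"." % rdata.exchange
        print "MX(preference) = %d." % rdata.preference
    return rdata


def dnsParseTXT(data, base):
    """Parse the first character string of a TXT record."""
    rdata = DNSRData()
    (rest, rdata.data) = dnsParseText(data)
    if DEBUG_DNSCLIENT:
        print "TXT = \"%s\"." % rdata.data
    return rdata


def dnsParsePTR(data, base):
    """Parse a PTR record; ptrdname is None when the name is malformed."""
    rdata = DNSRData()
    (rest, rdata.ptrdname) = dnsParseLabel(data, base)
    if DEBUG_DNSCLIENT:
        print "PTR = \"%s\"." % rdata.ptrdname
    # The original fell off the end here, so PTR records always came back
    # with rdata None, unlike every other parser.
    return rdata


def dnsParseSRV(data, base):
    """Parse an SRV record; returns None when the fixed part is truncated."""
    rdata = DNSRData()
    fmt = "!HHH"
    flen = struct.calcsize(fmt)
    if len(data) < flen:
        return None

    (rdata.priority, rdata.weight, rdata.port) = struct.unpack(fmt, data[:flen])
    (rest, rdata.server) = dnsParseLabel(data[flen:], base)
    if DEBUG_DNSCLIENT:
        print "SRV(server) = \"%s\"." % rdata.server
        print "SRV(weight) = %d." % rdata.weight
        print "SRV(priority) = %d." % rdata.priority
        print "SRV(port) = %d." % rdata.port
    return rdata


def dnsParseResults(results):
    """Parse a raw DNS response into a list of DNSResult objects.

    Returns [] for anything that is not a well-formed, error-free
    response.  When the response has no records, the last question entry
    is returned as the only element.  The rdata of an element is None
    when its type is unknown or its payload is malformed, and name fields
    inside rdata may be None as well, so callers have to check both.
    """
    try:
        header = unpackQueryHeader(results)
    except struct.error:
        return []

    if header.dns_qr != 1: # should be a response
        return []

    if header.dns_rcode != 0: # should be no error
        return []

    rest = results[header.size():]

    rrlist = []
    # Stays None when the message has neither questions nor records, so
    # the fallback at the end cannot hit an unbound name.
    rr = None

    for i in xrange(header.dns_qdcount):
        if not rest:
            return []

        rr = DNSResult()

        (rest, label) = dnsParseLabel(rest, results)
        if label is None:
            return []

        if len(rest) < rr.qsize():
            return []

        rr.qunpack(rest)
        rest = rest[rr.qsize():]

        if DEBUG_DNSCLIENT:
            print "Queried for '%s', class = %d, type = %d." % (label,
                rr.dns_class, rr.dns_type)

    # Built once; it does not change between records.
    fmap = { DNS_T_A: dnsParseA, DNS_T_NS: dnsParseNS,
        DNS_T_CNAME: dnsParseCNAME, DNS_T_SOA: dnsParseSOA,
        DNS_T_NULL: dnsParseNULL, DNS_T_WKS: dnsParseWKS,
        DNS_T_PTR: dnsParsePTR, DNS_T_HINFO: dnsParseHINFO,
        DNS_T_MX: dnsParseMX, DNS_T_TXT: dnsParseTXT,
        DNS_T_SRV: dnsParseSRV}

    # The counts come from the untrusted header; every iteration checks
    # the remaining length before reading, so an inflated count ends in
    # an empty result rather than an out-of-range read.
    for i in xrange(header.dns_ancount + header.dns_nscount + header.dns_arcount):
        (rest, label) = dnsParseLabel(rest, results)
        if label is None:
            return []

        rr = DNSResult()
        rr.dns_name = label

        if len(rest) < rr.size():
            return []

        rr.unpack(rest)
        rest = rest[rr.size():]

        if DEBUG_DNSCLIENT:
            print "Answer %d for '%s', class = %d, type = %d, ttl = %d." % (i,
                rr.dns_name, rr.dns_class, rr.dns_type, rr.dns_ttl)

        if len(rest) < rr.dns_rlength:
            if DEBUG_DNSCLIENT:
                print "Answer too short."
            return []

        if not rr.dns_type in fmap:
            if DEBUG_DNSCLIENT:
                print "Don't know how to parse RR type %d!" % rr.dns_type
        else:
            rr.rdata = fmap[rr.dns_type](rest[:rr.dns_rlength], results)

        rest = rest[rr.dns_rlength:]
        rrlist += [rr]

    if not rrlist and rr is not None:
        rrlist = [rr]
    return rrlist


def query(query, qclass, qtype):
    """Send one query through acutil.res_send() and parse the answer.

    Returns a list of DNSResult objects, or [] when the query cannot be
    built, no answer arrives, or the answer does not parse.
    """
    qdata = dnsFormatQuery(query, qclass, qtype)
    if not qdata:
        return []
    answer = acutil.res_send(qdata)
    if not answer:
        return []
    return dnsParseResults(answer)


if __name__ == '__main__':
    DEBUG_DNSCLIENT = True
    print "Sending query."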
rr = query(len(sys.argv) > 1 and sys.argv[1] or "devserv.devel.redhat.com.", DNS_C_IN, DNS_T_ANY) sys.exit(0) dnsclient.pyc000064400000026605147645272700007273 0ustar00 8Yc@sddlZddlZddlZddlZdZdZdZdZdZdZ dZ dZ dZ d Z d Zd Zd Zd ZdZdZdZeZdd,dYZdZdd-dYZdd.dYZdZdZdZdZdZdZ dZ!dZ"dZ#d Z$d!Z%d"Z&d#Z'd$Z(d%Z)d&Z*d'Z+e,d(kre-Zd)GHe+e.ej/dkrej/dpd*eeZ0ej1d+ndS(/iNiiiiiiii i i i iii!tDNSQueryHeadercBs2eZdZdZdZdZdZRS(s!HBBHHHHcCsyd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ dS(Ni( tdns_idtdns_rdtdns_tctdns_aat dns_opcodetdns_qrt dns_rcodetdns_ztdns_rat dns_qdcountt dns_ancountt dns_nscountt dns_arcount(tself((s"/usr/share/authconfig/dnsclient.pyt__init__/s            c Cstjtj|j|jd@|jd@d>B|jd@d>B|jd@d>B|j d@d>B|j d@|j d@d>B|j d@d>B|j |j|j|jS(Niiiiii(tstructtpackRtFORMATRRRRRRRRR R R R R (R((s"/usr/share/authconfig/dnsclient.pyR>s 7cCstjtj|d|j!\|_}}|_|_|_|_ |d@|_ |d?d@|_ |d?d@|_ |d?d@|_ |d?d@|_|d@|_|d?d@|_|d?d@|_dS(Niiiiiii(RtunpackRRtsizeRR R R R RRRRRRRR (Rtdatatbyte1tbyte2((s"/usr/share/authconfig/dnsclient.pyRNsF  cCstjtjS(N(RtcalcsizeRR(R((s"/usr/share/authconfig/dnsclient.pyRZs(t__name__t __module__RRRRR(((s"/usr/share/authconfig/dnsclient.pyR-s    cCst}|j||S(N(RR(Rtheader((s"/usr/share/authconfig/dnsclient.pytunpackQueryHeader]s  t DNSResultcBsAeZdZdZdZdZdZdZdZRS(s!HHIHs!HHcCs:d|_d|_d|_d|_d|_d|_dS(Nti(tdns_nametdns_typet dns_classtdns_ttlt dns_rlengthtNonetrdata(R((s"/usr/share/authconfig/dnsclient.pyRes      cCs>tjtj|d|j!\|_|_|_|_dS(Ni( RRRRRR R!R"R#(RR((s"/usr/share/authconfig/dnsclient.pyRmscCs2tjtj|d|j!\|_|_dS(Ni(RRRtQFORMATtqsizeR R!(RR((s"/usr/share/authconfig/dnsclient.pytqunpackqscCstjtjS(N(RRRR(R((s"/usr/share/authconfig/dnsclient.pyRtscCstjtjS(N(RRRR&(R((s"/usr/share/authconfig/dnsclient.pyR'ws( RRRR&RRR(RR'(((s"/usr/share/authconfig/dnsclient.pyRbs    tDNSRDatacBseZdZRS(cCsdS(N((R((s"/usr/share/authconfig/dnsclient.pyR{s(RRR(((s"/usr/share/authconfig/dnsclient.pyR)zscCsDd}|jd}x(|D] 
}|tt||7}qW|S(NRt.(tsplittchrtlen(tnametouttpart((s"/usr/share/authconfig/dnsclient.pytdnsNameToLabels  cCst}d|_d|_d|_d|_d|_t|}|sLdS|j|}|t|d?7}|t|d@7}|t|d?7}|t|d@7}|S(NiiRii( RRRRRR R1RR,(tquerytqclasstqtypeRtqlabelR/((s"/usr/share/authconfig/dnsclient.pytdnsFormatQuerys       cCs|s d Sd}|}d}d}yxt|drt|dd@r|t|dd@d>t|d}|r|d7}nd}q(n||dt|dd!d7}|r|t|dd7}n|t|dd}q(WWntk r d SX||||fS( NRiiii?iiR*(RN(RN(R$tordt IndexError(tlabeltbasetupdatetresttoutputtskip((s"/usr/share/authconfig/dnsclient.pyt dnsParseLabels** #  cCst}t|dkr(d|_dSt|dd>t|dd>Bt|dd>Bt|dd>B|_trd t|dt|dt|dt|dfGHn|S( NiiiiiiiisA = %d.%d.%d.%d.(R)R-taddressR$R7tDEBUG_DNSCLIENT(RR:R%((s"/usr/share/authconfig/dnsclient.pyt dnsParseAs  M@cCs]t|dkrdSt|d}t||dkr@dS||d|d|d!fS(NiRi(RN(RN(R-R$R7(Rttlen((s"/usr/share/authconfig/dnsclient.pyt dnsParseTexts cCs:t}t||\}|_tr6d|jGHn|S(NsNS DNAME = "%s".(R)R?tnsdnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseNSs  cCs:t}t||\}|_tr6d|jGHn|S(Ns CNAME = "%s".(R)R?tcnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseCNAMEs  cCs"t}d}t||\}|_|jdkr:dSt||\}|_|jdkredSt|tj|krdStj||tj| \|_ |_ |_ |_ |_ trd|jGHd|jGHd|j GHd|j GHd|j GHd|j GHd|j GHn|S( Ns!IIIIIsSOA(mname) = "%s".sSOA(rname) = "%s".sSOA(serial) = %d.sSOA(refresh) = %d.sSOA(retry) = %d.sSOA(expire) = %d.sSOA(minimum) = %d.(R)R?tmnameR$trnameR-RRRtserialtrefreshtretrytexpiretminimumRA(RR:R%tformatR<((s"/usr/share/authconfig/dnsclient.pyt dnsParseSOAs( =      cCsdS(N(R$(RR:((s"/usr/share/authconfig/dnsclient.pyt dnsParseNULL"scCsdS(N(R$(RR:((s"/usr/share/authconfig/dnsclient.pyt dnsParseWKS&scCsat}t|\}|_|r<t|\}|_ntr]d|jGHd|jGHn|S(NsHINFO(cpu) = "%s".sHINFO(os) = "%s".(R)RDtcputosRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseHINFO)s  cCst}t|dkrdSt|dd>t|dB|_t|d|\}|_trd|jGHd|jGHn|S(NiiiisMX(exchanger) = "%s".sMX(preference) = %d.(R)R-R$R7t preferenceR?texchangeRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseMX3s % cCs7t}t|\}|_tr3d|jGHn|S(Ns TXT = 
"%s".(R)RDRRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseTXT>s  cCs:t}t||\}|_tr6d|jGHndS(Ns PTR = "%s".(R)R?tptrdnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParsePTREs cCst}d}tj|}t||kr4dStj||| \|_|_|_t |||\}|_ t rd|j GHd|jGHd|jGHd|jGHn|S(Ns!HHHsSRV(server) = "%s".sSRV(weight) = %d.sSRV(priority) = %d.sSRV(port) = %d.( R)RRR-R$RtprioritytweighttportR?tserverRA(RR:R%RPtflenR<((s"/usr/share/authconfig/dnsclient.pyt dnsParseSRVKs (   cCsyt|}Wntjk r'gSX|jdkr;gS|jdkrNgS||j}g}xt|jD]}|sgSt}t ||\}}|dkrgSt ||j krgS|j |||j }trtd||j|jfGHqtqtWxt|j|j|jD]~}t ||\}}|dkrYgSt}||_t ||jkrgS|j|||j}trd||j|j|j|jfGHnt ||jkrtrdGHngSi tt6tt6tt6tt6t t!6t"t#6t$t%6t&t'6t(t)6t*t+6t,t-6}|j|krrtrd|jGHqn ||j||j ||_.||j}||g7}q.W|s|g}n|S(Niis(Queried for '%s', class = %d, type = %d.s4Answer %d for '%s', class = %d, type = %d, ttl = %d.sAnswer too short.s#Don't know how to parse RR type %d!(/RRterrorRRRtxrangeR RR?R$R-R'R(RAR!R R R R RRR"R#RBtDNS_T_ARFtDNS_T_NSRHt DNS_T_CNAMERQt DNS_T_SOARRt DNS_T_NULLRSt DNS_T_WKSR\t DNS_T_PTRRVt DNS_T_HINFORYtDNS_T_MXRZt DNS_T_TXTRbt DNS_T_SRVR%(tresultsRR<trrlisttitrrR9tfmap((s"/usr/share/authconfig/dnsclient.pytdnsParseResults[sr   $        cCs?t|||}|sgStj|}|s5gSt|S(N(R6tacutiltres_sendRu(R2R3R4tqdatatanswer((s"/usr/share/authconfig/dnsclient.pyR2st__main__sSending query.sdevserv.devel.redhat.com.i((((2RtsockettsysRvtDNS_C_INtDNS_C_CSt DNS_C_CHAOStDNS_C_HSt DNS_C_ANYReRfRgRhRiRjRkRlRmRnRot DNS_T_ANYtFalseRARRRR)R1R6R?RBRDRFRHRQRRRSRVRYRZR\RbRuR2RtTrueR-targvRstexit(((s"/usr/share/authconfig/dnsclient.pyts`    0 6             S ( authconfig-tui.pyo000064400000117747147645272700010262 0ustar00 8Yc@sddlZddlZddlZddlZddlZddlZejZddlm Z m Z ddl Z ye j e j dWn$e jk rejjdnXdZedrddlZnde fdYZd e fd YZd fd YZd efdYZedkrejejejejdedrqeZn eZejejndS(iN(t OptionParsertIndentedHelpFormatterts%Warning: Unsupported locale setting. 
cCstjdj|dkS(Ni(tsystargvtfind(tname((s'/usr/share/authconfig/authconfig-tui.pytrunsAs%ssauthconfig-tuitUnihelpOptionParsercBseZddZRS(cCs~|dkrtj}ntj}t|dd}| sI|dkrR|}n|j|jj|j |ddS(Ntencodingtasciitreplace( tNoneRtstdouttlocaletgetpreferredencodingtgetattrtwritet format_helptdecodetencode(tselftfilet srcencodingR ((s'/usr/share/authconfig/authconfig-tui.pyt print_help,s    N(t__name__t __module__R R(((s'/usr/share/authconfig/authconfig-tui.pyR+stNonWrapFormattercBseZdZRS(cCsg}|j|}|j|jd}t||kr[d|jd|f}|j}n8d|jd||f}d|jd||f}d}|j||jr|j|}|jd|d|fn |ddkr|jdndj|S(Nis%*s%s Rs %*s%-*s iis (toption_stringst help_positiontcurrent_indenttlentappendthelptexpand_defaulttjoin(Rtoptiontresulttoptst opt_widtht indent_firstt help_text((s'/usr/share/authconfig/authconfig-tui.pyt format_option6s     (RRR*(((s'/usr/share/authconfig/authconfig-tui.pyR5st AuthconfigcBs}eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d ZRS( cCsCt|_t|_t|_t|_t|_t|_d|_dS(Ni(tFalset nis_availtkerberos_availt ldap_availt sssd_availt cache_availt fprintd_availtretval(R((s'/usr/share/authconfig/authconfig-tui.pyt__init__Zs      cCsdS(Nt authconfig((R((s'/usr/share/authconfig/authconfig-tui.pytmodulecscCs$tjjd|j|fdS(Ns%s: %s (RtstderrRR6(Rterror((s'/usr/share/authconfig/authconfig-tui.pyt printErrorfscCsud}d}xX|D]P}|dkr2|d7}n|rO|t|d7}n||7}|d7}qW|d7}|S(Nit(tstr(RtltaddidxtidxR!titem((s'/usr/share/authconfig/authconfig-tui.pytlistHelpis     c CsBtd|j}|jdkr5|d7}nt|dtdt}|jdddd d td |jd d dd d td|jddd d td|jdddd d td|jddd d td|jdd|jtjtd td|jddd d td|jddd d td|jddtdd td|jd dtd!d td"|jd#dd d td$|jd%dd d td&|jd'dd d td(|jd)dd d td*|jd+dtd!d td,|jd-dtd.d td/|jd0d1dd d td2|jd3d4dd d td5|jd6dd d td7|jd8dd d td9|jd:dtd;d td<|jd=dd d td>|jd?dd d td@|jdAdd d tdB|jdCdd d tdD|jdEdtdFd tdG|jtj t }|jdHd|d tdI|jdJdd d tdK|jdLdd d tdM|jdNdd d tdO|jdPdd d tdQ|jdRdd d tdS|jdTdd d tdU|jdVdtd!d tdW|jdXdtd!d tdY|jdZdtd[d td\|jd]dd d td^|jd_dd d td`|jdadd d tdb|jdcdd d tdd|jdedd d tdf|jdgdd d tdh|jdidd d tdj|jdkdd d tdl|jdmddnd tdo|jdpdtd[d tdq|jdrdtdsd 
tdt|jdudtdvd tdw|jdxdydzdtd{d td||jd}dd~d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddtdd td|jddtd[d td|jddtdsd td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddtdd td|jddtdd td|jddtdd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddd d td|jddd d td|jdkr|jddd d td|jddd d tdn"|jdddd d td|jddd d td|jd dd d td |jd dtd d td |jddtd d td|jddd d td|j \|_ }|r|j tdtjdn|jdk r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|jtjdndS(Nsusage: %s [options]R5se {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}tadd_help_optiont formatters-hs--helptactionR!sshow this help message and exits--enableshadows --useshadowt store_trues$enable shadowed passwords by defaults--disableshadows%disable shadowed passwords by defaults --enablemd5s--usemd5senable MD5 passwords by defaults --disablemd5s disable MD5 passwords by defaults --passalgotmetavars&hash/crypt algorithm for new passwordss --enableniss*enable NIS for user information by defaults --disableniss+disable NIS for user information by defaults --nisdomainssdefault NIS domains --nisserverssdefault NIS servers --enableldaps+enable LDAP for user information by defaults --disableldaps,disable LDAP for user information by defaults--enableldapauths)enable LDAP for authentication by defaults--disableldapauths*disable LDAP for authentication by defaults --ldapservers#default LDAP server hostname or URIs --ldapbasednssdefault LDAP base DNs--enableldaptlss--enableldapstarttlss&enable use of TLS with LDAP (RFC-2830)s--disableldaptlss--disableldapstarttlss'disable use of TLS with LDAP 
(RFC-2830)s--enablerfc2307bissBenable use of RFC-2307bis schema for LDAP user information lookupss--disablerfc2307bissCdisable use of RFC-2307bis schema for LDAP user information lookupss--ldaploadcacertss load CA certificate from the URLs--enablesmartcards0enable authentication with smart card by defaults--disablesmartcards1disable authentication with smart card by defaults--enablerequiresmartcards0require smart card for authentication by defaults--disablerequiresmartcards7do not require smart card for authentication by defaults--smartcardmoduless default smart card module to uses--smartcardactions(action to be taken on smart card removals--enablefingerprints9enable authentication with fingerprint readers by defaults--disablefingerprints:disable authentication with fingerprint readers by defaults--enableecryptfss"enable automatic per-user ecryptfss--disableecryptfss#disable automatic per-user ecryptfss --enablekrb5s)enable kerberos authentication by defaults --disablekrb5s*disable kerberos authentication by defaults --krb5kdcsdefault kerberos KDCs--krb5adminserversdefault kerberos admin servers --krb5realmssdefault kerberos realms--enablekrb5kdcdnss'enable use of DNS to find kerberos KDCss--disablekrb5kdcdnss(disable use of DNS to find kerberos KDCss--enablekrb5realmdnss)enable use of DNS to find kerberos realmss--disablekrb5realmdnss*disable use of DNS to find kerberos realmss--enablewinbinds.enable winbind for user information by defaults--disablewinbinds/disable winbind for user information by defaults--enablewinbindauths,enable winbind for authentication by defaults--disablewinbindauths-disable winbind for authentication by defaults --smbsecurityss*security mode to use for samba and winbinds --smbrealms5default realm for samba and winbind when security=adss --smbserverss s(names of servers to authenticate againsts--smbworkgroups s'workgroup authentication servers are ins--smbidmapranges --smbidmapuids --smbidmapgidss4uid range winbind will assign to domain or 
ads userss--winbindseparators<\>sthe character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enableds--winbindtemplatehomedirs sGthe directory which winbind-created users will have as home directoriess--winbindtemplateshells sDthe shell which winbind-created users will have as their login shells--enablewinbindusedefaultdomains[configures winbind to assume that users with no domain in their user names are domain userss --disablewinbindusedefaultdomains_configures winbind to assume that users with no domain in their user names are not domain userss--enablewinbindofflines)configures winbind to allow offline logins--disablewinbindofflines+configures winbind to prevent offline logins--enablewinbindkrb5s+winbind will use Kerberos 5 to authenticates--disablewinbindkrb5s2winbind will use the default authentication methods --winbindjoinss>join the winbind domain or ads realm now as this administrators --enableipav2s?enable IPAv2 for user information and authentication by defaults--disableipav2s@disable IPAv2 for user information and authentication by defaults --ipav2domains-the IPAv2 domain the system should be part ofs --ipav2realmsthe realm for the IPAv2 domains --ipav2serversthe server for the IPAv2 domains--enableipav2nontps-do not setup the NTP against the IPAv2 domains--disableipav2nontps0setup the NTP against the IPAv2 domain (default)s --ipav2joins s%join the IPAv2 domain as this accounts --enablewinss#enable wins for hostname resolutions --disablewinss$disable wins for hostname resolutions--enablepreferdnss3prefer dns over wins or nis for hostname resolutions--disablepreferdnss:do not prefer dns over wins or nis for hostname resolutions--enablehesiods-enable hesiod for user information by defaults--disablehesiods.disable hesiod for user information by defaults --hesiodlhsssdefault hesiod LHSs --hesiodrhsssdefault hesiod RHSs --enablesssdsOenable SSSD for user information by default with 
manually managed configurations --disablesssdsVdisable SSSD for user information by default (still used for supported configurations)s--enablesssdauthsMenable SSSD for authentication by default with manually managed configurations--disablesssdauthsTdisable SSSD for authentication by default (still used for supported configurations)s--enableforcelegacys;never use SSSD implicitly even for supported configurationss--disableforcelegacys4use SSSD implicitly if it supports the configurations--enablecachecredss5enable caching of user credentials in SSSD by defaults--disablecachecredss6disable caching of user credentials in SSSD by defaults --enablecachesXenable caching of user information by default (automatically disabled when SSSD is used)s--disablecaches.disable caching of user information by defaults--enablelocauthorizes1local authorization is sufficient for local userss--disablelocauthorizes1authorize local users also through remote services--enablepamaccesss.check access.conf during account authorizations--disablepamaccesss5do not check access.conf during account authorizations--enablesysnetauths0authenticate system accounts by network servicess--disablesysnetauths0authenticate system accounts by local files onlys--enablemkhomedirs6create home directories for users on their first logins--disablemkhomedirs=do not create home directories for users on their first logins --passminlenssminimum length of a passwords--passminclasss1minimum number of character classes in a passwords--passmaxrepeats;maximum number of same consecutive characters in a passwords--passmaxclassrepeatsDmaximum number of consecutive characters of same class in a passwords--enablereqlowers6require at least one lowercase character in a passwords--disablereqlowers1do not require lowercase characters in a passwords--enablerequppers6require at least one uppercase character in a passwords--disablerequppers1do not require uppercase characters in a passwords--enablereqdigits(require at least one digit in a 
passwords--disablereqdigits#do not require digits in a passwords--enablereqothers2require at least one other character in a passwords--disablereqothers-do not require other characters in a passwords--enablefaillocksNenable account locking in case of too many consecutive authentication failuress--disablefaillocksGdisable account locking on too many consecutive authentication failuress--faillockargss sthe pam_faillock module optionss --nostarts+do not start/stop portmap, ypbind, and nscds--tests>do not update the configuration files, only print new settingssauthconfig-tuis--backs<display Back instead of Cancel in the main dialog of the TUIs --kickstarts1do not display the deprecated text user interfaces--updatesDopposite of --test, update configuration files with changed settingss --updateallsupdate all configuration filess--probes)probe network for defaults and print thems --savebackupss(save a backup of all configuration filess--restorebackups)restore the backup of configuration filess--restorelastbackupsXrestore the backup of configuration files saved before the previous configuration changesunexpected argumenti(t_R6RR,Rt add_optionRCtauthinfotpassword_algorithmstgetSmartcardActionstTruet parse_argstoptionsR9Rtexittprobettesttupdatet updateallt savebackupt restorebackuptrestorelastbackupR(Rtusagetparsertactshelptargs((s'/usr/share/authconfig/authconfig-tui.pyt parseOptionsvs                                                                                                                        '  cCstj|j}|j|jrF|jrFd|j|jfGHn|jrp|jrpd|j|jfGHn|jrd|j|j pd|j pdfGHndS(Ns hesiod %s/%ss ldap %s/%s skrb5 %s/%s/%s R( RKtAuthInfoR9RRt hesiodLHSt hesiodRHSt ldapServert ldapBaseDNt kerberosRealmt kerberosKDCtkerberosAdminServer(Rtinfo((s'/usr/share/authconfig/authconfig-tui.pyRRs     cCsLtj|j|_|jj|_|jjdkrHt|j_ndS(N( RKtreadR9Rftcopyt pristineinfotenableLocAuthorizeR RN(R((s'/usr/share/authconfig/authconfig-tui.pyt readAuthInfoscCstjtjtjo-tjtjtj|_tjtjtj|_tjtj tjo{tjtj tj|_ tjtj 
tjotjtj tj|_tjtjtj|_tjtjtj|_dS(N(tostaccessRKt PATH_YPBINDtX_OKtPATH_LIBNSS_NISR-t PATH_PAM_KRB5R.t PATH_PAM_LDAPtPATH_LIBNSS_LDAPR/t PATH_PAM_SSStPATH_LIBNSS_SSSR0t PATH_NSCDR1tPATH_PAM_FPRINTDR2(R((s'/usr/share/authconfig/authconfig-tui.pyttestAvailableSubsysscCsi%dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d1d26d3d46d5d66d7d86d9d:6d;d<6d=d>6d?d@6dAdB6dCdD6dEdF6dGdH6dIdJ6}idKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6}xr|jD]d\}}t|jd|rt|j|tnt|jd|rt|j|tqqWy+|jjrmd|j_n d|j_Wnt k rnX|jj r|jj |jj kr|jj |jj |j_ |jj|jj |j_nyb|jj}|dkrRt|}|dkrR|jtdd|j_d|_qRnWn9tk r|jtdd|j_d|_nXy|jj}|dkr't|}|dkr|jtdd|j_d|_n|dkr'|jtdd|j_d|_q'nWn9tk rc|jtdd|j_d|_nXyb|jj}|dkrt|}|dkr|jtdd|j_d|_qnWn9tk r|jtdd|j_d|_nXyb|jj}|dkrct|}|dkrc|jtdd|j_d|_qcnWn9tk r|jtdd|j_d|_nXxT|jD]F\}}t|j|dkrt|j|t|j|qqW|jjrS|jjjdd}|d|j_t|dkrS|d|j_qSn|jjdkrz|jj|j_n|jj ry,t|jj }t!j"||j_#Wqtt$fk r|jtdd|j_#qXn|jj%r.|jj&d8kr.|jtdt|j_%n|jj'ss|jj(rUd|j_)n|jj*rd|j_)qn@|jj't!j+kr|jtdd|j_)d|_ndS(Nt enableShadowtshadowRjt locauthorizetenablePAMAccesst pamaccesstenableSysNetAutht sysnetauthtenableMkHomeDirt mkhomedirt enableCachetcachetenableEcryptfstecryptfst enableHesiodthesiodt enableLDAPtldapt enableLDAPStldaptlstenableRFC2307bist rfc2307bistenableLDAPAuthtldapauthtenableKerberostkrb5t enableNIStnistkerberosKDCviaDNSt krb5kdcdnstkerberosRealmviaDNSt krb5realmdnstenableSmartcardt smartcardt enableFprintdt fingerprinttforceSmartcardtrequiresmartcardt enableWinbindtwinbindtenableWinbindAutht winbindauthtwinbindUseDefaultDomaintwinbindusedefaultdomaintwinbindOfflinetwinbindofflinet winbindKrb5t winbindkrb5t enableIPAv2tipav2t ipav2NoNTPt ipav2nontpt enableWINStwinst enableSSSDtsssdtenableSSSDAuthtsssdauthtenableForceLegacyt forcelegacytenableCacheCredst cachecredstpreferDNSinHostst preferdnst passReqLowertreqlowert passReqUppertrequppert passReqDigittreqdigitt 
passReqOthertreqothertenableFaillocktfaillocktpasswordAlgorithmtpassalgoR_t hesiodlhsR`t hesiodrhsRat ldapserverRbt ldapbasednt ldapCacertURLtldaploadcacertRct krb5realmRdtkrb5kdcRetkrb5adminservertsmartcardModuletsmartcardmoduletsmartcardActiontsmartcardactiont nisDomaint nisdomaint nisServert nisservert smbWorkgroupt smbworkgroupt smbServerst smbserverst smbSecurityt smbsecuritytsmbRealmtsmbrealmt smbIdmapRanget smbidmaprangetwinbindSeparatortwinbindseparatortwinbindTemplateHomedirtwinbindtemplatehomedirtwinbindTemplateShelltwinbindtemplateshellt ipav2Domaint ipav2domaint ipav2Realmt ipav2realmt ipav2Servert ipav2servert passMinLent passminlent passMinClasst passminclasst passMaxRepeatt passmaxrepeattpassMaxClassRepeattpassmaxclassrepeatt faillockArgst faillockargstenabletdisableRis!The passminlen minimum value is 6is-The passminlen option value is not an integeris+The passminclass value must not be negativeis0The passminclass value must not be higher than 4s/The passminclass option value is not an integers,The passmaxrepeat value must not be negatives0The passmaxrepeat option value is not an integers1The passmaxclassrepeat value must not be negatives5The passmaxclassrepeat option value is not an integert%is(Bad smart card removal action specified.sO--enablerequiresmartcard is not supported for module 'sssd', option is ignored.tmd5tdescrypts;Unknown password hashing algorithm specified, using sha256.tsha256(,t iteritemsRRPtsetattrRfRNR,Rt ldapSchematAttributeErrorRRctgetKerberosKDCRdtgetKerberosAdminServerReRR tintR9RIR3t ValueErrorRRRt winbindjointsplittjoinUserRt joinPasswordt ipav2joinRRKRMRt IndexErrortenablerequiresmartcardRRt enablemd5Rt disablemd5RL(Rt bool_settingststring_settingstopttaivaltvaltlstRA((s'/usr/share/authconfig/authconfig-tui.pytoverrideSettingssB      $!                                   
&      cCstS(N(RN(R((s'/usr/share/authconfig/authconfig-tui.pytdoUIgscCsht}|jjr'|jjt}n|jjdkrd|jjtr[|jjqdt }n|S(N( RNRPRRft joinDomainRR t joinIPADomaintwriteSysconfigR,(Rtret((s'/usr/share/authconfig/authconfig-tui.pyRjs  cCs|jj|jjr7|jjs7d|_q7n|jj|jjrn|jjsd|_qn!|jj |j sd|_n|j sd|_n|jj |jj dS(Niiii(RfttestLDAPCACertsRtdownloadLDAPCACertR3trehashLDAPCACertsRPRURt writeChangedRiRtposttnostart(R((s'/usr/share/authconfig/authconfig-tui.pyt writeAuthInfoxs       cCs|j|jjr0|jtjdn|jj rrtjdkrr|jt dtjdn|j |jj r|j j }tjt| n|jjr|j j|jj}tjt| n|jjr$|j j|jj}tjt| n|j|j|jsv|jjrf|jt dntjdn|jjr|j jn |j|jS(Niscan only be run as rootisdialog was cancelledi(R]RPRRRRQRSRltgetuidR9RIRkRXRft restoreLastRRWt restoreBackupRVt saveBackupRxRRt printInfoRR3(Rtrv((s'/usr/share/authconfig/authconfig-tui.pytruns6             (RRR4R6R9RCR]RRRkRxRRRRR%(((s'/usr/share/authconfig/authconfig-tui.pyR+Ys   $    t AuthconfigTUIcBseZdZdZdZdZdddZdZdZ dZ dZ d Z d Z d Zd Zd ZdZRS(cCsdS(Nsauthconfig-tui((R((s'/usr/share/authconfig/authconfig-tui.pyR6scCs/|jjr+|jjr+|jjtndS(N(RPt kickstartRRfRRN(R((s'/usr/share/authconfig/authconfig-tui.pyRscCs|s dSx|r|d}|d}t|tkrv|jjr_|d}|d}qv|d}|d}ntj|tjstd||d|f}tj |j td|tdgn|d}q WdS(NiiisThe %s file was not found, but it is required for %s support to work properly. 
Install the %s package, which provides this file.tWarningtOki( ttypettupleRft sssdSupportedRlRmtR_OKRItsnacktButtonChoiceWindowtscreen(Rttoggletwarningtpathtpackagettext((s'/usr/share/authconfig/authconfig-tui.pytwarns         +c# CsEtjtdddg}tjtdddg}tjtjftdd6dg}tjtjftdd7dg}tjtj ftd d8dg}tj td d dg}tj tdddg}tj tdddg}tj tdd|g} tjtdd| g} tjdd} tjtd} | j| ddddddtjtdt|jj} }| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|dd ddddtjtd!t|jj}}| j|dd"ddddtjdd#}tjtd$} |j| ddddddtjtd%t|jjd&k}}|j|ddddddtjtd't|jj}}|j|ddddddtjtd(t|jj}}|j|ddddddtjtd)t|jj}}|j|dd ddddtjtd*t|jj}}|j|dd"ddddtjtd+t|jj }}|j|ddddddtjtd,t|jj!}}|j|dd-ddddtjdd}|j| ddddd.dd/d9|j|ddd0dd.dd/d:tjdd}tj"|j#j$rtd1ptd2}tj"td3}|j|dd|j|ddtjdd}|j|dddd|j|ddddtj%} |j&j'|td4| j(|| j)} | |kr.| j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*rd&|j_n!|jjd&krd5|j_n|j*|j_|j*|j_|j*|j_ |j*|j_!|j*|j_|jj|f|jj|f|jj|f|jj| f|jj|f|jj|f|jj|f|jj|f|jj | fg }!x)|!D]}"|j+|"d|"dq Wn|j&j,| |kS(;NtcachingtnscdsFingerprint readert pam_fprintdtKerberostpam_krb5s sssd-clientsLDAP authenticationtpam_ldaptLDAPs nss-pam-ldapdtNIStypbindsshadow passwords shadow-utilstWinbinds samba-clientsWinbind authentications samba-winbindiisUser Informationit anchorLefttgrowxsCache InformationsUse LDAPisUse NISis Use IPAv2is Use WinbindiitAuthenticationsUse MD5 PasswordsRsUse Shadow PasswordssUse LDAP Authentications Use KerberossUse Fingerprint readersUse Winbind Authentications!Local authorization is sufficientit anchorToptpaddingt anchorRighttBacktCanceltNextsAuthentication ConfigurationR(R;s sssd-client(R<s sssd-client(s nss-pam-ldapds sssd-client(iiii(iiii(-RKRvRIR RwRqRtRrRsRuRnt PATH_PWCONVtPATH_WINBIND_NETtPATH_PAM_WINBINDtPATH_LIBNSS_WINBINDR.tGridtLabeltsetFieldtCheckboxtboolRfRRRRRRRyRRRRRjtButtonRPtbacktFormR0tgridWrappedWindowtaddR%tselectedR6t popWindow(#Rt warnCachet warnFprintdt warnKerberost warnLDAPAuthtwarnLDAPtwarnNISt warnShadowtwarnWinbindNettwarnWinbindAutht warnWinbindtinfoGridtcompRtcbRRRRtauthGridRRztldapaRtfprintdRR{tmechGridt 
buttonGridtcanceltoktmainGridtformt allwarningsR2((s'/usr/share/authconfig/authconfig-tui.pytgetMainChoicess$$$(((((.((((((%%-       cCst|}tjd|}d} g} xn|D]f\} } } }| dkrtj| tt|j| }| j||jtj dd| dd|j|d| ddn| dkrEtj | }|j|d| d dddtj d t|j| d |}| j||j|d| d dnH| d kr:tj | }|j|d| d dddddy#t|j| }|j |Wnt k r|d}nXd}g}x*|D]"}|j||||kfqWtjd|}| j||j|d| ddnS| dkrtjd| dddd}| j||j|d| ddn| d7} q1Wtj|rdpdd}tj|}tj|}|rtj|pd}|j|dd|r!|j|ddn|j||r6dp9ddtjdd}|j|ddd dd d|j|ddd dd dtj}|jj|||j|xtr|j}||krPn| }x|D]\} } } }| dkr2t|j| |jdjq| dkrct|j| |jdjq| d krt|j| |jdjq| dkr|jdqqW||krPn|r|qqW|jj||kS(NiittfvalueRRFiRAtsvalueREi(thiddenRBtrvalueRDtlvaluei2tflexDowntflexUpi(iiii(iiii(iiii(iiii(RR.RNRQRRRRfR RPROtEntrytindexRR tRadioBartTextboxReflowedRSRUR0RVRWRNR%RtpopRXtvaluet getSelectionRY(Rtdtitletitemst canceltxttoktxtt anothertxtt anothercbtrowst questionGridtrowtwidgetstttdesctattrRRfRetselt buttonlisttvtradioBarRkRlRmtanotherRnRotwcopy((s'/usr/share/authconfig/authconfig-tui.pytgetGenericChoices6s  $ " $  %            % % %   c Csdtdddfdtdddfdtdddfg}|jtd |td |rrtd p{td d tdd|jS(NRssDomain:RisRealm:RsServer:RsIPAv2 SettingsRGRIR)Rs Join DomainR(RIRtmaybeGetJoinSettings(Rtnextt questions((s'/usr/share/authconfig/authconfig-tui.pytgetIPAv2Settingss *cCsdtdddfdtdddfdtdd dfg}|jtd |td |rrtd p{td S(NRrsUse TLSRRssServer:RaisBase DN:Rbs LDAP SettingsRGRIR)(RIR R(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetLDAPSettingss cCsjdtdddfdtdddfg}|jtd|td|r]td pftd S( NRssDomain:RisServer:Rs NIS SettingsRGRIR)(RIR(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetNISSettingsscCsdtdddfdtdddfdtdddfd td d dfd td d dfg}|jtd|td|rtdptdS(NRssRealm:RcisKDC:Rds Admin Server:ReRrs"Use DNS to resolve hosts to realmsRs!Use DNS to locate KDCs for realmsRsKerberos SettingsRGRIR)(RIR R(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetKerberosSettingsscCsdtdddfdtdddfg}|jjsKd|j_n|jtd |td td r|jj|jj|jjr|jjt n|jj r|jj t n|jj nt S( NRssDomain Administrator:Ris Password:Rit Administrators Join SettingsRHR)( 
RIRfRRR0tsuspendRTRRRNRRtresume(RR((s'/usr/share/authconfig/authconfig-tui.pytgetJoinSettingss     cCsdtdddfg}tj|j}|j|jjt}|jj|r|j td|tdtd}n|r|jj n|j t S(NRvsSome of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?s Save SettingstNotYes( RIR RKRgR9RTRfR,tdiffersRRRRN(RRt orig_infoR((s'/usr/share/authconfig/authconfig-tui.pyRs    c Csddg}ddddddg}d }t||}d td d |fd tdddfd tdddfd tdddfd tdd|fg}|jtd|td|rtdptddtdd|jS(Ntadstdomains /sbin/nologins/bin/shs /bin/bashs /bin/tcshs/bin/kshs/bin/zshcSstj|tjS(N(RlRmRo(tshell((s'/usr/share/authconfig/authconfig-tui.pyt shellexistssRusSecurity Model:RRssDomain:RisDomain Controllers:Rs ADS Realm:RsTemplate Shell:RsWinbind SettingsRGRIR)Rs Join DomainR(tfilterRIRR(RRtsecuritytshellsRR((s'/usr/share/authconfig/authconfig-tui.pytgetWinbindSettingss   *cCs:d}t}x!|dkr/|dkr/|jj|dkrO|j}n|dkr|jjr|jjp|jjp|jjp|jjp|jj p|jj }|j |}qn>|dkr-|jjs|jjr|jjp|jjp|jj p|jj }|j |}qn|dkr~|jjr|jjpf|jj pf|jj }|j |}qn|dkr|jjr|jj p|jj }|j|}qn?|dkr|jj s|jj rt}|j|}qn|jj|r"|d7}q|d8}qW|dkS( Niiiiiiii(R,RfRTRqRRRRRRRRRRRR(RRtrctmore((s'/usr/share/authconfig/authconfig-tui.pyt getChoicessT                           cCsBtd|jj}tj|jtd|tdgdS(NsTo connect to a LDAP server with TLS protocol enabled you need a CA certificate which signed your server's certificate. Copy the certificate in the PEM format to the '%s' directory. 
Then press OK.R(R)(RIRft ldapCacertDirR.R/R0(RR5((s'/usr/share/authconfig/authconfig-tui.pytdisplayCACertsMessages  cCs|jjrtSztj|_|j}|jjtd|jj dd|d|j s{|jj t S|j jr|j jr|jnWd|jj XtS(NsN / between elements | selects | next screenis - (c) 1999-2005 Red Hat, Inc.(RPR'RNR.t SnackScreenR0R6t pushHelpLineRIt drawRootTextRtfinishR,RfRRR(Rtpackageversion((s'/usr/share/authconfig/authconfig-tui.pyRs    N(RRR6RR6RqR RRRRRRRRRRR(((s'/usr/share/authconfig/authconfig-tui.pyR&s    r_       - t__main__R5(RKtacutiltgettextRltsignalRtlgettextRItoptparseRRRt setlocaletLC_ALLtErrorR7RRR.RRR+R&RtSIGINTtSIG_DFLt textdomainR6RQR%(((s'/usr/share/authconfig/authconfig-tui.pyts20     $P     shvfile.pyc000064400000010716147645272700006744 0ustar00 8Yc@sGddlZdZdZdZdZdddYZdS( iNcCs't}|j|d|j|S(Ntr(tSHVFiletopentparse(tfilenametshv((s /usr/share/authconfig/shvfile.pytreads  cCs't}|j|d|j|S(Nsr+(RRR(RR((s /usr/share/authconfig/shvfile.pytrcreate s  cCs|s |St|}|ddks6|ddkrb|d||dkrb|d|d!}nd}xvtr|jd|}|dkrPn|dt|kr|d|!}Pn|d|!||d}|d7}qkW|S(Nis"t'is\(tlentTruetfind(tstslenti((s /usr/share/authconfig/shvfile.pytunescape's  8   cCs|jdd}|jdd}|jdd}|jdd}|jd d }|jd d }|jd dks|jddkrd|d}n|S(Ns\s\\s"s\"Rs\'t$s\\$t~s\\~t`s\\`t is (treplaceR (R ((s /usr/share/authconfig/shvfile.pytescape:s*RcBsYeZdZdZdZdZdZdZdZdZ dZ RS( cCsd|_d|_i|_dS(Nt(RtNonetft variables(tself((s /usr/share/authconfig/shvfile.pyt__init__Fs  cCsX||_|dkr*t|||_n*yt|||_Wntk rSnXdS(NR(RRRtIOError(RRtmode((s /usr/share/authconfig/shvfile.pyRKs   cCsp|js dSx\|jD]Q}|jjdd}t|dkrMqnt|d|j|dnsRs (RtosRRtO_RDWRtO_CREATtOSErrortfdopenRtclosetseekttruncateRtitemstsorttwriteRtflushtfsynctfileno(Rtpermstfdt ordereditemstnametvalue((s /usr/share/authconfig/shvfile.pyR2_s* &    &  cCs>|jr:y|jjWntk r-nXd|_ndS(N(RR-RR(R((s /usr/share/authconfig/shvfile.pyR-ws   cCs(y|j|SWntk r#dSXdS(NR(RtKeyError(RR9((s /usr/share/authconfig/shvfile.pytgetValues cCsy|j|j}Wntk r0tnX|dksa|dksa|dksa|dkretS|dks|dks|dks|dkrtStdS( NtyesttruettR&tnotfalseRtn(RtlowerR;t ValueErrorR 
tFalse(RR9tval((s /usr/share/authconfig/shvfile.pyt getBoolValues  00cCs6|s%||jkr2|j|=q2n ||j|s     dnsclient.pyo000064400000026605147645272700007307 0ustar00 8Yc@sddlZddlZddlZddlZdZdZdZdZdZdZ dZ dZ dZ d Z d Zd Zd Zd ZdZdZdZeZdd,dYZdZdd-dYZdd.dYZdZdZdZdZdZdZ dZ!dZ"dZ#d Z$d!Z%d"Z&d#Z'd$Z(d%Z)d&Z*d'Z+e,d(kre-Zd)GHe+e.ej/dkrej/dpd*eeZ0ej1d+ndS(/iNiiiiiiii i i i iii!tDNSQueryHeadercBs2eZdZdZdZdZdZRS(s!HBBHHHHcCsyd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ dS(Ni( tdns_idtdns_rdtdns_tctdns_aat dns_opcodetdns_qrt dns_rcodetdns_ztdns_rat dns_qdcountt dns_ancountt dns_nscountt dns_arcount(tself((s"/usr/share/authconfig/dnsclient.pyt__init__/s            c Cstjtj|j|jd@|jd@d>B|jd@d>B|jd@d>B|j d@d>B|j d@|j d@d>B|j d@d>B|j |j|j|jS(Niiiiii(tstructtpackRtFORMATRRRRRRRRR R R R R (R((s"/usr/share/authconfig/dnsclient.pyR>s 7cCstjtj|d|j!\|_}}|_|_|_|_ |d@|_ |d?d@|_ |d?d@|_ |d?d@|_ |d?d@|_|d@|_|d?d@|_|d?d@|_dS(Niiiiiii(RtunpackRRtsizeRR R R R RRRRRRRR (Rtdatatbyte1tbyte2((s"/usr/share/authconfig/dnsclient.pyRNsF  cCstjtjS(N(RtcalcsizeRR(R((s"/usr/share/authconfig/dnsclient.pyRZs(t__name__t __module__RRRRR(((s"/usr/share/authconfig/dnsclient.pyR-s    cCst}|j||S(N(RR(Rtheader((s"/usr/share/authconfig/dnsclient.pytunpackQueryHeader]s  t DNSResultcBsAeZdZdZdZdZdZdZdZRS(s!HHIHs!HHcCs:d|_d|_d|_d|_d|_d|_dS(Nti(tdns_nametdns_typet dns_classtdns_ttlt dns_rlengthtNonetrdata(R((s"/usr/share/authconfig/dnsclient.pyRes      cCs>tjtj|d|j!\|_|_|_|_dS(Ni( RRRRRR R!R"R#(RR((s"/usr/share/authconfig/dnsclient.pyRmscCs2tjtj|d|j!\|_|_dS(Ni(RRRtQFORMATtqsizeR R!(RR((s"/usr/share/authconfig/dnsclient.pytqunpackqscCstjtjS(N(RRRR(R((s"/usr/share/authconfig/dnsclient.pyRtscCstjtjS(N(RRRR&(R((s"/usr/share/authconfig/dnsclient.pyR'ws( RRRR&RRR(RR'(((s"/usr/share/authconfig/dnsclient.pyRbs    tDNSRDatacBseZdZRS(cCsdS(N((R((s"/usr/share/authconfig/dnsclient.pyR{s(RRR(((s"/usr/share/authconfig/dnsclient.pyR)zscCsDd}|jd}x(|D] 
}|tt||7}qW|S(NRt.(tsplittchrtlen(tnametouttpart((s"/usr/share/authconfig/dnsclient.pytdnsNameToLabels  cCst}d|_d|_d|_d|_d|_t|}|sLdS|j|}|t|d?7}|t|d@7}|t|d?7}|t|d@7}|S(NiiRii( RRRRRR R1RR,(tquerytqclasstqtypeRtqlabelR/((s"/usr/share/authconfig/dnsclient.pytdnsFormatQuerys       cCs|s d Sd}|}d}d}yxt|drt|dd@r|t|dd@d>t|d}|r|d7}nd}q(n||dt|dd!d7}|r|t|dd7}n|t|dd}q(WWntk r d SX||||fS( NRiiii?iiR*(RN(RN(R$tordt IndexError(tlabeltbasetupdatetresttoutputtskip((s"/usr/share/authconfig/dnsclient.pyt dnsParseLabels** #  cCst}t|dkr(d|_dSt|dd>t|dd>Bt|dd>Bt|dd>B|_trd t|dt|dt|dt|dfGHn|S( NiiiiiiiisA = %d.%d.%d.%d.(R)R-taddressR$R7tDEBUG_DNSCLIENT(RR:R%((s"/usr/share/authconfig/dnsclient.pyt dnsParseAs  M@cCs]t|dkrdSt|d}t||dkr@dS||d|d|d!fS(NiRi(RN(RN(R-R$R7(Rttlen((s"/usr/share/authconfig/dnsclient.pyt dnsParseTexts cCs:t}t||\}|_tr6d|jGHn|S(NsNS DNAME = "%s".(R)R?tnsdnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseNSs  cCs:t}t||\}|_tr6d|jGHn|S(Ns CNAME = "%s".(R)R?tcnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseCNAMEs  cCs"t}d}t||\}|_|jdkr:dSt||\}|_|jdkredSt|tj|krdStj||tj| \|_ |_ |_ |_ |_ trd|jGHd|jGHd|j GHd|j GHd|j GHd|j GHd|j GHn|S( Ns!IIIIIsSOA(mname) = "%s".sSOA(rname) = "%s".sSOA(serial) = %d.sSOA(refresh) = %d.sSOA(retry) = %d.sSOA(expire) = %d.sSOA(minimum) = %d.(R)R?tmnameR$trnameR-RRRtserialtrefreshtretrytexpiretminimumRA(RR:R%tformatR<((s"/usr/share/authconfig/dnsclient.pyt dnsParseSOAs( =      cCsdS(N(R$(RR:((s"/usr/share/authconfig/dnsclient.pyt dnsParseNULL"scCsdS(N(R$(RR:((s"/usr/share/authconfig/dnsclient.pyt dnsParseWKS&scCsat}t|\}|_|r<t|\}|_ntr]d|jGHd|jGHn|S(NsHINFO(cpu) = "%s".sHINFO(os) = "%s".(R)RDtcputosRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseHINFO)s  cCst}t|dkrdSt|dd>t|dB|_t|d|\}|_trd|jGHd|jGHn|S(NiiiisMX(exchanger) = "%s".sMX(preference) = %d.(R)R-R$R7t preferenceR?texchangeRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseMX3s % cCs7t}t|\}|_tr3d|jGHn|S(Ns TXT = 
"%s".(R)RDRRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParseTXT>s  cCs:t}t||\}|_tr6d|jGHndS(Ns PTR = "%s".(R)R?tptrdnameRA(RR:R%R<((s"/usr/share/authconfig/dnsclient.pyt dnsParsePTREs cCst}d}tj|}t||kr4dStj||| \|_|_|_t |||\}|_ t rd|j GHd|jGHd|jGHd|jGHn|S(Ns!HHHsSRV(server) = "%s".sSRV(weight) = %d.sSRV(priority) = %d.sSRV(port) = %d.( R)RRR-R$RtprioritytweighttportR?tserverRA(RR:R%RPtflenR<((s"/usr/share/authconfig/dnsclient.pyt dnsParseSRVKs (   cCsyt|}Wntjk r'gSX|jdkr;gS|jdkrNgS||j}g}xt|jD]}|sgSt}t ||\}}|dkrgSt ||j krgS|j |||j }trtd||j|jfGHqtqtWxt|j|j|jD]~}t ||\}}|dkrYgSt}||_t ||jkrgS|j|||j}trd||j|j|j|jfGHnt ||jkrtrdGHngSi tt6tt6tt6tt6t t!6t"t#6t$t%6t&t'6t(t)6t*t+6t,t-6}|j|krrtrd|jGHqn ||j||j ||_.||j}||g7}q.W|s|g}n|S(Niis(Queried for '%s', class = %d, type = %d.s4Answer %d for '%s', class = %d, type = %d, ttl = %d.sAnswer too short.s#Don't know how to parse RR type %d!(/RRterrorRRRtxrangeR RR?R$R-R'R(RAR!R R R R RRR"R#RBtDNS_T_ARFtDNS_T_NSRHt DNS_T_CNAMERQt DNS_T_SOARRt DNS_T_NULLRSt DNS_T_WKSR\t DNS_T_PTRRVt DNS_T_HINFORYtDNS_T_MXRZt DNS_T_TXTRbt DNS_T_SRVR%(tresultsRR<trrlisttitrrR9tfmap((s"/usr/share/authconfig/dnsclient.pytdnsParseResults[sr   $        cCs?t|||}|sgStj|}|s5gSt|S(N(R6tacutiltres_sendRu(R2R3R4tqdatatanswer((s"/usr/share/authconfig/dnsclient.pyR2st__main__sSending query.sdevserv.devel.redhat.com.i((((2RtsockettsysRvtDNS_C_INtDNS_C_CSt DNS_C_CHAOStDNS_C_HSt DNS_C_ANYReRfRgRhRiRjRkRlRmRnRot DNS_T_ANYtFalseRARRRR)R1R6R?RBRDRFRHRQRRRSRVRYRZR\RbRuR2RtTrueR-targvRstexit(((s"/usr/share/authconfig/dnsclient.pyts`    0 6             S ( shvfile.py000064400000007302147645272700006576 0ustar00# # shvfile.py # # Implementation of non-destructively reading/writing files containing # only shell variable declarations and full-line comments. # # Copyright 1999 - 2005 Red Hat, Inc. 
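#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#

import os

def read(filename):
    """Open filename read-only and return an SHVFile with its variables parsed.

    The file is opened in mode "r", so a missing or unreadable file raises
    IOError to the caller.  The returned object keeps the file open.
    """
    shv = SHVFile()
    shv.open(filename, "r")
    shv.parse()
    return shv

def rcreate(filename):
    """Open filename for update and return an SHVFile with its variables parsed.

    The file is opened in mode "r+".  SHVFile.open() ignores IOError for
    that mode, so a missing file gives an object with no variables.
    """
    shv = SHVFile()
    shv.open(filename, "r+")
    shv.parse()
    return shv

# remove escaped characters in place
def unescape(s):
    """Return s with one level of quoting and backslash escaping removed.

    A matching pair of surrounding single or double quotes is stripped,
    then every backslash is dropped and the character after it is kept.
    A trailing lone backslash is dropped.  Empty or None input is returned
    unchanged.
    """
    if not s:
        return s
    slen = len(s)
    # Require two characters: a lone quote is not a quoted (empty) string.
    if slen >= 2 and s[0] in ("\"", "'") and s[0] == s[slen-1]:
        s = s[1:slen-1]
    out = []
    i = 0
    end = len(s)
    while i < end:
        ch = s[i]
        if ch == "\\":
            # Drop the backslash and take the next character literally.
            i += 1
            if i >= end:
                break
            ch = s[i]
        out.append(ch)
        i += 1
    return "".join(out)

# create a new string with all necessary characters escaped.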
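def escape(s):
    """Return a copy of *s* escaped for use as a shell variable value.

    Backslash, double quote, single quote, dollar, tilde and backtick each
    get one preceding backslash, which is what unescape() removes again.  The
    result is wrapped in double quotes when it contains a space or a tab.
    """
    # Backslashes first, so the ones added below are not doubled again.
    s = s.replace("\\", "\\\\")
    # Exactly one backslash per special character.  Two backslashes in front
    # of "$", "~" or "`" do not round-trip through unescape() and leave the
    # character unescaped when a shell sources the file.
    for special in ("\"", "'", "$", "~", "`"):
        s = s.replace(special, "\\" + special)
    # Quote on any blank, including one at index 0: a value that starts with
    # a blank must not be written unquoted after "NAME=".
    # NOTE(review): a shell keeps the backslash of \' and \~ inside double
    # quotes; only unescape() in this module reverses them - confirm how the
    # written files are consumed.
    if " " in s or "\t" in s:
        s = "\"" + s + "\""
    return s


class SHVFile:
    """In-memory view of a file made of NAME=value lines.

    Values live in the ``variables`` dict; ``f`` is the open file object or
    None.
    """

    def __init__(self):
        self.filename = ""
        self.f = None
        self.variables = {}

    def open(self, filename, mode):
        """Remember *filename* and open it with *mode*.

        In mode "r" an IOError from open() propagates.  For every other mode
        the IOError is swallowed and ``f`` keeps its previous value, so that
        write() can create the file later.
        """
        self.filename = filename
        if mode == "r":
            self.f = open(filename, mode)
        else:
            try:
                self.f = open(filename, mode)
            except IOError:
                pass
        return

    def parse(self):
        """Fill ``variables`` from the open file; do nothing without one.

        Each line is split at its first "=".  Lines without "=" are skipped;
        no special handling of "#" lines is visible here, so a comment line
        that contains "=" is stored like any other entry.
        """
        if not self.f:
            return
        for line in self.f:
            vs = line.rstrip().split("=", 1)
            if len(vs) < 2:
                continue
            self.variables[vs[0]] = unescape(vs[1])

    def write(self, perms):
        """Rewrite the file from ``variables``, one NAME=value per line.

        When no file is open, the file is opened (and created if missing)
        with os.open(); *perms* is the mode passed to that call, so it only
        takes effect on creation and an existing file keeps its mode.  All
        I/O errors are swallowed: callers get no indication of failure.
        """
        if not self.f:
            try:
                fd = os.open(self.filename, os.O_RDWR | os.O_CREAT, perms)
            except OSError:
                return
            try:
                self.f = os.fdopen(fd, "w")
            except IOError:
                os.close(fd)
                return
        try:
            self.f.seek(0)
            self.f.truncate()
            # Names are dict keys and therefore unique, so ordering by name
            # alone gives a stable file layout.
            ordereditems = sorted(self.variables.items(),
                                  key=lambda item: item[0])
            for name, value in ordereditems:
                self.f.write(name + "=" + escape(value) + "\n")
            self.f.flush()
            os.fsync(self.f.fileno())
        except IOError:
            # we cannot do much in case of error anyway
            pass

    def close(self):
        """Close the file if one is open and forget it."""
        if self.f:
            try:
                self.f.close()
            except IOError:
                # we cannot do much in case of error anyway
                pass
            self.f = None

    def getValue(self, name):
        """Return the value stored for *name*, or "" when it is not set."""
        try:
            return self.variables[name]
        except KeyError:
            return ""

    def getBoolValue(self, name):
        """Interpret the value of *name* as a boolean.

        Returns True for "yes", "true", "t", "y" and False for "no", "false",
        "f", "n" (case-insensitive).  Raises ValueError when *name* is not
        set or holds anything else.
        """
        try:
            val = self.variables[name].lower()
        except KeyError:
            raise ValueError
        if val in ("yes", "true", "t", "y"):
            return True
        if val in ("no", "false", "f", "n"):
            return False
        raise ValueError

    def setValue(self, name, value):
        """Store *value* under *name*; a false value removes the entry."""
        if not value:
            if name in self.variables:
                del self.variables[name]
        else:
            self.variables[name] = value

    def setBoolValue(self, name, value):
        """Store "yes" or "no" under *name* according to *value*'s truth."""
        if value:
            self.variables[name] = "yes"
        else:
            self.variables[name] = "no"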
authconfig-tui.pyc000064400000117747147645272700010246 0ustar00 8Yc@sddlZddlZddlZddlZddlZddlZejZddlm Z m Z ddl Z ye j e j dWn$e jk rejjdnXdZedrddlZnde fdYZd e fd YZd fd YZd efdYZedkrejejejejdedrqeZn eZejejndS(iN(t OptionParsertIndentedHelpFormatterts%Warning: Unsupported locale setting. cCstjdj|dkS(Ni(tsystargvtfind(tname((s'/usr/share/authconfig/authconfig-tui.pytrunsAs%ssauthconfig-tuitUnihelpOptionParsercBseZddZRS(cCs~|dkrtj}ntj}t|dd}| sI|dkrR|}n|j|jj|j |ddS(Ntencodingtasciitreplace( tNoneRtstdouttlocaletgetpreferredencodingtgetattrtwritet format_helptdecodetencode(tselftfilet srcencodingR ((s'/usr/share/authconfig/authconfig-tui.pyt print_help,s    N(t__name__t __module__R R(((s'/usr/share/authconfig/authconfig-tui.pyR+stNonWrapFormattercBseZdZRS(cCsg}|j|}|j|jd}t||kr[d|jd|f}|j}n8d|jd||f}d|jd||f}d}|j||jr|j|}|jd|d|fn |ddkr|jdndj|S(Nis%*s%s Rs %*s%-*s iis (toption_stringst help_positiontcurrent_indenttlentappendthelptexpand_defaulttjoin(Rtoptiontresulttoptst opt_widtht indent_firstt help_text((s'/usr/share/authconfig/authconfig-tui.pyt format_option6s     (RRR*(((s'/usr/share/authconfig/authconfig-tui.pyR5st AuthconfigcBs}eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d ZRS( cCsCt|_t|_t|_t|_t|_t|_d|_dS(Ni(tFalset nis_availtkerberos_availt ldap_availt sssd_availt cache_availt fprintd_availtretval(R((s'/usr/share/authconfig/authconfig-tui.pyt__init__Zs      cCsdS(Nt authconfig((R((s'/usr/share/authconfig/authconfig-tui.pytmodulecscCs$tjjd|j|fdS(Ns%s: %s (RtstderrRR6(Rterror((s'/usr/share/authconfig/authconfig-tui.pyt printErrorfscCsud}d}xX|D]P}|dkr2|d7}n|rO|t|d7}n||7}|d7}qW|d7}|S(Nit(tstr(RtltaddidxtidxR!titem((s'/usr/share/authconfig/authconfig-tui.pytlistHelpis     c CsBtd|j}|jdkr5|d7}nt|dtdt}|jdddd d td |jd d dd d td|jddd d td|jdddd d td|jddd d td|jdd|jtjtd td|jddd d td|jddd d td|jddtdd td|jd dtd!d td"|jd#dd d td$|jd%dd d td&|jd'dd d td(|jd)dd d td*|jd+dtd!d td,|jd-dtd.d td/|jd0d1dd d td2|jd3d4dd d td5|jd6dd d td7|jd8dd d td9|jd:dtd;d td<|jd=dd d td>|jd?dd d td@|jdAdd d 
tdB|jdCdd d tdD|jdEdtdFd tdG|jtj t }|jdHd|d tdI|jdJdd d tdK|jdLdd d tdM|jdNdd d tdO|jdPdd d tdQ|jdRdd d tdS|jdTdd d tdU|jdVdtd!d tdW|jdXdtd!d tdY|jdZdtd[d td\|jd]dd d td^|jd_dd d td`|jdadd d tdb|jdcdd d tdd|jdedd d tdf|jdgdd d tdh|jdidd d tdj|jdkdd d tdl|jdmddnd tdo|jdpdtd[d tdq|jdrdtdsd tdt|jdudtdvd tdw|jdxdydzdtd{d td||jd}dd~d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddtdd td|jddtd[d td|jddtdsd td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddtdd td|jddtdd td|jddtdd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddd d td|jddd d td|jdkr|jddd d td|jddd d tdn"|jdddd d td|jddd d td|jd dd d td |jd dtd d td |jddtd d td|jddd d td|j \|_ }|r|j tdtjdn|jdk r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|jtjdndS(Nsusage: %s [options]R5se {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}tadd_help_optiont formatters-hs--helptactionR!sshow this help message and exits--enableshadows --useshadowt store_trues$enable shadowed passwords by defaults--disableshadows%disable shadowed passwords by defaults --enablemd5s--usemd5senable MD5 passwords by defaults --disablemd5s disable MD5 passwords by defaults --passalgotmetavars&hash/crypt algorithm for new passwordss --enableniss*enable NIS for user information by defaults --disableniss+disable NIS for user information by defaults --nisdomainssdefault NIS domains --nisserverssdefault NIS servers --enableldaps+enable LDAP for user information by defaults --disableldaps,disable LDAP for user information by defaults--enableldapauths)enable LDAP for authentication by defaults--disableldapauths*disable LDAP for 
authentication by defaults --ldapservers#default LDAP server hostname or URIs --ldapbasednssdefault LDAP base DNs--enableldaptlss--enableldapstarttlss&enable use of TLS with LDAP (RFC-2830)s--disableldaptlss--disableldapstarttlss'disable use of TLS with LDAP (RFC-2830)s--enablerfc2307bissBenable use of RFC-2307bis schema for LDAP user information lookupss--disablerfc2307bissCdisable use of RFC-2307bis schema for LDAP user information lookupss--ldaploadcacertss load CA certificate from the URLs--enablesmartcards0enable authentication with smart card by defaults--disablesmartcards1disable authentication with smart card by defaults--enablerequiresmartcards0require smart card for authentication by defaults--disablerequiresmartcards7do not require smart card for authentication by defaults--smartcardmoduless default smart card module to uses--smartcardactions(action to be taken on smart card removals--enablefingerprints9enable authentication with fingerprint readers by defaults--disablefingerprints:disable authentication with fingerprint readers by defaults--enableecryptfss"enable automatic per-user ecryptfss--disableecryptfss#disable automatic per-user ecryptfss --enablekrb5s)enable kerberos authentication by defaults --disablekrb5s*disable kerberos authentication by defaults --krb5kdcsdefault kerberos KDCs--krb5adminserversdefault kerberos admin servers --krb5realmssdefault kerberos realms--enablekrb5kdcdnss'enable use of DNS to find kerberos KDCss--disablekrb5kdcdnss(disable use of DNS to find kerberos KDCss--enablekrb5realmdnss)enable use of DNS to find kerberos realmss--disablekrb5realmdnss*disable use of DNS to find kerberos realmss--enablewinbinds.enable winbind for user information by defaults--disablewinbinds/disable winbind for user information by defaults--enablewinbindauths,enable winbind for authentication by defaults--disablewinbindauths-disable winbind for authentication by defaults --smbsecurityss*security mode to use for samba and winbinds 
--smbrealms5default realm for samba and winbind when security=adss --smbserverss s(names of servers to authenticate againsts--smbworkgroups s'workgroup authentication servers are ins--smbidmapranges --smbidmapuids --smbidmapgidss4uid range winbind will assign to domain or ads userss--winbindseparators<\>sthe character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enableds--winbindtemplatehomedirs sGthe directory which winbind-created users will have as home directoriess--winbindtemplateshells sDthe shell which winbind-created users will have as their login shells--enablewinbindusedefaultdomains[configures winbind to assume that users with no domain in their user names are domain userss --disablewinbindusedefaultdomains_configures winbind to assume that users with no domain in their user names are not domain userss--enablewinbindofflines)configures winbind to allow offline logins--disablewinbindofflines+configures winbind to prevent offline logins--enablewinbindkrb5s+winbind will use Kerberos 5 to authenticates--disablewinbindkrb5s2winbind will use the default authentication methods --winbindjoinss>join the winbind domain or ads realm now as this administrators --enableipav2s?enable IPAv2 for user information and authentication by defaults--disableipav2s@disable IPAv2 for user information and authentication by defaults --ipav2domains-the IPAv2 domain the system should be part ofs --ipav2realmsthe realm for the IPAv2 domains --ipav2serversthe server for the IPAv2 domains--enableipav2nontps-do not setup the NTP against the IPAv2 domains--disableipav2nontps0setup the NTP against the IPAv2 domain (default)s --ipav2joins s%join the IPAv2 domain as this accounts --enablewinss#enable wins for hostname resolutions --disablewinss$disable wins for hostname resolutions--enablepreferdnss3prefer dns over wins or nis for hostname resolutions--disablepreferdnss:do not prefer dns over wins or nis for hostname 
resolutions--enablehesiods-enable hesiod for user information by defaults--disablehesiods.disable hesiod for user information by defaults --hesiodlhsssdefault hesiod LHSs --hesiodrhsssdefault hesiod RHSs --enablesssdsOenable SSSD for user information by default with manually managed configurations --disablesssdsVdisable SSSD for user information by default (still used for supported configurations)s--enablesssdauthsMenable SSSD for authentication by default with manually managed configurations--disablesssdauthsTdisable SSSD for authentication by default (still used for supported configurations)s--enableforcelegacys;never use SSSD implicitly even for supported configurationss--disableforcelegacys4use SSSD implicitly if it supports the configurations--enablecachecredss5enable caching of user credentials in SSSD by defaults--disablecachecredss6disable caching of user credentials in SSSD by defaults --enablecachesXenable caching of user information by default (automatically disabled when SSSD is used)s--disablecaches.disable caching of user information by defaults--enablelocauthorizes1local authorization is sufficient for local userss--disablelocauthorizes1authorize local users also through remote services--enablepamaccesss.check access.conf during account authorizations--disablepamaccesss5do not check access.conf during account authorizations--enablesysnetauths0authenticate system accounts by network servicess--disablesysnetauths0authenticate system accounts by local files onlys--enablemkhomedirs6create home directories for users on their first logins--disablemkhomedirs=do not create home directories for users on their first logins --passminlenssminimum length of a passwords--passminclasss1minimum number of character classes in a passwords--passmaxrepeats;maximum number of same consecutive characters in a passwords--passmaxclassrepeatsDmaximum number of consecutive characters of same class in a passwords--enablereqlowers6require at least one lowercase character in a 
passwords--disablereqlowers1do not require lowercase characters in a passwords--enablerequppers6require at least one uppercase character in a passwords--disablerequppers1do not require uppercase characters in a passwords--enablereqdigits(require at least one digit in a passwords--disablereqdigits#do not require digits in a passwords--enablereqothers2require at least one other character in a passwords--disablereqothers-do not require other characters in a passwords--enablefaillocksNenable account locking in case of too many consecutive authentication failuress--disablefaillocksGdisable account locking on too many consecutive authentication failuress--faillockargss sthe pam_faillock module optionss --nostarts+do not start/stop portmap, ypbind, and nscds--tests>do not update the configuration files, only print new settingssauthconfig-tuis--backs<display Back instead of Cancel in the main dialog of the TUIs --kickstarts1do not display the deprecated text user interfaces--updatesDopposite of --test, update configuration files with changed settingss --updateallsupdate all configuration filess--probes)probe network for defaults and print thems --savebackupss(save a backup of all configuration filess--restorebackups)restore the backup of configuration filess--restorelastbackupsXrestore the backup of configuration files saved before the previous configuration changesunexpected argumenti(t_R6RR,Rt add_optionRCtauthinfotpassword_algorithmstgetSmartcardActionstTruet parse_argstoptionsR9Rtexittprobettesttupdatet updateallt savebackupt restorebackuptrestorelastbackupR(Rtusagetparsertactshelptargs((s'/usr/share/authconfig/authconfig-tui.pyt parseOptionsvs                                                                                                                        '  cCstj|j}|j|jrF|jrFd|j|jfGHn|jrp|jrpd|j|jfGHn|jrd|j|j pd|j pdfGHndS(Ns hesiod %s/%ss ldap %s/%s skrb5 %s/%s/%s R( RKtAuthInfoR9RRt hesiodLHSt hesiodRHSt ldapServert ldapBaseDNt kerberosRealmt 
kerberosKDCtkerberosAdminServer(Rtinfo((s'/usr/share/authconfig/authconfig-tui.pyRRs     cCsLtj|j|_|jj|_|jjdkrHt|j_ndS(N( RKtreadR9Rftcopyt pristineinfotenableLocAuthorizeR RN(R((s'/usr/share/authconfig/authconfig-tui.pyt readAuthInfoscCstjtjtjo-tjtjtj|_tjtjtj|_tjtj tjo{tjtj tj|_ tjtj tjotjtj tj|_tjtjtj|_tjtjtj|_dS(N(tostaccessRKt PATH_YPBINDtX_OKtPATH_LIBNSS_NISR-t PATH_PAM_KRB5R.t PATH_PAM_LDAPtPATH_LIBNSS_LDAPR/t PATH_PAM_SSStPATH_LIBNSS_SSSR0t PATH_NSCDR1tPATH_PAM_FPRINTDR2(R((s'/usr/share/authconfig/authconfig-tui.pyttestAvailableSubsysscCsi%dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d1d26d3d46d5d66d7d86d9d:6d;d<6d=d>6d?d@6dAdB6dCdD6dEdF6dGdH6dIdJ6}idKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6}xr|jD]d\}}t|jd|rt|j|tnt|jd|rt|j|tqqWy+|jjrmd|j_n d|j_Wnt k rnX|jj r|jj |jj kr|jj |jj |j_ |jj|jj |j_nyb|jj}|dkrRt|}|dkrR|jtdd|j_d|_qRnWn9tk r|jtdd|j_d|_nXy|jj}|dkr't|}|dkr|jtdd|j_d|_n|dkr'|jtdd|j_d|_q'nWn9tk rc|jtdd|j_d|_nXyb|jj}|dkrt|}|dkr|jtdd|j_d|_qnWn9tk r|jtdd|j_d|_nXyb|jj}|dkrct|}|dkrc|jtdd|j_d|_qcnWn9tk r|jtdd|j_d|_nXxT|jD]F\}}t|j|dkrt|j|t|j|qqW|jjrS|jjjdd}|d|j_t|dkrS|d|j_qSn|jjdkrz|jj|j_n|jj ry,t|jj }t!j"||j_#Wqtt$fk r|jtdd|j_#qXn|jj%r.|jj&d8kr.|jtdt|j_%n|jj'ss|jj(rUd|j_)n|jj*rd|j_)qn@|jj't!j+kr|jtdd|j_)d|_ndS(Nt enableShadowtshadowRjt locauthorizetenablePAMAccesst pamaccesstenableSysNetAutht sysnetauthtenableMkHomeDirt mkhomedirt enableCachetcachetenableEcryptfstecryptfst enableHesiodthesiodt enableLDAPtldapt enableLDAPStldaptlstenableRFC2307bist rfc2307bistenableLDAPAuthtldapauthtenableKerberostkrb5t enableNIStnistkerberosKDCviaDNSt krb5kdcdnstkerberosRealmviaDNSt krb5realmdnstenableSmartcardt smartcardt enableFprintdt fingerprinttforceSmartcardtrequiresmartcardt enableWinbindtwinbindtenableWinbindAutht winbindauthtwinbindUseDefaultDomaintwinbindusedefaultdomaintwinbindOfflinetwinbindofflinet winbindKrb5t winbindkrb5t 
enableIPAv2tipav2t ipav2NoNTPt ipav2nontpt enableWINStwinst enableSSSDtsssdtenableSSSDAuthtsssdauthtenableForceLegacyt forcelegacytenableCacheCredst cachecredstpreferDNSinHostst preferdnst passReqLowertreqlowert passReqUppertrequppert passReqDigittreqdigitt passReqOthertreqothertenableFaillocktfaillocktpasswordAlgorithmtpassalgoR_t hesiodlhsR`t hesiodrhsRat ldapserverRbt ldapbasednt ldapCacertURLtldaploadcacertRct krb5realmRdtkrb5kdcRetkrb5adminservertsmartcardModuletsmartcardmoduletsmartcardActiontsmartcardactiont nisDomaint nisdomaint nisServert nisservert smbWorkgroupt smbworkgroupt smbServerst smbserverst smbSecurityt smbsecuritytsmbRealmtsmbrealmt smbIdmapRanget smbidmaprangetwinbindSeparatortwinbindseparatortwinbindTemplateHomedirtwinbindtemplatehomedirtwinbindTemplateShelltwinbindtemplateshellt ipav2Domaint ipav2domaint ipav2Realmt ipav2realmt ipav2Servert ipav2servert passMinLent passminlent passMinClasst passminclasst passMaxRepeatt passmaxrepeattpassMaxClassRepeattpassmaxclassrepeatt faillockArgst faillockargstenabletdisableRis!The passminlen minimum value is 6is-The passminlen option value is not an integeris+The passminclass value must not be negativeis0The passminclass value must not be higher than 4s/The passminclass option value is not an integers,The passmaxrepeat value must not be negatives0The passmaxrepeat option value is not an integers1The passmaxclassrepeat value must not be negatives5The passmaxclassrepeat option value is not an integert%is(Bad smart card removal action specified.sO--enablerequiresmartcard is not supported for module 'sssd', option is ignored.tmd5tdescrypts;Unknown password hashing algorithm specified, using sha256.tsha256(,t iteritemsRRPtsetattrRfRNR,Rt ldapSchematAttributeErrorRRctgetKerberosKDCRdtgetKerberosAdminServerReRR tintR9RIR3t ValueErrorRRRt winbindjointsplittjoinUserRt joinPasswordt ipav2joinRRKRMRt IndexErrortenablerequiresmartcardRRt enablemd5Rt disablemd5RL(Rt 
bool_settingststring_settingstopttaivaltvaltlstRA((s'/usr/share/authconfig/authconfig-tui.pytoverrideSettingssB      $!                                   &      cCstS(N(RN(R((s'/usr/share/authconfig/authconfig-tui.pytdoUIgscCsht}|jjr'|jjt}n|jjdkrd|jjtr[|jjqdt }n|S(N( RNRPRRft joinDomainRR t joinIPADomaintwriteSysconfigR,(Rtret((s'/usr/share/authconfig/authconfig-tui.pyRjs  cCs|jj|jjr7|jjs7d|_q7n|jj|jjrn|jjsd|_qn!|jj |j sd|_n|j sd|_n|jj |jj dS(Niiii(RfttestLDAPCACertsRtdownloadLDAPCACertR3trehashLDAPCACertsRPRURt writeChangedRiRtposttnostart(R((s'/usr/share/authconfig/authconfig-tui.pyt writeAuthInfoxs       cCs|j|jjr0|jtjdn|jj rrtjdkrr|jt dtjdn|j |jj r|j j }tjt| n|jjr|j j|jj}tjt| n|jjr$|j j|jj}tjt| n|j|j|jsv|jjrf|jt dntjdn|jjr|j jn |j|jS(Niscan only be run as rootisdialog was cancelledi(R]RPRRRRQRSRltgetuidR9RIRkRXRft restoreLastRRWt restoreBackupRVt saveBackupRxRRt printInfoRR3(Rtrv((s'/usr/share/authconfig/authconfig-tui.pytruns6             (RRR4R6R9RCR]RRRkRxRRRRR%(((s'/usr/share/authconfig/authconfig-tui.pyR+Ys   $    t AuthconfigTUIcBseZdZdZdZdZdddZdZdZ dZ dZ d Z d Z d Zd Zd ZdZRS(cCsdS(Nsauthconfig-tui((R((s'/usr/share/authconfig/authconfig-tui.pyR6scCs/|jjr+|jjr+|jjtndS(N(RPt kickstartRRfRRN(R((s'/usr/share/authconfig/authconfig-tui.pyRscCs|s dSx|r|d}|d}t|tkrv|jjr_|d}|d}qv|d}|d}ntj|tjstd||d|f}tj |j td|tdgn|d}q WdS(NiiisThe %s file was not found, but it is required for %s support to work properly. 
Install the %s package, which provides this file.tWarningtOki( ttypettupleRft sssdSupportedRlRmtR_OKRItsnacktButtonChoiceWindowtscreen(Rttoggletwarningtpathtpackagettext((s'/usr/share/authconfig/authconfig-tui.pytwarns         +c# CsEtjtdddg}tjtdddg}tjtjftdd6dg}tjtjftdd7dg}tjtj ftd d8dg}tj td d dg}tj tdddg}tj tdddg}tj tdd|g} tjtdd| g} tjdd} tjtd} | j| ddddddtjtdt|jj} }| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|dd ddddtjtd!t|jj}}| j|dd"ddddtjdd#}tjtd$} |j| ddddddtjtd%t|jjd&k}}|j|ddddddtjtd't|jj}}|j|ddddddtjtd(t|jj}}|j|ddddddtjtd)t|jj}}|j|dd ddddtjtd*t|jj}}|j|dd"ddddtjtd+t|jj }}|j|ddddddtjtd,t|jj!}}|j|dd-ddddtjdd}|j| ddddd.dd/d9|j|ddd0dd.dd/d:tjdd}tj"|j#j$rtd1ptd2}tj"td3}|j|dd|j|ddtjdd}|j|dddd|j|ddddtj%} |j&j'|td4| j(|| j)} | |kr.| j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*rd&|j_n!|jjd&krd5|j_n|j*|j_|j*|j_|j*|j_ |j*|j_!|j*|j_|jj|f|jj|f|jj|f|jj| f|jj|f|jj|f|jj|f|jj|f|jj | fg }!x)|!D]}"|j+|"d|"dq Wn|j&j,| |kS(;NtcachingtnscdsFingerprint readert pam_fprintdtKerberostpam_krb5s sssd-clientsLDAP authenticationtpam_ldaptLDAPs nss-pam-ldapdtNIStypbindsshadow passwords shadow-utilstWinbinds samba-clientsWinbind authentications samba-winbindiisUser Informationit anchorLefttgrowxsCache InformationsUse LDAPisUse NISis Use IPAv2is Use WinbindiitAuthenticationsUse MD5 PasswordsRsUse Shadow PasswordssUse LDAP Authentications Use KerberossUse Fingerprint readersUse Winbind Authentications!Local authorization is sufficientit anchorToptpaddingt anchorRighttBacktCanceltNextsAuthentication ConfigurationR(R;s sssd-client(R<s sssd-client(s nss-pam-ldapds sssd-client(iiii(iiii(-RKRvRIR RwRqRtRrRsRuRnt PATH_PWCONVtPATH_WINBIND_NETtPATH_PAM_WINBINDtPATH_LIBNSS_WINBINDR.tGridtLabeltsetFieldtCheckboxtboolRfRRRRRRRyRRRRRjtButtonRPtbacktFormR0tgridWrappedWindowtaddR%tselectedR6t popWindow(#Rt warnCachet warnFprintdt warnKerberost warnLDAPAuthtwarnLDAPtwarnNISt warnShadowtwarnWinbindNettwarnWinbindAutht warnWinbindtinfoGridtcompRtcbRRRRtauthGridRRztldapaRtfprintdRR{tmechGridt 
buttonGridtcanceltoktmainGridtformt allwarningsR2((s'/usr/share/authconfig/authconfig-tui.pytgetMainChoicess$$$(((((.((((((%%-       cCst|}tjd|}d} g} xn|D]f\} } } }| dkrtj| tt|j| }| j||jtj dd| dd|j|d| ddn| dkrEtj | }|j|d| d dddtj d t|j| d |}| j||j|d| d dnH| d kr:tj | }|j|d| d dddddy#t|j| }|j |Wnt k r|d}nXd}g}x*|D]"}|j||||kfqWtjd|}| j||j|d| ddnS| dkrtjd| dddd}| j||j|d| ddn| d7} q1Wtj|rdpdd}tj|}tj|}|rtj|pd}|j|dd|r!|j|ddn|j||r6dp9ddtjdd}|j|ddd dd d|j|ddd dd dtj}|jj|||j|xtr|j}||krPn| }x|D]\} } } }| dkr2t|j| |jdjq| dkrct|j| |jdjq| d krt|j| |jdjq| dkr|jdqqW||krPn|r|qqW|jj||kS(NiittfvalueRRFiRAtsvalueREi(thiddenRBtrvalueRDtlvaluei2tflexDowntflexUpi(iiii(iiii(iiii(iiii(RR.RNRQRRRRfR RPROtEntrytindexRR tRadioBartTextboxReflowedRSRUR0RVRWRNR%RtpopRXtvaluet getSelectionRY(Rtdtitletitemst canceltxttoktxtt anothertxtt anothercbtrowst questionGridtrowtwidgetstttdesctattrRRfRetselt buttonlisttvtradioBarRkRlRmtanotherRnRotwcopy((s'/usr/share/authconfig/authconfig-tui.pytgetGenericChoices6s  $ " $  %            % % %   c Csdtdddfdtdddfdtdddfg}|jtd |td |rrtd p{td d tdd|jS(NRssDomain:RisRealm:RsServer:RsIPAv2 SettingsRGRIR)Rs Join DomainR(RIRtmaybeGetJoinSettings(Rtnextt questions((s'/usr/share/authconfig/authconfig-tui.pytgetIPAv2Settingss *cCsdtdddfdtdddfdtdd dfg}|jtd |td |rrtd p{td S(NRrsUse TLSRRssServer:RaisBase DN:Rbs LDAP SettingsRGRIR)(RIR R(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetLDAPSettingss cCsjdtdddfdtdddfg}|jtd|td|r]td pftd S( NRssDomain:RisServer:Rs NIS SettingsRGRIR)(RIR(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetNISSettingsscCsdtdddfdtdddfdtdddfd td d dfd td d dfg}|jtd|td|rtdptdS(NRssRealm:RcisKDC:Rds Admin Server:ReRrs"Use DNS to resolve hosts to realmsRs!Use DNS to locate KDCs for realmsRsKerberos SettingsRGRIR)(RIR R(RRR((s'/usr/share/authconfig/authconfig-tui.pytgetKerberosSettingsscCsdtdddfdtdddfg}|jjsKd|j_n|jtd |td td r|jj|jj|jjr|jjt n|jj r|jj t n|jj nt S( NRssDomain Administrator:Ris Password:Rit Administrators Join SettingsRHR)( 
RIRfRRR0tsuspendRTRRRNRRtresume(RR((s'/usr/share/authconfig/authconfig-tui.pytgetJoinSettingss     cCsdtdddfg}tj|j}|j|jjt}|jj|r|j td|tdtd}n|r|jj n|j t S(NRvsSome of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?s Save SettingstNotYes( RIR RKRgR9RTRfR,tdiffersRRRRN(RRt orig_infoR((s'/usr/share/authconfig/authconfig-tui.pyRs    c Csddg}ddddddg}d }t||}d td d |fd tdddfd tdddfd tdddfd tdd|fg}|jtd|td|rtdptddtdd|jS(Ntadstdomains /sbin/nologins/bin/shs /bin/bashs /bin/tcshs/bin/kshs/bin/zshcSstj|tjS(N(RlRmRo(tshell((s'/usr/share/authconfig/authconfig-tui.pyt shellexistssRusSecurity Model:RRssDomain:RisDomain Controllers:Rs ADS Realm:RsTemplate Shell:RsWinbind SettingsRGRIR)Rs Join DomainR(tfilterRIRR(RRtsecuritytshellsRR((s'/usr/share/authconfig/authconfig-tui.pytgetWinbindSettingss   *cCs:d}t}x!|dkr/|dkr/|jj|dkrO|j}n|dkr|jjr|jjp|jjp|jjp|jjp|jj p|jj }|j |}qn>|dkr-|jjs|jjr|jjp|jjp|jj p|jj }|j |}qn|dkr~|jjr|jjpf|jj pf|jj }|j |}qn|dkr|jjr|jj p|jj }|j|}qn?|dkr|jj s|jj rt}|j|}qn|jj|r"|d7}q|d8}qW|dkS( Niiiiiiii(R,RfRTRqRRRRRRRRRRRR(RRtrctmore((s'/usr/share/authconfig/authconfig-tui.pyt getChoicessT                           cCsBtd|jj}tj|jtd|tdgdS(NsTo connect to a LDAP server with TLS protocol enabled you need a CA certificate which signed your server's certificate. Copy the certificate in the PEM format to the '%s' directory. 
Then press OK.R(R)(RIRft ldapCacertDirR.R/R0(RR5((s'/usr/share/authconfig/authconfig-tui.pytdisplayCACertsMessages  cCs|jjrtSztj|_|j}|jjtd|jj dd|d|j s{|jj t S|j jr|j jr|jnWd|jj XtS(NsN / between elements | selects | next screenis - (c) 1999-2005 Red Hat, Inc.(RPR'RNR.t SnackScreenR0R6t pushHelpLineRIt drawRootTextRtfinishR,RfRRR(Rtpackageversion((s'/usr/share/authconfig/authconfig-tui.pyRs    N(RRR6RR6RqR RRRRRRRRRRR(((s'/usr/share/authconfig/authconfig-tui.pyR&s    r_       - t__main__R5(RKtacutiltgettextRltsignalRtlgettextRItoptparseRRRt setlocaletLC_ALLtErrorR7RRR.RRR+R&RtSIGINTtSIG_DFLt textdomainR6RQR%(((s'/usr/share/authconfig/authconfig-tui.pyts20     $P     authinfo.py000064400000420702147645272700006756 0ustar00# -*- coding: UTF-8 -*- # # Authconfig - client authentication configuration program # Copyright (c) 1999-2014 Red Hat, Inc. # # Authors: Preston Brown # Nalin Dahyabhai # Matt Wilson # Tomas Mraz # Ray Strode # Paolo Bonzini # Miloslav Trmac # Jan Lieskovsky # # This is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. 
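#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

import string
import re
import os
import copy
import fcntl
import socket
import select
import signal
import stat
import shvfile
import dnsclient
import sys
import errno
import urllib2
import urlparse
import time
import tempfile
from subprocess import *
import acutil
import gettext
_ = gettext.lgettext
try:
    import SSSDConfig
except ImportError:
    # SSSDConfig is optional; code using it has to cope with None.
    SSSDConfig = None

SYSCONFDIR = "/etc"

# Names of the PAM service files; the "-ac" variants carry the same name
# with an "-ac" suffix.
AUTH_PAM_SERVICE = "system-auth"
AUTH_PAM_SERVICE_AC = "system-auth-ac"

POSTLOGIN_PAM_SERVICE = "postlogin"
POSTLOGIN_PAM_SERVICE_AC = "postlogin-ac"

PASSWORD_AUTH_PAM_SERVICE = "password-auth"
PASSWORD_AUTH_PAM_SERVICE_AC = "password-auth-ac"

FINGERPRINT_AUTH_PAM_SERVICE = "fingerprint-auth"
FINGERPRINT_AUTH_PAM_SERVICE_AC = "fingerprint-auth-ac"

SMARTCARD_AUTH_PAM_SERVICE = "smartcard-auth"
SMARTCARD_AUTH_PAM_SERVICE_AC = "smartcard-auth-ac"

SSSD_AUTHCONFIG_DOMAIN = "default"

# The library directory is derived from the textual form of the imported
# acutil module object: "lib64" in it selects /usr/lib64.
if "lib64" in str(globals()["acutil"]):
    LIBDIR = "/usr/lib64"
else:
    LIBDIR = "/usr/lib"

AUTH_MODULE_DIR = LIBDIR + "/security"

PATH_PWCONV = "/usr/sbin/pwconv"
PATH_RPCBIND = "/sbin/rpcbind"
PATH_NSCD = "/usr/sbin/nscd"
PATH_NSLCD = "/usr/sbin/nslcd"
PATH_WINBIND = "/usr/sbin/winbindd"
PATH_SSSD = "/usr/sbin/sssd"
PATH_YPBIND = "/usr/sbin/ypbind"
PATH_ODDJOBD = "/usr/sbin/oddjobd"
PATH_SEBOOL = "/usr/sbin/setsebool"
PATH_SCEVENTD = "/usr/bin/pkcs11_eventmgr"
PATH_SCSETUP = "/usr/bin/pkcs11_setup"

PATH_LIBNSS_DB = LIBDIR + "/libnss_db.so.2"
PATH_LIBNSS_LDAP = LIBDIR + "/libnss_ldap.so.2"
# NOTE(review): the fallback below assigns the same path that was just
# tested, so it has no effect as written - confirm the intended location.
if not os.path.isfile(PATH_LIBNSS_LDAP):
    PATH_LIBNSS_LDAP = LIBDIR + "/libnss_ldap.so.2"
PATH_LIBNSS_NIS = LIBDIR + "/libnss_nis.so.2"
PATH_LIBNSS_HESIOD = LIBDIR + "/libnss_hesiod.so.2"
PATH_LIBNSS_ODBCBIND = LIBDIR + "/libnss_odbcbind.so.2"
PATH_LIBNSS_WINBIND = LIBDIR + "/libnss_winbind.so.2"
PATH_LIBNSS_WINS = LIBDIR + "/libnss_wins.so.2"
PATH_LIBNSS_SSS = LIBDIR + "/libnss_sss.so.2"

PATH_PAM_KRB5 = AUTH_MODULE_DIR + "/pam_krb5.so"
PATH_PAM_LDAP = AUTH_MODULE_DIR + "/pam_ldap.so"
PATH_PAM_WINBIND = AUTH_MODULE_DIR + "/pam_winbind.so"
PATH_PAM_PKCS11 = AUTH_MODULE_DIR + "/pam_pkcs11.so"
PATH_PAM_FPRINTD = AUTH_MODULE_DIR + "/pam_fprintd.so"
PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_sss.so"

PATH_LIBSSS_AUTOFS = LIBDIR + "/sssd/modules/libsss_autofs.so"

PATH_KRB5_INCLUDEDIR = "/var/lib/sss/pubconf/krb5.include.d/"

PATH_WINBIND_NET = "/usr/bin/net"
PATH_IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"

PATH_LDAP_CACERTS = "/etc/openldap/cacerts"
LDAP_CACERT_DOWNLOADED = "authconfig_downloaded.pem"

PATH_CONFIG_BACKUPS = "/var/lib/authconfig"

PATH_SSSD_CONFIG = SYSCONFDIR + "/sssd/sssd.conf"

# PAM control values, either a keyword or a bracketed value=action list.
LOGIC_REQUIRED = "required"
LOGIC_REQUISITE = "requisite"
LOGIC_SUFFICIENT = "sufficient"
LOGIC_OPTIONAL = "optional"
LOGIC_IGNORE_UNKNOWN = "[default=bad success=ok user_unknown=ignore]"
LOGIC_IGNORE_AUTH_ERR = "[default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore]"
LOGIC_PKCS11 = "[success=done authinfo_unavail=ignore ignore=ignore default=die]"
LOGIC_FORCE_PKCS11 = "[success=done ignore=ignore default=die]"
LOGIC_PKCS11_KRB5 = "[success=ok authinfo_unavail=2 ignore=2 default=die]"
LOGIC_FORCE_PKCS11_KRB5 = "[success=ok ignore=2 default=die]"
LOGIC_SKIPNEXT = "[success=1 default=ignore]"
LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"
LOGIC_ALWAYS_SKIP = "[default=1]"
LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 ignore=ignore success=ok]"

# Snip off line terminators and final whitespace from a passed-in string.
def snipString(s):
    """Return the first line of *s* with trailing whitespace removed."""
    return s.split("\n",1)[0].rstrip()

# Make a list presentable.
def cleanList(lst):
    """Turn a blank- or tab-separated string into a comma-separated one.

    Tabs are treated as spaces and empty fields are dropped.  A false *lst*
    is returned unchanged.
    """
    if not lst:
        return lst
    s = lst.replace("\t"," ")
    return ",".join(filter(None, s.split(" ")))

def matchKey(line, key):
    """Return what follows *key* in *line*, or False if *line* lacks it.

    Leading whitespace of the remainder is stripped.  An empty remainder is
    "" and therefore also false in a boolean test.
    """
    if line.startswith(key):
        # Skip intervening whitespace.
        return line[len(key):].lstrip()
    else:
        return False

def matchKeyEquals(line, key):
    """Like matchKey(), but also strips "=" characters after the key."""
    if line.startswith(key):
        # Skip intervening whitespace.
        return line[len(key):].lstrip(string.whitespace+"=")
    else:
        return False

def matchLine(line, key):
    """Return True when *line* starts with *key* (case-sensitive)."""
    return line.startswith(key)

def matchLineI(line, key):
    """Return True when *line* starts with *key*, ignoring case."""
    return line.lower().startswith(key.lower())

def commaAppend(lst, value):
    """Append *value* to the comma-separated string *lst* and return it."""
    if lst:
        return lst + "," + value
    else:
        return value

def stringsDiffer(a, b, case_sensitive):
    """Return True when *a* and *b* differ.

    Two false values (None, "") count as equal; one false and one non-empty
    value count as different.
    """
    if not a and not b:
        return False
    if not a or not b:
        return True
    if case_sensitive:
        return a != b
    else:
        return a.lower() != b.lower()

# Heuristic check whether a string is LDAP DN
def checkDN(value):
    """Return True when *value* has an "=" whose left side has no space."""
    lst = value.lstrip().split("=",1)
    if len(lst) != 2:
        return False
    if " " in lst[0]:
        return False
    return True

def matchBaseLine(line, key):
    """Return True when *line* starts with *key* and a DN-like value follows."""
    value = matchKey(line, key)
    if value:
        return checkDN(value)
    else:
        return False

# Check for a string in an nss configuration line.
def checkNSS(configuration, candidate):
    """Return the offset of *candidate* as a whole word, or None.

    Only the part after the first ":" of *configuration* is searched, and the
    offset is relative to that part.  A hit counts only when the characters
    directly before and after it are not alphanumeric.
    """
    lst = configuration.split(":",1)
    if len(lst) > 1:
        configuration = lst[1]
    start = 0
    clen = len(candidate)
    while True:
        start = configuration.find(candidate, start)
        if start < 0:
            return None
        if start > 0 and configuration[start-1].isalnum():
            start += clen
            continue
        if start+clen < len(configuration) and configuration[start+clen].isalnum():
            start += clen
            continue
        return start
    return None

def openfdLocked(filename, mode, perms):
    """Open *filename* with os.open() and take an fcntl lock on it.

    A shared lock is requested when *mode* is exactly os.O_RDONLY, an
    exclusive lock otherwise; neither uses LOCK_NB, so the call waits until
    the lock is granted.  Returns the raw file descriptor.  A failure to open
    or to lock is re-raised as IOError(errno, strerror) after the descriptor,
    if one was obtained, has been closed.
    """
    fd = None
    try:
        fd = os.open(filename, mode, perms)
        if mode == os.O_RDONLY:
            fcntl.lockf(fd, fcntl.LOCK_SH)
        else:
            fcntl.lockf(fd, fcntl.LOCK_EX)
    # fcntl.lockf() reports failure as IOError, which on Python 2 is not an
    # OSError; catch both so the descriptor is closed on a lock failure too.
    except (OSError, IOError) as err:
        if fd is not None:
            try:
                os.close(fd)
            except OSError:
                pass
        raise IOError(err.errno, err.strerror)
    return fd

def openLocked(filename, perms):
    """Open (creating if needed) and exclusively lock *filename*.

    Returns a file object in mode "r+".  *perms* is the mode handed to
    os.open() and so only applies when the file is created.
    """
    return os.fdopen(openfdLocked(filename, os.O_RDWR | os.O_CREAT, perms), "r+")

# NOTE(review): whitespace runs inside the string literals of the three krb*
# helpers below may have been collapsed when this listing was extracted -
# confirm the indentation strings against the packaged file.
def krbKdc(kdclist):
    """Return one "kdc = ..." line per non-empty entry of *kdclist*.

    *kdclist* is a comma-separated string.
    """
    output = ""
    kdclist = kdclist.split(",")
    for kdc in kdclist:
        if kdc:
            output += " kdc = " + kdc + "\n"
    return output

def krbAdminServer(adminservers):
    """Return one "admin_server = ..." line per non-empty entry.

    *adminservers* is a comma-separated string.
    """
    output = ""
    adminservers = adminservers.split(",")
    for adminserver in adminservers:
        if adminserver:
            output += " admin_server = "
            output += adminserver + "\n"
    return output

def krbRealm(realm, kdclist, adminservers):
    """Return a "REALM = { ... }" stanza, or "" when *realm* is empty."""
    output = ""
    if realm:
        output += " " + realm + " = {\n"
        output += krbKdc(kdclist)
        output += krbAdminServer(adminservers)
        output += " }\n\n"
    return output

# Compare two strings, one a possible data line, the other a Samba-style key
# name. Returns False on non-match, value of the key if matched.
def matchLineSMB(line, key):
    """Match *line* against the Samba-style *key*, ignoring case and spacing.

    The text before the first "=" of *line* and *key* are compared word by
    word in lower case.  On a match the text after the "=" is returned (""
    when the line has no "="), otherwise False.
    """
    linelst = line.split("=", 1)
    if len(linelst) < 2:
        param = ""
    else:
        param = linelst[1]

    linelst = linelst[0].lower().split(None)
    keylst = key.lower().split(None)
    # Compare the lists
    if keylst == linelst:
        return param.lstrip(string.whitespace+"=")
    return False

# Mandatory arguments for the various modules.
argv_unix_auth = [
    "try_first_pass"
]

argv_unix_password = [
    "try_first_pass",
    "use_authtok"
]

argv_afs_auth = [
    "use_first_pass"
]

argv_afs_password = [
    # It looks like current pam_afs (from OpenAFS 1.1.1) doesn't support
    # "use_authtok", so it'll probably interact badly with pam_pwquality,
    # but thanks to stack-traversal changes in Linux-PAM 0.75 and higher,
    # the password-changing should work anyway.
    "use_first_pass"
]

argv_pwquality_password = [
    "try_first_pass",
    "local_users_only",
    "retry=3",
    "authtok_type="
]

argv_passwdqc_password = [
    "enforce=users"
]

argv_eps_auth = [
    "use_first_pass"
]

argv_eps_password = [
    "use_authtok"
]

argv_fprintd_auth = [
]

argv_pkcs11_auth = [
    "nodebug"
]

argv_force_pkcs11_auth = [
    "nodebug",
    "wait_for_card"
]

argv_sssd_missing_name = [
    "allow_missing_name"
]

argv_krb5_auth = [
    "use_first_pass"
]

argv_krb5_sc_auth = [
    "use_first_pass",
    "no_subsequent_prompt"
]

argv_krb5_password = [
    "use_authtok"
]

argv_ldap_auth = [
    "use_first_pass"
]

argv_ldap_password = [
    "use_authtok"
]

# This probably won't work straight-off because pam_unix won't give the right
# challenge, but what the heck.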
argv_otp_auth = ["use_first_pass"]

# pam_succeed_if argument sets. The "500" entries are placeholders for the
# minimum regular-user uid: other code replaces the second element, so the
# position of each element in these two lists must not change.
argv_succeed_if_auth = [
    "uid >=",
    "500",            # this must be the second arg - to be replaced
    "quiet_success",  # this will be replaced in the first entry
]
argv_succeed_if_account = [
    "uid <",
    "500",            # this must be the second arg - to be replaced
    "quiet",
]
argv_succeed_if_session = ["service in crond", "quiet", "use_uid"]
argv_succeed_if_nonlogin = [
    "service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver",
    "quiet",
    "use_uid",
]

argv_winbind_auth = ["use_first_pass"]
argv_winbind_password = ["use_authtok"]

argv_sss_auth = ["use_first_pass"]
argv_sss_password = ["use_authtok"]

argv_keyinit_session = ["revoke"]

argv_ecryptfs_auth = ["unwrap"]
argv_ecryptfs_password = ["unwrap"]
argv_ecryptfs_session = ["unwrap"]

argv_succeed_if_not_gdm = ["service !~ gdm*", "service !~ su*", "quiet"]

argv_lastlog_gdm = ["nowtmp", "showfailed"]
argv_lastlog_not_gdm = ["silent", "noupdate", "showfailed"]

# pam_faildelay takes its delay in microseconds, so this is two seconds.
argv_faildelay = ["delay=2000000"]

# Password hashing algorithms.
# descrypt, bigcrypt and md5 are legacy schemes kept for compatibility; of the
# names listed here sha512 is the strongest choice for new password hashes.
password_algorithms = ["descrypt", "bigcrypt", "md5", "sha256", "sha512"]

# Enumerations for PAM control flags and stack names.
# AUTH..PASSWORD double as indexes into pam_stacks.
AUTH, ACCOUNT, SESSION, PASSWORD = range(4)
pam_stacks = ["auth", "account", "session", "password"]
# Column indexes of one row in the pam_modules tables.
MANDATORY, STACK, LOGIC, NAME, ARGV = range(5)
# Indexes of the per-service tables held in pam_modules.
STANDARD, POSTLOGIN, PASSWORD_ONLY, FINGERPRINT, SMARTCARD = range(5)
# One empty, independent row list per service; the tables are assigned below.
pam_modules = [[] for service in (STANDARD, POSTLOGIN, PASSWORD_ONLY, FINGERPRINT, SMARTCARD)]

# The list of stacks, module flags, and arguments, if there are any.
# [ MANDATORY, STACK, LOGIC, NAME, ARGV ]
#
# One table per generated PAM service file. Each row names a module (NAME),
# the stack it belongs to (STACK), its control logic (LOGIC) and its arguments
# (ARGV). The LOGIC_* constants are defined outside this excerpt.
# Presumably rows whose MANDATORY flag is False are emitted only when the
# matching feature is enabled - confirm against the code that writes the files.
# PAM evaluates the modules of one stack in the order they are listed, so the
# relative order of rows that share a STACK is security-relevant: reordering
# rows changes which module decides first.
pam_modules[STANDARD] = [
    [True,  AUTH, LOGIC_REQUIRED, "env", []],
    [True,  AUTH, LOGIC_REQUIRED, "faildelay", argv_faildelay],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["preauth", "silent"]],
    [False, AUTH, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_nonlogin],
    [False, AUTH, LOGIC_PKCS11, "pkcs11", argv_pkcs11_auth],
    [False, AUTH, LOGIC_OPTIONAL, "krb5", argv_krb5_sc_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "permit", []],
    [False, AUTH, LOGIC_SUFFICIENT, "fprintd", []],
    [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, "succeed_if", argv_succeed_if_auth],
    [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, "localuser", []],
    [True,  AUTH, LOGIC_SUFFICIENT, "unix", argv_unix_auth],
    [False, AUTH, LOGIC_REQUISITE, "succeed_if", argv_succeed_if_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "sss", argv_sss_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "afs", argv_afs_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "afs.krb", argv_afs_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "eps_auth", argv_eps_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "krb5", argv_krb5_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "ldap", argv_ldap_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "otp", argv_otp_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "winbind", argv_winbind_auth],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["authfail"]],
    # Mandatory last auth row: the stack ends on "deny", so a login for which
    # no earlier row granted access is refused.
    [True,  AUTH, LOGIC_REQUIRED, "deny", []],
# Account management is tricky. Because we've implicitly committed to
# getting it "right" for any combination of nss and pam, we have to be
# careful about how we handle cases where networked sources of information
# are unavailable.
# At the very least, proper handling of password expiration depends on
# this, and in the case of pam_ldap, we also may be depending on the
# directory server for actual "is allowed to log in on this host" data.
# The frequently-suggested method of using pam_localuser to short-circuit
# pam_ldap may be only optional, but we can use pam_succeed_if
# to short-circuit any network checks for *system* accounts
# without allowing actual users in who should be legitimately denied by
# LDAP (if not overridden by enabling the optional pam_localuser).
# Because we'd now be ending the stack with sufficient modules, and PAM's
# behavior isn't defined if none of them return success, we add a
# successful call to pam_permit at the end as a requirement.
    [False, ACCOUNT, LOGIC_REQUIRED, "access", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "faillock", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "unix", []],
    [False, ACCOUNT, LOGIC_SUFFICIENT, "localuser", []],
    [True,  ACCOUNT, LOGIC_SUFFICIENT, "succeed_if", argv_succeed_if_account],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "sss", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "ldap", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "krb5", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "winbind", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "permit", []],
    [False, PASSWORD, LOGIC_REQUISITE, "pwquality", argv_pwquality_password],
    [False, PASSWORD, LOGIC_REQUISITE, "passwdqc", argv_passwdqc_password],
    [True,  PASSWORD, LOGIC_SUFFICIENT, "unix", argv_unix_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "sss", argv_sss_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "afs", argv_afs_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "afs.krb", argv_afs_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "eps_passwd", argv_eps_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "krb5", argv_krb5_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "ldap", argv_ldap_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "winbind", argv_winbind_password],
    [True,  PASSWORD, LOGIC_REQUIRED, "deny", []],
    [True,  SESSION, LOGIC_OPTIONAL, "keyinit", argv_keyinit_session],
    [True,  SESSION, LOGIC_REQUIRED, "limits", []],
    [True,  SESSION, LOGIC_OPTIONAL, "systemd", []],
    [False, SESSION, LOGIC_OPTIONAL, "mkhomedir", []],
    [True,  SESSION, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_session],
    [True,  SESSION, LOGIC_REQUIRED, "unix", []],
    [False, SESSION, LOGIC_OPTIONAL, "sss", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs.krb", []],
    [False, SESSION, LOGIC_OPTIONAL, "krb5", []],
    [False, SESSION, LOGIC_OPTIONAL, "ldap", []],
    [False, SESSION, LOGIC_OPTIONAL, "winbind", []]
]

# Rows for the post-login service: optional ecryptfs rows plus two lastlog
# variants selected by the succeed_if row that precedes them.
pam_modules[POSTLOGIN] = [
    [False, AUTH, LOGIC_OPTIONAL, "ecryptfs", argv_ecryptfs_auth],
    [False, PASSWORD, LOGIC_OPTIONAL, "ecryptfs", argv_ecryptfs_password],
    [False, SESSION, LOGIC_OPTIONAL, "ecryptfs", argv_ecryptfs_session],
    [True,  SESSION, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_not_gdm],
    [True,  SESSION, LOGIC_ALWAYS_SKIP, "lastlog", argv_lastlog_gdm],
    [True,  SESSION, LOGIC_OPTIONAL, "lastlog", argv_lastlog_not_gdm],
]

# Password-only service: the STANDARD table without the pkcs11, smartcard-krb5,
# permit and fprintd auth rows, and with an extra optional auth "deny" row
# after the faillock preauth row.
pam_modules[PASSWORD_ONLY] = [
    [True,  AUTH, LOGIC_REQUIRED, "env", []],
    [True,  AUTH, LOGIC_REQUIRED, "faildelay", argv_faildelay],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["preauth", "silent"]],
    [False, AUTH, LOGIC_REQUIRED, "deny", []],
    [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, "succeed_if", argv_succeed_if_auth],
    [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE, "localuser", []],
    [True,  AUTH, LOGIC_SUFFICIENT, "unix", argv_unix_auth],
    [False, AUTH, LOGIC_REQUISITE, "succeed_if", argv_succeed_if_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "sss", argv_sss_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "afs", argv_afs_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "afs.krb", argv_afs_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "eps_auth", argv_eps_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "krb5", argv_krb5_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "ldap", argv_ldap_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "otp", argv_otp_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "winbind", argv_winbind_auth],
    [True,  AUTH, LOGIC_REQUIRED, "deny", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "access", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "faillock", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "unix", []],
    [False, ACCOUNT, LOGIC_SUFFICIENT, "localuser", []],
    [True,  ACCOUNT, LOGIC_SUFFICIENT, "succeed_if", argv_succeed_if_account],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "sss", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "ldap", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "krb5", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "winbind", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "permit", []],
    [False, PASSWORD, LOGIC_REQUISITE, "pwquality", argv_pwquality_password],
    [False, PASSWORD, LOGIC_REQUISITE, "passwdqc", argv_passwdqc_password],
    [True,  PASSWORD, LOGIC_SUFFICIENT, "unix", argv_unix_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "sss", argv_sss_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "afs", argv_afs_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "afs.krb", argv_afs_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "eps_passwd", argv_eps_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "krb5", argv_krb5_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "ldap", argv_ldap_password],
    [False, PASSWORD, LOGIC_SUFFICIENT, "winbind", argv_winbind_password],
    # NOTE(review): this AUTH row sits among the PASSWORD rows, after the
    # mandatory auth "deny" row above; in the STANDARD table the same
    # faillock "authfail" row comes before that "deny" row. Confirm the
    # placement is intended for the failure counter in this service.
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["authfail"]],
    [True,  PASSWORD, LOGIC_REQUIRED, "deny", []],
    [True,  SESSION, LOGIC_OPTIONAL, "keyinit", argv_keyinit_session],
    [True,  SESSION, LOGIC_REQUIRED, "limits", []],
    [True,  SESSION, LOGIC_OPTIONAL, "systemd", []],
    [False, SESSION, LOGIC_OPTIONAL, "mkhomedir", []],
    [True,  SESSION, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_session],
    [True,  SESSION, LOGIC_REQUIRED, "unix", []],
    [False, SESSION, LOGIC_OPTIONAL, "sss", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs.krb", []],
    [False, SESSION, LOGIC_OPTIONAL, "krb5", []],
    [False, SESSION, LOGIC_OPTIONAL, "ldap", []],
    [False, SESSION, LOGIC_OPTIONAL, "winbind", []]
]

# Fingerprint-only service: fprintd is the single auth method, and the
# password stack consists of "deny" alone.
pam_modules[FINGERPRINT] = [
    [True,  AUTH, LOGIC_REQUIRED, "env", []],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["preauth", "silent"]],
    [False, AUTH, LOGIC_REQUIRED, "deny", []],
    [False, AUTH, LOGIC_SUFFICIENT, "fprintd", []],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["authfail"]],
    [True,  AUTH, LOGIC_REQUIRED, "deny", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "access", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "faillock", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "unix", []],
    [False, ACCOUNT, LOGIC_SUFFICIENT, "localuser", []],
    [True,  ACCOUNT, LOGIC_SUFFICIENT, "succeed_if", argv_succeed_if_account],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "sss", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "ldap", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "krb5", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "winbind", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "permit", []],
    [True,  PASSWORD, LOGIC_REQUIRED, "deny", []],
    [True,  SESSION, LOGIC_OPTIONAL, "keyinit", argv_keyinit_session],
    [True,  SESSION, LOGIC_REQUIRED, "limits", []],
    [True,  SESSION, LOGIC_OPTIONAL, "systemd", []],
    [False, SESSION, LOGIC_OPTIONAL, "mkhomedir", []],
    [True,  SESSION, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_session],
    [True,  SESSION, LOGIC_REQUIRED, "unix", []],
    [False, SESSION, LOGIC_OPTIONAL, "sss", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs.krb", []],
    [False, SESSION, LOGIC_OPTIONAL, "krb5", []],
    [False, SESSION, LOGIC_OPTIONAL, "ldap", []],
    [False, SESSION, LOGIC_OPTIONAL, "winbind", []]
]

# Smartcard-only service: auth goes through sss or pkcs11 (with the
# "wait_for_card" argument set); there is no pam_unix auth row in this table.
pam_modules[SMARTCARD] = [
    [True,  AUTH, LOGIC_REQUIRED, "env", []],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["preauth", "silent"]],
    [False, AUTH, LOGIC_SUFFICIENT, "sss", argv_sssd_missing_name],
    [False, AUTH, LOGIC_PKCS11, "pkcs11", argv_force_pkcs11_auth],
    [False, AUTH, LOGIC_OPTIONAL, "krb5", argv_krb5_sc_auth],
    [False, AUTH, LOGIC_SUFFICIENT, "permit", []],
    [False, AUTH, LOGIC_REQUIRED, "faillock", ["authfail"]],
    [True,  AUTH, LOGIC_REQUIRED, "deny", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "access", []],
    [False, ACCOUNT, LOGIC_REQUIRED, "faillock", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "unix", []],
    [False, ACCOUNT, LOGIC_SUFFICIENT, "localuser", []],
    [True,  ACCOUNT, LOGIC_SUFFICIENT, "succeed_if", argv_succeed_if_account],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "sss", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "ldap", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "krb5", []],
    [False, ACCOUNT, LOGIC_IGNORE_UNKNOWN, "winbind", []],
    [True,  ACCOUNT, LOGIC_REQUIRED, "permit", []],
    [False, PASSWORD, LOGIC_REQUIRED, "pkcs11", []],
    [True,  SESSION, LOGIC_OPTIONAL, "keyinit", argv_keyinit_session],
    [True,  SESSION, LOGIC_REQUIRED, "limits", []],
    [True,  SESSION, LOGIC_OPTIONAL, "systemd", []],
    [False, SESSION, LOGIC_OPTIONAL, "mkhomedir", []],
    [True,  SESSION, LOGIC_SKIPNEXT, "succeed_if", argv_succeed_if_session],
    [True,  SESSION, LOGIC_REQUIRED, "unix", []],
    [False, SESSION, LOGIC_OPTIONAL, "sss", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs", []],
    [False, SESSION, LOGIC_OPTIONAL, "afs.krb", []],
    [False, SESSION, LOGIC_OPTIONAL, "krb5", []],
    [False, SESSION, LOGIC_OPTIONAL, "ldap", []],
    [False, SESSION, LOGIC_OPTIONAL, "winbind", []]
]

# Turn a DNS domain into a DN of DC components, e.g. "example.com" becomes
# "DC=example,DC=com". Trailing dots are removed first. The labels are not
# validated or escaped, and an empty domain yields the bare string "DC=".
def domain2dn(domain):
    output = "DC="
    domain = domain.rstrip(".")
    output += domain.replace(".", ",DC=")
    return output

DEFAULT_DNS_QUERY_SIZE = 1024

# No, this is not particularly nice, but "compatible" is more important than
# "beautiful".
# Splits a "name value" configuration line. Group 1 is the variable name,
# group 3 the value when it is terminated by a double quote, group 4 the value
# otherwise (with trailing whitespace dropped).
ld_line_re = re.compile(r'^[ \t]*'         # Initial whitespace
                        r'([^ \t]+)'       # Variable name
                        r'[ \t][ \t"]*'    # Separator - yes, may have multiple \"s
                        r'(([^"]*)".*'     # Value, case 1 - terminated by \"
                        r'|([^"]*\S)?\s*'  # Value, case 2 - only drop trailing \s
                        r')$')

# for matching uid in succeeded if options
# Group 1 is the comparison operator ("<" or ">="), group 2 the numeric uid.
succ_if_re = re.compile(r'^.*[ \t]*uid[ \t]+(<|>=)[ \t]+([0-9]+)')

# Service control through /sbin/service and /sbin/chkconfig.
# Every method builds a shell command line by string concatenation and runs it
# with os.system(), so the service name is interpreted by the shell. The
# callers visible in this excerpt pass fixed names such as "nscd".
# NOTE(review): if any caller can pass externally influenced text, switch to an
# argument-list call (the file already uses call([...]) elsewhere) so the name
# cannot be parsed as shell syntax.
class SysVInitService:
    # Start the service; the exit status is discarded.
    def start(self, service):
        os.system("/sbin/service " + service + " start")

    # Stop the service with all output discarded.
    def stop(self, service):
        os.system("/sbin/service " + service + " stop >/dev/null 2>&1")

    # Register the service and switch it on for runlevels 3, 4 and 5.
    def enable(self, service):
        os.system("/sbin/chkconfig --add " + service)
        os.system("/sbin/chkconfig --level 345 " + service + " on")

    # Switch the service off for runlevels 3, 4 and 5.
    def disable(self, service):
        os.system("/sbin/chkconfig --level 345 " + service + " off")

    # True only when chkconfig exited normally with status 0.
    def isEnabled(self, service):
        rv = os.system("/sbin/chkconfig " + service + " >/dev/null 2>&1")
        return os.WIFEXITED(rv) and os.WEXITSTATUS(rv) == 0

    # Restart the service only if it is already running ("condrestart").
    def tryRestart(self, service):
        os.system("/sbin/service " + service + " condrestart >/dev/null 2>&1")

# Service control through /bin/systemctl; ".service" is appended to the name.
# Same string-built os.system() command lines as SysVInitService, with the same
# caveat about the service name being interpreted by the shell.
class SystemdService:
    # Start the unit; the exit status is discarded.
    def start(self, service):
        os.system("/bin/systemctl start " + service + ".service")

    # Stop the unit with all output discarded.
    def stop(self, service):
        os.system("/bin/systemctl stop " + service + ".service >/dev/null 2>&1")

    # Enable the unit with all output discarded.
    def enable(self, service):
        os.system("/bin/systemctl enable " + service + ".service >/dev/null 2>&1")

    # Disable the unit with all output discarded.
    def disable(self, service):
        os.system("/bin/systemctl disable " + service + ".service >/dev/null 2>&1")

    # True only when "systemctl is-enabled" exited normally with status 0.
    def isEnabled(self, service):
        rv = os.system("/bin/systemctl is-enabled " + service + ".service >/dev/null 2>&1")
        return os.WIFEXITED(rv) and os.WEXITSTATUS(rv) == 0

    # Restart the unit only if it is already running ("try-restart").
    def tryRestart(self, service):
        os.system("/bin/systemctl try-restart " + service + ".service >/dev/null 2>&1")

# Pick the service backend once, at import time: systemd when /sbin/init is a
# symlink whose target contains "systemd", SysV init otherwise (including when
# /sbin/init cannot be read as a symlink).
try:
    if "systemd" in os.readlink("/sbin/init"):
        Service = SystemdService()
    else:
        Service = SysVInitService()
except OSError:
    Service = SysVInitService()

# Enable (and, unless nostart, restart) or disable (and, unless nostart, stop)
# the service called name, but only when path exists: a failing os.stat()
# skips the whole branch silently. Always returns True, so callers cannot
# detect that nothing was done.
def toggleSplatbindService(enable, path, name, nostart):
    if enable:
        try:
            os.stat(path)
            Service.enable(name)
            if not nostart:
                Service.stop(name)
                Service.start(name)
        except OSError:
            pass
    else:
        try:
            os.stat(path)
            if not nostart:
                try:
                    Service.stop(name)
                except OSError:
                    pass
            Service.disable(name)
        except OSError:
            pass
    return True

# Human-readable form of a boolean: "enabled" or "disabled".
def formatBool(val):
    if val:
        return "enabled"
    else:
        return "disabled"

# Run command through the shell in a child attached to a pseudo-terminal and
# feed it response (a secret such as a password, judging by the comments
# below). With query set, the parent waits until the text query shows up in
# the child's output and then writes response to the pty; without query the
# response is passed on the child's stdin.
# Returns (status, error), where error is the collected child output with the
# prompt line dropped.
# Security-relevant points:
#  - command is executed with shell=True, so it must never be assembled from
#    unvalidated input.
#  - with echo set, child output is copied to stderr; once the prompt has been
#    answered "<...>" is written in place of the response.
# NOTE(review): a failing forkpty() returns the bare integer 255 while every
# other path returns a tuple - callers that unpack the result would fail on
# that path. Confirm how callers handle it.
# The "except X, (a, b)" and "except X as (a, b)" forms below are Python 2
# syntax.
def feedFork(command, echo, query, response):
    try:
        (pid, master) = os.forkpty()
    except OSError:
        return 255
    if not pid:
        # child
        if query:
            child = Popen([command], shell=True)
        else:
            child = Popen([command], stdin=PIPE, shell=True)
            child.communicate(input=(response or '')+'\n')

        # wait for the child to terminate & set the returncode
        child.wait()
        status = child.returncode
        # leave without running the parent's cleanup handlers
        os._exit(status)

    (output, error) = ("","")
    try:
        # make reads on the pty master blocking
        i = fcntl.fcntl(master, fcntl.F_GETFL)
        fcntl.fcntl(master, fcntl.F_SETFL, i & ~os.O_NONBLOCK)
    except IOError:
        pass

    eof = False
    while not eof:
        try:
            ifds = []
            efds = []
            # wait up to 60 seconds for output from the child
            (ifds,ofds,efds) = select.select([master],[],[master], 60)
        except select.error, (err, text):
            sys.stderr.write("select: " + text + "\n")
        if not ifds and not efds:
            # timeout or error
            os.close(master)
            eof = True
            continue
        c = ""
        try:
            # one byte at a time so the prompt is seen as soon as it is complete
            c = os.read(master, 1)
        except OSError as (err, text):
            if err == errno.EINTR or err == errno.EAGAIN:
                pass
            elif err == errno.EIO:
                os.close(master)
                eof = True
            else:
                sys.stderr.write("read: " + text + "\n")
                os.close(master)
                eof = True
            continue
        if c:
            try:
                output += c
                error += c
                if echo:
                    sys.stderr.write(c)
                if query and query in output:
                    # Search for password prompt start
                    index = error.rfind("\r\n")
                    os.write(master, response or '')
                    os.write(master, "\r\n")
                    if index != -1:
                        # Drop password prompt substring from error
                        error = "\n" + error[:index]
                    else:
                        # Drop whole error content, password prompt
                        # was the first line
                        error = ""
                    # start matching afresh so a later prompt is answered again
                    output = ""
                    if echo:
                        sys.stderr.write("<...>\n")
            except OSError, (err, text):
                sys.stderr.write("write: " + text + "\n")
                os.close(master)
                eof = True
        else:
            os.close(master)
            eof = True

    try:
        os.kill(pid, signal.SIGTERM)
    except OSError:
        pass
    status = 255
    try:
        (child, status) = os.waitpid(pid, 0)
    except OSError, (err, text):
        sys.stderr.write("waitpid: " + text + "\n")

    return (status, error)

# True when path holds no regular files (subdirectories and other entry types
# do not count). Also True when the directory cannot be listed, so a True
# result does not prove the directory exists or is readable.
def isEmptyDir(path):
    try:
        lst = os.listdir(path)
    except OSError:
        # we don't know but return True anyway
        return True

    for filename in lst:
        try:
            st = os.stat(path + "/" + filename)
            if stat.S_ISREG(st.st_mode):
                return False
        except OSError:
            pass
    return True

# Run the helper at PATH_SCSETUP with the given option list (argument list, no
# shell) and return its stdout as a list of lines without a trailing empty
# entry. Returns None when the helper cannot be started or exits non-zero.
def callPKCS11Setup(options):
    try:
        child = Popen([PATH_SCSETUP] + options, stdout=PIPE)
        lst = child.communicate()[0].split("\n")
        if child.returncode != 0:
            return None
        if lst[-1] == '':
            del lst[-1:]
    except OSError:
        return None
    return lst

# Module names reported by the helper's "list_modules" command; [] on failure.
def getSmartcardModules():
    mods = callPKCS11Setup(["list_modules"])
    if mods == None:
        return []
    return mods

# Translated names of the supported card-removal actions.
def getSmartcardActions():
    return [_("Lock"), _("Ignore")]

# Build an AuthInfo, load the current configuration into it and return it.
def read(msgcb):
    info = AuthInfo(msgcb)
    info.read()
    return info

# Ties a save function and a service toggle function to the attributes that
# influence them. attrlist holds (attribute name, type) pairs where the type is
# "b" (compared with !=), "c" (case-sensitive string) or "i" (case-insensitive
# string).
class SaveGroup:
    def __init__(self, savefunc, togglefunc, attrlist):
        self.saveFunction = savefunc
        self.toggleFunction = togglefunc
        self.attrlist = attrlist

    # True when any listed attribute differs between a and b, or is recorded in
    # a.inconsistentAttrs. Pairs with an unknown type are ignored.
    def attrsDiffer(self, a, b):
        for (aname, atype) in self.attrlist:
            if aname in a.inconsistentAttrs:
                return True
            if atype == "b":
                if getattr(a, aname) != getattr(b, aname):
                    return True
            elif atype == "c":
                if stringsDiffer(getattr(a, aname), getattr(b, aname), True):
                    return True
            elif atype == "i":
                if stringsDiffer(getattr(a, aname), getattr(b, aname), False):
                    return True
        return False

# Replace a file through a temporary file in the same directory: the temp file
# starts as a "cp -af" copy of the target (taking over its attributes and
# contents) and save() renames it over the target, so readers see either the
# old or the new file.
class SafeFile:
    def __init__(self, filename, default_mode):
        (base, name) = os.path.split(filename)
        self.missing = False
        self.file = tempfile.NamedTemporaryFile(dir=base, prefix=name, delete=True)
        # overwrite the inode attributes and contents
        # NOTE(review): any cp failure with exit status 1 is treated as "target
        # does not exist yet". The descriptor returned by os.open('/dev/null')
        # is never closed in this class.
        if call(["/bin/cp", "-af", filename, self.file.name],
            stderr=os.open('/dev/null', os.O_WRONLY)) == 1:
            self.missing = True
            # the mode was not copied, use the default
            os.fchmod(self.file.fileno(), default_mode)
        self.filename = filename

    # Flush and fsync the temp file, then rename it over the target. A target
    # that did not exist before has its SELinux context set with restorecon.
    def save(self):
        self.file.flush()
        os.fsync(self.file.fileno())
        os.rename(self.file.name, self.filename)
        if self.missing:
            call(["/usr/sbin/restorecon", self.filename],
                stderr=os.open('/dev/null', os.O_WRONLY))

    def close(self):
        # we may have renamed the temp file, need to catch OSError
        try:
            self.file.close()
        except OSError:
            pass

    def write(self, s):
        return self.file.write(s)

    # Discard what was copied in and start writing from an empty file.
    def rewind(self):
        self.file.seek(0)
        self.file.truncate(0)

# One configuration file that can be copied to and from a backup directory.
class FileBackup:
    def __init__(self, backupname, origpath):
        self.backupName = backupname
        self.origPath = origpath

    # Copy src over dest through SafeFile while holding a shared lock on src.
    # Returns True on success and also when src cannot be opened or inspected
    # (a missing source is not an error); False when writing dest fails.
    # When dest does not exist yet it receives the permission bits of src.
    def safeCopy(self, src, dest):
        rv = True
        srcfd = None
        destfile = None

        try:
            srcfd = openfdLocked(src, os.O_RDONLY, 0)
        except IOError:
            return True
        try:
            mode = stat.S_IMODE(os.fstat(srcfd).st_mode)
        except (IOError, OSError):
            os.close(srcfd)
            return True

        try:
            destfile = SafeFile(dest, mode)
            destfile.rewind()
        except IOError:
            rv = False
        try:
            while rv:
                b = os.read(srcfd, 4096)
                if not b:
                    rv = True
                    break
                os.write(destfile.file.fileno(), b)
        except (IOError, OSError):
            rv = False
        try:
            if srcfd:
                os.close(srcfd)
        except (IOError, OSError):
            pass
        try:
            if destfile and rv:
                destfile.save()
                destfile.close()
        except (IOError, OSError):
            rv = False
        return rv

    # Copy the original file into destdir, creating the directory if needed.
    # NOTE(review): os.mkdir() is called without a mode, so the directory's
    # permissions depend on the process umask, and the files registered in
    # all_configs include shadow and gshadow. Confirm the backup root is only
    # accessible to root.
    def backup(self, destdir):
        rv = True
        try:
            if not os.path.isdir(destdir):
                os.mkdir(destdir)
        except (OSError, IOError):
            rv = False

        backuppath = destdir+"/"+self.backupName
        if rv:
            rv = self.safeCopy(self.origPath, backuppath)

        return rv

    # Copy the backup from backupdir over the original file and reset its
    # SELinux context. False when backupdir is not a directory or the copy
    # fails; a backup file that is absent leaves the original untouched.
    # The backup content is trusted as-is: restoring from a directory that
    # others can write to would let them replace system authentication files.
    def restore(self, backupdir):
        rv = True
        try:
            if not os.path.isdir(backupdir):
                return False
        except (IOError, OSError):
            rv = False

        backuppath = backupdir+"/"+self.backupName
        if rv and os.path.isfile(backuppath):
            rv = self.safeCopy(backuppath, self.origPath)

        try:
            if rv:
                call(["/usr/sbin/restorecon", self.origPath],
                    stderr=os.open('/dev/null', os.O_WRONLY))
        except (IOError, OSError):
            pass
        return rv

# True when the nscd service is enabled.
def readCache():
    return Service.isEnabled("nscd")

# Enable nscd, or disable it when PATH_NSCD exists. Always returns True.
def writeCache(enabled):
    if enabled:
        Service.enable("nscd")
    else:
        try:
            os.stat(PATH_NSCD)
            Service.disable("nscd")
        except OSError:
            pass
    return True

# Backup entry that stores whether the cache service is enabled (as "0" or
# "1") instead of copying a file.
class CacheBackup(FileBackup):
    # Write the current enabled state to the backup file; a partially written
    # file is removed again on failure.
    def backup(self, destdir):
        rv = True
        try:
            if not os.path.isdir(destdir):
                os.mkdir(destdir)
        except (OSError, IOError):
            rv = False

        backuppath = destdir+"/"+self.backupName
        if rv:
            dest = None
            try:
                enabled = readCache()
                dest = open(backuppath, "w")
                dest.write(str(int(enabled)))
            except IOError:
                rv = False
            if dest:
                dest.close()

        if not rv:
            try:
                os.unlink(backuppath)
            except OSError:
                pass
        return rv

    # Read the stored state and apply it with writeCache(). Content that is not
    # an integer makes the restore fail instead of being applied.
    def restore(self, backupdir):
        rv = True
        try:
            if not os.path.isdir(backupdir):
                return False
        except (IOError, OSError):
            rv = False

        backuppath = backupdir+"/"+self.backupName
        if rv and os.path.isfile(backuppath):
            backup = None
            try:
                backup = open(backuppath, "r")
                enabled = int(backup.read())
                writeCache(enabled)
            except (IOError, OSError, ValueError):
                rv = False
            if backup:
                backup.close()

        return rv

# indexes for the configs
# The numbering must stay in step with the order of all_configs below.
(CFG_HESIOD, CFG_YP, CFG_LDAP, CFG_NSSLDAP, CFG_PAMLDAP, CFG_NSLCD, CFG_OPENLDAP, CFG_KRB5,
    CFG_KRB, CFG_PAM_PKCS11, CFG_SMB, CFG_NSSWITCH, CFG_CACHE,
    CFG_PAM, CFG_POSTLOGIN_PAM, CFG_PASSWORD_PAM, CFG_FINGERPRINT_PAM, CFG_SMARTCARD_PAM, CFG_AUTHCONFIG, CFG_NETWORK, CFG_LIBUSER,
    CFG_PWQUALITY, CFG_LOGIN_DEFS, CFG_SSSD, CFG_SHADOW, CFG_PASSWD, CFG_GSHADOW, CFG_GROUP, CFG_DCONF, CFG_DCONF_LOCKS) = range(0, 30)

# Every file handled by backup and restore, as (backup name, original path).
# The set includes the PAM service files and the account databases (shadow,
# passwd, gshadow, group), so a backup directory holds password hashes and
# deserves the same protection as the originals.
all_configs = [
    FileBackup("hesiod.conf", SYSCONFDIR+"/hesiod.conf"),
    FileBackup("yp.conf", SYSCONFDIR+"/yp.conf"),
    FileBackup("ldap.conf", SYSCONFDIR+"/ldap.conf"),
    FileBackup("nss_ldap.conf", SYSCONFDIR+"/nss_ldap.conf"),
    FileBackup("pam_ldap.conf", SYSCONFDIR+"/pam_ldap.conf"),
    FileBackup("nslcd.conf", SYSCONFDIR+"/nslcd.conf"),
    FileBackup("openldap.conf", SYSCONFDIR+"/openldap/ldap.conf"),
    FileBackup("krb5.conf", SYSCONFDIR+"/krb5.conf"),
    FileBackup("krb.conf", SYSCONFDIR+"/krb.conf"),
    FileBackup("pam_pkcs11.conf", SYSCONFDIR+"/pam_pkcs11/pam_pkcs11.conf"),
    FileBackup("smb.conf", SYSCONFDIR+"/samba/smb.conf"),
    FileBackup("nsswitch.conf", SYSCONFDIR+"/nsswitch.conf"),
    CacheBackup("cacheenabled.conf", ""),
    FileBackup("system-auth-ac", SYSCONFDIR+"/pam.d/"+AUTH_PAM_SERVICE_AC),
    FileBackup("postlogin-ac", SYSCONFDIR+"/pam.d/"+POSTLOGIN_PAM_SERVICE_AC),
    FileBackup("password-auth-ac", SYSCONFDIR+"/pam.d/"+PASSWORD_AUTH_PAM_SERVICE_AC),
    FileBackup("fingerprint-auth-ac", SYSCONFDIR+"/pam.d/"+FINGERPRINT_AUTH_PAM_SERVICE_AC),
    FileBackup("smartcard-auth-ac", SYSCONFDIR+"/pam.d/"+SMARTCARD_AUTH_PAM_SERVICE_AC),
    FileBackup("authconfig", SYSCONFDIR+"/sysconfig/authconfig"),
    FileBackup("network", SYSCONFDIR+"/sysconfig/network"),
    FileBackup("libuser.conf", SYSCONFDIR+"/libuser.conf"),
    FileBackup("pwquality.conf", SYSCONFDIR+"/security/pwquality.conf"),
    FileBackup("login.defs", SYSCONFDIR+"/login.defs"),
    FileBackup("sssd.conf", PATH_SSSD_CONFIG),
    FileBackup("shadow", SYSCONFDIR+"/shadow"),
    FileBackup("passwd", SYSCONFDIR+"/passwd"),
    FileBackup("gshadow", SYSCONFDIR+"/gshadow"),
    FileBackup("group", SYSCONFDIR+"/group"),
    FileBackup("10-authconfig", SYSCONFDIR+"/dconf/db/distro.d/10-authconfig"),
    FileBackup("10-authconfig-locks", SYSCONFDIR+"/dconf/db/distro.d/locks/10-authconfig-locks")]

# Pairs of (AuthInfo attribute, SSSD option name). enableCacheCreds appears
# twice because it is paired with two options.
sssd_options = [
    ('ldapServer', 'ldap_uri'),
    ('ldapBaseDN', 'ldap_search_base'),
    ('enableLDAPS', 'ldap_id_use_start_tls'),
    ('ldapSchema', 'ldap_schema'),
    ('ldapCacertDir', 'ldap_tls_cacertdir'),
    ('kerberosKDC', 'krb5_server'),
    ('kerberosAdminServer', 'krb5_kpasswd'),
    ('kerberosRealm', 'krb5_realm'),
    ('enableCacheCreds', 'cache_credentials'),
    ('enableCacheCreds', 'krb5_store_password_if_offline')]

# Holds the complete authentication configuration as attributes, together with
# the table (save_groups) that says which writer and which service toggle each
# attribute affects.
class AuthInfo:
    # Set every setting to its initial value. Most start as None or "";
    # the non-empty defaults that matter for security are called out below.
    def __init__(self, msgcb):
        self.messageCB = msgcb
        self.backupDir = ""
        # names of attributes recorded by setParam()
        self.inconsistentAttrs = []

        # Service-specific settings.
        self.hesiodLHS = ""
        self.hesiodRHS = ""
        self.ldapServer = ""
        self.ldapBaseDN = ""
        self.kerberosRealm = None
        self.kerberosRealmviaDNS = None
        self.kerberosKDC = ""
        self.kerberosKDCviaDNS = None
        self.kerberosAdminServer = ""
        self.nisServer = ""
        self.nisDomain = ""
        self.nisLocalDomain = ""
        self.smbWorkgroup = ""
        self.smbRealm = ""
        self.smbServers = ""
        self.smbSecurity = ""
        self.smbIdmapRange = ""
        self.winbindSeparator = ""
        self.winbindTemplateHomedir = ""
        self.winbindTemplateShell = ""
        self.winbindUseDefaultDomain = None
        self.winbindOffline = None
        self.winbindKrb5 = None
        self.ipav2Server = None
        self.ipav2Domain = None
        self.ipav2Realm = None
        self.ipav2NoNTP = None
        self.ipaDomainJoined = False
        self.ipaUninstall = False

        self.smartcardModule = ""
        self.smartcardAction = ""

        # NSSwitch setup. Files is always in there.
        self.enableCache = None
        self.enableCompat = None
        self.enableDB = None
        self.enableDirectories = None
        self.enableHesiod = None
        self.enableLDAP = None
        self.enableLDAPS = None
        self.enableNIS = None
        self.enableNIS3 = None
        self.enableDBbind = None
        self.enableDBIbind = None
        self.enableHesiodbind = None
        self.enableLDAPbind = None
        self.enableOdbcbind = None
        self.enableWinbind = None
        self.enableWINS = None
        self.enableMDNS = None
        self.enableMyhostname = None
        self.preferDNSinHosts = None
        self.enableSSSD = None
        self.enableIPAv2 = None

        # This one we don't have a config entry, we just
        # preserve the entry if we see it.
        self.enableAltfiles = None

        # Authentication setup.
        self.enableAFS = None
        self.enableAFSKerberos = None
        # presumably controls pam_unix "nullok" (empty passwords); defaults
        # to on - verify against the PAM writer
        self.enableNullOk = True
        self.enablePWQuality = None
        self.enableEcryptfs = None
        self.enableEPS = None
        self.enableKerberos = None
        self.enableLDAPAuth = None
        self.passwordAlgorithm = ""
        self.algoRounds = ""
        self.uidMin = None
        self.enableOTP = None
        self.enablePasswdQC = None
        self.enableShadow = None
        self.enableWinbindAuth = None
        self.enableLocAuthorize = None
        self.enablePAMAccess = None
        self.enableSysNetAuth = None
        self.enableMkHomeDir = None
        self.enableSmartcard = None
        self.enableSSSDAuth = None
        self.brokenShadow = None
        self.forceBrokenShadow = None
        self.forceSmartcard = None
        self.enableFprintd = None
        self.enableForceLegacy = None
        self.implicitSSSD = False
        self.implicitSSSDAuth = False
        self.enableCacheCreds = None

        # Password quality
        # defaults: minimum length 9, one character class required
        self.passMinLen = "9"
        self.passMinClass = "1"
        self.passMaxRepeat = "0"
        self.passMaxClassRepeat = "0"
        self.passReqLower = None
        self.passReqUpper = None
        self.passReqDigit = None
        self.passReqOther = None

        # Faillock
        # default arguments: lock after 4 failures, unlock after 1200 seconds
        self.enableFaillock = None
        self.faillockArgs = "deny=4 unlock_time=1200"

        # Not really options.
        self.joinUser = ""
        # domain-join secret; kept as a plain attribute for the object's lifetime
        self.joinPassword = ""
        self.pwqualityArgs = ""
        self.passwdqcArgs = ""
        self.localuserArgs = ""
        self.pamAccessArgs = ""
        # created home directories are private to their owner by default
        self.mkhomedirArgs = "umask=0077"
        self.systemdArgs = ""
        self.ldapCacertDir = ""
        self.ldapCacertURL = ""
        self.ldapSchema = ""

        self.pamLinked = True

        global SSSDConfig
        self.sssdConfig = None
        self.sssdDomain = None
        self.forceSSSDUpdate = None
        self.sssdConfigPresent = False
        # SSSDConfig is a module-level name; a false value skips SSSD setup
        if SSSDConfig:
            try:
                self.sssdConfig = SSSDConfig.SSSDConfig()
                self.sssdConfig.new_config()
            except IOError:
                pass

        self.toggleFunctions = set()
        # Each entry: (save function, toggle function, attributes to compare);
        # see SaveGroup.attrsDiffer for the meaning of "b", "c" and "i".
        # A few attributes are listed twice within one group (enableNIS3 and
        # enableNIS under writeNSS, enableMkHomeDir under writePAM); the repeat
        # only costs a second comparison.
        self.save_groups = [
    SaveGroup(self.writeCache, self.toggleCachingService, [("enableCache", "b"), ("implicitSSSD", "b")]),
    SaveGroup(self.writeHesiod, None, [("hesiodLHS", "i"), ("hesiodRHS", "i")]),
    SaveGroup(self.writeNIS, self.toggleNisService, [("nisDomain", "c"), ("nisLocalDomain", "c"), ("nisServer", "c")]),
    SaveGroup(self.writeLDAP, None, [("ldapServer", "i"), ("ldapBaseDN", "c"), ("enableLDAPS", "b"),
        ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("passwordAlgorithm", "i")]),
    SaveGroup(self.writeLibuser, None, [("passwordAlgorithm", "i")]),
    SaveGroup(self.writeLogindefs, None, [("passwordAlgorithm", "i")]), # for now we do not rewrite uidMin
    SaveGroup(self.writePWQuality, None, [("passMinLen", "c"), ("passMinClass", "c"),
        ("passMaxRepeat", "c"), ("passMaxClassRepeat", "c"), ("passReqLower", "b"),
        ("passReqUpper", "b"), ("passReqDigit", "b"), ("passReqOther", "b")]),
    SaveGroup(self.writeKerberos, None, [("kerberosRealm", "c"), ("kerberosKDC", "i"),
        ("smbSecurity", "i"), ("smbRealm", "c"), ("smbServers", "i"),
        ("kerberosAdminServer", "i"), ("kerberosRealmviaDNS", "b"),
        ("kerberosKDCviaDNS", "b")]),
    SaveGroup(self.writeSSSD, self.toggleSSSDService, [("ldapServer", "i"), ("ldapBaseDN", "c"), ("enableLDAPS", "b"),
        ("ldapSchema", "c"), ("ldapCacertDir", "c"), ("enableCacheCreds", "b"),
        ("enableSmartcard", "b"),
        ("kerberosRealm", "c"), ("kerberosKDC", "i"), ("kerberosAdminServer", "i"),
        ("forceSSSDUpdate", "b"), ("enableLDAP", "b"), ("enableKerberos", "b"),
        ("enableLDAPAuth", "b"), ("enableIPAv2", "b")]),
    SaveGroup(self.writeSmartcard, None, [("smartcardAction", "i"), ("smartcardModule", "c")]),
    SaveGroup(self.writeDConf, None, [("smartcardAction", "i"), ("smartcardModule", "c"),
        ("enableFprintd", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b")]),
    SaveGroup(self.writeWinbind, self.toggleWinbindService, [("smbWorkgroup", "i"), ("smbServers", "i"),
        ("smbRealm", "c"), ("smbSecurity", "i"), ("smbIdmapRange", "i"),
        ("winbindSeparator", "c"), ("winbindTemplateHomedir", "c"),
        ("winbindTemplateShell", "c"), ("winbindUseDefaultDomain", "b"),
        ("winbindOffline", "b"), ("winbindKrb5", "b")]),
    SaveGroup(self.writeNSS, None, [("enableDB", "b"), ("enableDirectories", "b"), ("enableWinbind", "b"),
        ("enableOdbcbind", "b"), ("enableNIS3", "b"), ("enableNIS", "b"),
        ("enableLDAPbind", "b"), ("enableLDAP", "b"), ("enableHesiodbind", "b"),
        ("enableHesiod", "b"), ("enableDBIbind", "b"), ("enableDBbind", "b"),
        ("enableCompat", "b"), ("enableWINS", "b"), ("enableMDNS", "b"), ("enableMyhostname", "b"),
        ("enableNIS3", "b"), ("enableNIS", "b"), ("enableIPAv2", "b"),
        ("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b")]),
    SaveGroup(self.writePAM, None, [("pwqualityArgs", "c"), ("passwdqcArgs", "c"),
        ("faillockArgs", "c"), ("enableFaillock", "b"),
        ("localuserArgs", "c"), ("pamAccessArgs", "c"), ("enablePAMAccess", "b"),
        ("mkhomedirArgs", "c"), ("enableMkHomeDir", "b"), ("algoRounds", "c"),
        ("passwordAlgorithm", "i"), ("enableShadow", "b"), ("enableNIS", "b"),
        ("enableNullOk", "b"), ("forceBrokenShadow", "b"), ("enableLDAPAuth", "b"),
        ("enableKerberos", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
        ("enableWinbindAuth", "b"), ("enableMkHomeDir", "b"), ("enableAFS", "b"),
        ("enableAFSKerberos", "b"), ("enablePWQuality", "b"), ("enableEPS", "b"),
        ("enableEcryptfs", "b"), ("enableOTP", "b"), ("enablePasswdQC", "b"),
        ("enableLocAuthorize", "b"), ("enableSysNetAuth", "b"),
        ("winbindOffline", "b"), ("winbindKrb5", "b"),
        ("enableSSSDAuth", "b"), ("enableFprintd", "b"), ("pamLinked", "b"),
        ("implicitSSSDAuth", "b"), ("systemdArgs", "c"), ("uidMin", "i"), ("enableIPAv2", "b")]),
    SaveGroup(self.writeSysconfig, None, [("passwordAlgorithm", "i"), ("enableShadow", "b"), ("enableNIS", "b"),
        ("enableLDAP", "b"), ("enableLDAPAuth", "b"), ("enableKerberos", "b"),
        ("enableEcryptfs", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
        ("enableWinbindAuth", "b"), ("enableWinbind", "b"), ("winbindKrb5", "b"), ("enableDB", "b"),
        ("enableHesiod", "b"), ("enablePWQuality", "b"), ("enablePasswdQC", "b"),
        ("enableFaillock", "b"), ("faillockArgs", "c"),
        ("enableLocAuthorize", "b"), ("enablePAMAccess", "b"), ("enableCacheCreds", "b"),
        ("enableMkHomeDir", "b"), ("enableSysNetAuth", "b"), ("enableFprintd", "b"),
        ("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b"),
        ("ipav2Server", "i"), ("ipav2Domain", "i"), ("ipav2Realm", "c"),
        ("enableIPAv2", "b"), ("ipaDomainJoined", "b"), ("ipav2NoNTP", "b")]),
    SaveGroup(self.writeNetwork, None, [("nisDomain", "c")]),
    SaveGroup(self.toggleShadow, None, [("enableShadow", "b")]),
    SaveGroup(None, self.toggleNisService, [("enableNIS", "b")]),
    SaveGroup(None, self.toggleOddjobService, [("enableMkHomeDir", "b")]),
    SaveGroup(None, self.toggleLDAPService, [("enableLD​AP", "b"), ("enableLDAPAuth", "b"),
        ("implicitSSSD", "b"), ("implicitSSSDAuth", "b"), ("enableForceLegacy", "b")]),
    SaveGroup(None, self.toggleSSSDService, [("implicitSSSD", "b"), ("implicitSSSDAuth", "b"),
        ("enableIPAv2", "b"), ("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b")]),
    SaveGroup(None, self.toggleWinbindService, [("enableWinbind", "b"), ("enableWinbindAuth", "b")])]

    # Set attribute attr to value when it changes. If the value being replaced
    # also differed from the same attribute on ref, the attribute name is added
    # to inconsistentAttrs (which SaveGroup.attrsDiffer treats as "differs").
    def setParam(self, attr, value, ref):
        oldval = getattr(self, attr)
        if oldval != value:
            setattr(self, attr, value)
            if oldval != getattr(ref, attr):
                self.inconsistentAttrs.append(attr)

    def setIntParam(self, attr, value, ref):
        try:
            value = int(value)
except ValueError: return return self.setParam(attr, str(value), ref) def setClassReqParam(self, attr, value, ref): try: value = int(value) except ValueError: return if value < 0: return self.setParam(attr, True, ref) return self.setParam(attr, False, ref) def sssdSupported(self): if self.enableForceLegacy or not self.sssdConfig: return False # we just ignore things which have no support on command line nssall = ('NIS', 'LDAP', 'Winbind', 'Hesiod', 'IPAv2') pamall = ('Kerberos', 'LDAPAuth', 'WinbindAuth', 'Smartcard') idsupported = ('LDAP') authsupported = ('Kerberos', 'LDAPAuth') num = 0 for t in nssall: if getattr(self, 'enable'+t): if t not in idsupported: return False num += 1 if num != 1: return False num = 0 for t in pamall: if getattr(self, 'enable'+t): if t not in authsupported: return False num += 1 if num != 1: return False # realm via DNS is not supported by the current SSSD if self.enableKerberos and self.kerberosRealmviaDNS: return False return True # Read hesiod setup. Luckily, /etc/hesiod.conf is simple enough that shvfile # can read it just fine. def readHesiod(self, ref): # Open the file. Bail if it's not there. try: shv = shvfile.read(all_configs[CFG_HESIOD].origPath) except IOError: return False # Read the LHS. self.setParam("hesiodLHS", snipString(shv.getValue("lhs")), ref) # Read the RHS. self.setParam("hesiodRHS", snipString(shv.getValue("rhs")), ref) shv.close() return True # Read NIS setup from /etc/yp.conf. def readNIS(self, ref): # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_YP].origPath, "r") except IOError: return False nisserver = "" for line in f: line = line.strip() # Is it a "ypserver" statement? If so, extract the server. value = matchKey(line, "ypserver") if value and self.nisLocalDomain: # Save the server's name. 
nisserver = commaAppend(nisserver, value) continue # It had better be a "domain" statement, because the man page # for this file states that this is all there is. value = matchKey(line, "domain") if value: # Save the domain's name. To do that, find its end. value = value.split(None, 1) if len(value) < 1: continue if value[0] != self.nisLocalDomain: continue if len(value) < 2: continue value = value[1] # Is it "server"? If not, assume "broadcast". value = matchKey(value, "server") if value: nisserver = commaAppend(nisserver, value) self.setParam("nisServer", nisserver, ref) f.close() return True def validateLDAPURI(self, s): """ Check whether LDAP URI is valid. """ if ',' in s: uris = s.split(',') else: uris = s.split() for uri in uris: try: p = urlparse.urlparse(uri).port except (ValueError, socket.error): return False return True def ldapHostsToURIs(self, s, validate): if ',' in s: l = s.split(',') else: l = s.split() ret = "" for item in l: if item: if ret: ret += "," if "://" in item: ret += item else: ret += "ldap://" + item + "/" if validate and not self.validateLDAPURI(ret): self.messageCB(_("Invalid LDAP URI.")) return ret # Read LDAP setup from /etc/ldap.conf. def readLDAP(self, ref): self.ldapCacertDir = PATH_LDAP_CACERTS # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_NSSLDAP].origPath, "r") except IOError: try: f = open(all_configs[CFG_NSLCD].origPath, "r") except IOError: try: f = open(all_configs[CFG_PAMLDAP].origPath, "r") except IOError: try: f = open(all_configs[CFG_LDAP].origPath, "r") except IOError: return False for line in f: line = line.strip() # Is it a "base" statement? value = matchKey(line, "base") if value and checkDN(value): # Save the base DN. self.setParam("ldapBaseDN", value, ref) continue # Is it a "host" statement? value = matchKey(line, "host") if value: # Save the host name or IP. self.setParam("ldapServer", value, ref) continue # Is it a "uri" statement? 
value = matchKey(line, "uri") if value: # Save the host name or IP. self.setParam("ldapServer", value, ref) continue # Is it a "ssl" statement? value = matchKey(line, "ssl") if value: self.setParam("enableLDAPS", matchLine(value, "start_tls"), ref) continue # Is it a "nss_schema" statement? value = matchKey(line, "nss_schema") if value: self.setParam("ldapSchema", value, ref) continue # We'll pull MD5/DES crypt ("pam_password") from the config # file, or from the pam_unix PAM config lines. self.ldapServer = self.ldapHostsToURIs(cleanList(self.ldapServer), False) f.close() return True # Read Kerberos setup from /etc/krb5.conf. def getKerberosKDC(self, realm): try: return self.allKerberosKDCs[realm] except KeyError: return "" def getKerberosAdminServer(self, realm): try: return self.allKerberosAdminServers[realm] except KeyError: return "" def readKerberos(self, ref): section = "" self.allKerberosKDCs = {} self.allKerberosAdminServers = {} realm_found = False # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_KRB5].origPath, "r") except IOError: return False for line in f: line = line.split('#')[0] line = line.strip() # If it's a new section, note which one we're "in". if line[0:1] == "[": section = line[1:-1] subsection = "" continue; if section == "libdefaults": # Check for the default realm setting. value = matchKeyEquals(line, "default_realm") if value: self.setParam("kerberosRealm", value, ref) realm_found = True; continue; # Check for the DNS settings. value = matchKeyEquals(line, "dns_lookup_kdc") if value: self.setParam("kerberosKDCviaDNS", matchKey(value, "true") == "", ref) continue value = matchKeyEquals(line, "dns_lookup_realm") if value: self.setParam("kerberosRealmviaDNS", matchKey(value, "true") == "", ref) continue; elif section == "realms": if not subsection: # Read the name of the realm. 
value = line.split(None,1) if len(value) < 1: continue subsection = value[0] # Check for the end of a realm section. else: if line[0:1] == "}": subsection = "" continue if not self.kerberosRealm: # No reason to use setParam here self.kerberosRealm = subsection realm_found = True; # See if this is a key we care about. value = matchKeyEquals(line, "kdc") if value: self.allKerberosKDCs[subsection] = commaAppend(self.getKerberosKDC(subsection), value) continue value = matchKeyEquals(line, "admin_server") if value: self.allKerberosAdminServers[subsection] = commaAppend(self.getKerberosAdminServer(subsection), value) f.close() if realm_found: if self.kerberosRealm: self.setParam("kerberosKDC", self.getKerberosKDC(self.kerberosRealm), ref) self.setParam("kerberosAdminServer", self.getKerberosAdminServer(self.kerberosRealm), ref) else: if self.kerberosRealm: self.inconsistentAttrs.append("kerberosRealm") else: self.setParam("kerberosRealm", "", ref) return True def readLibuser(self, ref): section = "" # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_LIBUSER].origPath, "r") except IOError: return False for line in f: line = line.strip() # If it's a new section, note which one we're "in". if line[0:1] == "[": section = line[1:-1] subsection = "" continue; if section == "defaults": # Check for the crypt style setting. value = matchKeyEquals(line, "crypt_style") if value: self.setParam("passwordAlgorithm", value.lower(), ref) continue; f.close() return True def readLogindefs(self, ref): # Open the file. Bail if it's not there or there's some problem # reading it. 
try: f = open(all_configs[CFG_LOGIN_DEFS].origPath, "r") except IOError: return False for line in f: match = ld_line_re.match(line) if match is not None: name = match.group(1) if name.startswith('#'): continue value = match.group(3) if value is None: value = match.group(4) if value is None: value = '' else: continue if name == "MD5_CRYPT_ENAB" and value == "yes": self.setParam("passwordAlgorithm", "md5", ref) continue if name == "ENCRYPT_METHOD": if value == "DES": value = "descrypt" self.setParam("passwordAlgorithm", value.lower(), ref) continue if name == "UID_MIN": self.setParam("uidMin", value, ref) f.close() return True def readPWQuality(self, ref): section = "" # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_PWQUALITY].origPath, "r") except IOError: return False for line in f: line = line.split('#')[0] line = line.strip() # Check for the settings that interest us. value = matchKeyEquals(line, "minlen") if value: self.setIntParam("passMinLen", value, ref) continue; value = matchKeyEquals(line, "minclass") if value: self.setIntParam("passMinClass", value, ref) continue; value = matchKeyEquals(line, "maxrepeat") if value: self.setIntParam("passMaxRepeat", value, ref) continue; value = matchKeyEquals(line, "maxclassrepeat") if value: self.setIntParam("passMaxClassRepeat", value, ref) continue; value = matchKeyEquals(line, "lcredit") if value: self.setClassReqParam("passReqLower", value, ref) continue; value = matchKeyEquals(line, "ucredit") if value: self.setClassReqParam("passReqUpper", value, ref) continue; value = matchKeyEquals(line, "dcredit") if value: self.setClassReqParam("passReqDigit", value, ref) continue; value = matchKeyEquals(line, "ocredit") if value: self.setClassReqParam("passReqOther", value, ref) continue; f.close() return True def readSSSD(self, ref): if not self.sssdConfig: return True self.sssdConfig = SSSDConfig.SSSDConfig() try: 
self.sssdConfig.import_config(all_configs[CFG_SSSD].origPath) self.sssdConfigPresent = True except (IOError, SSSDConfig.ParsingError): self.sssdConfig = SSSDConfig.SSSDConfig() self.sssdConfig.new_config() try: domain = self.sssdDomain = self.sssdConfig.get_domain(SSSD_AUTHCONFIG_DOMAIN) except SSSDConfig.NoDomainError: try: domname = self.sssdConfig.list_active_domains()[0] except IndexError: try: domname = self.sssdConfig.list_domains()[0] except IndexError: return True domain = self.sssdConfig.get_domain(domname) try: idprov = domain.get_option('id_provider') except SSSDConfig.NoOptionError: idprov = None try: authprov = domain.get_option('auth_provider') except SSSDConfig.NoOptionError: authprov = None for (attr, opt) in sssd_options: try: val = domain.get_option(opt) if opt == 'ldap_uri': val = " ".join(val.split(",")) elif opt == 'ldap_schema' and val == 'rfc2307': continue elif opt == 'krb5_store_password_if_offline': continue self.setParam(attr, val, ref) except SSSDConfig.NoOptionError: pass def readSmartcard(self, ref): lock = False smartcardmodule = callPKCS11Setup(["use_module"]) if smartcardmodule == None: self.smartcardModule = "" return False self.setParam("smartcardModule", smartcardmodule[0], ref) rmactions = callPKCS11Setup(["rm_action"]) if rmactions == None: return False for action in rmactions: if "lockhelper.sh" in action: lock = True if lock: self.setParam("smartcardAction", _("Lock"), ref) else: self.setParam("smartcardAction", _("Ignore"), ref) return True # Read Samba setup from /etc/samba/smb.conf. def readWinbindGlobal(self, key): result = "" section = "" # Open the file. Bail if it's not there or there's some problem # reading it. try: f = open(all_configs[CFG_SMB].origPath, "r") except IOError: return result for line in f: line = line.strip() # Skip comments. if matchLine(line, "#"): continue if matchLine(line, ";"): continue # If it's a new section, note which one we're "in". 
value = matchKey(line, "[") if value: section = value.split("]")[0].lower() continue # Check for global settings. Anything else we can skip. if not section or section != "global": continue # Check for a match with the requested setting name. res = matchLineSMB(line, key) if res: result = res f.close() return result def readWinbindGlobalBool(self, key): tmp = self.readWinbindGlobal(key) if tmp: if tmp.lower() == "yes" or tmp.lower() == "true" or tmp == "1": return True else: return False return None # Read winbind settings from /etc/samba/smb.conf. def readWinbind(self, ref): tmp = self.readWinbindGlobal("workgroup") if tmp: self.setParam("smbWorkgroup", tmp, ref) tmp = self.readWinbindGlobal("password server") if tmp: self.setParam("smbServers", tmp, ref) tmp = self.readWinbindGlobal("realm") if tmp: self.setParam("smbRealm", tmp, ref) tmp = self.readWinbindGlobal("security") if tmp: self.setParam("smbSecurity", tmp, ref) if not self.smbSecurity: self.smbSecurity = "user" tmp = self.readWinbindGlobal("idmap config * : range") if tmp: self.setParam("smbIdmapRange", tmp, ref) if not self.smbIdmapRange: # 2^24 to 2^25 - 1 should be safe self.smbIdmapRange = "16777216-33554431" tmp = self.readWinbindGlobal("winbind separator") if tmp: self.setParam("winbindSeparator", tmp, ref) tmp = self.readWinbindGlobal("template homedir") if tmp: self.setParam("winbindTemplateHomedir", tmp, ref) tmp = self.readWinbindGlobal("template shell") if tmp: self.setParam("winbindTemplateShell", tmp, ref) if not self.winbindTemplateShell: self.winbindTemplateShell = "/bin/false" tmp = self.readWinbindGlobalBool("winbind use default domain") if tmp != None: self.setParam("winbindUseDefaultDomain", tmp, ref) tmp = self.readWinbindGlobalBool("winbind offline logon") if tmp != None: self.setParam("winbindOffline", tmp, ref) return True # Read NSS setup from /etc/nsswitch.conf. def readNSS(self, ref): # Open the file. Bail if it's not there or there's some problem # reading it. 
nssconfig = "" initgroups = "" try: f = open(all_configs[CFG_NSSWITCH].origPath, "r") except IOError: return False for line in f: line = line.strip() value = matchKey(line, "passwd:") if value: nssconfig = value else: # wins can be found in hosts only value = matchKey(line, "hosts:") if value: if checkNSS(value, "wins"): self.setParam("enableWINS", True, ref) if checkNSS(value, "mdns4_minimal [NOTFOUND=return]"): self.setParam("enableMDNS", True, ref) if checkNSS(value, "myhostname"): self.setParam("enableMyhostname", True, ref) nispos = checkNSS(value, "nis") if nispos == None: nispos = checkNSS(value, "wins") dnspos = checkNSS(value, "dns") if nispos != None and dnspos != None: self.setParam("preferDNSinHosts", dnspos < nispos, ref) else: value = matchKey(line, "initgroups:") if value: initgroups = value if nssconfig: nssmap = (('Compat', 'compat'), ('DB', 'db'), ('Directories', 'directories'), ('Hesiod', 'hesiod'), ('LDAP', 'ldap'), ('NIS', 'nis'), ('Altfiles', 'altfiles'), ('NIS3', 'nisplus'), ('Winbind', 'winbind')) for attr, nssentry in nssmap: if checkNSS(nssconfig, nssentry): self.setParam('enable' + attr, True, ref) if initgroups and checkNSS(nssconfig, 'sss') and not checkNSS(initgroups, 'sss'): self.inconsistentAttrs.append('implicitSSSD') self.setParam("implicitSSSD", bool(checkNSS(nssconfig, "sss")), ref) f.close() return True # Read whether or not caching is enabled. def readCache(self, ref): self.setParam("enableCache", readCache(), ref) return True # Read hints from the PAM control file. def readPAM(self, ref): # Open the system-auth file. Bail if it's not there or # there's some problem reading it. try: f = open(all_configs[CFG_PAM].origPath, "r") except IOError: try: f = open(SYSCONFDIR+"/pam.d/"+AUTH_PAM_SERVICE, "r") except IOError: return False self.readPAMFile(ref, f) f.close() # Open the postlogin file. It's ok if it's not there. 
try: f = open(all_configs[CFG_POSTLOGIN_PAM].origPath, "r") except IOError: try: f = open(SYSCONFDIR+"/pam.d/"+POSTLOGIN_PAM_SERVICE, "r") except IOError: return True self.readPAMFile(ref, f) f.close() return True def readPAMFile(self, ref, f): prevline = "" for line in f: lst = line.split("#", 1) if len(lst) > 1: line = lst[0] line = line.rstrip() # Join lines ending with "\\" if line[-1:] == "\\": prevline += line[:-1] + " " continue line = prevline + line prevline = "" line = line.lstrip() args = "" lst = line.split(None, 1) if len(lst) < 2: continue (stack, line) = lst if (stack != "auth" and stack != "account" and stack != "password" and stack != "session"): continue if line.startswith("["): lst = line.split("]", 1) else: lst = line.split(None, 1) if len(lst) < 2: continue if lst[0] == "include": continue control = lst[0] if control.startswith("["): control += "]" line = lst[1] lst = line.split(None, 1) if len(lst) < 1: continue (module,) = lst[0].split("/")[-1:] if len(lst) == 2: args = lst[1] if module.startswith("pam_cracklib") or module.startswith("pam_pwquality"): self.setParam("enablePWQuality", True, ref) if args: self.setParam("pwqualityArgs", args, ref) continue if module.startswith("pam_ecryptfs"): self.setParam("enableEcryptfs", True, ref) continue if module.startswith("pam_krb5"): self.setParam("enableKerberos", True, ref) continue if module.startswith("pam_ldap"): self.setParam("enableLDAPAuth", True, ref) continue if module.startswith("pam_pkcs11"): self.setParam("enableSmartcard", True, ref) if "authinfo_unavail" not in control: self.setParam("forceSmartcard", True, ref) else: self.setParam("forceSmartcard", False, ref) continue if module.startswith("pam_fprintd"): self.setParam("enableFprintd", True, ref) continue if module.startswith("pam_passwdqc"): self.setParam("enablePasswdQC", True, ref) if args: self.setParam("passwdqcArgs", args, ref) continue if module.startswith("pam_winbind"): self.setParam("enableWinbindAuth", True, ref) 
self.setParam("winbindKrb5", args.find("krb5_auth") >= 0, ref) continue if module.startswith("pam_sss"): self.setParam("implicitSSSDAuth", True, ref) continue if module.startswith("pam_access"): self.setParam("enablePAMAccess", True, ref) if args: self.setParam("pamAccessArgs", args, ref) continue if module.startswith("pam_mkhomedir") or module.startswith("pam_oddjob_mkhomedir"): self.setParam("enableMkHomeDir", True, ref) if args: # first place where we are setting them self.mkhomedirArgs = args continue if module.startswith("pam_localuser"): self.setParam("enableLocAuthorize", True, ref) if args: self.setParam("localuserArgs", args, ref) continue if module.startswith("pam_systemd"): if args: self.setParam("systemdArgs", args, ref) continue if stack == "password": if module.startswith("pam_unix"): for algo in password_algorithms: if args.find(algo) >= 0: self.setParam("passwordAlgorithm", algo, ref) try: ridx = args.index("rounds=") rounds = args[ridx+7:].split(None,1) self.setParam("algoRounds", str(int(rounds[0])), ref) except (ValueError, IndexError): pass try: os.stat("/etc/shadow") self.setParam("enableShadow", True, ref) except OSError: self.setParam("enableShadow", False, ref) if stack == "auth": if module.startswith("pam_unix"): self.setParam("enableNullOk", args.find("nullok") >= 0, ref) if module.startswith("pam_faillock"): self.setParam("enableFaillock", True, ref) if args and 'authfail' in args: args = args.replace('authfail', '').strip() self.setParam("faillockArgs", args, ref) continue if stack == "account": if module.startswith("pam_unix"): self.setParam("brokenShadow", args.find("broken_shadow") >= 0, ref) if stack == "auth" or stack == "account": if module.startswith("pam_succeed_if"): match = succ_if_re.match(args) if match != None and match.group(2) != None: self.setParam("uidMin", match.group(2), ref) # Special handling for pam_pwquality and pam_passwdqc: there can be # only one. 
if self.enablePWQuality and self.enablePasswdQC: self.setParam("enablePasswdQC", False, ref) if not self.enablePWQuality and not self.enablePasswdQC: self.setParam("enablePWQuality", True, ref) # Special handling for broken_shadow option if (self.brokenShadow and not self.enableLDAPAuth and not self.enableKerberos and not self.enableWinbindAuth and not self.enableSSSDAuth and not self.enableSmartcard): self.forceBrokenShadow = True def readSysconfig(self): # Read settings from our config file, which provide defaults for anything we # figure out by examination. # We do not use setParam here as sysconfig is the default and read first try: shv = shvfile.read(all_configs[CFG_AUTHCONFIG].origPath) try: self.enableAFS = shv.getBoolValue("USEAFS") except ValueError: pass try: self.enableAFSKerberos = shv.getBoolValue("USEAFSKERBEROS") except ValueError: pass try: self.enableDB = shv.getBoolValue("USEDB") except ValueError: pass try: self.enablePWQuality = shv.getBoolValue("USEPWQUALITY") except ValueError: pass try: self.enableDBbind = shv.getBoolValue("USEDBBIND") except ValueError: pass try: self.enableDBIbind = shv.getBoolValue("USEDBIBIND") except ValueError: pass try: self.enableDirectories = shv.getBoolValue("USEDIRECTORIES") except ValueError: pass try: self.enableFaillock = shv.getBoolValue("USEFAILLOCK") self.faillockArgs = shv.getValue("FAILLOCKARGS") except ValueError: pass try: self.enableEcryptfs = shv.getBoolValue("USEECRYPTFS") except ValueError: pass try: self.enableEPS = shv.getBoolValue("USEEPS") except ValueError: pass try: self.enableHesiod = shv.getBoolValue("USEHESIOD") except ValueError: pass try: self.enableHesiodbind = shv.getBoolValue("USEHESIODBIND") except ValueError: pass try: self.enableKerberos = shv.getBoolValue("USEKERBEROS") except ValueError: pass try: self.enableLDAP = shv.getBoolValue("USELDAP") except ValueError: pass try: self.enableLDAPAuth = shv.getBoolValue("USELDAPAUTH") except ValueError: pass try: self.enableSmartcard = 
shv.getBoolValue("USESMARTCARD") except ValueError: pass try: self.enableFprintd = shv.getBoolValue("USEFPRINTD") except ValueError: pass try: self.forceSmartcard = shv.getBoolValue("FORCESMARTCARD") except ValueError: pass try: self.enableLDAPbind = shv.getBoolValue("USELDAPBIND") except ValueError: pass try: enableMD5 = shv.getBoolValue("USEMD5") if enableMD5: self.passwordAlgorithm = 'md5' else: self.passwordAlgorithm = 'descrypt' except ValueError: pass try: self.enableNIS = shv.getBoolValue("USENIS") except ValueError: pass try: self.enableNISP3 = shv.getBoolValue("USENISPLUS") except ValueError: pass try: self.enableOdbcbind = shv.getBoolValue("USEODBCBIND") except ValueError: pass try: self.enableOTP = shv.getBoolValue("USEOTP") except ValueError: pass try: self.enablePasswdQC = shv.getBoolValue("USEPASSWDQC") except ValueError: pass try: self.enableShadow = shv.getBoolValue("USESHADOW") except ValueError: pass try: self.enableWinbind = shv.getBoolValue("USEWINBIND") except ValueError: pass try: self.enableWinbindAuth = shv.getBoolValue("USEWINBINDAUTH") except ValueError: pass try: self.winbindKrb5 = shv.getBoolValue("WINBINDKRB5") except ValueError: pass try: self.enableSSSD = shv.getBoolValue("USESSSD") except ValueError: pass try: self.enableSSSDAuth = shv.getBoolValue("USESSSDAUTH") except ValueError: pass try: self.enableLocAuthorize = shv.getBoolValue("USELOCAUTHORIZE") except ValueError: pass try: self.enablePAMAccess = shv.getBoolValue("USEPAMACCESS") except ValueError: pass try: self.enableMkHomeDir = shv.getBoolValue("USEMKHOMEDIR") except ValueError: pass try: self.enableSysNetAuth = shv.getBoolValue("USESYSNETAUTH") except ValueError: pass try: self.enableForceLegacy = shv.getBoolValue("FORCELEGACY") except ValueError: pass try: self.enableCacheCreds = shv.getBoolValue("CACHECREDENTIALS") except ValueError: pass try: self.enableIPAv2 = shv.getBoolValue("USEIPAV2") except ValueError: pass try: self.ipaDomainJoined = 
shv.getBoolValue("IPADOMAINJOINED") except ValueError: pass try: self.ipav2NoNTP = shv.getBoolValue("IPAV2NONTP") except ValueError: pass self.ipav2Server = shv.getValue("IPAV2SERVER") self.ipav2Domain = shv.getValue("IPAV2DOMAIN") self.ipav2Realm = shv.getValue("IPAV2REALM") algo = shv.getValue("PASSWDALGORITHM") if algo in password_algorithms: self.passwordAlgorithm = algo shv.close() except IOError: pass return True # Read hints from the network control file. def readNetwork(self, ref): # Open the file. Bail if it's not there. try: shv = shvfile.read(all_configs[CFG_NETWORK].origPath) except IOError: return False tmp = shv.getValue("NISDOMAIN") if tmp: self.nisLocalDomain = tmp shv.close() if self.nisLocalDomain: self.setParam("nisDomain", self.nisLocalDomain, ref) return True # Compare two authInfoType structures and return True if they have any # meaningful differences. def differs(self, b): sssdsupported = self.sssdSupported() if bool(b.implicitSSSD) != sssdsupported or bool(b.implicitSSSDAuth) != sssdsupported: return True # There is slight inefficiency in that a few of the attributes # are duplicated in the save groups, but better than maintain # the whole list at two places. for group in self.save_groups: if group.attrsDiffer(self, b): return True return False # There's some serious strangeness in here, because we get called in two # different-but-closely-related scenarios. The first case is when we're # initializing the authInfo structure and we want to fill in defaults with # suggestions we "know". The second case is when the user has just made a # change to one field and we need to update another field to somehow # compensate for the change. 
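def update(self, validate=False):
    """Normalize the settings after they were read or changed.

    The server lists go through cleanList(), the LDAP servers are turned
    into URIs by ldapHostsToURIs(), and values that were never set get
    their defaults.

    validate -- passed on to ldapHostsToURIs(). When true, a URI that
                validateLDAPURI() rejects is reported through
                messageCB(); the value is stored either way, so the
                check warns but does not block a bad URI.
    """
    self.smbServers = cleanList(self.smbServers)
    self.ipav2Server = cleanList(self.ipav2Server)
    self.kerberosKDC = cleanList(self.kerberosKDC)
    self.kerberosAdminServer = cleanList(self.kerberosAdminServer)
    self.ldapServer = self.ldapHostsToURIs(self.ldapServer, validate)
    if self.smbSecurity == "ads":
        # As of this writing, an ADS implementation always
        # upper-cases the realm name, even if only internally,
        # and we need to reflect that in the krb5.conf file.
        if self.smbRealm:
            self.smbRealm = self.smbRealm.upper()
    self.passwordAlgorithm = self.passwordAlgorithm.lower()
    # Identity tests: None means "never set", which must stay distinct
    # from an explicit False or an empty realm.
    if self.enableCacheCreds is None:
        self.enableCacheCreds = True # enabled by default
    if self.kerberosRealm is None:
        self.kerberosRealm = ""


def read(self):
    """Load the current configuration from the system files.

    A copy taken before anything is read is the reference that
    setParam() compares against when it records inconsistent
    attributes. readSysconfig() runs first and assigns its values
    directly; the other readers go through setParam(), so a reader
    called later overrides what an earlier one stored.
    """
    # NOTE(review): this listing lost its line breaks and indentation;
    # the nesting below is reconstructed from the statement order and
    # should be compared with the packaged file.
    ref = self.copy()
    self.readSysconfig()
    self.readNSS(ref)
    self.readLibuser(ref)
    self.readPAM(ref)
    # implicitSSSD / implicitSSSDAuth were set above from the "sss"
    # entries found in the NSS and PAM files. If the enabled services
    # are not a combination sssdSupported() accepts (and IPAv2 is off),
    # record SSSD as explicitly enabled instead.
    reallyimplicit = self.sssdSupported()
    if self.implicitSSSD and not reallyimplicit and not self.enableIPAv2:
        self.setParam("enableSSSD", True, ref)
        self.implicitSSSD = False
    if self.implicitSSSDAuth and not reallyimplicit and not self.enableIPAv2:
        self.setParam("enableSSSDAuth", True, ref)
        self.implicitSSSDAuth = False
    self.readLogindefs(ref)
    self.readPWQuality(ref)
    self.readHesiod(ref)
    self.readWinbind(ref)
    self.readNetwork(ref)
    self.readNIS(ref)
    # If SSSD is not implicitly enabled, read its settings before the
    # LDAP and Kerberos files, so those files have the last word.
    if not self.implicitSSSD and not self.implicitSSSDAuth:
        self.readSSSD(ref)
    self.readLDAP(ref)
    self.readKerberos(ref)
    # With implicit SSSD the order is reversed and sssd.conf wins.
    if self.implicitSSSD or self.implicitSSSDAuth:
        self.readSSSD(ref)
    self.readSmartcard(ref)
    self.readCache(ref)
    self.update()


def copy(self):
    """Return a shallow copy of this object without the join credentials.

    copy.copy() copies attribute references only, so mutable attributes
    (the save_groups list, the SSSD configuration object) are shared
    with the original.
    """
    ret = copy.copy(self)
    # Keep the domain-join user name and password out of the copy; only
    # the original object goes on holding them.
    ret.joinUser = ""
    ret.joinPassword = ""
    return ret


def writeCache(self):
    """Back up the cache configuration and pass on the caching state.

    Always returns True.
    """
    all_configs[CFG_CACHE].backup(self.backupDir)
    # This calls the module-level writeCache() function, not this
    # method. It gets a false value whenever SSSD is implicitly enabled.
    writeCache(self.enableCache and not self.implicitSSSD)
    return True


def writeHesiod(self):
    """Back up the Hesiod configuration and store the lhs/rhs values.

    Returns False when the file cannot be opened, True otherwise.
    """
    all_configs[CFG_HESIOD].backup(self.backupDir)
    try:
        shv = shvfile.rcreate(all_configs[CFG_HESIOD].origPath)
    except IOError:
        return False
    shv.setValue("lhs", self.hesiodLHS)
    shv.setValue("rhs", self.hesiodRHS)
    # 0644 is presumably the file mode (owner read/write, everyone else
    # read-only) -- confirm against shvfile.
    shv.write(0644)
    shv.close()
    return True


# Write NIS setup to /etc/yp.conf.
def writeNIS(self):
    """Rewrite the NIS client configuration file (CFG_YP).

    Lines of the existing file are copied, except that "domain" lines
    naming the current (nisDomain) or the previous (nisLocalDomain)
    domain and all "ypserver" lines are dropped and replaced by the
    configured domain and servers. If the file had no line to replace,
    the settings are appended at the end.

    Returns True. Any error other than an IOError while closing the
    file propagates to the caller.
    """
    # NOTE(review): this listing lost its line breaks and indentation;
    # the nesting below is reconstructed from the statement order and
    # should be compared with the packaged file.
    # NOTE(review): nisDomain and nisServer are written into the file
    # as they are, without escaping or validation in this method; a
    # value containing a line break would add lines of its own.
    # Presumably the callers restrict these values -- confirm.
    written = False
    f = None
    output = ""
    all_configs[CFG_YP].backup(self.backupDir)
    try:
        # 0644 is presumably the mode of the rewritten file -- confirm
        # against SafeFile.
        f = SafeFile(all_configs[CFG_YP].origPath, 0644)

        # Read in the old file.
        for line in f.file:
            ls = line.strip()

            value = matchKey(ls, "domain")
            if value:
                # Save the domain's name. To do that, find its end.
                value = value.split(None, 1)
                if len(value) < 1:
                    continue
                if value[0] != self.nisDomain and value[0] != self.nisLocalDomain:
                    # The domain name doesn't match current or previous domain
                    output += line
                    continue

                if not written and self.nisDomain:
                    output += "domain " + self.nisDomain
                    # Take an empty server name to mean that we
                    # want to use broadcast.
                    servers = self.nisServer.split(",")
                    # Test the first entry, as the append path below
                    # does: a list with an empty first element must not
                    # produce a "server" keyword without a name.
                    if servers[0]:
                        output += " server "
                        output += servers[0]
                    else:
                        output += " broadcast"
                    output += "\n"

                    servers = servers[1:]
                    for s in servers:
                        if s:
                            output += "ypserver " + s + "\n"

                    written = True
            elif matchLine(ls, "ypserver"):
                # If it's a 'ypserver' line, insert ours instead.
                if not written and not self.nisDomain and self.nisServer:
                    servers = self.nisServer.split(",")
                    for s in servers:
                        if s:
                            output += "ypserver " + s + "\n"
                    written = True
            else:
                # Otherwise, just copy the current line out.
                output += line

        # If we haven't encountered a domain line yet...
        if not written:
            servers = self.nisServer.split(",")
            if self.nisDomain:
                output += "domain " + self.nisDomain
                # Take an empty server name to mean that we
                # want to use broadcast.
                if servers[0]:
                    output += " server "
                    output += servers[0]
                    servers = servers[1:]
                else:
                    output += " broadcast"
                output += "\n"

            for s in servers:
                if s:
                    output += "ypserver " + s + "\n"

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        # Close the file on every path; a failure to close is ignored
        # on purpose.
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True

# Write LDAP setup to an ldap.conf using host and base as keys.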
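def writeLDAP2(self, filename, uri, host, base, writepadl, writeschema, writepam):
    """Rewrite one LDAP client configuration file.

    uri, host and base are the keyword spellings used by that file.
    writepadl, writeschema and writepam select whether the 'ssl',
    'nss_schema' and 'pam_password' keywords are managed as well.
    Lines that are not managed are copied through unchanged.  Always
    returns True; errors opening or saving the file propagate.

    Note that 'ssl no' is written when enableLDAPS is unset, and that the
    file is created with mode 0644.
    """
    wrotebasedn = wroteserver = wrotessl = False
    wroteschema = wrotepass = wrotecacertdir = False
    f = None
    output = ""
    # Every algorithm other than the DES variants is written as "md5".
    if self.passwordAlgorithm and self.passwordAlgorithm not in ("descrypt", "bigcrypt"):
        passalgo = "md5"
    else:
        passalgo = "crypt"

    # The renderers are only called once the corresponding value is known
    # to be needed, exactly where the line is emitted.
    def uri_line():
        return uri + " " + " ".join(self.ldapServer.split(",")) + "\n"

    def base_line():
        return base + " " + self.ldapBaseDN + "\n"

    def ssl_line():
        return "ssl " + ("start_tls" if self.enableLDAPS else "no") + "\n"

    def schema_line():
        return "nss_schema " + self.ldapSchema + "\n"

    def cacertdir_line():
        keyword = "tls_cacertdir" if writepadl else "TLS_CACERTDIR"
        return keyword + " " + self.ldapCacertDir + "\n"

    def pam_password_line():
        return "pam_password " + passalgo + "\n"

    try:
        f = SafeFile(filename, 0o644)

        # Read in the old file.
        for line in f.file:
            ls = line.strip()
            if matchLine(ls, uri):
                # If it's a 'uri' line, insert ours instead.
                if not wroteserver and self.ldapServer:
                    output += uri_line()
                    wroteserver = True
            elif matchLine(ls, host):
                # If it's a 'host' line, comment it out.
                if self.ldapServer:
                    output += "#" + line
            elif matchBaseLine(ls, base):
                # If it's a 'base' line, insert ours instead.
                if not wrotebasedn and self.ldapBaseDN:
                    output += base_line()
                    wrotebasedn = True
            elif writepadl and matchLine(ls, "ssl"):
                # If it's an 'ssl' line, insert ours instead.
                if not wrotessl:
                    output += ssl_line()
                    wrotessl = True
            elif writeschema and matchLine(ls, "nss_schema"):
                # If it's an 'nss_schema' line, insert ours instead.
                if not wroteschema and self.ldapSchema:
                    output += schema_line()
                    wroteschema = True
            elif matchLineI(ls, "tls_cacertdir"):
                # If it's a 'tls_cacertdir' line, insert ours instead.
                if not wrotecacertdir:
                    output += cacertdir_line()
                    wrotecacertdir = True
            elif writepam and matchLine(ls, "pam_password"):
                # If it's a 'pam_password' line, write the correct setting.
                if not wrotepass:
                    output += pam_password_line()
                    wrotepass = True
            else:
                # Otherwise, just copy the current line out.
                output += line

        # If we haven't encountered either of the config lines yet...
        if not wroteserver and self.ldapServer:
            output += uri_line()
        if not wrotebasedn and self.ldapBaseDN:
            output += base_line()
        if writepadl and not wrotessl:
            output += ssl_line()
        if writeschema and not wroteschema and self.ldapSchema:
            output += schema_line()
        if not wrotecacertdir:
            output += cacertdir_line()
        if writepam and not wrotepass:
            output += pam_password_line()

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


def writeLDAP(self):
    """Update every LDAP client configuration file that is in use.

    The optional files are rewritten only when they already exist; the
    OpenLDAP client file is always rewritten and its result is returned.
    """
    # (configuration id, manage nss_schema, manage pam_password)
    optional = (
        (CFG_LDAP, True, True),
        (CFG_NSSLDAP, True, False),
        (CFG_PAMLDAP, False, True),
        (CFG_NSLCD, False, False),
    )
    for cfg, writeschema, writepam in optional:
        if os.path.isfile(all_configs[cfg].origPath):
            all_configs[cfg].backup(self.backupDir)
            self.writeLDAP2(all_configs[cfg].origPath,
                            "uri", "host", "base", True, writeschema, writepam)
    all_configs[CFG_OPENLDAP].backup(self.backupDir)
    return self.writeLDAP2(all_configs[CFG_OPENLDAP].origPath,
                           "URI", "HOST", "BASE", False, False, False)


def cryptStyle(self):
    """Return the libuser 'crypt_style' line for the password algorithm.

    md5, sha256 and sha512 are passed through; anything else becomes des.
    """
    prefix = "crypt_style = "
    if self.passwordAlgorithm in ("md5", "sha256", "sha512"):
        return prefix + self.passwordAlgorithm
    return prefix + "des"


# Write libuser's password algo setting to /etc/libuser.conf.
def writeLibuser(self):
    """Set crypt_style in the [defaults] section of the libuser configuration.

    An existing crypt_style line in [defaults] is replaced; if the section
    has none, the line is added at the end of the section; if there is no
    [defaults] section, one is appended.  Always returns True.
    """
    wrotecryptstyle = False
    wrotedefaults = False
    section = ""
    f = None
    output = ""
    all_configs[CFG_LIBUSER].backup(self.backupDir)
    try:
        f = SafeFile(all_configs[CFG_LIBUSER].origPath, 0o644)

        # Read in the old file.
        for line in f.file:
            ls = line.strip()

            # If this is the "crypt_style" in the defaults section,
            # replace it with the values we now have.
            if section == "defaults" and matchLine(ls, "crypt_style"):
                output += self.cryptStyle() + "\n"
                wrotecryptstyle = True
                continue

            # If it's the beginning of a section, record its name.
            if matchLine(ls, "["):
                # If the previous section was "defaults", and we didn't
                # see the crypt_style setting, write it out.
                if section == "defaults" and not wrotecryptstyle:
                    output += self.cryptStyle() + "\n"
                    wrotecryptstyle = True
                section = ls[1:].split("]", 1)[0]
                if section == "defaults":
                    wrotedefaults = True

            output += line

        if not wrotedefaults:
            # If we haven't encountered a defaults section yet...
            output += "[defaults]\n" + self.cryptStyle() + "\n"
        elif section == "defaults" and not wrotecryptstyle:
            # [defaults] was the last section of the file and had no
            # crypt_style line; without this the hashing algorithm would
            # silently stay unset.
            if output and not output.endswith("\n"):
                output += "\n"
            output += self.cryptStyle() + "\n"

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


# Write shadow utils password algo setting to /etc/login.defs.
def writeLogindefs(self):
    """Set MD5_CRYPT_ENAB and ENCRYPT_METHOD in login.defs.

    Existing lines for the two keywords are replaced, missing ones are
    appended; comments and all other lines are copied through.  The DES
    variants are written as 'DES', other algorithms as their upper-cased
    name.  Always returns True.
    """
    wrotemd5crypt = False
    wroteencmethod = False
    f = None
    output = ""
    all_configs[CFG_LOGIN_DEFS].backup(self.backupDir)

    if self.passwordAlgorithm == "md5":
        md5crypt = "MD5_CRYPT_ENAB yes\n"
    else:
        md5crypt = "MD5_CRYPT_ENAB no\n"
    if self.passwordAlgorithm in ("descrypt", "bigcrypt"):
        encmethod = "ENCRYPT_METHOD DES\n"
    else:
        encmethod = "ENCRYPT_METHOD " + self.passwordAlgorithm.upper() + "\n"

    try:
        f = SafeFile(all_configs[CFG_LOGIN_DEFS].origPath, 0o644)

        # Read in the old file.
        for line in f.file:
            match = ld_line_re.match(line)
            if match is None:
                output += line
                continue
            name = match.group(1)
            if name.startswith('#'):
                output += line
                continue
            if name == "MD5_CRYPT_ENAB":
                output += md5crypt
                wrotemd5crypt = True
                continue
            if name == "ENCRYPT_METHOD":
                output += encmethod
                wroteencmethod = True
                continue
            output += line

        # Append the settings that were not present in the file.
        if not wrotemd5crypt:
            output += md5crypt
        if not wroteencmethod:
            output += encmethod

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


def formatClassReqParam(self, line, value):
    """Return a pwquality '*credit' line reflecting a character-class requirement.

    line is the existing setting (or just the keyword), value is True to
    require the class, False to not require it, None for "unchanged".
    A negative number means the class is required.  An existing numeric
    setting is only rewritten when its sign contradicts value, so a
    stricter value such as -2 or a positive credit chosen by the
    administrator is preserved.
    """
    ls = line.split('=')
    if len(ls) <= 1:
        ls = line.split(' ')
    if len(ls) > 1:
        try:
            oldval = int(ls[1])
        except ValueError:
            # Unparsable old value: fall through and write a fresh one.
            pass
        else:
            if value == None:
                return line
            if value and oldval >= 0:
                return ls[0] + " = -1"
            if not value and oldval < 0:
                return ls[0] + " = 0"
            # The existing value already agrees with the request; keep it
            # instead of resetting it to -1 or 0.
            return line
    return ls[0] + " = " + ("-1" if value else "0")


# Write pwquality password requirements settings to /etc/security/pwquality.conf.
def writePWQuality(self):
    """Update the password quality requirements, keeping unrelated lines.

    The first occurrence of each managed keyword is replaced, further
    occurrences are dropped and missing keywords are appended.  Always
    returns True.
    """
    # (keyword, attribute holding the value, is a character-class credit)
    settings = (
        ("minlen", "passMinLen", False),
        ("minclass", "passMinClass", False),
        ("maxrepeat", "passMaxRepeat", False),
        ("maxclassrepeat", "passMaxClassRepeat", False),
        ("lcredit", "passReqLower", True),
        ("ucredit", "passReqUpper", True),
        ("dcredit", "passReqDigit", True),
        ("ocredit", "passReqOther", True),
    )
    written = set()
    f = None
    output = ""

    def render(key, attr, is_credit, current):
        # current is the existing (comment-stripped) line, or the bare
        # keyword when the setting is appended.
        value = getattr(self, attr)
        if is_credit:
            return self.formatClassReqParam(current, value) + "\n"
        return key + " = " + value + "\n"

    all_configs[CFG_PWQUALITY].backup(self.backupDir)
    try:
        f = SafeFile(all_configs[CFG_PWQUALITY].origPath, 0o644)

        # Read in the old file.
        for line in f.file:
            ls = line.split('#')[0].strip()
            for key, attr, is_credit in settings:
                if matchLine(ls, key):
                    if key not in written:
                        output += render(key, attr, is_credit, ls)
                        written.add(key)
                    break
            else:
                output += line

        for key, attr, is_credit in settings:
            if key not in written:
                output += render(key, attr, is_credit, key)

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


# Write Kerberos 5 setup to /etc/krb5.conf.
def writeKerberos(self):
    """Rewrite the Kerberos client configuration, keeping unrelated lines.

    Managed items: the includedir line, default_realm / dns_lookup_realm /
    dns_lookup_kdc in [libdefaults], the kdc and admin_server entries of
    the configured realm (and the kdc of the SMB realm when security is
    "ads") in [realms], and the realm mapping in [domain_realm].  An
    existing domain_realm mapping for the realm is left untouched.
    Missing sections are appended.  Always returns True.
    """
    wroterealm = False
    wrotekdc = False
    wroteadmin = False
    wrotesmbrealm = False
    wrotesmbkdc = False
    wroterealms = False
    wrotelibdefaults = False
    wroterealms2 = False
    wrotelibdefaults2 = False
    wrotedefaultrealm = False
    wrotednsrealm = False
    wrotednskdc = False
    wroteourdomrealm = False
    wrotedomrealm = False
    wrotedomrealm2 = False
    # No dir -> no incdir line, set as if already written
    wroteincdir = not os.access(PATH_KRB5_INCLUDEDIR, os.R_OK)
    section = ""
    subsection = ""
    f = None
    output = ""
    all_configs[CFG_KRB5].backup(self.backupDir)

    if self.enableKerberos and self.kerberosRealm:
        defaultrealm = self.kerberosRealm
    elif ((self.enableWinbind or self.enableWinbindAuth)
          and self.smbSecurity == "ads" and self.smbRealm):
        defaultrealm = self.smbRealm
    else:
        defaultrealm = self.kerberosRealm
    if self.kerberosRealm == self.smbRealm:
        wrotesmbrealm = True

    def default_realm_line():
        return " default_realm = " + defaultrealm + "\n"

    def dns_realm_line():
        return " dns_lookup_realm = " + str(bool(self.kerberosRealmviaDNS)).lower() + "\n"

    def dns_kdc_line():
        return " dns_lookup_kdc = " + str(bool(self.kerberosKDCviaDNS)).lower() + "\n"

    def domain_realm_lines():
        realm = self.kerberosRealm
        return (" " + realm.lower() + " = " + realm + "\n"
                + " ." + realm.lower() + " = " + realm + "\n")

    try:
        f = SafeFile(all_configs[CFG_KRB5].origPath, 0o644)

        # Read in the old file.
        for line in f.file:
            ls = line.strip()

            if matchLine(ls, "includedir " + PATH_KRB5_INCLUDEDIR):
                if wroteincdir:
                    # already written or should be removed
                    continue
                wroteincdir = True

            in_our_realm = (section == "realms" and subsection
                            and subsection == self.kerberosRealm)

            # If this is the "kdc" in our realm, replace it with
            # the values we now have.
            if in_our_realm and matchLine(ls, "kdc"):
                if not wrotekdc:
                    if self.kerberosKDC:
                        output += krbKdc(self.kerberosKDC)
                    wrotekdc = True
                continue
            # If this is the "kdc" in the SMB realm, replace it with
            # the values we now have.
            if (section == "realms" and self.smbSecurity == "ads" and subsection
                    and subsection == self.smbRealm and matchLine(ls, "kdc")):
                if not wrotesmbkdc:
                    if self.smbServers:
                        output += krbKdc(self.smbServers)
                    wrotesmbkdc = True
                continue
            # If this is the "admin_server" in our realm, replace it with
            # the values we now have.
            if in_our_realm and matchLine(ls, "admin_server"):
                if not wroteadmin:
                    if self.kerberosAdminServer:
                        output += krbAdminServer(self.kerberosAdminServer)
                    wroteadmin = True
                continue
            # If we're in the realms section, but not in a realm, we'd
            # better be looking at the beginning of one.
            if section == "realms" and not subsection:
                # Read the name of the realm.
                value = ls.split(None, 1)
                if len(value) < 1:
                    output += line
                    continue
                subsection = value[0]
                # If this is the section for our realm, mark that.
                if self.kerberosRealm and subsection == self.kerberosRealm:
                    wroterealm = True
                if self.smbRealm and subsection == self.smbRealm:
                    wrotesmbrealm = True
            # If it's the end of a subsection, mark that.
            if section == "realms" and subsection and matchLine(ls, "}"):
                # If it's the right section of realms, write out
                # info we haven't already written.
                if self.kerberosRealm and subsection == self.kerberosRealm:
                    if not wrotekdc:
                        output += krbKdc(self.kerberosKDC)
                        wrotekdc = True
                    if not wroteadmin:
                        output += krbAdminServer(self.kerberosAdminServer)
                        wroteadmin = True
                if self.smbRealm and subsection == self.smbRealm:
                    if not wrotesmbkdc:
                        output += krbKdc(self.smbServers)
                        wrotesmbkdc = True
                subsection = ""
            # If we're in the libdefaults section, and this is the
            # default_realm keyword, replace it with ours.
            if section == "libdefaults" and matchLine(ls, "default_realm"):
                if defaultrealm and not wrotedefaultrealm:
                    output += default_realm_line()
                    wrotedefaultrealm = True
                continue
            if section == "libdefaults" and matchLine(ls, "dns_lookup_realm"):
                if not wrotednsrealm:
                    output += dns_realm_line()
                    wrotednsrealm = True
                continue
            if section == "libdefaults" and matchLine(ls, "dns_lookup_kdc"):
                if not wrotednskdc:
                    output += dns_kdc_line()
                    wrotednskdc = True
                continue
            # don't change the domain_realm mapping if it's already there
            if (section == "domain_realm" and self.kerberosRealm
                    and (matchLine(ls, self.kerberosRealm.lower())
                         or matchLine(ls, "." + self.kerberosRealm.lower()))):
                output += line
                wroteourdomrealm = True
                continue
            # If it's the beginning of a section, record its name.
            if matchLine(ls, "["):
                if not wroteincdir:
                    output += "includedir " + PATH_KRB5_INCLUDEDIR + "\n"
                    wroteincdir = True
                # If the previous section was "realms", and we didn't
                # see ours, write our realm out.
                if section == "realms" and self.kerberosRealm and not wroterealm:
                    output += krbRealm(self.kerberosRealm, self.kerberosKDC,
                                       self.kerberosAdminServer)
                    wroterealm = True
                # If the previous section was "realms", and we didn't
                # see the SMB realm, write it out.
                if section == "realms" and self.smbRealm and not wrotesmbrealm:
                    output += krbRealm(self.smbRealm, self.smbServers, "")
                    wrotesmbrealm = True
                # If the previous section was "libdefaults", and we
                # didn't see a "default_realm", write it out.
                if section == "libdefaults":
                    if defaultrealm and not wrotedefaultrealm:
                        output += default_realm_line()
                        wrotedefaultrealm = True
                    if self.kerberosRealmviaDNS != None and not wrotednsrealm:
                        output += dns_realm_line()
                        wrotednsrealm = True
                    if self.kerberosKDCviaDNS != None and not wrotednskdc:
                        output += dns_kdc_line()
                        wrotednskdc = True
                if section == "domain_realm":
                    if self.kerberosRealm and not wroteourdomrealm:
                        output += domain_realm_lines()
                        wroteourdomrealm = True
                # Remember which sections have been completely processed...
                if section == "realms":
                    wroterealms2 = True
                elif section == "libdefaults":
                    wrotelibdefaults2 = True
                elif section == "domain_realm":
                    wrotedomrealm2 = True
                # ...and which section starts here.
                section = ls[1:].split("]", 1)[0]
                if section == "realms":
                    wroterealms = True
                elif section == "libdefaults":
                    wrotelibdefaults = True
                elif section == "domain_realm":
                    wrotedomrealm = True

            # Otherwise, just copy the current line out.
            output += line

        # If we haven't encountered a libdefaults section yet...
        if not wrotelibdefaults2:
            if not wrotelibdefaults:
                output += "[libdefaults]\n"
            if defaultrealm and not wrotedefaultrealm:
                output += default_realm_line()
            if self.kerberosRealmviaDNS != None and not wrotednsrealm:
                output += dns_realm_line()
            if self.kerberosKDCviaDNS != None and not wrotednskdc:
                output += dns_kdc_line()
        # If we haven't encountered a realms section yet...
        if not wroterealms2 and (self.kerberosRealm or self.smbRealm):
            if not wroterealms:
                output += "[realms]\n"
            if not wroterealm:
                output += krbRealm(self.kerberosRealm, self.kerberosKDC,
                                   self.kerberosAdminServer)
            if not wrotesmbrealm:
                output += krbRealm(self.smbRealm, self.smbServers, "")
        if not wrotedomrealm2 and self.kerberosRealm:
            if not wrotedomrealm:
                output += "[domain_realm]\n"
            if self.kerberosRealm and not wroteourdomrealm:
                output += domain_realm_lines()

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


def changeProvider(self, domain, newprovider, subtype):
    """Make newprovider the '<subtype>_provider' of an SSSD domain.

    Nothing is done when the provider is already set to newprovider;
    otherwise a previously configured provider is removed first.
    """
    try:
        prov = domain.get_option(subtype + '_provider')
    except SSSDConfig.NoOptionError:
        prov = None
    if prov == newprovider:
        return
    if prov != None:
        domain.remove_provider(subtype)
    domain.add_provider(newprovider, subtype)


def writeSSSDPAM(self, write_config):
    """Set or clear pam_cert_auth in the SSSD 'pam' service.

    pam_cert_auth is enabled only when smart cards and SSSD authentication
    are enabled and the smart card module is "sssd".  The configuration is
    written to disk only when write_config is true.  Always returns True.
    """
    if not self.sssdConfig:
        return True
    if not self.sssdConfigPresent and not self.implicitSSSD:
        # do not write to sssd.conf since the file does not exist yet and
        # we are not creating the domain ourselves
        return True
    try:
        pam = self.sssdConfig.get_service('pam')
    except SSSDConfig.NoServiceError:
        pam = self.sssdConfig.new_service('pam')

    if self.enableSmartcard and self.enableSSSDAuth and self.smartcardModule == "sssd":
        pam.set_option('pam_cert_auth', 'True')
    else:
        try:
            pam.remove_option('pam_cert_auth')
        except SSSDConfig.NoOptionError:
            pass
    self.sssdConfig.save_service(pam)

    if write_config:
        try:
            self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
        except IOError:
            # NOTE(review): a failed write is ignored and True is still
            # returned, so the caller cannot tell the change was not saved.
            pass
    return True


def writeSSSD(self):
    """Update the authconfig-managed SSSD domain and write sssd.conf.

    With IPAv2 only the backup is taken.  The domain is activated when
    LDAP is enabled and deactivated otherwise.  Always returns True.
    """
    if not self.sssdConfig:
        return True

    all_configs[CFG_SSSD].backup(self.backupDir)

    # do not write to the file yet since we will write all changes at once
    self.writeSSSDPAM(False)

    if self.enableIPAv2:
        # just save the backup
        return True

    if not self.sssdDomain:
        if not self.implicitSSSD:
            # do not create a domain that would be incomplete anyway
            return True
        try:
            self.sssdDomain = self.sssdConfig.new_domain(SSSD_AUTHCONFIG_DOMAIN)
        except SSSDConfig.DomainAlreadyExistsError:
            self.sssdDomain = self.sssdConfig.get_domain(SSSD_AUTHCONFIG_DOMAIN)
    domain = self.sssdDomain

    try:
        self.sssdConfig.get_service('autofs')
    except SSSDConfig.NoServiceError:
        self.sssdConfig.new_service('autofs')
    # NOTE(review): reconstructed from a listing that lost its indentation;
    # confirm that the activation is meant to run even when the service
    # already existed.
    self.sssdConfig.activate_service('autofs')

    activate = False
    if self.enableLDAP:
        activate = True
        self.changeProvider(domain, 'ldap', 'id')
        self.changeProvider(domain, 'ldap', 'autofs')

    if self.enableKerberos:
        self.changeProvider(domain, 'krb5', 'auth')
        self.changeProvider(domain, 'krb5', 'chpass')
    elif self.enableLDAPAuth:
        self.changeProvider(domain, 'ldap', 'auth')
        self.changeProvider(domain, 'ldap', 'chpass')

    for (attr, option) in sssd_options:
        try:
            val = getattr(self, attr)
            if option == 'ldap_uri':
                val = cleanList(val)
            if type(val) == bool:
                domain.set_option(option, val)
            elif type(val) == str and val:
                domain.set_option(option, val)
            else:
                # Empty strings and values of any other type clear the option.
                domain.remove_option(option)
        except SSSDConfig.NoOptionError:
            pass

    self.sssdConfig.save_domain(domain)

    if activate:
        self.sssdConfig.activate_domain(domain.get_name())
    else:
        self.sssdConfig.deactivate_domain(domain.get_name())

    try:
        self.sssdConfig.write(all_configs[CFG_SSSD].origPath)
    except IOError:
        # NOTE(review): a failed write is ignored and True is still returned.
        pass
    return True


def writeSmartcard(self):
    """Configure the pam_pkcs11 module and its card insert/removal actions.

    Does nothing when no smart card module is set.  Always returns True.
    """
    if self.smartcardModule == None:
        # pam_pkcs11 not installed
        return True
    all_configs[CFG_PAM_PKCS11].backup(self.backupDir)
    insact = "/usr/sbin/gdm-safe-restart"
    rmact = "/usr/sbin/gdm-safe-restart"
    # The action is compared against the translated label, so the result
    # depends on the locale the value was stored in.
    if self.smartcardAction == _("Lock"):
        insact += ",/etc/pkcs11/lockhelper.sh -lock"
        rmact += ",/etc/pkcs11/lockhelper.sh -deactivate"
    callPKCS11Setup(["use_module=" + self.smartcardModule,
                     "ins_action=" + insact,
                     "rm_action=" + rmact])
    return True


def writeDConf(self):
    """Write the GNOME login-screen dconf settings and their locks.

    For every setting that is forced, a key is written to the dconf
    database file and a matching path to the locks file, which keeps users
    from overriding it.  Both files are removed first and are only
    recreated when at least one lock is needed.  Always returns True.
    """
    output = ""
    locks = ""
    all_configs[CFG_DCONF].backup(self.backupDir)
    all_configs[CFG_DCONF_LOCKS].backup(self.backupDir)

    # create the dconf directories if needed
    locksdir = os.path.dirname(all_configs[CFG_DCONF_LOCKS].origPath)
    if not os.path.isdir(locksdir):
        if not self.enableSmartcard:
            # smart cards not enabled - ignore
            return True
        os.makedirs(locksdir)

    # The file header and the current group header are emitted once,
    # in front of the first setting that needs them.
    pending = {
        "header": "# Generated by authconfig on " + time.strftime("%Y/%m/%d %H:%M:%S") + "\n",
        "group": "\n[org/gnome/login-screen]\n",
    }

    def setting(text):
        rendered = pending["header"] + pending["group"] + text
        pending["header"] = pending["group"] = ""
        return rendered

    if not self.enableSmartcard or not self.smartcardModule:
        output += setting("enable-smartcard-authentication=false\n")
        # Every lock path must end with a newline; without it the next
        # path is glued to this one and neither lock is valid.
        locks += "/org/gnome/login-screen/enable-smartcard-authentication\n"
    if self.enableSmartcard and self.forceSmartcard:
        output += setting("enable-password-authentication=false\n")
        locks += "/org/gnome/login-screen/enable-password-authentication\n"
    if not self.enableFprintd or (self.enableSmartcard and self.smartcardModule
                                  and self.forceSmartcard):
        output += setting("enable-fingerprint-authentication=false\n")
        locks += "/org/gnome/login-screen/enable-fingerprint-authentication\n"

    pending["group"] = "\n[org/gnome/settings-daemon/peripherals/smartcard]\n"
    if self.smartcardAction == _("Lock"):
        output += setting("removal-action='lock-screen'\n")
        locks += "/org/gnome/settings-daemon/peripherals/smartcard\n"

    for cfg in (CFG_DCONF, CFG_DCONF_LOCKS):
        try:
            os.unlink(all_configs[cfg].origPath)
        except OSError:
            pass

    if locks != "":
        for cfg, content in ((CFG_DCONF, output), (CFG_DCONF_LOCKS, locks)):
            # Reset the handle so a failure opening the second file does
            # not close the first one again.
            f = None
            try:
                f = SafeFile(all_configs[cfg].origPath, 0o644)
                f.rewind()
                f.write(content)
                f.save()
            finally:
                try:
                    if f:
                        f.close()
                except IOError:
                    pass

    # NOTE(review): runs through the shell and resolves "dconf" via PATH
    # of the calling (privileged) process, and the exit status is ignored;
    # an absolute path without a shell would be more robust.
    # NOTE(review): placement outside the "locks" branch is reconstructed
    # from a listing that lost its indentation - confirm.
    os.system("dconf update")
    return True


def paramsWinbind(self):
    """Return the authconfig-managed block for the [global] section of smb.conf.

    The block is delimited by the --start-line--/--end-line-- markers so
    that it can be found and replaced on the next run.
    """
    parts = [
        "#--authconfig--start-line--\n",
        "\n",
        "# Generated by authconfig on " + time.strftime("%Y/%m/%d %H:%M:%S") + "\n",
        "# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)\n",
        "# Any modification may be deleted or altered by authconfig in future\n",
        "\n",
    ]
    if self.smbWorkgroup:
        parts.append(" workgroup = " + self.smbWorkgroup + "\n")
    if self.smbServers:
        parts.append(" password server = " + self.smbServers.replace(",", " ") + "\n")
    if self.smbRealm:
        parts.append(" realm = " + self.smbRealm + "\n")
    if self.smbSecurity:
        parts.append(" security = " + self.smbSecurity + "\n")
    if self.smbIdmapRange:
        parts.append(" idmap config * : range = " + self.smbIdmapRange + "\n")
    if self.winbindSeparator:
        parts.append(" winbind separator = " + self.winbindSeparator + "\n")
    if self.winbindTemplateHomedir:
        parts.append(" template homedir = " + self.winbindTemplateHomedir + "\n")
    if self.winbindTemplateShell:
        parts.append(" template shell = " + self.winbindTemplateShell + "\n")
    if self.winbindKrb5:
        parts.append(" kerberos method = secrets and keytab" + "\n")
    else:
        parts.append(" kerberos method = secrets only" + "\n")
    parts.append(" winbind use default domain = "
                 + str(bool(self.winbindUseDefaultDomain)).lower() + "\n")
    parts.append(" winbind offline logon = "
                 + str(bool(self.winbindOffline)).lower() + "\n")
    parts.append("\n")
    parts.append("#--authconfig--end-line--\n")
    return "".join(parts)


def checkLineWinbind(self, line, ls, options):
    """Return line, prefixed with ';' when it sets one of the managed options."""
    # Check if this is a setting we care about.
    for opt in options:
        if matchLineSMB(ls, opt):
            return ";" + line
    return line

# Write winbind settings to /etc/samba/smb.conf.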
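def writeWinbind(self):
    """Rewrite smb.conf with the winbind settings in the [global] section.

    A previously generated block (between the authconfig start/end
    markers) is dropped, a fresh block is inserted right after the
    [global] header, and other [global] lines that set a managed option
    are commented out.  A [global] section is appended when the file has
    none.  Always returns True.
    """
    authsection = False
    wroteauthsection = False
    section = ""
    all_configs[CFG_SMB].backup(self.backupDir)
    options = ["workgroup", "password server", "realm", "security",
               "domain logons", "domain master",
               "idmap uid", "idmap gid", "winbind separator",
               "template homedir", "template shell",
               "winbind use default domain",
               "winbind offline logon", "kerberos method"]
    f = None
    output = ""
    try:
        f = SafeFile(all_configs[CFG_SMB].origPath, 0o644)

        # Read in the old file.
        for line in f.file:
            ls = line.strip()

            if authsection:
                if matchLine(ls, "#--authconfig--end-line--"):
                    authsection = False
                # skip all previous authconfig generated lines
                continue

            if matchLine(ls, "#--authconfig--start-line--"):
                authsection = True
                continue

            # If it's a comment, just pass it through.
            if matchLine(ls, ";") or matchLine(ls, "#"):
                output += line
                continue

            # If it's a section start, note the section name.
            value = matchKey(ls, "[")
            if value and "]" in value:
                section = value.split("]")[0].lower()
                output += line
                if section == "global":
                    output += self.paramsWinbind()
                    wroteauthsection = True
                continue

            # Comment out options we set.
            if section == "global":
                output += self.checkLineWinbind(line, ls, options)
                continue

            # Copy anything else as is.
            output += line

        if not wroteauthsection:
            output += "[global]\n"
            output += self.paramsWinbind()

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


# Write NSS setup to /etc/nsswitch.conf.
def writeNSS(self):
    """Rewrite the name-service switch lines managed by authconfig.

    passwd, shadow, group, netgroup, automount, hosts and services are
    replaced (or appended when missing); the first 'initgroups' line is
    commented out; everything else is copied through.  Always returns True.
    """
    users = ""
    normal = ""
    hosts = ""
    f = None
    output = ""
    all_configs[CFG_NSSWITCH].backup(self.backupDir)
    try:
        f = SafeFile(all_configs[CFG_NSSWITCH].origPath, 0o644)

        # Determine what we want in that file for most of the databases. If
        # we're using DB, we're doing it for speed, so put it in first. Then
        # comes files. Then everything else in reverse alphabetic order.
        if self.enableDB:
            normal += " db"
        normal += " files"
        if self.enableAltfiles:
            normal += " altfiles"
        services = normal
        if self.enableDirectories:
            normal += " directories"
        if self.enableOdbcbind:
            normal += " odbcbind"
        if self.enableNIS3:
            normal += " nisplus"
        if self.enableNIS:
            normal += " nis"
        if self.enableSSSD or self.implicitSSSD or self.enableIPAv2:
            normal += " sss"
            services += " sss"
        if self.enableLDAPbind:
            normal += " ldapbind"
        if self.enableLDAP and not self.implicitSSSD:
            normal += " ldap"
        if self.enableHesiodbind:
            normal += " hesiodbind"
        if self.enableHesiod:
            normal += " hesiod"
        if self.enableDBIbind:
            normal += " dbibind"
        if self.enableDBbind:
            normal += " dbbind"

        netgroup = normal

        # Generate the list for users and groups. The same as most other
        # services, just use "compat" instead of "files" if "compat" is
        # enabled.
        if self.enableCompat:
            users = normal.replace("files", "compat")
        else:
            users = normal

        if self.enableWinbind:
            users += " winbind"

        if not os.access(PATH_LIBSSS_AUTOFS, os.R_OK):
            # No support for automount in sssd
            if self.enableLDAP and self.implicitSSSD:
                normal = normal.replace("sss", "ldap")
            else:
                normal = normal.replace(" sss", "")

        # Hostnames we treat specially.
        hosts += " files"
        if self.enableMDNS:
            hosts += " mdns4_minimal [NOTFOUND=return]"
        if self.preferDNSinHosts:
            hosts += " dns"
        if self.enableWINS:
            hosts += " wins"
        if self.enableNIS3:
            hosts += " nisplus"
        if self.enableNIS:
            hosts += " nis"
        if not self.preferDNSinHosts:
            hosts += " dns"
        if self.enableMyhostname:
            hosts += " myhostname"

        # Databases in the order they are matched and appended; None marks
        # the database whose line is only commented out.
        databases = (
            ("passwd", users),
            ("shadow", users),
            ("group", users),
            ("initgroups", None),
            ("netgroup", netgroup),
            ("automount", normal),
            ("hosts", hosts),
            ("services", services),
        )
        handled = set()

        # Read in the old file.
        for line in f.file:
            ls = line.strip()
            for database, sources in databases:
                if matchLine(ls, database + ":"):
                    # Only the first line for a database is replaced,
                    # later duplicates are dropped.
                    if database not in handled:
                        if sources is None:
                            # NOTE(review): reconstructed from a listing
                            # that lost its indentation; confirm that a
                            # second initgroups line is meant to be dropped.
                            output += "#" + line
                        else:
                            output += database + ": " + sources + "\n"
                        handled.add(database)
                    break
            else:
                # Otherwise, just copy the current line out.
                output += line

        # If we haven't encountered any of the config lines yet...
        # For now we do not write initgroups line if not encountered.
        for database, sources in databases:
            if sources is not None and database not in handled:
                output += database + ": " + sources + "\n"

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass
    return True


def formatPAMModule(self, module, forcescard, warn):
    """Return the PAM configuration line for one module entry.

    module is an entry of the PAM module table (indexed by STACK, LOGIC,
    NAME, ARGV); forcescard selects the forced smart card control values;
    warn enables the "module is missing" message.  An empty string is
    returned when the entry has no stack or no control value.

    Security-relevant options appended here: 'nullok' for pam_unix when
    enableNullOk is set (accounts with an empty password are accepted),
    and 'broken_shadow' in the account stack when a network
    authentication method is enabled.
    """
    stack = pam_stacks[module[STACK]]
    logic = module[LOGIC]
    name = module[NAME]
    output = ""
    if not (stack and logic):
        return output

    args = ""
    if name == "pkcs11" and stack == "auth":
        if forcescard:
            if self.enableKerberos:
                logic = LOGIC_FORCE_PKCS11_KRB5
            else:
                logic = LOGIC_FORCE_PKCS11
            args = " ".join(argv_force_pkcs11_auth)
        elif self.enableKerberos:
            logic = LOGIC_PKCS11_KRB5
    if name == "krb5" and stack == "account":
        if self.enableSmartcard:
            logic = LOGIC_IGNORE_AUTH_ERR
        else:
            logic = LOGIC_IGNORE_UNKNOWN
    if name == "succeed_if":
        if stack == "auth" and logic == LOGIC_SKIPNEXT:
            if self.enableKerberos:
                logic = LOGIC_SKIPNEXT3
        elif stack == "auth" or stack == "account":
            if self.uidMin != None:
                argv = module[ARGV][0:]  # shallow copy
                argv[1] = self.uidMin
                args = " ".join(argv)
    # do not continue to following modules if authentication fails
    if (name == "unix" and stack == "auth"
            and (self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2)
            and (not self.enableNIS)):
        logic = LOGIC_SUFFICIENT
    # use oddjob_mkhomedir if available
    if name == "mkhomedir" and os.access("%s/pam_%s.so" % (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
        name = "oddjob_mkhomedir"
    # the missing pam_systemd module should not be logged as error
    if name == "systemd":
        output += "-"
        warn = False
    output += "%-12s%-13s pam_%s.so" % (stack, logic, name)
    if (warn and name not in self.module_missing
            and not os.access("%s/pam_%s.so" % (AUTH_MODULE_DIR, name), os.X_OK)):
        # Translate the template first and fill in the values afterwards;
        # formatting inside _() makes the catalog lookup fail.
        self.messageCB(_("Authentication module %s/pam_%s.so is missing. Authentication process might not work correctly.")
                       % (AUTH_MODULE_DIR, name))
        self.module_missing[name] = True

    if name == "pwquality":
        args = self.pwqualityArgs
    if name == "passwdqc":
        args = self.passwdqcArgs
    if name == "localuser":
        args = self.localuserArgs
    if name == "access":
        args = self.pamAccessArgs
    if name == "mkhomedir" or name == "oddjob_mkhomedir":
        args = self.mkhomedirArgs
    if name == "systemd":
        args = self.systemdArgs
    if (name == "sss" and stack == "auth" and not self.enableNIS
            and not module[ARGV] == argv_sssd_missing_name):
        args = "forward_pass"
    if not args and module[ARGV]:
        args = " ".join(module[ARGV])

    if name == "winbind" and self.winbindOffline and stack != "password":
        output += " cached_login"
    if name == "winbind" and self.winbindKrb5:
        output += " krb5_auth krb5_ccache_type=KEYRING"
    if name == "unix":
        if stack == "password":
            if self.passwordAlgorithm and self.passwordAlgorithm != "descrypt":
                output += " " + self.passwordAlgorithm
            if self.algoRounds:
                output += " rounds=" + self.algoRounds
            if self.enableShadow:
                output += " shadow"
            if self.enableNIS:
                output += " nis"
            if self.enableNullOk:
                output += " nullok"
        if stack == "auth":
            if self.enableNullOk:
                output += " nullok"
        if stack == "account":
            if (self.forceBrokenShadow or self.enableLDAPAuth or
                    self.enableKerberos or self.enableWinbindAuth):
                output += " broken_shadow"
    if name == "faillock" and stack == "auth":
        args = " ".join(module[ARGV]) + " " + self.faillockArgs
    if name == "succeed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
        args = args.replace("quiet_success", "quiet")
    if args:
        output += " " + args
    output += "\n"
    return output


def linkPAMService(self, src, dest):
    """Replace dest with a symlink to src when dest is not a valid link.

    dest is replaced when it is a regular file or a symlink that does not
    resolve to a file.  Errors from unlink/symlink are ignored.
    """
    f = os.path.isfile(dest)
    l = os.path.islink(dest)
    # NOTE(review): the original comment says the link is also created
    # when it "doesn't exist yet", but when dest is absent both tests are
    # False and nothing is created - confirm the intent.
    if f != l:
        # Create the link only if it doesn't exist yet or is invalid
        try:
            os.unlink(dest)
        except OSError:
            pass
        try:
            os.symlink(src, dest)
        except OSError:
            pass


def checkPAMLinked(self):
    """Clear pamLinked when any managed PAM service file is not a valid symlink."""
    for service in [AUTH_PAM_SERVICE, POSTLOGIN_PAM_SERVICE,
                    PASSWORD_AUTH_PAM_SERVICE, FINGERPRINT_AUTH_PAM_SERVICE,
                    SMARTCARD_AUTH_PAM_SERVICE]:
        dest = SYSCONFDIR + "/pam.d/" + service
        # A plain file, or a link that does not resolve to a file.
        if os.path.isfile(dest) != os.path.islink(dest):
            self.pamLinked = False
            return


def writePAMService(self, service, cfg, cfg_basename, cfg_link):
    """Generate one PAM service file and link it into pam.d.

    service selects the module table (STANDARD, FINGERPRINT, SMARTCARD,
    ...); cfg is the configuration id of the generated file, which is
    completely overwritten; cfg_basename/cfg_link are the link target and
    the link name.  A module is written when it is mandatory or when the
    feature it belongs to is enabled.  Always returns True.
    """
    f = None
    output = ""
    all_configs[cfg].backup(self.backupDir)
    try:
        f = SafeFile(all_configs[cfg].origPath, 0o644)

        output += "#%PAM-1.0\n"
        output += "# This file is auto-generated.\n"
        output += "# User changes will be destroyed the next time "
        output += "authconfig is run.\n"

        forceSmartcard = self.forceSmartcard
        enableSmartcard = self.enableSmartcard
        enableFprintd = self.enableFprintd
        # Missing modules are only reported for the standard service.
        warn = service == STANDARD
        if service == FINGERPRINT:
            enableFprintd = True
        elif service == SMARTCARD:
            enableSmartcard = True
            forceSmartcard = True

        # configure SSSD Smartcard support instead of
        # pam_pkcs11 if SSSD is used for authentication and no
        # Smartcard module is set, e.g. if pam_pkcs11 is not installed.
        use_sssd_smartcard_support = self.enableSSSDAuth and self.smartcardModule == "sssd"

        prevmodule = []
        for module in pam_modules[service]:
            # Separate the stacks by an empty line.
            if prevmodule and module[STACK] != prevmodule[STACK]:
                output += "\n"
            prevmodule = module
            if (module[MANDATORY] or
                (self.enableAFS and module[NAME] == "afs") or
                (self.enableAFSKerberos and module[NAME] == "afs.krb") or
                (self.enablePWQuality and module[NAME] == "pwquality") or
                (self.enableFaillock and module[NAME] == "faillock") or
                (self.enableEcryptfs and module[NAME] == "ecryptfs") or
                (self.enableEPS and module[NAME] == "eps") or
                ((self.enableKerberos and not self.implicitSSSDAuth) and module[NAME] == "krb5" and
                    not module[ARGV] == argv_krb5_sc_auth) or
                (self.enableKerberos and enableSmartcard and
                    ((module[NAME] == "krb5" and module[ARGV] == argv_krb5_sc_auth) or
                    (module[NAME] == "permit" and module[STACK] == AUTH))) or
                ((self.enableLDAPAuth and not self.implicitSSSDAuth) and module[NAME] == "ldap") or
                (enableSmartcard and use_sssd_smartcard_support and
                    module[NAME] == "sss" and module[ARGV] == argv_sssd_missing_name) or
                (enableSmartcard and not use_sssd_smartcard_support and module[STACK] == AUTH and
                    module[NAME] == "succeed_if" and module[LOGIC] == LOGIC_SKIPNEXT) or
                (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
                # NOTE(review): this clause is fully covered by the next one.
                (enableSmartcard and not use_sssd_smartcard_support and
                    forceSmartcard and module[NAME] == "deny") or
                (enableSmartcard and forceSmartcard and module[NAME] == "deny") or
                (enableFprintd and module[NAME] == "fprintd") or
                (self.enableOTP and module[NAME] == "otp") or
                (self.enablePasswdQC and module[NAME] == "passwdqc") or
                (self.enableWinbindAuth and module[NAME] == "winbind") or
                ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
                    module[NAME] == "sss" and module[ARGV] != argv_sssd_missing_name) or
                ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
                    (not self.enableNIS) and
                    (module[NAME] == "localuser" or
                        (module[NAME] == "succeed_if" and
                            module[LOGIC] == LOGIC_SKIPNEXT_ON_FAILURE and
                            not self.enableSysNetAuth)) and
                    module[STACK] == AUTH) or
                (self.enableLocAuthorize and module[NAME] == "localuser" and
                    module[STACK] == ACCOUNT) or
                (self.enablePAMAccess and module[NAME] == "access") or
                (self.enableMkHomeDir and module[NAME] == "mkhomedir") or
                (not self.enableSysNetAuth and module[STACK] == AUTH and
                    module[NAME] == "succeed_if" and
                    module[LOGIC] == LOGIC_REQUISITE)):
                output += self.formatPAMModule(module, forceSmartcard, warn)

        # Write it out and close it.
        f.rewind()
        f.write(output)
        f.save()
    finally:
        try:
            if f:
                f.close()
        except IOError:
            pass

    self.linkPAMService(cfg_basename, SYSCONFDIR + "/pam.d/" + cfg_link)

    return True

# Write PAM setup to the control file(s).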
def writePAM(self):
    """Regenerate the five PAM service files; always returns True."""
    # Reset the per-run record of modules already reported as missing.
    self.module_missing = {}
    self.writePAMService(STANDARD, CFG_PAM, AUTH_PAM_SERVICE_AC, AUTH_PAM_SERVICE)
    self.writePAMService(POSTLOGIN, CFG_POSTLOGIN_PAM, POSTLOGIN_PAM_SERVICE_AC, POSTLOGIN_PAM_SERVICE)
    self.writePAMService(PASSWORD_ONLY, CFG_PASSWORD_PAM, PASSWORD_AUTH_PAM_SERVICE_AC, PASSWORD_AUTH_PAM_SERVICE)
    self.writePAMService(FINGERPRINT, CFG_FINGERPRINT_PAM, FINGERPRINT_AUTH_PAM_SERVICE_AC, FINGERPRINT_AUTH_PAM_SERVICE)
    self.writePAMService(SMARTCARD, CFG_SMARTCARD_PAM, SMARTCARD_AUTH_PAM_SERVICE_AC, SMARTCARD_AUTH_PAM_SERVICE)
    return True

def writeSysconfig(self):
    """Store the current settings in the authconfig sysconfig file.

    Returns False when the file cannot be opened (IOError), True otherwise.
    """
    all_configs[CFG_AUTHCONFIG].backup(self.backupDir)
    try:
        shv = shvfile.rcreate(all_configs[CFG_AUTHCONFIG].origPath)
    except IOError:
        return False
    shv.setBoolValue("USEPWQUALITY", self.enablePWQuality)
    shv.setBoolValue("USEFAILLOCK", self.enableFaillock)
    shv.setValue("FAILLOCKARGS", self.faillockArgs)
    shv.setBoolValue("USEDB", self.enableDB)
    shv.setBoolValue("USEHESIOD", self.enableHesiod)
    shv.setBoolValue("USELDAP", self.enableLDAP)
    shv.setBoolValue("USENIS", self.enableNIS)
    shv.setBoolValue("USEECRYPTFS", self.enableEcryptfs)
    shv.setBoolValue("USEPASSWDQC", self.enablePasswdQC)
    shv.setBoolValue("USEWINBIND", self.enableWinbind)
    shv.setBoolValue("WINBINDKRB5", self.winbindKrb5)
    shv.setBoolValue("USESSSD", self.enableSSSD)
    shv.setBoolValue("USEKERBEROS", self.enableKerberos)
    shv.setBoolValue("USELDAPAUTH", self.enableLDAPAuth)
    shv.setBoolValue("USESMARTCARD", self.enableSmartcard)
    shv.setBoolValue("FORCESMARTCARD", self.forceSmartcard)
    shv.setBoolValue("USEFPRINTD", self.enableFprintd)
    shv.setValue("PASSWDALGORITHM", self.passwordAlgorithm)
    # PASSWDALGORITHM is the key written above; USEMD5 is set to None,
    # presumably to drop the older key -- TODO confirm in shvfile.
    shv.setValue("USEMD5", None)
    shv.setBoolValue("USESHADOW", self.enableShadow)
    shv.setBoolValue("USEWINBINDAUTH", self.enableWinbindAuth)
    shv.setBoolValue("USESSSDAUTH", self.enableSSSDAuth)
    shv.setBoolValue("USELOCAUTHORIZE", self.enableLocAuthorize)
    shv.setBoolValue("USEPAMACCESS", self.enablePAMAccess)
    shv.setBoolValue("USEMKHOMEDIR",
        self.enableMkHomeDir)
    shv.setBoolValue("USESYSNETAUTH", self.enableSysNetAuth)
    shv.setBoolValue("FORCELEGACY", self.enableForceLegacy)
    shv.setBoolValue("CACHECREDENTIALS", self.enableCacheCreds)
    shv.setBoolValue("USEIPAV2", self.enableIPAv2)
    shv.setBoolValue("IPADOMAINJOINED", self.ipaDomainJoined)
    shv.setBoolValue("IPAV2NONTP", self.ipav2NoNTP)
    shv.setValue("IPAV2SERVER", self.ipav2Server)
    shv.setValue("IPAV2DOMAIN", self.ipav2Domain)
    shv.setValue("IPAV2REALM", self.ipav2Realm)
    # The join user and join password are not among the values stored.
    shv.write(0644)
    shv.close()
    return True

def writeNetwork(self):
    """Store the NIS domain in the network sysconfig file.

    Returns False when the file cannot be opened (IOError), True otherwise.
    """
    all_configs[CFG_NETWORK].backup(self.backupDir)
    try:
        shv = shvfile.rcreate(all_configs[CFG_NETWORK].origPath)
    except IOError:
        return False
    shv.setValue("NISDOMAIN", self.nisDomain)
    shv.write(0644)
    shv.close()
    return True

def prewriteUpdate(self):
    """Recompute derived settings before the configuration is written."""
    oldimplicit = self.implicitSSSD
    self.implicitSSSD = self.implicitSSSDAuth = self.sssdSupported()
    if not self.enableSSSD and not self.enableSSSDAuth:
        # Implicit SSSD use has just become possible: record that in
        # inconsistentAttrs.
        if self.implicitSSSD and not oldimplicit:
            self.inconsistentAttrs.append('forceSSSDUpdate')
    # Fall back to the first available smartcard module when the
    # configured one is not in the list.
    modules = getSmartcardModules()
    if len(modules) > 0 and self.smartcardModule not in modules:
        self.smartcardModule = modules[0]
    if self.ipaDomainJoined and not self.enableIPAv2:
        # must uninstall IPAv2
        self.ipaDomainJoined = False
        self.ipaUninstall = True

def write(self):
    """Write every configuration file for the current settings.

    Returns the combined result of the writers, or False (after printing
    the error to stderr) when one of them raises OSError or IOError.
    """
    self.update(True)
    self.prewriteUpdate()
    # The previous state is saved under PATH_CONFIG_BACKUPS/last.
    self.setupBackup(PATH_CONFIG_BACKUPS + "/last")
    try:
        # "ret and ..." short-circuits: after the first writer that
        # returns a false value the remaining writers are not called, so
        # the files on disk can be left partly updated.
        ret = self.writeLibuser()
        ret = ret and self.writeLogindefs()
        ret = ret and self.writeCache()
        if self.enableHesiod:
            ret = ret and self.writeHesiod()
        if self.enableLDAP or self.enableLDAPAuth:
            ret = ret and self.writeLDAP()
        if (self.enableKerberos or
            (self.enableWinbindAuth and self.smbSecurity == "ads")):
            ret = ret and self.writeKerberos()
        if self.enableSmartcard:
            ret = ret and self.writeSmartcard()
        if self.enableNIS:
            ret = ret and self.writeNIS()
        if self.enableWinbind or self.enableWinbindAuth:
            ret = ret and self.writeWinbind()
        if self.implicitSSSD or self.implicitSSSDAuth:
            ret = ret and self.writeSSSD()
        elif self.enableSSSDAuth:
            ret = ret and self.writeSSSDPAM(True)
        ret = ret and self.writeNSS()
        ret = ret and self.writePAM()
        ret = ret and self.writeSysconfig()
        ret = ret and self.writeNetwork()
        ret = ret and self.toggleShadow()
        ret = ret and self.writeDConf()
    except (OSError, IOError):
        sys.stderr.write(str(sys.exc_info()[1]) + "\n")
        return False
    # Queue every group's service toggle; post() runs them.
    for group in self.save_groups:
        if group.toggleFunction:
            self.toggleFunctions.add(group.toggleFunction)
    return ret

def writeChanged(self, ref):
    """Write only the setting groups that differ from ref.

    Returns the combined result of the save functions that ran, or False
    (after printing the error to stderr) on OSError or IOError.
    """
    self.checkPAMLinked()
    self.update(True)
    self.prewriteUpdate()
    self.setupBackup(PATH_CONFIG_BACKUPS + "/last")
    ret = True
    try:
        for group in self.save_groups:
            if group.attrsDiffer(self, ref):
                # As in write(), a false ret skips later save functions.
                if group.saveFunction:
                    ret = ret and group.saveFunction()
                if group.toggleFunction:
                    self.toggleFunctions.add(group.toggleFunction)
    except (OSError, IOError):
        sys.stderr.write(str(sys.exc_info()[1]) + "\n")
        return False
    return ret

def probe(self):
    """Fill LDAP, Kerberos and Hesiod settings from DNS records.

    Queries are made for the domain part of the local fully qualified
    host name.  Returns None; results are stored on self.
    """
    # NOTE(review): nothing here authenticates the DNS answers, so the
    # values are only as trustworthy as the resolver path.  They should be
    # shown to the administrator for confirmation rather than applied
    # unattended -- verify how the callers use them.
    hostname = ""
    qname = ""
    results = []
    result = []
    # Query class and label for the Hesiod SOA lookups at the end.
    hesiod = [
        [dnsclient.DNS_C_IN, "hs"],
        [dnsclient.DNS_C_IN, "ns"],
        [dnsclient.DNS_C_HS, "hs"],
        [dnsclient.DNS_C_HS, "ns"]
    ]

    # get the local host name
    hostname = socket.getfqdn()
    if not hostname:
        return

    # terminate the host name
    if not hostname.endswith("."):
        hostname += "."

    # first, check for an LDAP server for the local domain
    # domain keeps its leading ".", so the names below are built by plain
    # concatenation.
    domain = hostname[hostname.find("."):]
    qname = "_ldap._tcp" + domain
    results = dnsclient.query(qname, dnsclient.DNS_C_IN, dnsclient.DNS_T_SRV)

    # No break: when several SRV records are returned the last one is kept.
    for result in results:
        if result.dns_type == dnsclient.DNS_T_SRV:
            self.ldapServer = result.rdata.server.rstrip(".")
            self.ldapBaseDN = domain2dn(domain)

    # now, check for a Kerberos realm the local host or domain is in
    qname = "_kerberos." + hostname
    results = dnsclient.query(qname, dnsclient.DNS_C_IN, dnsclient.DNS_T_TXT)
    if not results:
        qname = "_kerberos" + domain
        results = dnsclient.query(qname, dnsclient.DNS_C_IN, dnsclient.DNS_T_TXT)

    for result in results:
        if result.dns_type == dnsclient.DNS_T_TXT:
            self.kerberosRealm = result.rdata.data
            if self.kerberosRealm:
                break

    if self.kerberosRealm:
        # now fetch server information for the realm
        qname = "_kerberos._udp." + self.kerberosRealm
        results = dnsclient.query(qname, dnsclient.DNS_C_IN, dnsclient.DNS_T_SRV)
        for result in results:
            if result.dns_type == dnsclient.DNS_T_SRV:
                qname = result.rdata.server.rstrip(".")
                # assumes rdata.port is a string -- TODO confirm against
                # dnsclient; an int would raise TypeError here
                if result.rdata.port:
                    qname += ":" + result.rdata.port
                # KDCs are appended to any existing value as a
                # comma-separated list.
                if self.kerberosKDC:
                    self.kerberosKDC += "," + qname
                else:
                    self.kerberosKDC = qname

        # now fetch admin server information for the realm
        qname = "_kerberos-adm._udp." + self.kerberosRealm
        results = dnsclient.query(qname, dnsclient.DNS_C_IN, dnsclient.DNS_T_SRV)
        for result in results:
            if result.dns_type == dnsclient.DNS_T_SRV:
                qname = result.rdata.server.rstrip(".")
                if result.rdata.port:
                    qname += ":" + result.rdata.port
                if self.kerberosAdminServer:
                    self.kerberosAdminServer += "," + qname
                else:
                    self.kerberosAdminServer = qname

    # now check for SOA records for hesiod-style domains under .hs.DOMAIN
    # and .ns.DOMAIN
    for h in hesiod:
        qname = h[1] + domain
        results = dnsclient.query(qname, h[0], dnsclient.DNS_T_SOA)
        for result in results:
            if (result.dns_type == dnsclient.DNS_T_SOA and
                result.dns_name == qname):
                self.hesiodLHS = "."
                + h[1]
                self.hesiodRHS = domain.rstrip(".")
                # Leaves only the inner loop; the remaining hesiod entries
                # are still queried.
                break

def printInfo(self):
    """Print the current settings to standard output.

    The join password is not among the values printed.
    """
    print "caching is %s" % formatBool(self.enableCache)
    print "nss_files is always enabled"
    print "nss_compat is %s" % formatBool(self.enableCompat)
    print "nss_db is %s" % formatBool(self.enableDB)
    print "nss_hesiod is %s" % formatBool(self.enableHesiod)
    print " hesiod LHS = \"%s\"" % self.hesiodLHS
    print " hesiod RHS = \"%s\"" % self.hesiodRHS
    print "nss_ldap is %s" % formatBool(self.enableLDAP)
    print " LDAP+TLS is %s" % formatBool(self.enableLDAPS)
    print " LDAP server = \"%s\"" % self.ldapServer
    print " LDAP base DN = \"%s\"" % self.ldapBaseDN
    print "nss_nis is %s" % formatBool(self.enableNIS)
    print " NIS server = \"%s\"" % self.nisServer
    print " NIS domain = \"%s\"" % self.nisDomain
    print "nss_nisplus is %s" % formatBool(self.enableNIS3)
    print "nss_winbind is %s" % formatBool(self.enableWinbind)
    print " SMB workgroup = \"%s\"" % self.smbWorkgroup
    print " SMB servers = \"%s\"" % self.smbServers
    print " SMB security = \"%s\"" % self.smbSecurity
    print " SMB realm = \"%s\"" % self.smbRealm
    print " Winbind template shell = \"%s\"" % self.winbindTemplateShell
    print " SMB idmap range = \"%s\"" % self.smbIdmapRange
    print "nss_sss is %s by default" % formatBool(self.enableSSSD)
    print "nss_wins is %s" % formatBool(self.enableWINS)
    print "nss_mdns4_minimal is %s" % formatBool(self.enableMDNS)
    print "myhostname is %s" % formatBool(self.enableMyhostname)
    print "DNS preference over NSS or WINS is %s" % formatBool(self.preferDNSinHosts)
    print "pam_unix is always enabled"
    print " shadow passwords are %s" % formatBool(self.enableShadow)
    print " password hashing algorithm is %s" % self.passwordAlgorithm
    print "pam_krb5 is %s" % formatBool(self.enableKerberos)
    print " krb5 realm = \"%s\"" % self.kerberosRealm
    print " krb5 realm via dns is %s" % formatBool(self.kerberosRealmviaDNS)
    print " krb5 kdc = \"%s\"" % self.kerberosKDC
    print " krb5 kdc via dns is %s" % formatBool(self.kerberosKDCviaDNS)
    print " krb5 admin server = \"%s\"" % self.kerberosAdminServer
    print "pam_ldap is %s" % formatBool(self.enableLDAPAuth)
    print " LDAP+TLS is %s" % formatBool(self.enableLDAPS)
    print " LDAP server = \"%s\"" % self.ldapServer
    print " LDAP base DN = \"%s\"" % self.ldapBaseDN
    print " LDAP schema = \"%s\"" % (self.ldapSchema or "rfc2307")
    # pam_pkcs11 and SSSD smartcard support are reported as mutually
    # exclusive, using the same test as writePAMService.
    print "pam_pkcs11 is %s" % formatBool(self.enableSmartcard and not (self.enableSSSDAuth and self.smartcardModule == "sssd"))
    print "SSSD smartcard support is %s" % formatBool(self.enableSmartcard and (self.enableSSSDAuth and self.smartcardModule == "sssd"))
    print " use only smartcard for login is %s" % formatBool(self.forceSmartcard)
    print " smartcard module = \"%s\"" % self.smartcardModule
    print " smartcard removal action = \"%s\"" % self.smartcardAction
    print "pam_fprintd is %s" % formatBool(self.enableFprintd)
    print "pam_ecryptfs is %s" % (formatBool(self.enableEcryptfs))
    print "pam_winbind is %s" % formatBool(self.enableWinbindAuth)
    print " SMB workgroup = \"%s\"" % self.smbWorkgroup
    print " SMB servers = \"%s\"" % self.smbServers
    print " SMB security = \"%s\"" % self.smbSecurity
    print " SMB realm = \"%s\"" % self.smbRealm
    print "pam_sss is %s by default" % formatBool(self.enableSSSDAuth)
    print " credential caching in SSSD is %s" % formatBool(self.enableCacheCreds)
    print " SSSD use instead of legacy services if possible is %s" % formatBool(not self.enableForceLegacy)
    print "IPAv2 is %s" % formatBool(self.enableIPAv2)
    print "IPAv2 domain was %sjoined" % (not self.ipaDomainJoined and "not " or "")
    print " IPAv2 server = \"%s\"" % self.ipav2Server
    print " IPAv2 realm = \"%s\"" % self.ipav2Realm
    print " IPAv2 domain = \"%s\"" % self.ipav2Domain
    print "pam_pwquality is %s (%s)" % (formatBool(self.enablePWQuality), self.pwqualityArgs)
    print "pam_passwdqc is %s (%s)" % (formatBool(self.enablePasswdQC), self.passwdqcArgs)
    print "pam_access is %s (%s)" % (formatBool(self.enablePAMAccess), self.pamAccessArgs)
    print "pam_faillock is %s (%s)" % (formatBool(self.enableFaillock), self.faillockArgs)
    print "pam_mkhomedir or pam_oddjob_mkhomedir is %s (%s)" % (formatBool(self.enableMkHomeDir), self.mkhomedirArgs)
    print "Always authorize local users is %s (%s)" % (formatBool(self.enableLocAuthorize), self.localuserArgs)
    print "Authenticate system accounts against network services is %s" % formatBool(self.enableSysNetAuth)

def toggleShadow(self):
    """Convert the account files to or from shadow form; returns True.

    The exit status of the conversion tools is not checked.
    """
    for cfg in (CFG_SHADOW, CFG_PASSWD, CFG_GSHADOW, CFG_GROUP):
        all_configs[cfg].backup(self.backupDir)
    # now, do file manipulation on the password files themselves.
    # NOTE(review): disabling shadow runs pwunconv/grpunconv, which move
    # the password hashes back into the passwd and group files; those
    # files are normally world-readable.
    if self.enableShadow:
        os.system("/usr/sbin/pwconv")
        os.system("/usr/sbin/grpconv")
    else:
        os.system("/usr/sbin/pwunconv")
        os.system("/usr/sbin/grpunconv")
    return True

def joinDomain(self, echo):
    """Join the winbind domain or ADS realm as self.joinUser.

    echo selects interactive mode: the command is shown on stderr and,
    when no password is stored, run directly instead of through feedFork.

    Returns True when the join command exits with status 0 or when no
    join is attempted; returns None when the security model is neither
    "ads" nor "domain".
    """
    status = 0
    if (self.enableWinbind or self.enableWinbindAuth) and self.joinUser:
        # Only the first server of the comma/space/tab separated list.
        server = self.smbServers.split(",", 1)[0].split(" ", 1)[0].split("\t", 1)[0]
        domain = self.smbWorkgroup
        protocol = self.smbSecurity
        if not protocol:
            protocol = "ads"
        if protocol != "ads" and protocol != "domain":
            # Not needed -- "joining" is meaningless for other
            # models.
            return
        # NOTE(review): domain, server and joinUser are interpolated into
        # a command string without quoting, and the string is run with
        # shell=True below (how feedFork executes it is not visible here
        # -- TODO confirm).  Shell metacharacters in any of these values
        # would be interpreted by the shell; an argument list without a
        # shell would avoid that.
        cmd = PATH_WINBIND_NET + " join %s%s %s%s -U %s" % (
            domain and "-w " or "", domain,
            server and "-S " or "", server,
            self.joinUser)

        if echo:
            sys.stderr.write("[%s]\n" % cmd)
        if self.joinPassword or not echo:
            # "sword:" presumably matches the tail of the password prompt
            # so the password can be fed to it -- TODO confirm in feedFork.
            status, error = feedFork(cmd, echo, "sword:", self.joinPassword)
        else:
            child = Popen([cmd], shell=True)
            child.communicate()
            status = child.returncode
        if echo:
            if status != 0:
                self.messageCB(_("Winbind domain join was not successful."))
        else:
            # error is bound here: with echo false the feedFork branch
            # above always runs.
            if status != 0:
                errmsg = _("Winbind domain join was not successful. The net join command failed with the following error:")
                errmsg += "\n" + error
                self.messageCB(errmsg)
    return status == 0

def joinIPADomain(self, echo):
    """Run the IPA client installer to join the IPAv2 domain.

    Sets self.ipaDomainJoined when the command exits with status 0.
    Returns True on success or when IPAv2 is not enabled.
    """
    status = 0
    if self.enableIPAv2:
        server = self.ipav2Server
        domain = self.ipav2Domain
        realm = self.ipav2Realm
        principal = self.joinUser
        password = self.joinPassword
        if self.ipav2NoNTP:
            nontp = "-N"
        else:
            nontp = ""
        # NOTE(review): as in joinDomain, the values are placed in the
        # command string unquoted and the string is run through a shell.
        # The password itself is not put on the command line; it is
        # passed to feedFork in non-interactive mode.
        cmd = PATH_IPA_CLIENT_INSTALL + " --noac %s%s %s%s %s%s %s%s %s %s" % (
            domain and "--domain=" or "", domain,
            server and "--server=" or "", server,
            realm and "--realm=" or "", realm,
            principal and "--principal=" or "", principal,
            nontp,
            not echo and "--unattended" or "-W")

        if echo:
            sys.stderr.write("[%s]\n" % cmd)
            child = Popen([cmd], shell=True)
            child.communicate()
            status = child.returncode
        else:
            status, error = feedFork(cmd, echo, '', password)
        if status == 0:
            self.ipaDomainJoined = True
        if echo:
            if status != 0:
                self.messageCB(_("IPAv2 domain join was not successful."))
        else:
            if status != 0:
                errmsg = _("IPAv2 domain join was not successful. The ipa-client-install command failed with the following error:")
                errmsg += "\n" + error
                self.messageCB(errmsg)
    return status == 0

def uninstallIPA(self):
    """Run the IPA client installer in unattended uninstall mode.

    The exit status is not checked.
    """
    cmd = PATH_IPA_CLIENT_INSTALL + " --uninstall --noac --unattended"
    os.system(cmd)

def toggleCachingService(self, nostart):
    """Restart or stop nscd according to enableCache; returns True.

    Nothing is done when nostart is true.
    """
    if not nostart:
        if self.enableCache:
            Service.stop("nscd")
            Service.start("nscd")
        else:
            try:
                Service.stop("nscd")
            except OSError:
                pass
    return True

def toggleNisService(self, nostart):
    """Set the NIS domain name and enable or disable rpcbind/ypbind.

    nostart suppresses the domainname call and the service start/stop;
    services are still enabled or disabled.  Always returns True.
    """
    if self.enableNIS and self.nisDomain:
        if not nostart:
            # NOTE(review): nisDomain is concatenated into a shell command
            # unquoted; whitespace or shell metacharacters in it would be
            # interpreted by the shell.
            os.system("/bin/domainname " + self.nisDomain)
        try:
            # "[[ ... ]]" is bash syntax; os.system runs the command
            # through /bin/sh, so this relies on sh accepting it.
            os.system("[[ $(getsebool allow_ypbind) == *off* ]] && setsebool -P allow_ypbind 1")
            # os.stat raises OSError when the binary is absent, which
            # skips the service calls below it.
            os.stat(PATH_RPCBIND)
            Service.enable("rpcbind")
            if not nostart:
                Service.start("rpcbind")
        except OSError:
            pass
        try:
            os.stat(PATH_YPBIND)
            Service.enable("ypbind")
            if not nostart:
                Service.stop("ypbind")
                Service.start("ypbind")
        except OSError:
            pass
    else:
        if not nostart:
            os.system("/bin/domainname \"(none)\"")
        try:
            os.system("[[ $(getsebool allow_ypbind) == *on* ]] && setsebool -P allow_ypbind 0")
            os.stat(PATH_YPBIND)
            if not nostart:
                try:
                    Service.stop("ypbind")
                except OSError:
                    pass
            Service.disable("ypbind")
        except OSError:
            pass
    return True

def toggleLDAPService(self, nostart):
    """Toggle nslcd and the authlogin_nsswitch_use_ldap SELinux boolean.

    Always returns True.
    """
    # nslcd is wanted only when LDAP is used without implicit SSSD.
    toggleSplatbindService((self.enableLDAP or self.enableLDAPAuth) and
        not self.implicitSSSD,
        PATH_NSLCD,
        "nslcd", nostart)
    # os.system reports failure through its return value, which is
    # ignored here; the except OSError clauses are not expected to fire
    # for a failing command.
    if self.enableLDAP:
        try:
            os.system("[[ $(getsebool authlogin_nsswitch_use_ldap) == *off* ]] && setsebool -P authlogin_nsswitch_use_ldap 1")
        except OSError:
            pass
    else:
        try:
            os.system("[[ $(getsebool authlogin_nsswitch_use_ldap) == *on* ]] && setsebool -P authlogin_nsswitch_use_ldap 0")
        except OSError:
            pass
    return True

def toggleWinbindService(self, nostart):
    """Toggle the winbind service according to the winbind settings."""
    toggleSplatbindService(self.enableWinbind or self.enableWinbindAuth,
        PATH_WINBIND,
        "winbind", nostart)

def toggleSSSDService(self, nostart):
    """Toggle the sssd service.

    When SSSD is enabled only explicitly (not implicit and not IPAv2),
    the value passed in the nostart position is true.
    """
    explicitenable = ((self.enableSSSD and self.enableSSSDAuth) or
        (self.enableSSSD and os.path.exists(PATH_SSSD_CONFIG)) or
        (self.enableSSSDAuth and
        os.path.exists(PATH_SSSD_CONFIG)))
    enable = (self.implicitSSSD or self.implicitSSSDAuth or
        self.enableIPAv2 or explicitenable)
    toggleSplatbindService(enable,
        PATH_SSSD,
        "sssd", nostart or (enable and not (self.implicitSSSD or self.implicitSSSDAuth or self.enableIPAv2)))

def toggleOddjobService(self, nostart):
    """Enable oddjobd when home-directory creation can use it."""
    if self.enableMkHomeDir and os.access("%s/pam_%s.so" % (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
        # only switch on and only if pam_oddjob_mkhomedir exists
        toggleSplatbindService(True,
            PATH_ODDJOBD,
            "oddjobd", nostart)

def post(self, nostart):
    """Run the queued service toggles, then any pending IPA uninstall."""
    for togglefunc in self.toggleFunctions:
        togglefunc(nostart)
    if self.ipaUninstall:
        self.uninstallIPA()

def testLDAPCACerts(self):
    """Return whether the LDAP CA certificate directory is empty.

    The directory is created (mode 0755) when it does not exist.  Returns
    False when neither LDAP setting is enabled.
    """
    if self.enableLDAP or self.enableLDAPAuth:
        try:
            os.stat(self.ldapCacertDir)
        # Python 2 only: tuple unpacking of the exception in "as".
        except OSError as (err, text):
            if err == errno.ENOENT:
                os.mkdir(self.ldapCacertDir, 0755)

        return isEmptyDir(self.ldapCacertDir)
    return False

def rehashLDAPCACerts(self):
    """Rebuild the hash links in the CA directory when LDAP uses TLS."""
    if ((self.enableLDAP or self.enableLDAPAuth) and
        (self.enableLDAPS or 'ldaps:' in self.ldapServer)):
        # NOTE(review): ldapCacertDir is concatenated into a shell command
        # unquoted; see the note in toggleNisService.
        os.system("/usr/sbin/cacertdir_rehash " + self.ldapCacertDir)

def downloadLDAPCACert(self):
    """Download the CA certificate from self.ldapCacertURL and install it.

    Returns False when no URL is set or the download/write fails (after
    reporting through messageCB), True otherwise.
    """
    if not self.ldapCacertURL:
        return False
    self.testLDAPCACerts()
    # NOTE(review): the downloaded bytes become a trust anchor for LDAP
    # TLS, but nothing here checks them: the URL scheme is not restricted,
    # the content is not parsed as a certificate, and no fingerprint is
    # compared.  Over plain http (or https without certificate checking,
    # the default in older Python 2 urllib2) anyone on the network path
    # can substitute their own CA.  The fingerprint of the stored file
    # should be verified out of band.
    try:
        readf = urllib2.urlopen(self.ldapCacertURL)
        writef = openLocked(self.ldapCacertDir + "/" + LDAP_CACERT_DOWNLOADED, 0644)
        writef.write(readf.read())
        readf.close()
        writef.close()
    except (IOError, OSError, ValueError):
        # The handles opened above are not closed on this path.
        self.messageCB(_("Error downloading CA certificate"))
        return False
    self.rehashLDAPCACerts()
    return True

def setupBackup(self, backupdir):
    """Select the backup directory and delete the files already in it.

    A name that does not start with "/" is placed under
    PATH_CONFIG_BACKUPS with a "backup-" prefix; an absolute path is used
    as given.
    """
    # NOTE(review): backupdir is not validated.  An empty string raises
    # IndexError on the next line, a relative name may contain "../", and
    # an absolute path is accepted as is -- and every file directly inside
    # the resulting directory is unlinked below.  Confirm the callers
    # restrict this value.
    if backupdir[0] != "/":
        backupdir = PATH_CONFIG_BACKUPS + "/backup-" + backupdir
    self.backupDir = backupdir
    if not isEmptyDir(backupdir):
        try:
            lst = os.listdir(backupdir)
            for filename in lst:
                try:
                    os.unlink(backupdir+"/"+filename)
                except OSError:
                    pass
        except OSError:
            pass

def saveBackup(self, backupdir):
    """Back up every configuration file into backupdir.

    Returns True only when every backup call returned a true value.
    """
    self.setupBackup(backupdir)
    ret = True
    for cfg in all_configs:
        # backup() is evaluated first, so all files are attempted even
        # after a failure.
        ret = cfg.backup(self.backupDir) and ret
    return ret

# NOTE(review): restoreBackup continues on the next extracted line; its
# first fragment is left exactly as extracted.
def restoreBackup(self,
backupdir): if backupdir[0] != "/": backupdir = PATH_CONFIG_BACKUPS + "/backup-" + backupdir ret = True for cfg in all_configs: ret = cfg.restore(backupdir) and ret return ret def restoreLast(self): return self.restoreBackup(PATH_CONFIG_BACKUPS + "/last") msgarea.pyc000064400000023350147645272700006721 0ustar00 8Yc@syddlZddlZejd krCdejfdYZndejfdYZdejfdYZdS( iNiitMsgAreacBseZiejejejffd6ejejgfd6ZdZdZdZ dZ dZ dZ dZ d Zd Zd Zd Zd ZdZdZdZdZddZRS(tresponsetclosecKstt|j|d|_t|_tjtd|_ |j j |j j dtjt d|_ |j j |j j|j tt d|j|j t t d|jt |jd|j|j jd|j|j|dS(Niiiis expose-events style-set(tsuperRt__init__tNonet_MsgArea__contentstFalset_MsgArea__changing_styletgtktHBoxt_MsgArea__main_hboxtshowtset_border_widthtTruet_MsgArea__action_areatpack_endt pack_starttset_app_paintabletconnectt_MsgArea__paintt_MsgArea__on_style_sett add_buttons(tselftbuttonstkwargs((s /usr/share/authconfig/msgarea.pyRs     cCsE|jd}|dkrA|rAidd6}|jd|n|S(Nshotwire-msg-area-datatrespid(tget_dataRtset_data(Rtwtcreatetd((s /usr/share/authconfig/msgarea.pyt__get_response_data;s  cCsV|jj}x@|D]8}|j|t}|dk r|d|kr|SqWdS(NR(t_MsgArea__actionareat get_childrent_MsgArea__get_response_dataRR(RRtchildrentchildtrd((s /usr/share/authconfig/msgarea.pyt __find_buttonBs  cCs6|jtj}|dkr"dS|jtjdS(N(t_MsgArea__find_buttonR tRESPONSE_CANCELRR(Rtcancel((s /usr/share/authconfig/msgarea.pyt__closeIs c Csftjj|j|jtjtjd|d|jj d|jj d|jj d|jj d t S(Nttooltipii(R tStyletpaint_flat_boxtstyletwindowt STATE_NORMALt SHADOW_OUTRt allocationtxtytwidththeightR(RRtevent((s /usr/share/authconfig/msgarea.pyt__paintOs   cCsh|jr dS|jj}tjjd|jtj%s(R R RR R_R`RaRt set_alignmenttVBoxRtLabeltset_use_markupt set_line_wrapRRt CAN_FOCUStset_selectableRO( RRet primary_texttsecondary_textt hbox_contenttimagetvboxtprimary_markupt primary_labeltsecondary_markuptsecondary_label((s /usr/share/authconfig/msgarea.pytset_text_and_icons<              N(t__name__t __module__tgobjecttSIGNAL_RUN_LASTt TYPE_NONEtTYPE_INTt 
__gsignals__RR#R(t_MsgArea__closeRRRDRKRMRORVRRZR\RRhRRy(((s /usr/share/authconfig/msgarea.pyRs(              cBs8eZdZdZdZdZddZRS(cCs6tt|jd|_|r2|j|ndS(N(RRRRt_current_contentsR(RR((s /usr/share/authconfig/msgarea.pyRs cCs+x$|D]\}}|j||qWdS(N(RV(RRWRTR((s /usr/share/authconfig/msgarea.pyRscCs>x7|jjD]#}|jj||jqWdS(N(tget_action_areaR"tremovetdestroy(RR%((s /usr/share/authconfig/msgarea.pyt clear_buttonsscCsQ|j}|jdk r.|j|jn||_|j|ttddS(Ni(tget_content_areaRRRRR(RRNt content_area((s /usr/share/authconfig/msgarea.pyROs   c Cstjtd}|jtj}|j|tj|j|j|ttd|jddtj td}|j|j|t t dd|f}tj |}|j|j|t t d|j t |j t |jdd|jtj|jt |rd|f} tj | } | j|j| t t d| jtj| j t | j t | jt | jddn|j|dS(Niig?is%ss%s(R R RR R_R`RaRRiRjRRkRlRmRRRnRoRO( RReRpRqRrRsRtRuRvRwRx((s /usr/share/authconfig/msgarea.pyRys<              N(RzR{RRRRORRy(((s /usr/share/authconfig/msgarea.pyRs     tMsgAreaControllercBs)eZdZdZdgdZRS(cCs tt|jd|_dS(N(RRRRt_MsgAreaController__msgarea(R((s /usr/share/authconfig/msgarea.pyRscCs<|jdk r8|j|j|jjd|_ndS(N(RRRR(R((s /usr/share/authconfig/msgarea.pytclears cCsG|jt|}|_|j||||j|dt|S(Ntexpand(RRRRyRR(RRetprimaryt secondaryRtmsgarea((s /usr/share/authconfig/msgarea.pytnew_from_text_and_icons  N(RzR{RRRR(((s /usr/share/authconfig/msgarea.pyRs  (ii(R R|t pygtk_versionR RtInfoBarR(((s /usr/share/authconfig/msgarea.pyts=authconfig.pyo000064400000117523147645272700007453 0ustar00 8Yc@sddlZddlZddlZddlZddlZddlZejZddlm Z m Z ddl Z ye j e j dWn$e jk rejjdnXdZedrddlZnde fdYZd e fd YZd fd YZd efdYZedkrejejejejdedrqeZn eZejejndS(iN(t OptionParsertIndentedHelpFormatterts%Warning: Unsupported locale setting. 
cCstjdj|dkS(Ni(tsystargvtfind(tname((s#/usr/share/authconfig/authconfig.pytrunsAs%ssauthconfig-tuitUnihelpOptionParsercBseZddZRS(cCs~|dkrtj}ntj}t|dd}| sI|dkrR|}n|j|jj|j |ddS(Ntencodingtasciitreplace( tNoneRtstdouttlocaletgetpreferredencodingtgetattrtwritet format_helptdecodetencode(tselftfilet srcencodingR ((s#/usr/share/authconfig/authconfig.pyt print_help,s    N(t__name__t __module__R R(((s#/usr/share/authconfig/authconfig.pyR+stNonWrapFormattercBseZdZRS(cCsg}|j|}|j|jd}t||kr[d|jd|f}|j}n8d|jd||f}d|jd||f}d}|j||jr|j|}|jd|d|fn |ddkr|jdndj|S(Nis%*s%s Rs %*s%-*s iis (toption_stringst help_positiontcurrent_indenttlentappendthelptexpand_defaulttjoin(Rtoptiontresulttoptst opt_widtht indent_firstt help_text((s#/usr/share/authconfig/authconfig.pyt format_option6s     (RRR*(((s#/usr/share/authconfig/authconfig.pyR5st AuthconfigcBs}eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d ZRS( cCsCt|_t|_t|_t|_t|_t|_d|_dS(Ni(tFalset nis_availtkerberos_availt ldap_availt sssd_availt cache_availt fprintd_availtretval(R((s#/usr/share/authconfig/authconfig.pyt__init__Zs      cCsdS(Nt authconfig((R((s#/usr/share/authconfig/authconfig.pytmodulecscCs$tjjd|j|fdS(Ns%s: %s (RtstderrRR6(Rterror((s#/usr/share/authconfig/authconfig.pyt printErrorfscCsud}d}xX|D]P}|dkr2|d7}n|rO|t|d7}n||7}|d7}qW|d7}|S(Nit(tstr(RtltaddidxtidxR!titem((s#/usr/share/authconfig/authconfig.pytlistHelpis     c CsBtd|j}|jdkr5|d7}nt|dtdt}|jdddd d td |jd d dd d td|jddd d td|jdddd d td|jddd d td|jdd|jtjtd td|jddd d td|jddd d td|jddtdd td|jd dtd!d td"|jd#dd d td$|jd%dd d td&|jd'dd d td(|jd)dd d td*|jd+dtd!d td,|jd-dtd.d td/|jd0d1dd d td2|jd3d4dd d td5|jd6dd d td7|jd8dd d td9|jd:dtd;d td<|jd=dd d td>|jd?dd d td@|jdAdd d tdB|jdCdd d tdD|jdEdtdFd tdG|jtj t }|jdHd|d tdI|jdJdd d tdK|jdLdd d tdM|jdNdd d tdO|jdPdd d tdQ|jdRdd d tdS|jdTdd d tdU|jdVdtd!d tdW|jdXdtd!d tdY|jdZdtd[d td\|jd]dd d td^|jd_dd d td`|jdadd d tdb|jdcdd d tdd|jdedd d tdf|jdgdd d tdh|jdidd d tdj|jdkdd d tdl|jdmddnd tdo|jdpdtd[d tdq|jdrdtdsd tdt|jdudtdvd tdw|jdxdydzdtd{d 
td||jd}dd~d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddtdd td|jddtd[d td|jddtdsd td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddtdd td|jddtdd td|jddtdd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddd d td|jddd d td|jdkr|jddd d td|jddd d tdn"|jdddd d td|jddd d td|jd dd d td |jd dtd d td |jddtd d td|jddd d td|j \|_ }|r|j tdtjdn|jdk r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|jtjdndS(Nsusage: %s [options]R5se {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}tadd_help_optiont formatters-hs--helptactionR!sshow this help message and exits--enableshadows --useshadowt store_trues$enable shadowed passwords by defaults--disableshadows%disable shadowed passwords by defaults --enablemd5s--usemd5senable MD5 passwords by defaults --disablemd5s disable MD5 passwords by defaults --passalgotmetavars&hash/crypt algorithm for new passwordss --enableniss*enable NIS for user information by defaults --disableniss+disable NIS for user information by defaults --nisdomainssdefault NIS domains --nisserverssdefault NIS servers --enableldaps+enable LDAP for user information by defaults --disableldaps,disable LDAP for user information by defaults--enableldapauths)enable LDAP for authentication by defaults--disableldapauths*disable LDAP for authentication by defaults --ldapservers#default LDAP server hostname or URIs --ldapbasednssdefault LDAP base DNs--enableldaptlss--enableldapstarttlss&enable use of TLS with LDAP (RFC-2830)s--disableldaptlss--disableldapstarttlss'disable use of TLS with LDAP (RFC-2830)s--enablerfc2307bissBenable use of RFC-2307bis schema 
for LDAP user information lookupss--disablerfc2307bissCdisable use of RFC-2307bis schema for LDAP user information lookupss--ldaploadcacertss load CA certificate from the URLs--enablesmartcards0enable authentication with smart card by defaults--disablesmartcards1disable authentication with smart card by defaults--enablerequiresmartcards0require smart card for authentication by defaults--disablerequiresmartcards7do not require smart card for authentication by defaults--smartcardmoduless default smart card module to uses--smartcardactions(action to be taken on smart card removals--enablefingerprints9enable authentication with fingerprint readers by defaults--disablefingerprints:disable authentication with fingerprint readers by defaults--enableecryptfss"enable automatic per-user ecryptfss--disableecryptfss#disable automatic per-user ecryptfss --enablekrb5s)enable kerberos authentication by defaults --disablekrb5s*disable kerberos authentication by defaults --krb5kdcsdefault kerberos KDCs--krb5adminserversdefault kerberos admin servers --krb5realmssdefault kerberos realms--enablekrb5kdcdnss'enable use of DNS to find kerberos KDCss--disablekrb5kdcdnss(disable use of DNS to find kerberos KDCss--enablekrb5realmdnss)enable use of DNS to find kerberos realmss--disablekrb5realmdnss*disable use of DNS to find kerberos realmss--enablewinbinds.enable winbind for user information by defaults--disablewinbinds/disable winbind for user information by defaults--enablewinbindauths,enable winbind for authentication by defaults--disablewinbindauths-disable winbind for authentication by defaults --smbsecurityss*security mode to use for samba and winbinds --smbrealms5default realm for samba and winbind when security=adss --smbserverss s(names of servers to authenticate againsts--smbworkgroups s'workgroup authentication servers are ins--smbidmapranges --smbidmapuids --smbidmapgidss4uid range winbind will assign to domain or ads userss--winbindseparators<\>sthe character which will be 
used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enableds--winbindtemplatehomedirs sGthe directory which winbind-created users will have as home directoriess--winbindtemplateshells sDthe shell which winbind-created users will have as their login shells--enablewinbindusedefaultdomains[configures winbind to assume that users with no domain in their user names are domain userss --disablewinbindusedefaultdomains_configures winbind to assume that users with no domain in their user names are not domain userss--enablewinbindofflines)configures winbind to allow offline logins--disablewinbindofflines+configures winbind to prevent offline logins--enablewinbindkrb5s+winbind will use Kerberos 5 to authenticates--disablewinbindkrb5s2winbind will use the default authentication methods --winbindjoinss>join the winbind domain or ads realm now as this administrators --enableipav2s?enable IPAv2 for user information and authentication by defaults--disableipav2s@disable IPAv2 for user information and authentication by defaults --ipav2domains-the IPAv2 domain the system should be part ofs --ipav2realmsthe realm for the IPAv2 domains --ipav2serversthe server for the IPAv2 domains--enableipav2nontps-do not setup the NTP against the IPAv2 domains--disableipav2nontps0setup the NTP against the IPAv2 domain (default)s --ipav2joins s%join the IPAv2 domain as this accounts --enablewinss#enable wins for hostname resolutions --disablewinss$disable wins for hostname resolutions--enablepreferdnss3prefer dns over wins or nis for hostname resolutions--disablepreferdnss:do not prefer dns over wins or nis for hostname resolutions--enablehesiods-enable hesiod for user information by defaults--disablehesiods.disable hesiod for user information by defaults --hesiodlhsssdefault hesiod LHSs --hesiodrhsssdefault hesiod RHSs --enablesssdsOenable SSSD for user information by default with manually managed configurations --disablesssdsVdisable SSSD for 
user information by default (still used for supported configurations)s--enablesssdauthsMenable SSSD for authentication by default with manually managed configurations--disablesssdauthsTdisable SSSD for authentication by default (still used for supported configurations)s--enableforcelegacys;never use SSSD implicitly even for supported configurationss--disableforcelegacys4use SSSD implicitly if it supports the configurations--enablecachecredss5enable caching of user credentials in SSSD by defaults--disablecachecredss6disable caching of user credentials in SSSD by defaults --enablecachesXenable caching of user information by default (automatically disabled when SSSD is used)s--disablecaches.disable caching of user information by defaults--enablelocauthorizes1local authorization is sufficient for local userss--disablelocauthorizes1authorize local users also through remote services--enablepamaccesss.check access.conf during account authorizations--disablepamaccesss5do not check access.conf during account authorizations--enablesysnetauths0authenticate system accounts by network servicess--disablesysnetauths0authenticate system accounts by local files onlys--enablemkhomedirs6create home directories for users on their first logins--disablemkhomedirs=do not create home directories for users on their first logins --passminlenssminimum length of a passwords--passminclasss1minimum number of character classes in a passwords--passmaxrepeats;maximum number of same consecutive characters in a passwords--passmaxclassrepeatsDmaximum number of consecutive characters of same class in a passwords--enablereqlowers6require at least one lowercase character in a passwords--disablereqlowers1do not require lowercase characters in a passwords--enablerequppers6require at least one uppercase character in a passwords--disablerequppers1do not require uppercase characters in a passwords--enablereqdigits(require at least one digit in a passwords--disablereqdigits#do not require digits in a 
passwords--enablereqothers2require at least one other character in a passwords--disablereqothers-do not require other characters in a passwords--enablefaillocksNenable account locking in case of too many consecutive authentication failuress--disablefaillocksGdisable account locking on too many consecutive authentication failuress--faillockargss sthe pam_faillock module optionss --nostarts+do not start/stop portmap, ypbind, and nscds--tests>do not update the configuration files, only print new settingssauthconfig-tuis--backs<display Back instead of Cancel in the main dialog of the TUIs --kickstarts1do not display the deprecated text user interfaces--updatesDopposite of --test, update configuration files with changed settingss --updateallsupdate all configuration filess--probes)probe network for defaults and print thems --savebackupss(save a backup of all configuration filess--restorebackups)restore the backup of configuration filess--restorelastbackupsXrestore the backup of configuration files saved before the previous configuration changesunexpected argumenti(t_R6RR,Rt add_optionRCtauthinfotpassword_algorithmstgetSmartcardActionstTruet parse_argstoptionsR9Rtexittprobettesttupdatet updateallt savebackupt restorebackuptrestorelastbackupR(Rtusagetparsertactshelptargs((s#/usr/share/authconfig/authconfig.pyt parseOptionsvs                                                                                                                        '  cCstj|j}|j|jrF|jrFd|j|jfGHn|jrp|jrpd|j|jfGHn|jrd|j|j pd|j pdfGHndS(Ns hesiod %s/%ss ldap %s/%s skrb5 %s/%s/%s R( RKtAuthInfoR9RRt hesiodLHSt hesiodRHSt ldapServert ldapBaseDNt kerberosRealmt kerberosKDCtkerberosAdminServer(Rtinfo((s#/usr/share/authconfig/authconfig.pyRRs     cCsLtj|j|_|jj|_|jjdkrHt|j_ndS(N( RKtreadR9Rftcopyt pristineinfotenableLocAuthorizeR RN(R((s#/usr/share/authconfig/authconfig.pyt readAuthInfoscCstjtjtjo-tjtjtj|_tjtjtj|_tjtj tjo{tjtj tj|_ tjtj tjotjtj tj|_tjtjtj|_tjtjtj|_dS(N(tostaccessRKt 
PATH_YPBINDtX_OKtPATH_LIBNSS_NISR-t PATH_PAM_KRB5R.t PATH_PAM_LDAPtPATH_LIBNSS_LDAPR/t PATH_PAM_SSStPATH_LIBNSS_SSSR0t PATH_NSCDR1tPATH_PAM_FPRINTDR2(R((s#/usr/share/authconfig/authconfig.pyttestAvailableSubsysscCsi%dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d1d26d3d46d5d66d7d86d9d:6d;d<6d=d>6d?d@6dAdB6dCdD6dEdF6dGdH6dIdJ6}idKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6}xr|jD]d\}}t|jd|rt|j|tnt|jd|rt|j|tqqWy+|jjrmd|j_n d|j_Wnt k rnX|jj r|jj |jj kr|jj |jj |j_ |jj|jj |j_nyb|jj}|dkrRt|}|dkrR|jtdd|j_d|_qRnWn9tk r|jtdd|j_d|_nXy|jj}|dkr't|}|dkr|jtdd|j_d|_n|dkr'|jtdd|j_d|_q'nWn9tk rc|jtdd|j_d|_nXyb|jj}|dkrt|}|dkr|jtdd|j_d|_qnWn9tk r|jtdd|j_d|_nXyb|jj}|dkrct|}|dkrc|jtdd|j_d|_qcnWn9tk r|jtdd|j_d|_nXxT|jD]F\}}t|j|dkrt|j|t|j|qqW|jjrS|jjjdd}|d|j_t|dkrS|d|j_qSn|jjdkrz|jj|j_n|jj ry,t|jj }t!j"||j_#Wqtt$fk r|jtdd|j_#qXn|jj%r.|jj&d8kr.|jtdt|j_%n|jj'ss|jj(rUd|j_)n|jj*rd|j_)qn@|jj't!j+kr|jtdd|j_)d|_ndS(Nt enableShadowtshadowRjt locauthorizetenablePAMAccesst pamaccesstenableSysNetAutht sysnetauthtenableMkHomeDirt mkhomedirt enableCachetcachetenableEcryptfstecryptfst enableHesiodthesiodt enableLDAPtldapt enableLDAPStldaptlstenableRFC2307bist rfc2307bistenableLDAPAuthtldapauthtenableKerberostkrb5t enableNIStnistkerberosKDCviaDNSt krb5kdcdnstkerberosRealmviaDNSt krb5realmdnstenableSmartcardt smartcardt enableFprintdt fingerprinttforceSmartcardtrequiresmartcardt enableWinbindtwinbindtenableWinbindAutht winbindauthtwinbindUseDefaultDomaintwinbindusedefaultdomaintwinbindOfflinetwinbindofflinet winbindKrb5t winbindkrb5t enableIPAv2tipav2t ipav2NoNTPt ipav2nontpt enableWINStwinst enableSSSDtsssdtenableSSSDAuthtsssdauthtenableForceLegacyt forcelegacytenableCacheCredst cachecredstpreferDNSinHostst preferdnst passReqLowertreqlowert passReqUppertrequppert passReqDigittreqdigitt passReqOthertreqothertenableFaillocktfaillocktpasswordAlgorithmtpassalgoR_t 
hesiodlhsR`t hesiodrhsRat ldapserverRbt ldapbasednt ldapCacertURLtldaploadcacertRct krb5realmRdtkrb5kdcRetkrb5adminservertsmartcardModuletsmartcardmoduletsmartcardActiontsmartcardactiont nisDomaint nisdomaint nisServert nisservert smbWorkgroupt smbworkgroupt smbServerst smbserverst smbSecurityt smbsecuritytsmbRealmtsmbrealmt smbIdmapRanget smbidmaprangetwinbindSeparatortwinbindseparatortwinbindTemplateHomedirtwinbindtemplatehomedirtwinbindTemplateShelltwinbindtemplateshellt ipav2Domaint ipav2domaint ipav2Realmt ipav2realmt ipav2Servert ipav2servert passMinLent passminlent passMinClasst passminclasst passMaxRepeatt passmaxrepeattpassMaxClassRepeattpassmaxclassrepeatt faillockArgst faillockargstenabletdisableRis!The passminlen minimum value is 6is-The passminlen option value is not an integeris+The passminclass value must not be negativeis0The passminclass value must not be higher than 4s/The passminclass option value is not an integers,The passmaxrepeat value must not be negatives0The passmaxrepeat option value is not an integers1The passmaxclassrepeat value must not be negatives5The passmaxclassrepeat option value is not an integert%is(Bad smart card removal action specified.sO--enablerequiresmartcard is not supported for module 'sssd', option is ignored.tmd5tdescrypts;Unknown password hashing algorithm specified, using sha256.tsha256(,t iteritemsRRPtsetattrRfRNR,Rt ldapSchematAttributeErrorRRctgetKerberosKDCRdtgetKerberosAdminServerReRR tintR9RIR3t ValueErrorRRRt winbindjointsplittjoinUserRt joinPasswordt ipav2joinRRKRMRt IndexErrortenablerequiresmartcardRRt enablemd5Rt disablemd5RL(Rt bool_settingststring_settingstopttaivaltvaltlstRA((s#/usr/share/authconfig/authconfig.pytoverrideSettingssB      $!                                   
&      cCstS(N(RN(R((s#/usr/share/authconfig/authconfig.pytdoUIgscCsht}|jjr'|jjt}n|jjdkrd|jjtr[|jjqdt }n|S(N( RNRPRRft joinDomainRR t joinIPADomaintwriteSysconfigR,(Rtret((s#/usr/share/authconfig/authconfig.pyRjs  cCs|jj|jjr7|jjs7d|_q7n|jj|jjrn|jjsd|_qn!|jj |j sd|_n|j sd|_n|jj |jj dS(Niiii(RfttestLDAPCACertsRtdownloadLDAPCACertR3trehashLDAPCACertsRPRURt writeChangedRiRtposttnostart(R((s#/usr/share/authconfig/authconfig.pyt writeAuthInfoxs       cCs|j|jjr0|jtjdn|jj rrtjdkrr|jt dtjdn|j |jj r|j j }tjt| n|jjr|j j|jj}tjt| n|jjr$|j j|jj}tjt| n|j|j|jsv|jjrf|jt dntjdn|jjr|j jn |j|jS(Niscan only be run as rootisdialog was cancelledi(R]RPRRRRQRSRltgetuidR9RIRkRXRft restoreLastRRWt restoreBackupRVt saveBackupRxRRt printInfoRR3(Rtrv((s#/usr/share/authconfig/authconfig.pytruns6             (RRR4R6R9RCR]RRRkRxRRRRR%(((s#/usr/share/authconfig/authconfig.pyR+Ys   $    t AuthconfigTUIcBseZdZdZdZdZdddZdZdZ dZ dZ d Z d Z d Zd Zd ZdZRS(cCsdS(Nsauthconfig-tui((R((s#/usr/share/authconfig/authconfig.pyR6scCs/|jjr+|jjr+|jjtndS(N(RPt kickstartRRfRRN(R((s#/usr/share/authconfig/authconfig.pyRscCs|s dSx|r|d}|d}t|tkrv|jjr_|d}|d}qv|d}|d}ntj|tjstd||d|f}tj |j td|tdgn|d}q WdS(NiiisThe %s file was not found, but it is required for %s support to work properly. 
Install the %s package, which provides this file.tWarningtOki( ttypettupleRft sssdSupportedRlRmtR_OKRItsnacktButtonChoiceWindowtscreen(Rttoggletwarningtpathtpackagettext((s#/usr/share/authconfig/authconfig.pytwarns         +c# CsEtjtdddg}tjtdddg}tjtjftdd6dg}tjtjftdd7dg}tjtj ftd d8dg}tj td d dg}tj tdddg}tj tdddg}tj tdd|g} tjtdd| g} tjdd} tjtd} | j| ddddddtjtdt|jj} }| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|dd ddddtjtd!t|jj}}| j|dd"ddddtjdd#}tjtd$} |j| ddddddtjtd%t|jjd&k}}|j|ddddddtjtd't|jj}}|j|ddddddtjtd(t|jj}}|j|ddddddtjtd)t|jj}}|j|dd ddddtjtd*t|jj}}|j|dd"ddddtjtd+t|jj }}|j|ddddddtjtd,t|jj!}}|j|dd-ddddtjdd}|j| ddddd.dd/d9|j|ddd0dd.dd/d:tjdd}tj"|j#j$rtd1ptd2}tj"td3}|j|dd|j|ddtjdd}|j|dddd|j|ddddtj%} |j&j'|td4| j(|| j)} | |kr.| j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*rd&|j_n!|jjd&krd5|j_n|j*|j_|j*|j_|j*|j_ |j*|j_!|j*|j_|jj|f|jj|f|jj|f|jj| f|jj|f|jj|f|jj|f|jj|f|jj | fg }!x)|!D]}"|j+|"d|"dq Wn|j&j,| |kS(;NtcachingtnscdsFingerprint readert pam_fprintdtKerberostpam_krb5s sssd-clientsLDAP authenticationtpam_ldaptLDAPs nss-pam-ldapdtNIStypbindsshadow passwords shadow-utilstWinbinds samba-clientsWinbind authentications samba-winbindiisUser Informationit anchorLefttgrowxsCache InformationsUse LDAPisUse NISis Use IPAv2is Use WinbindiitAuthenticationsUse MD5 PasswordsRsUse Shadow PasswordssUse LDAP Authentications Use KerberossUse Fingerprint readersUse Winbind Authentications!Local authorization is sufficientit anchorToptpaddingt anchorRighttBacktCanceltNextsAuthentication ConfigurationR(R;s sssd-client(R<s sssd-client(s nss-pam-ldapds sssd-client(iiii(iiii(-RKRvRIR RwRqRtRrRsRuRnt PATH_PWCONVtPATH_WINBIND_NETtPATH_PAM_WINBINDtPATH_LIBNSS_WINBINDR.tGridtLabeltsetFieldtCheckboxtboolRfRRRRRRRyRRRRRjtButtonRPtbacktFormR0tgridWrappedWindowtaddR%tselectedR6t popWindow(#Rt warnCachet warnFprintdt warnKerberost warnLDAPAuthtwarnLDAPtwarnNISt warnShadowtwarnWinbindNettwarnWinbindAutht warnWinbindtinfoGridtcompRtcbRRRRtauthGridRRztldapaRtfprintdRR{tmechGridt 
buttonGridtcanceltoktmainGridtformt allwarningsR2((s#/usr/share/authconfig/authconfig.pytgetMainChoicess$$$(((((.((((((%%-       cCst|}tjd|}d} g} xn|D]f\} } } }| dkrtj| tt|j| }| j||jtj dd| dd|j|d| ddn| dkrEtj | }|j|d| d dddtj d t|j| d |}| j||j|d| d dnH| d kr:tj | }|j|d| d dddddy#t|j| }|j |Wnt k r|d}nXd}g}x*|D]"}|j||||kfqWtjd|}| j||j|d| ddnS| dkrtjd| dddd}| j||j|d| ddn| d7} q1Wtj|rdpdd}tj|}tj|}|rtj|pd}|j|dd|r!|j|ddn|j||r6dp9ddtjdd}|j|ddd dd d|j|ddd dd dtj}|jj|||j|xtr|j}||krPn| }x|D]\} } } }| dkr2t|j| |jdjq| dkrct|j| |jdjq| d krt|j| |jdjq| dkr|jdqqW||krPn|r|qqW|jj||kS(NiittfvalueRRFiRAtsvalueREi(thiddenRBtrvalueRDtlvaluei2tflexDowntflexUpi(iiii(iiii(iiii(iiii(RR.RNRQRRRRfR RPROtEntrytindexRR tRadioBartTextboxReflowedRSRUR0RVRWRNR%RtpopRXtvaluet getSelectionRY(Rtdtitletitemst canceltxttoktxtt anothertxtt anothercbtrowst questionGridtrowtwidgetstttdesctattrRRfRetselt buttonlisttvtradioBarRkRlRmtanotherRnRotwcopy((s#/usr/share/authconfig/authconfig.pytgetGenericChoices6s  $ " $  %            % % %   c Csdtdddfdtdddfdtdddfg}|jtd |td |rrtd p{td d tdd|jS(NRssDomain:RisRealm:RsServer:RsIPAv2 SettingsRGRIR)Rs Join DomainR(RIRtmaybeGetJoinSettings(Rtnextt questions((s#/usr/share/authconfig/authconfig.pytgetIPAv2Settingss *cCsdtdddfdtdddfdtdd dfg}|jtd |td |rrtd p{td S(NRrsUse TLSRRssServer:RaisBase DN:Rbs LDAP SettingsRGRIR)(RIR R(RRR((s#/usr/share/authconfig/authconfig.pytgetLDAPSettingss cCsjdtdddfdtdddfg}|jtd|td|r]td pftd S( NRssDomain:RisServer:Rs NIS SettingsRGRIR)(RIR(RRR((s#/usr/share/authconfig/authconfig.pytgetNISSettingsscCsdtdddfdtdddfdtdddfd td d dfd td d dfg}|jtd|td|rtdptdS(NRssRealm:RcisKDC:Rds Admin Server:ReRrs"Use DNS to resolve hosts to realmsRs!Use DNS to locate KDCs for realmsRsKerberos SettingsRGRIR)(RIR R(RRR((s#/usr/share/authconfig/authconfig.pytgetKerberosSettingsscCsdtdddfdtdddfg}|jjsKd|j_n|jtd |td td r|jj|jj|jjr|jjt n|jj r|jj t n|jj nt S( NRssDomain Administrator:Ris Password:Rit Administrators Join SettingsRHR)( 
RIRfRRR0tsuspendRTRRRNRRtresume(RR((s#/usr/share/authconfig/authconfig.pytgetJoinSettingss     cCsdtdddfg}tj|j}|j|jjt}|jj|r|j td|tdtd}n|r|jj n|j t S(NRvsSome of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?s Save SettingstNotYes( RIR RKRgR9RTRfR,tdiffersRRRRN(RRt orig_infoR((s#/usr/share/authconfig/authconfig.pyRs    c Csddg}ddddddg}d }t||}d td d |fd tdddfd tdddfd tdddfd tdd|fg}|jtd|td|rtdptddtdd|jS(Ntadstdomains /sbin/nologins/bin/shs /bin/bashs /bin/tcshs/bin/kshs/bin/zshcSstj|tjS(N(RlRmRo(tshell((s#/usr/share/authconfig/authconfig.pyt shellexistssRusSecurity Model:RRssDomain:RisDomain Controllers:Rs ADS Realm:RsTemplate Shell:RsWinbind SettingsRGRIR)Rs Join DomainR(tfilterRIRR(RRtsecuritytshellsRR((s#/usr/share/authconfig/authconfig.pytgetWinbindSettingss   *cCs:d}t}x!|dkr/|dkr/|jj|dkrO|j}n|dkr|jjr|jjp|jjp|jjp|jjp|jj p|jj }|j |}qn>|dkr-|jjs|jjr|jjp|jjp|jj p|jj }|j |}qn|dkr~|jjr|jjpf|jj pf|jj }|j |}qn|dkr|jjr|jj p|jj }|j|}qn?|dkr|jj s|jj rt}|j|}qn|jj|r"|d7}q|d8}qW|dkS( Niiiiiiii(R,RfRTRqRRRRRRRRRRRR(RRtrctmore((s#/usr/share/authconfig/authconfig.pyt getChoicessT                           cCsBtd|jj}tj|jtd|tdgdS(NsTo connect to a LDAP server with TLS protocol enabled you need a CA certificate which signed your server's certificate. Copy the certificate in the PEM format to the '%s' directory. 
Then press OK.R(R)(RIRft ldapCacertDirR.R/R0(RR5((s#/usr/share/authconfig/authconfig.pytdisplayCACertsMessages  cCs|jjrtSztj|_|j}|jjtd|jj dd|d|j s{|jj t S|j jr|j jr|jnWd|jj XtS(NsN / between elements | selects | next screenis - (c) 1999-2005 Red Hat, Inc.(RPR'RNR.t SnackScreenR0R6t pushHelpLineRIt drawRootTextRtfinishR,RfRRR(Rtpackageversion((s#/usr/share/authconfig/authconfig.pyRs    N(RRR6RR6RqR RRRRRRRRRRR(((s#/usr/share/authconfig/authconfig.pyR&s    r_       - t__main__R5(RKtacutiltgettextRltsignalRtlgettextRItoptparseRRRt setlocaletLC_ALLtErrorR7RRR.RRR+R&RtSIGINTtSIG_DFLt textdomainR6RQR%(((s#/usr/share/authconfig/authconfig.pyts20     $P     msgarea.pyo000064400000023350147645272700006735 0ustar00 8Yc@syddlZddlZejd krCdejfdYZndejfdYZdejfdYZdS( iNiitMsgAreacBseZiejejejffd6ejejgfd6ZdZdZdZ dZ dZ dZ dZ d Zd Zd Zd Zd ZdZdZdZdZddZRS(tresponsetclosecKstt|j|d|_t|_tjtd|_ |j j |j j dtjt d|_ |j j |j j|j tt d|j|j t t d|jt |jd|j|j jd|j|j|dS(Niiiis expose-events style-set(tsuperRt__init__tNonet_MsgArea__contentstFalset_MsgArea__changing_styletgtktHBoxt_MsgArea__main_hboxtshowtset_border_widthtTruet_MsgArea__action_areatpack_endt pack_starttset_app_paintabletconnectt_MsgArea__paintt_MsgArea__on_style_sett add_buttons(tselftbuttonstkwargs((s /usr/share/authconfig/msgarea.pyRs     cCsE|jd}|dkrA|rAidd6}|jd|n|S(Nshotwire-msg-area-datatrespid(tget_dataRtset_data(Rtwtcreatetd((s /usr/share/authconfig/msgarea.pyt__get_response_data;s  cCsV|jj}x@|D]8}|j|t}|dk r|d|kr|SqWdS(NR(t_MsgArea__actionareat get_childrent_MsgArea__get_response_dataRR(RRtchildrentchildtrd((s /usr/share/authconfig/msgarea.pyt __find_buttonBs  cCs6|jtj}|dkr"dS|jtjdS(N(t_MsgArea__find_buttonR tRESPONSE_CANCELRR(Rtcancel((s /usr/share/authconfig/msgarea.pyt__closeIs c Csftjj|j|jtjtjd|d|jj d|jj d|jj d|jj d t S(Nttooltipii(R tStyletpaint_flat_boxtstyletwindowt STATE_NORMALt SHADOW_OUTRt allocationtxtytwidththeightR(RRtevent((s /usr/share/authconfig/msgarea.pyt__paintOs   cCsh|jr dS|jj}tjjd|jtj%s(R R RR R_R`RaRt 
set_alignmenttVBoxRtLabeltset_use_markupt set_line_wrapRRt CAN_FOCUStset_selectableRO( RRet primary_texttsecondary_textt hbox_contenttimagetvboxtprimary_markupt primary_labeltsecondary_markuptsecondary_label((s /usr/share/authconfig/msgarea.pytset_text_and_icons<              N(t__name__t __module__tgobjecttSIGNAL_RUN_LASTt TYPE_NONEtTYPE_INTt __gsignals__RR#R(t_MsgArea__closeRRRDRKRMRORVRRZR\RRhRRy(((s /usr/share/authconfig/msgarea.pyRs(              cBs8eZdZdZdZdZddZRS(cCs6tt|jd|_|r2|j|ndS(N(RRRRt_current_contentsR(RR((s /usr/share/authconfig/msgarea.pyRs cCs+x$|D]\}}|j||qWdS(N(RV(RRWRTR((s /usr/share/authconfig/msgarea.pyRscCs>x7|jjD]#}|jj||jqWdS(N(tget_action_areaR"tremovetdestroy(RR%((s /usr/share/authconfig/msgarea.pyt clear_buttonsscCsQ|j}|jdk r.|j|jn||_|j|ttddS(Ni(tget_content_areaRRRRR(RRNt content_area((s /usr/share/authconfig/msgarea.pyROs   c Cstjtd}|jtj}|j|tj|j|j|ttd|jddtj td}|j|j|t t dd|f}tj |}|j|j|t t d|j t |j t |jdd|jtj|jt |rd|f} tj | } | j|j| t t d| jtj| j t | j t | jt | jddn|j|dS(Niig?is%ss%s(R R RR R_R`RaRRiRjRRkRlRmRRRnRoRO( RReRpRqRrRsRtRuRvRwRx((s /usr/share/authconfig/msgarea.pyRys<              N(RzR{RRRRORRy(((s /usr/share/authconfig/msgarea.pyRs     tMsgAreaControllercBs)eZdZdZdgdZRS(cCs tt|jd|_dS(N(RRRRt_MsgAreaController__msgarea(R((s /usr/share/authconfig/msgarea.pyRscCs<|jdk r8|j|j|jjd|_ndS(N(RRRR(R((s /usr/share/authconfig/msgarea.pytclears cCsG|jt|}|_|j||||j|dt|S(Ntexpand(RRRRyRR(RRetprimaryt secondaryRtmsgarea((s /usr/share/authconfig/msgarea.pytnew_from_text_and_icons  N(RzR{RRRR(((s /usr/share/authconfig/msgarea.pyRs  (ii(R R|t pygtk_versionR RtInfoBarR(((s /usr/share/authconfig/msgarea.pyts=authconfig.pyc000064400000117523147645272700007437 0ustar00 8Yc@sddlZddlZddlZddlZddlZddlZejZddlm Z m Z ddl Z ye j e j dWn$e jk rejjdnXdZedrddlZnde fdYZd e fd YZd fd YZd efdYZedkrejejejejdedrqeZn eZejejndS(iN(t OptionParsertIndentedHelpFormatterts%Warning: Unsupported locale setting. 
cCstjdj|dkS(Ni(tsystargvtfind(tname((s#/usr/share/authconfig/authconfig.pytrunsAs%ssauthconfig-tuitUnihelpOptionParsercBseZddZRS(cCs~|dkrtj}ntj}t|dd}| sI|dkrR|}n|j|jj|j |ddS(Ntencodingtasciitreplace( tNoneRtstdouttlocaletgetpreferredencodingtgetattrtwritet format_helptdecodetencode(tselftfilet srcencodingR ((s#/usr/share/authconfig/authconfig.pyt print_help,s    N(t__name__t __module__R R(((s#/usr/share/authconfig/authconfig.pyR+stNonWrapFormattercBseZdZRS(cCsg}|j|}|j|jd}t||kr[d|jd|f}|j}n8d|jd||f}d|jd||f}d}|j||jr|j|}|jd|d|fn |ddkr|jdndj|S(Nis%*s%s Rs %*s%-*s iis (toption_stringst help_positiontcurrent_indenttlentappendthelptexpand_defaulttjoin(Rtoptiontresulttoptst opt_widtht indent_firstt help_text((s#/usr/share/authconfig/authconfig.pyt format_option6s     (RRR*(((s#/usr/share/authconfig/authconfig.pyR5st AuthconfigcBs}eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d ZRS( cCsCt|_t|_t|_t|_t|_t|_d|_dS(Ni(tFalset nis_availtkerberos_availt ldap_availt sssd_availt cache_availt fprintd_availtretval(R((s#/usr/share/authconfig/authconfig.pyt__init__Zs      cCsdS(Nt authconfig((R((s#/usr/share/authconfig/authconfig.pytmodulecscCs$tjjd|j|fdS(Ns%s: %s (RtstderrRR6(Rterror((s#/usr/share/authconfig/authconfig.pyt printErrorfscCsud}d}xX|D]P}|dkr2|d7}n|rO|t|d7}n||7}|d7}qW|d7}|S(Nit(tstr(RtltaddidxtidxR!titem((s#/usr/share/authconfig/authconfig.pytlistHelpis     c CsBtd|j}|jdkr5|d7}nt|dtdt}|jdddd d td |jd d dd d td|jddd d td|jdddd d td|jddd d td|jdd|jtjtd td|jddd d td|jddd d td|jddtdd td|jd dtd!d td"|jd#dd d td$|jd%dd d td&|jd'dd d td(|jd)dd d td*|jd+dtd!d td,|jd-dtd.d td/|jd0d1dd d td2|jd3d4dd d td5|jd6dd d td7|jd8dd d td9|jd:dtd;d td<|jd=dd d td>|jd?dd d td@|jdAdd d tdB|jdCdd d tdD|jdEdtdFd tdG|jtj t }|jdHd|d tdI|jdJdd d tdK|jdLdd d tdM|jdNdd d tdO|jdPdd d tdQ|jdRdd d tdS|jdTdd d tdU|jdVdtd!d tdW|jdXdtd!d tdY|jdZdtd[d td\|jd]dd d td^|jd_dd d td`|jdadd d tdb|jdcdd d tdd|jdedd d tdf|jdgdd d tdh|jdidd d tdj|jdkdd d tdl|jdmddnd tdo|jdpdtd[d tdq|jdrdtdsd tdt|jdudtdvd tdw|jdxdydzdtd{d 
td||jd}dd~d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddtdd td|jddtd[d td|jddtdsd td|jddd d td|jddd d td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jdddd td|jdddd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddtdd td|jddtdd td|jddtdd td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddd d td|jddtdd td|jddd d td|jddd d td|jdkr|jddd d td|jddd d tdn"|jdddd d td|jddd d td|jd dd d td |jd dtd d td |jddtd d td|jddd d td|j \|_ }|r|j tdtjdn|jdk r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|j j r>|jtjdndS(Nsusage: %s [options]R5se {--update|--updateall|--test|--probe|--restorebackup |--savebackup |--restorelastbackup}tadd_help_optiont formatters-hs--helptactionR!sshow this help message and exits--enableshadows --useshadowt store_trues$enable shadowed passwords by defaults--disableshadows%disable shadowed passwords by defaults --enablemd5s--usemd5senable MD5 passwords by defaults --disablemd5s disable MD5 passwords by defaults --passalgotmetavars&hash/crypt algorithm for new passwordss --enableniss*enable NIS for user information by defaults --disableniss+disable NIS for user information by defaults --nisdomainssdefault NIS domains --nisserverssdefault NIS servers --enableldaps+enable LDAP for user information by defaults --disableldaps,disable LDAP for user information by defaults--enableldapauths)enable LDAP for authentication by defaults--disableldapauths*disable LDAP for authentication by defaults --ldapservers#default LDAP server hostname or URIs --ldapbasednssdefault LDAP base DNs--enableldaptlss--enableldapstarttlss&enable use of TLS with LDAP (RFC-2830)s--disableldaptlss--disableldapstarttlss'disable use of TLS with LDAP (RFC-2830)s--enablerfc2307bissBenable use of RFC-2307bis schema 
for LDAP user information lookupss--disablerfc2307bissCdisable use of RFC-2307bis schema for LDAP user information lookupss--ldaploadcacertss load CA certificate from the URLs--enablesmartcards0enable authentication with smart card by defaults--disablesmartcards1disable authentication with smart card by defaults--enablerequiresmartcards0require smart card for authentication by defaults--disablerequiresmartcards7do not require smart card for authentication by defaults--smartcardmoduless default smart card module to uses--smartcardactions(action to be taken on smart card removals--enablefingerprints9enable authentication with fingerprint readers by defaults--disablefingerprints:disable authentication with fingerprint readers by defaults--enableecryptfss"enable automatic per-user ecryptfss--disableecryptfss#disable automatic per-user ecryptfss --enablekrb5s)enable kerberos authentication by defaults --disablekrb5s*disable kerberos authentication by defaults --krb5kdcsdefault kerberos KDCs--krb5adminserversdefault kerberos admin servers --krb5realmssdefault kerberos realms--enablekrb5kdcdnss'enable use of DNS to find kerberos KDCss--disablekrb5kdcdnss(disable use of DNS to find kerberos KDCss--enablekrb5realmdnss)enable use of DNS to find kerberos realmss--disablekrb5realmdnss*disable use of DNS to find kerberos realmss--enablewinbinds.enable winbind for user information by defaults--disablewinbinds/disable winbind for user information by defaults--enablewinbindauths,enable winbind for authentication by defaults--disablewinbindauths-disable winbind for authentication by defaults --smbsecurityss*security mode to use for samba and winbinds --smbrealms5default realm for samba and winbind when security=adss --smbserverss s(names of servers to authenticate againsts--smbworkgroups s'workgroup authentication servers are ins--smbidmapranges --smbidmapuids --smbidmapgidss4uid range winbind will assign to domain or ads userss--winbindseparators<\>sthe character which will be 
used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enableds--winbindtemplatehomedirs sGthe directory which winbind-created users will have as home directoriess--winbindtemplateshells sDthe shell which winbind-created users will have as their login shells--enablewinbindusedefaultdomains[configures winbind to assume that users with no domain in their user names are domain userss --disablewinbindusedefaultdomains_configures winbind to assume that users with no domain in their user names are not domain userss--enablewinbindofflines)configures winbind to allow offline logins--disablewinbindofflines+configures winbind to prevent offline logins--enablewinbindkrb5s+winbind will use Kerberos 5 to authenticates--disablewinbindkrb5s2winbind will use the default authentication methods --winbindjoinss>join the winbind domain or ads realm now as this administrators --enableipav2s?enable IPAv2 for user information and authentication by defaults--disableipav2s@disable IPAv2 for user information and authentication by defaults --ipav2domains-the IPAv2 domain the system should be part ofs --ipav2realmsthe realm for the IPAv2 domains --ipav2serversthe server for the IPAv2 domains--enableipav2nontps-do not setup the NTP against the IPAv2 domains--disableipav2nontps0setup the NTP against the IPAv2 domain (default)s --ipav2joins s%join the IPAv2 domain as this accounts --enablewinss#enable wins for hostname resolutions --disablewinss$disable wins for hostname resolutions--enablepreferdnss3prefer dns over wins or nis for hostname resolutions--disablepreferdnss:do not prefer dns over wins or nis for hostname resolutions--enablehesiods-enable hesiod for user information by defaults--disablehesiods.disable hesiod for user information by defaults --hesiodlhsssdefault hesiod LHSs --hesiodrhsssdefault hesiod RHSs --enablesssdsOenable SSSD for user information by default with manually managed configurations --disablesssdsVdisable SSSD for 
user information by default (still used for supported configurations)s--enablesssdauthsMenable SSSD for authentication by default with manually managed configurations--disablesssdauthsTdisable SSSD for authentication by default (still used for supported configurations)s--enableforcelegacys;never use SSSD implicitly even for supported configurationss--disableforcelegacys4use SSSD implicitly if it supports the configurations--enablecachecredss5enable caching of user credentials in SSSD by defaults--disablecachecredss6disable caching of user credentials in SSSD by defaults --enablecachesXenable caching of user information by default (automatically disabled when SSSD is used)s--disablecaches.disable caching of user information by defaults--enablelocauthorizes1local authorization is sufficient for local userss--disablelocauthorizes1authorize local users also through remote services--enablepamaccesss.check access.conf during account authorizations--disablepamaccesss5do not check access.conf during account authorizations--enablesysnetauths0authenticate system accounts by network servicess--disablesysnetauths0authenticate system accounts by local files onlys--enablemkhomedirs6create home directories for users on their first logins--disablemkhomedirs=do not create home directories for users on their first logins --passminlenssminimum length of a passwords--passminclasss1minimum number of character classes in a passwords--passmaxrepeats;maximum number of same consecutive characters in a passwords--passmaxclassrepeatsDmaximum number of consecutive characters of same class in a passwords--enablereqlowers6require at least one lowercase character in a passwords--disablereqlowers1do not require lowercase characters in a passwords--enablerequppers6require at least one uppercase character in a passwords--disablerequppers1do not require uppercase characters in a passwords--enablereqdigits(require at least one digit in a passwords--disablereqdigits#do not require digits in a 
passwords--enablereqothers2require at least one other character in a passwords--disablereqothers-do not require other characters in a passwords--enablefaillocksNenable account locking in case of too many consecutive authentication failuress--disablefaillocksGdisable account locking on too many consecutive authentication failuress--faillockargss sthe pam_faillock module optionss --nostarts+do not start/stop portmap, ypbind, and nscds--tests>do not update the configuration files, only print new settingssauthconfig-tuis--backs<display Back instead of Cancel in the main dialog of the TUIs --kickstarts1do not display the deprecated text user interfaces--updatesDopposite of --test, update configuration files with changed settingss --updateallsupdate all configuration filess--probes)probe network for defaults and print thems --savebackupss(save a backup of all configuration filess--restorebackups)restore the backup of configuration filess--restorelastbackupsXrestore the backup of configuration files saved before the previous configuration changesunexpected argumenti(t_R6RR,Rt add_optionRCtauthinfotpassword_algorithmstgetSmartcardActionstTruet parse_argstoptionsR9Rtexittprobettesttupdatet updateallt savebackupt restorebackuptrestorelastbackupR(Rtusagetparsertactshelptargs((s#/usr/share/authconfig/authconfig.pyt parseOptionsvs                                                                                                                        '  cCstj|j}|j|jrF|jrFd|j|jfGHn|jrp|jrpd|j|jfGHn|jrd|j|j pd|j pdfGHndS(Ns hesiod %s/%ss ldap %s/%s skrb5 %s/%s/%s R( RKtAuthInfoR9RRt hesiodLHSt hesiodRHSt ldapServert ldapBaseDNt kerberosRealmt kerberosKDCtkerberosAdminServer(Rtinfo((s#/usr/share/authconfig/authconfig.pyRRs     cCsLtj|j|_|jj|_|jjdkrHt|j_ndS(N( RKtreadR9Rftcopyt pristineinfotenableLocAuthorizeR RN(R((s#/usr/share/authconfig/authconfig.pyt readAuthInfoscCstjtjtjo-tjtjtj|_tjtjtj|_tjtj tjo{tjtj tj|_ tjtj tjotjtj tj|_tjtjtj|_tjtjtj|_dS(N(tostaccessRKt 
PATH_YPBINDtX_OKtPATH_LIBNSS_NISR-t PATH_PAM_KRB5R.t PATH_PAM_LDAPtPATH_LIBNSS_LDAPR/t PATH_PAM_SSStPATH_LIBNSS_SSSR0t PATH_NSCDR1tPATH_PAM_FPRINTDR2(R((s#/usr/share/authconfig/authconfig.pyttestAvailableSubsysscCsi%dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d1d26d3d46d5d66d7d86d9d:6d;d<6d=d>6d?d@6dAdB6dCdD6dEdF6dGdH6dIdJ6}idKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6}xr|jD]d\}}t|jd|rt|j|tnt|jd|rt|j|tqqWy+|jjrmd|j_n d|j_Wnt k rnX|jj r|jj |jj kr|jj |jj |j_ |jj|jj |j_nyb|jj}|dkrRt|}|dkrR|jtdd|j_d|_qRnWn9tk r|jtdd|j_d|_nXy|jj}|dkr't|}|dkr|jtdd|j_d|_n|dkr'|jtdd|j_d|_q'nWn9tk rc|jtdd|j_d|_nXyb|jj}|dkrt|}|dkr|jtdd|j_d|_qnWn9tk r|jtdd|j_d|_nXyb|jj}|dkrct|}|dkrc|jtdd|j_d|_qcnWn9tk r|jtdd|j_d|_nXxT|jD]F\}}t|j|dkrt|j|t|j|qqW|jjrS|jjjdd}|d|j_t|dkrS|d|j_qSn|jjdkrz|jj|j_n|jj ry,t|jj }t!j"||j_#Wqtt$fk r|jtdd|j_#qXn|jj%r.|jj&d8kr.|jtdt|j_%n|jj'ss|jj(rUd|j_)n|jj*rd|j_)qn@|jj't!j+kr|jtdd|j_)d|_ndS(Nt enableShadowtshadowRjt locauthorizetenablePAMAccesst pamaccesstenableSysNetAutht sysnetauthtenableMkHomeDirt mkhomedirt enableCachetcachetenableEcryptfstecryptfst enableHesiodthesiodt enableLDAPtldapt enableLDAPStldaptlstenableRFC2307bist rfc2307bistenableLDAPAuthtldapauthtenableKerberostkrb5t enableNIStnistkerberosKDCviaDNSt krb5kdcdnstkerberosRealmviaDNSt krb5realmdnstenableSmartcardt smartcardt enableFprintdt fingerprinttforceSmartcardtrequiresmartcardt enableWinbindtwinbindtenableWinbindAutht winbindauthtwinbindUseDefaultDomaintwinbindusedefaultdomaintwinbindOfflinetwinbindofflinet winbindKrb5t winbindkrb5t enableIPAv2tipav2t ipav2NoNTPt ipav2nontpt enableWINStwinst enableSSSDtsssdtenableSSSDAuthtsssdauthtenableForceLegacyt forcelegacytenableCacheCredst cachecredstpreferDNSinHostst preferdnst passReqLowertreqlowert passReqUppertrequppert passReqDigittreqdigitt passReqOthertreqothertenableFaillocktfaillocktpasswordAlgorithmtpassalgoR_t 
hesiodlhsR`t hesiodrhsRat ldapserverRbt ldapbasednt ldapCacertURLtldaploadcacertRct krb5realmRdtkrb5kdcRetkrb5adminservertsmartcardModuletsmartcardmoduletsmartcardActiontsmartcardactiont nisDomaint nisdomaint nisServert nisservert smbWorkgroupt smbworkgroupt smbServerst smbserverst smbSecurityt smbsecuritytsmbRealmtsmbrealmt smbIdmapRanget smbidmaprangetwinbindSeparatortwinbindseparatortwinbindTemplateHomedirtwinbindtemplatehomedirtwinbindTemplateShelltwinbindtemplateshellt ipav2Domaint ipav2domaint ipav2Realmt ipav2realmt ipav2Servert ipav2servert passMinLent passminlent passMinClasst passminclasst passMaxRepeatt passmaxrepeattpassMaxClassRepeattpassmaxclassrepeatt faillockArgst faillockargstenabletdisableRis!The passminlen minimum value is 6is-The passminlen option value is not an integeris+The passminclass value must not be negativeis0The passminclass value must not be higher than 4s/The passminclass option value is not an integers,The passmaxrepeat value must not be negatives0The passmaxrepeat option value is not an integers1The passmaxclassrepeat value must not be negatives5The passmaxclassrepeat option value is not an integert%is(Bad smart card removal action specified.sO--enablerequiresmartcard is not supported for module 'sssd', option is ignored.tmd5tdescrypts;Unknown password hashing algorithm specified, using sha256.tsha256(,t iteritemsRRPtsetattrRfRNR,Rt ldapSchematAttributeErrorRRctgetKerberosKDCRdtgetKerberosAdminServerReRR tintR9RIR3t ValueErrorRRRt winbindjointsplittjoinUserRt joinPasswordt ipav2joinRRKRMRt IndexErrortenablerequiresmartcardRRt enablemd5Rt disablemd5RL(Rt bool_settingststring_settingstopttaivaltvaltlstRA((s#/usr/share/authconfig/authconfig.pytoverrideSettingssB      $!                                   
&      cCstS(N(RN(R((s#/usr/share/authconfig/authconfig.pytdoUIgscCsht}|jjr'|jjt}n|jjdkrd|jjtr[|jjqdt }n|S(N( RNRPRRft joinDomainRR t joinIPADomaintwriteSysconfigR,(Rtret((s#/usr/share/authconfig/authconfig.pyRjs  cCs|jj|jjr7|jjs7d|_q7n|jj|jjrn|jjsd|_qn!|jj |j sd|_n|j sd|_n|jj |jj dS(Niiii(RfttestLDAPCACertsRtdownloadLDAPCACertR3trehashLDAPCACertsRPRURt writeChangedRiRtposttnostart(R((s#/usr/share/authconfig/authconfig.pyt writeAuthInfoxs       cCs|j|jjr0|jtjdn|jj rrtjdkrr|jt dtjdn|j |jj r|j j }tjt| n|jjr|j j|jj}tjt| n|jjr$|j j|jj}tjt| n|j|j|jsv|jjrf|jt dntjdn|jjr|j jn |j|jS(Niscan only be run as rootisdialog was cancelledi(R]RPRRRRQRSRltgetuidR9RIRkRXRft restoreLastRRWt restoreBackupRVt saveBackupRxRRt printInfoRR3(Rtrv((s#/usr/share/authconfig/authconfig.pytruns6             (RRR4R6R9RCR]RRRkRxRRRRR%(((s#/usr/share/authconfig/authconfig.pyR+Ys   $    t AuthconfigTUIcBseZdZdZdZdZdddZdZdZ dZ dZ d Z d Z d Zd Zd ZdZRS(cCsdS(Nsauthconfig-tui((R((s#/usr/share/authconfig/authconfig.pyR6scCs/|jjr+|jjr+|jjtndS(N(RPt kickstartRRfRRN(R((s#/usr/share/authconfig/authconfig.pyRscCs|s dSx|r|d}|d}t|tkrv|jjr_|d}|d}qv|d}|d}ntj|tjstd||d|f}tj |j td|tdgn|d}q WdS(NiiisThe %s file was not found, but it is required for %s support to work properly. 
Install the %s package, which provides this file.tWarningtOki( ttypettupleRft sssdSupportedRlRmtR_OKRItsnacktButtonChoiceWindowtscreen(Rttoggletwarningtpathtpackagettext((s#/usr/share/authconfig/authconfig.pytwarns         +c# CsEtjtdddg}tjtdddg}tjtjftdd6dg}tjtjftdd7dg}tjtj ftd d8dg}tj td d dg}tj tdddg}tj tdddg}tj tdd|g} tjtdd| g} tjdd} tjtd} | j| ddddddtjtdt|jj} }| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|ddddddtjtdt|jj}}| j|dd ddddtjtd!t|jj}}| j|dd"ddddtjdd#}tjtd$} |j| ddddddtjtd%t|jjd&k}}|j|ddddddtjtd't|jj}}|j|ddddddtjtd(t|jj}}|j|ddddddtjtd)t|jj}}|j|dd ddddtjtd*t|jj}}|j|dd"ddddtjtd+t|jj }}|j|ddddddtjtd,t|jj!}}|j|dd-ddddtjdd}|j| ddddd.dd/d9|j|ddd0dd.dd/d:tjdd}tj"|j#j$rtd1ptd2}tj"td3}|j|dd|j|ddtjdd}|j|dddd|j|ddddtj%} |j&j'|td4| j(|| j)} | |kr.| j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*|j_|j*rd&|j_n!|jjd&krd5|j_n|j*|j_|j*|j_|j*|j_ |j*|j_!|j*|j_|jj|f|jj|f|jj|f|jj| f|jj|f|jj|f|jj|f|jj|f|jj | fg }!x)|!D]}"|j+|"d|"dq Wn|j&j,| |kS(;NtcachingtnscdsFingerprint readert pam_fprintdtKerberostpam_krb5s sssd-clientsLDAP authenticationtpam_ldaptLDAPs nss-pam-ldapdtNIStypbindsshadow passwords shadow-utilstWinbinds samba-clientsWinbind authentications samba-winbindiisUser Informationit anchorLefttgrowxsCache InformationsUse LDAPisUse NISis Use IPAv2is Use WinbindiitAuthenticationsUse MD5 PasswordsRsUse Shadow PasswordssUse LDAP Authentications Use KerberossUse Fingerprint readersUse Winbind Authentications!Local authorization is sufficientit anchorToptpaddingt anchorRighttBacktCanceltNextsAuthentication ConfigurationR(R;s sssd-client(R<s sssd-client(s nss-pam-ldapds sssd-client(iiii(iiii(-RKRvRIR RwRqRtRrRsRuRnt PATH_PWCONVtPATH_WINBIND_NETtPATH_PAM_WINBINDtPATH_LIBNSS_WINBINDR.tGridtLabeltsetFieldtCheckboxtboolRfRRRRRRRyRRRRRjtButtonRPtbacktFormR0tgridWrappedWindowtaddR%tselectedR6t popWindow(#Rt warnCachet warnFprintdt warnKerberost warnLDAPAuthtwarnLDAPtwarnNISt warnShadowtwarnWinbindNettwarnWinbindAutht warnWinbindtinfoGridtcompRtcbRRRRtauthGridRRztldapaRtfprintdRR{tmechGridt 
buttonGridtcanceltoktmainGridtformt allwarningsR2((s#/usr/share/authconfig/authconfig.pytgetMainChoicess$$$(((((.((((((%%-       cCst|}tjd|}d} g} xn|D]f\} } } }| dkrtj| tt|j| }| j||jtj dd| dd|j|d| ddn| dkrEtj | }|j|d| d dddtj d t|j| d |}| j||j|d| d dnH| d kr:tj | }|j|d| d dddddy#t|j| }|j |Wnt k r|d}nXd}g}x*|D]"}|j||||kfqWtjd|}| j||j|d| ddnS| dkrtjd| dddd}| j||j|d| ddn| d7} q1Wtj|rdpdd}tj|}tj|}|rtj|pd}|j|dd|r!|j|ddn|j||r6dp9ddtjdd}|j|ddd dd d|j|ddd dd dtj}|jj|||j|xtr|j}||krPn| }x|D]\} } } }| dkr2t|j| |jdjq| dkrct|j| |jdjq| d krt|j| |jdjq| dkr|jdqqW||krPn|r|qqW|jj||kS(NiittfvalueRRFiRAtsvalueREi(thiddenRBtrvalueRDtlvaluei2tflexDowntflexUpi(iiii(iiii(iiii(iiii(RR.RNRQRRRRfR RPROtEntrytindexRR tRadioBartTextboxReflowedRSRUR0RVRWRNR%RtpopRXtvaluet getSelectionRY(Rtdtitletitemst canceltxttoktxtt anothertxtt anothercbtrowst questionGridtrowtwidgetstttdesctattrRRfRetselt buttonlisttvtradioBarRkRlRmtanotherRnRotwcopy((s#/usr/share/authconfig/authconfig.pytgetGenericChoices6s  $ " $  %            % % %   c Csdtdddfdtdddfdtdddfg}|jtd |td |rrtd p{td d tdd|jS(NRssDomain:RisRealm:RsServer:RsIPAv2 SettingsRGRIR)Rs Join DomainR(RIRtmaybeGetJoinSettings(Rtnextt questions((s#/usr/share/authconfig/authconfig.pytgetIPAv2Settingss *cCsdtdddfdtdddfdtdd dfg}|jtd |td |rrtd p{td S(NRrsUse TLSRRssServer:RaisBase DN:Rbs LDAP SettingsRGRIR)(RIR R(RRR((s#/usr/share/authconfig/authconfig.pytgetLDAPSettingss cCsjdtdddfdtdddfg}|jtd|td|r]td pftd S( NRssDomain:RisServer:Rs NIS SettingsRGRIR)(RIR(RRR((s#/usr/share/authconfig/authconfig.pytgetNISSettingsscCsdtdddfdtdddfdtdddfd td d dfd td d dfg}|jtd|td|rtdptdS(NRssRealm:RcisKDC:Rds Admin Server:ReRrs"Use DNS to resolve hosts to realmsRs!Use DNS to locate KDCs for realmsRsKerberos SettingsRGRIR)(RIR R(RRR((s#/usr/share/authconfig/authconfig.pytgetKerberosSettingsscCsdtdddfdtdddfg}|jjsKd|j_n|jtd |td td r|jj|jj|jjr|jjt n|jj r|jj t n|jj nt S( NRssDomain Administrator:Ris Password:Rit Administrators Join SettingsRHR)( 
RIRfRRR0tsuspendRTRRRNRRtresume(RR((s#/usr/share/authconfig/authconfig.pytgetJoinSettingss     cCsdtdddfg}tj|j}|j|jjt}|jj|r|j td|tdtd}n|r|jj n|j t S(NRvsSome of the configuration changes you've made should be saved to disk before continuing. If you do not save them, then your attempt to join the domain may fail. Save changes?s Save SettingstNotYes( RIR RKRgR9RTRfR,tdiffersRRRRN(RRt orig_infoR((s#/usr/share/authconfig/authconfig.pyRs    c Csddg}ddddddg}d }t||}d td d |fd tdddfd tdddfd tdddfd tdd|fg}|jtd|td|rtdptddtdd|jS(Ntadstdomains /sbin/nologins/bin/shs /bin/bashs /bin/tcshs/bin/kshs/bin/zshcSstj|tjS(N(RlRmRo(tshell((s#/usr/share/authconfig/authconfig.pyt shellexistssRusSecurity Model:RRssDomain:RisDomain Controllers:Rs ADS Realm:RsTemplate Shell:RsWinbind SettingsRGRIR)Rs Join DomainR(tfilterRIRR(RRtsecuritytshellsRR((s#/usr/share/authconfig/authconfig.pytgetWinbindSettingss   *cCs:d}t}x!|dkr/|dkr/|jj|dkrO|j}n|dkr|jjr|jjp|jjp|jjp|jjp|jj p|jj }|j |}qn>|dkr-|jjs|jjr|jjp|jjp|jj p|jj }|j |}qn|dkr~|jjr|jjpf|jj pf|jj }|j |}qn|dkr|jjr|jj p|jj }|j|}qn?|dkr|jj s|jj rt}|j|}qn|jj|r"|d7}q|d8}qW|dkS( Niiiiiiii(R,RfRTRqRRRRRRRRRRRR(RRtrctmore((s#/usr/share/authconfig/authconfig.pyt getChoicessT                           cCsBtd|jj}tj|jtd|tdgdS(NsTo connect to a LDAP server with TLS protocol enabled you need a CA certificate which signed your server's certificate. Copy the certificate in the PEM format to the '%s' directory. 
Then press OK.R(R)(RIRft ldapCacertDirR.R/R0(RR5((s#/usr/share/authconfig/authconfig.pytdisplayCACertsMessages  cCs|jjrtSztj|_|j}|jjtd|jj dd|d|j s{|jj t S|j jr|j jr|jnWd|jj XtS(NsN / between elements | selects | next screenis - (c) 1999-2005 Red Hat, Inc.(RPR'RNR.t SnackScreenR0R6t pushHelpLineRIt drawRootTextRtfinishR,RfRRR(Rtpackageversion((s#/usr/share/authconfig/authconfig.pyRs    N(RRR6RR6RqR RRRRRRRRRRR(((s#/usr/share/authconfig/authconfig.pyR&s    r_       - t__main__R5(RKtacutiltgettextRltsignalRtlgettextRItoptparseRRRt setlocaletLC_ALLtErrorR7RRR.RRR+R&RtSIGINTtSIG_DFLt textdomainR6RQR%(((s#/usr/share/authconfig/authconfig.pyts20     $P