forked from obel1x/fedora-OEMDRV
Daniel unbrot Pätzold
6806a218a9
SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab before the cached-credential fallback is reached. Adding krb5_validate = False disables the keytab validation step and restores reliable offline authentication for FreeIPA domain users. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
178 lines
8.9 KiB
Bash
Executable File
178 lines
8.9 KiB
Bash
Executable File
#!/usr/bin/env sh
|
|
# SPDX-FileCopyrightText: Daniel Pätzold
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
#
|
|
# Central sofwareinstallation script. Should be called from logon-script via sudo and prereserved env
|
|
|
|
#Check for root
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo "Error: Script requires root privileges. It should be executed via logon-script and not standalone."
|
|
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
|
fi
|
|
|
|
# Ensure krb5_validate = False in sssd.conf to restore offline auth
|
|
# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
|
|
# fails with EACCES before the cached-credential fallback is reached)
|
|
_SSSD_CONF="/etc/sssd/sssd.conf"
|
|
if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then
|
|
echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
|
|
sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
|
|
systemctl restart sssd
|
|
fi
|
|
|
|
#Check Token
|
|
if [ "${DAVTOKEN_USER}." == "." ]; then
|
|
echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
|
|
echo "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
|
|
echo "Hint: the rule must contain the !authenticate and setenv option to work."
|
|
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
|
fi
|
|
|
|
#Install or update Nextcloud com.nextcloud.desktopclient.nextcloud
|
|
echo "Update or install Nextcloud client"
|
|
/usr/bin/flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo && \
|
|
/usr/bin/flatpak install -y --or-update --noninteractive flathub com.nextcloud.desktopclient.nextcloud && echo "Done Update/Install of Nextcloud."
|
|
if [[ $? -ne 0 ]]; then
|
|
echo ""
|
|
echo "There seems to be a problem with your network connection. Please first check, if your network can be established before reuming."
|
|
echo "You can press CRTL+C to abort now. Than your data wont be accessible and you need to run \"$0\" again."
|
|
echo "You can also continue without network. You may need your personal encryptionkey for accessing your data."
|
|
read -n 1 -s -r -p "Please check Network and press any Key to continue"
|
|
fi
|
|
echo ""
|
|
|
|
# Ensure session bus access for Nextcloud (may be blocked by Flatseal or missing from manifest)
|
|
/usr/bin/flatpak override --system --socket=session-bus com.nextcloud.desktopclient.nextcloud
|
|
|
|
#Do an upgrade of the Base package if its configured and if there are changes
|
|
chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
|
|
chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
|
|
if [[ ! -z "${REPO_URL}" ]]; then
|
|
echo "Checking for Upgrades on ${REPO_URL} and Branch ${REPO_BRANCH}"
|
|
REMOTEURL=$( git config --get remote.origin.url )
|
|
echo "Remote git URL is ${REMOTEURL}"
|
|
if [[ "${REMOTEURL}" != "${REPO_URL}" ]]; then
|
|
echo "This Repo is not on the matching URL, so no update is possible. If you want to change this, check out the docs on how to setup from scratch."
|
|
else
|
|
GITBRANCH=$( git rev-parse --abbrev-ref HEAD )
|
|
echo "Current branch is ${GITBRANCH}"
|
|
if [[ "${GITBRANCH}" != "${REPO_BRANCH}" ]]; then
|
|
echo "This Repo is not on the right branch, so no update is possible."
|
|
else
|
|
# Doing upgrade, discarding all local changes frist (is more save than forced pull)
|
|
echo "Checks have passed, we are now upgrading via git."
|
|
#Fetch latest commit only (depth=1), reset working tree, purge old history and untracked files
|
|
git fetch --depth=1 origin ${REPO_BRANCH} && git reset --hard FETCH_HEAD && git -C "${SYSCONFIGPATH}" clean -fd && git gc --prune=now --quiet
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Error: Failure while updating, will continue as is."
|
|
fi
|
|
fi
|
|
fi
|
|
else
|
|
echo "REPO_URL is not specified in conf - No Upgrade option available."
|
|
fi
|
|
echo ""
|
|
|
|
# At first, sync central configs if they are configured to be synced
|
|
if [[ ! -z "${DISTCONFIGPATH_SRC}" ]]; then
|
|
echo "Synced config path was found, doing remote sync."
|
|
SYNCCMD="sudo -i /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${DISTCONFIGPATH_SRC} ${DISTCONFIGPATH} https://${SERVERFQDN_NC}"
|
|
SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
|
|
echo "Exec: ${SYNCCMD_HIDDENPW}"
|
|
echo "Sync Configuration"
|
|
${SYNCCMD} >${TEMPDIR}/synccmd_last.log 2>&1
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Error in sync:"
|
|
echo ""
|
|
cat ${TEMPDIR}/synccmd_last.log
|
|
echo ""
|
|
echo "Please check if your Token is setup right and for the above Output"
|
|
read -n 1 -s -r -p "Press any key to continue"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
echo "Sucessfully synced."
|
|
echo ""
|
|
|
|
# Check, if we are in configure-mode and if so, remove the file and reread the now new synced configuration
|
|
if [ -f $(dirname "$0")/../config.d/configure.conf ]; then
|
|
#Check if configuration was obtained by sync
|
|
if [ -f $(dirname "$0")/../config/setup_system.conf ]; then
|
|
echo "Existing configuration found in Repository, removing configure-mode and reread the configuration."
|
|
rm -f $(dirname "$0")/../config.d/configure.conf.bak >/dev/null
|
|
mv $(dirname "$0")/../config.d/configure.conf $(dirname "$0")/../config.d/configure.conf.bak
|
|
OLD_REPO_URL="$REPO_URL"
|
|
OLD_REPO_BRANCH="$REPO_BRANCH"
|
|
source $(dirname "$0")/setup_system.inc.sh
|
|
#Compare the Repository URLS after that
|
|
if [ "$REPO_URL" != "$OLD_REPO_URL" ] || [ "$REPO_BRANCH" != "$OLD_REPO_BRANCH" ]; then
|
|
echo "The Repository for installation was"
|
|
echo "$OLD_REPO_URL Branch $OLD_REPO_BRANCH"
|
|
echo "After reading the config, the Repository has changed to"
|
|
echo "$REPO_URL Branch $REPO_BRANCH"
|
|
echo
|
|
echo "Do you want to create a system specific configuration for the installation Repository, so that"
|
|
read -r -p "only this system will stay on the Repository for installation? [y/N]: " CREATE_REPO_CONF
|
|
if [[ "${CREATE_REPO_CONF,,}" == "y" ]]; then
|
|
echo "export REPO_URL=\"$OLD_REPO_URL\"" >$(dirname "$0")/../config.d/repo.conf
|
|
echo "export REPO_BRANCH=\"$OLD_REPO_BRANCH\"" >>$(dirname "$0")/../config.d/repo.conf
|
|
echo "Wrote new $(dirname "$0")/../config.d/repo.conf"
|
|
fi
|
|
fi
|
|
else
|
|
echo "System is in configure-mode and configuration repository was found and synced, but still not configuration was found"
|
|
echo "checking file $(dirname "$0")/../config/setup_system.conf"
|
|
echo ""
|
|
echo "Please make a copy of system_setup/config.dist/setup_system.conf.dist to config/setup_system.conf and check all settings there."
|
|
echo "Then rerun the logon script to sync the file to your repository."
|
|
echo "Press any key to continue" && read -n 1 -s -r && exit 1
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
#Check if Repository is defined
|
|
if [ "${CLIENT_SOFTWARE_DST}." == "." ]; then
|
|
echo "No central softwarerepository defined (CLIENT_SOFTWARE_DST). Skipping sync."
|
|
else
|
|
# Then, sync all client_software-files
|
|
if [[ ! -z "${CLIENT_SOFTWARE_SRC}" ]]; then
|
|
echo "Syncing central softwarerepository ${CLIENT_SOFTWARE_DST}"
|
|
# Create Directory if not existent
|
|
mkdir -p ${CLIENT_SOFTWARE_DST}
|
|
SYNCCMD="sudo -i /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=nextcloudcmd com.nextcloud.desktopclient.nextcloud -h -u ${DAVTOKEN_USER} -p ${DAVTOKEN_PASS} --path ${CLIENT_SOFTWARE_SRC} ${CLIENT_SOFTWARE_DST} https://${SERVERFQDN_NC}"
|
|
SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
|
|
echo "Exec: ${SYNCCMD_HIDDENPW}"
|
|
echo "Sync Client Software"
|
|
${SYNCCMD} >${TEMPDIR}/synccmd_last.log 2>&1
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Error in sync:"
|
|
echo ""
|
|
cat ${TEMPDIR}/synccmd_last.log
|
|
echo ""
|
|
echo "Please check if your Token is setup right and for the above Output"
|
|
read -n 1 -s -r -p "Press any key to continue"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
echo "Sucessfully synced."
|
|
fi
|
|
echo ""
|
|
|
|
# After sync again, restore the rights to all filles. They must be owned by root, changeable by admingroup and readable by otherusers (we are root, so we can change!)
|
|
chown root:${CLIENTADMINGROUP} -R ${SYSCONFIGPATH}
|
|
chmod ug+rwX,o=rX -R ${SYSCONFIGPATH}
|
|
#Make all install.sh executable
|
|
find ${CLIENT_SOFTWARE_DST} -type f -name install.sh -exec chmod ugo+x {} \;
|
|
|
|
#Run Software setup
|
|
echo "Running Setup of Software"
|
|
if [ $1 == "install" ]; then
|
|
${CLIENT_SOFTWARE_DST}/install.sh $2
|
|
if [ $? -ne 0 ]; then
|
|
exit 1
|
|
fi
|
|
fi
|
|
fi
|
|
echo ""
|
|
exit 0
|