-rw-r--r-- | laps.spec | 6 | ||||
-rw-r--r-- | src/usr/share/doc/laps/README.md | 4 | ||||
-rw-r--r-- | src/usr/share/doc/laps/changes | 4 | ||||
-rw-r--r-- | src/usr/share/doc/laps/version.txt | 2 | ||||
-rwxr-xr-x | src/usr/share/laps/laps.sh | 61 |
5 files changed, 44 insertions, 33 deletions
@@ -1,6 +1,6 @@ %define debug_package %{nil} Name: laps -Version: 0.0.2 +Version: 0.0.3 Release: 1 Summary: local administrator password solution @@ -44,5 +44,5 @@ cp -pr %{name}*/src/* "%{buildroot}" %{_datadir}/%{name} %changelog -* Wed Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1 -- initial rpm built +* Fri Mar 1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1 +- rpm built diff --git a/src/usr/share/doc/laps/README.md b/src/usr/share/doc/laps/README.md index 204b97d..7b5c95f 100644 --- a/src/usr/share/doc/laps/README.md +++ b/src/usr/share/doc/laps/README.md @@ -12,6 +12,10 @@ See /etc/laps/laps.conf.example for how to configure the client. The administrator needs to write **/etc/laps/laps.conf** and **/etc/laps/lapsldap.conf**. Copying and modifying the example config files is the recommended way to provide the configs. +For first use, use the -f flag to force the password change so the timestamp is initialized. + + /usr/share/laps/laps.sh -f + # Prepare the domain The OU where the Linux systems are placed in the domain will need some ACLS set up, which are identical to what the LAPS documentation describes. For a brief summary: diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes index 9566fdc..51a0c15 100644 --- a/src/usr/share/doc/laps/changes +++ b/src/usr/share/doc/laps/changes @@ -2,3 +2,7 @@ - fix $2 read action should provide date of expiration on -d 1 - fix #3 add readme.md to front directory - fix #4 laps does not recognize expired kerberos tickets + +* Mar 1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1 +- fix #5 document the recommended use of "-f" for first run +- merge !1 handle empty password change timestamp LDAP attribute diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt index 4e379d2..bcab45a 100644 --- a/src/usr/share/doc/laps/version.txt +++ b/src/usr/share/doc/laps/version.txt @@ -1 +1 @@ -0.0.2 +0.0.3 
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh index 132e2e9..c81e7a4 100755 --- a/src/usr/share/laps/laps.sh +++ b/src/usr/share/laps/laps.sh @@ -6,7 +6,7 @@ # Title: Local Administrator Password Solution for Linux # Purpose: LAPS Equivalent for GNU/Linux # Package: laps -# History: +# History: see upstream project at https://gitlab.com/bgstack15/laps # Usage: # Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a # Improve: @@ -23,7 +23,7 @@ # sed (sed) # awk (gawk) fiversion="2018-09-12a" -lapsversion="2018-10-24b" +lapsversion="2019-03-01a" usage() { ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE 
@@ -179,26 +179,27 @@ get_attrib_from_ldap() { # execute to check for ldap or kerberos errors ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )" - if test "$?" -ne 0 ; then - if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; + if test "$?" -ne 0 ; then - ferror "Kerberos ticket expired. Any values from ldap will be garbage." - return 1; - elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; - then - ferror "GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf. Any values from ldap will be garbage." - return 1; - elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; - then - ferror "TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf. Any values from ldap will be garbage." - return 1; - else - { - echo "other ldap error:" - echo "${___gtfl_stderr}" - } | debuglevoutput 9 - return 1; - fi + if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; + then + ferror "Fatal: Kerberos ticket expired." + return 1; + elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; + then + ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf." + return 1; + elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; + then + ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf." + return 1; + else + { + echo "Fatal: other ldap error:" + echo "${___gtfl_stderr}" + } | debuglevoutput 9 + return 1; + fi fi # execute for actually fetching the value 
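Review bot: In the new `else` branch the only diagnostic, `Fatal: other ldap error:` plus the captured stderr, still goes through `debuglevoutput 9`, so at the default debug level the function returns 1 with nothing on stderr while the three recognised errors report through ferror. I would add `ferror "Fatal: other ldap error; rerun with debug level 9 for the ldapsearch output."` ahead of the braced group, which keeps the possibly verbose stderr at level 9 but leaves an operator with a reason for the failure. The pattern matching also feeds `${___gtfl_stderr}` to `echo`; `printf '%s\n' "${___gtfl_stderr}" | grep -qiE 'Ticket expired'` avoids echo interpreting a leading option or backslash sequence in the captured text, and the same applies to the two elif lines. get_attrib_from_ldap starts and ends outside this hunk.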
@@ -207,9 +208,10 @@ get_attrib_from_ldap() { "${___gtfl_attrib}" 2>/dev/null ; \ echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \ } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )" - ___gtfl_ldap_success="$( cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )" - if test "$___gtfl_ldap_success" -ne 0 ; then - ferror "LDAP lookup failed" + ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )" + if test "${___gtfl_ldap_success}" != "0" ; + then + ferror "Fatal: LDAP lookup failed" return 1 fi @@ -235,7 +237,8 @@ wrapper_get_timestamp_from_ldap() { test "$?" -eq 0 || return 1 ts_epoch=0 - if test -n "$ts_filetime" ; then + if test -n "$ts_filetime" ; + then debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}" ts_epoch="$( "${___wgtfl_datetime_py}" -e "${ts_filetime}" )" fi @@ -395,7 +398,7 @@ wrapper_change_password() { then echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}" else - ___wcp_stdout="$( { echo "${___wcp_phrase}" ; echo "${___wcp_phrase}" ; } | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )" + ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )" fi ___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )" @@ -405,7 +408,7 @@ wrapper_change_password() { debuglev 4 && ferror "${___wcp_stdout}" ;; *) - # successful operation + # failed operation ferror "${scriptfile}: 8 fatal! Unable to change password for ${___wcp_user}:\n${___wcp_stdout}" exit 8 ;; 
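Review bot: The new `___gtfl_ldap_success` default relies on the status file ending with a newline: `head -n1` over `cat` output followed by `echo "1"` would yield `01` for a file written without one, which the `!= "0"` test then reports as a lookup failure. That is correct today because the writer visible in the context above is `echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"`, but the coupling deserves a comment next to the assignment, e.g. `# missing or empty status file counts as failure; depends on the writer's trailing newline`. The fail-closed default itself is the right call: on the old line an empty value would have made `test -ne` exit with an error status, so the `if` would have skipped the failure branch and treated the lookup as successful. get_attrib_from_ldap starts and ends outside this hunk.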
@@ -526,8 +529,8 @@ clean_laps() { # Delayed cleanup if test -z "${LAPS_NO_CLEAN}" ; then - nohup /bin/bash <<EOF 1>/dev/null 2>&1 & -sleep "${LAPS_CLEANUP_SEC:-300}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ; + nohup /bin/sh <<EOF 1>/dev/null 2>&1 & +sleep "${LAPS_CLEANUP_SEC:-3}" ; /bin/rm -r "${LAPS_TMPDIR:-NOTHINGTODELETE}" 1>/dev/null 2>&1 ; EOF fi } |
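Review bot: The heredoc fed to the detached `/bin/sh` is unquoted, so `${LAPS_TMPDIR:-NOTHINGTODELETE}` and `${LAPS_CLEANUP_SEC:-3}` are expanded by this shell into script text that the child parses again; even if the directory name is script-generated today, a value containing `"`, `$` or a backquote would change the command the child runs, and the `NOTHINGTODELETE` sentinel is a relative path that `rm -r` removes if such a directory exists in the working directory. Passing the values as arguments avoids the second round of parsing: `nohup /bin/sh -c 'sleep "$1"; test -n "$2" && /bin/rm -r -- "$2"' sh "${LAPS_CLEANUP_SEC:-3}" "${LAPS_TMPDIR:-}" 1>/dev/null 2>&1 &`. The move from 300 to 3 seconds shortens how long the temporary files outlive the script, which is worth stating in a comment such as `# remove the tmpdir shortly after exit; LAPS_CLEANUP_SEC overrides the delay`. clean_laps begins outside this hunk; its closing brace is the last line here.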