files/devfs_lysator.rules

+#Set group of /dev/drm files to lysator
+#
+[drm_setgroup=6]
+add path 'drm/*' mode 0660 group lysator

files/ldap/autofs/include_ldap

@@ -3,6 +3,8 @@
 # $FreeBSD: releng/12.1/usr.sbin/autofs/autofs/include_ldap 280321 2015-03-21 09:42:37Z trasz $
 #
 
+query_ldap()
+{
 	# Modify this to suit your needs.  The "$1" is the map name, eg. "auto_master".
 	# To debug, simply run this script with map name as the only parameter.  It's
 	# supposed to output map contents ("key location" pairs) to standard output.
@@ -12,7 +14,8 @@ VALUE_ATTRIBUTE="automountInformation"
 
 	# fstype=nfs4 fungerar inte på FreeBSD då det inte finns något
 	# NFS-filsystem. Använd sed för att byta det till något vettigare.
-/usr/local/bin/ldapsearch -LLL -x -o ldif-wrap=no -b "$SEARCHBASE" "$ENTRY_ATTRIBUTE" "$VALUE_ATTRIBUTE" | sed 's/fstype=nfs4/nfsv4,minorversion=1/' | awk '
+	/usr/local/bin/ldapsearch -LLL -x -o ldif-wrap=no -b "$SEARCHBASE" "$ENTRY_ATTRIBUTE" "$VALUE_ATTRIBUTE" |
+		sed 's/fstype=nfs4/nfsv4,minorversion=1,retrycnt=1/' | grep -v 'mail' | awk '
 	$1 == "'$ENTRY_ATTRIBUTE':" {
 		key = $2
 	}
@@ -55,3 +58,29 @@ NF == 0 {
 		delete value
 	}
 	'
+}
+
+# Hämta en lista med alla användarnamn
+get_users()
+{
+	/usr/local/bin/ldapsearch -LLL -x -o ldif-wrap=no -b "cn=users,cn=accounts,dc=ad,dc=lysator,dc=liu,dc=se" uid |
+		awk '$1 == "uid:" { print $2; }'
+}
+
+# Specialhantera auto.home genom att konstruera en yttricklig lista
+# med vilka användarmonteringar som finns. Detta för att undvika att
+# automount försöker montera kataloger som inte finns under /home.
+if [ "$1" = "auto.home" ]
+then
+	# Plocka ut monteringsinställningar, borde ge något liknande
+	# -nfsv4,minorversion=1,sec=sys,nosuid,rw home:/ceph-home/users/
+	HOME_MOUNT="$(query_ldap "auto.home" | head -n 1 |
+		awk '{ sub("\\&", "", $3); print($2 " " $3); }')"
+	# Konstruera en uttrycklig lista med hemkatalogmonteringar på
+	# formen:
+	# $användarnamn -nfsv4,minorversion=1,sec=sys,nosuid,rw home:/ceph-home/users/$användarnamn
+	{ echo defaults; get_users; } |
+		awk -v home_mount="$HOME_MOUNT" '{ print($1 " " home_mount $1); }'
+else
+	query_ldap "$1"
+fi

files/ldap/krb5.conf

@@ -14,6 +14,7 @@
 		pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
 		pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 		kdc = trocca.ad.lysator.liu.se
+		kdc = champis.ad.lysator.liu.se
 	}
 
 [domain_realm]

files/ldap/nslcd.conf

@@ -15,7 +15,7 @@ gid nslcd
 #uri ldaps://127.0.0.1/
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
-uri ldap://trocca.ad.lysator.liu.se/
+uri ldaps://trocca.ad.lysator.liu.se/ ldaps://champis.ad.lysator.liu.se/
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
@@ -62,7 +62,7 @@ scope sub
 #idle_timelimit 3600
 
 # Use StartTLS without verifying the server certificate.
-ssl start_tls
+#ssl start_tls
 #tls_reqcert never
 
 # CA certificates for server certificate verification

files/ldap/nsswitch.conf

@@ -3,14 +3,14 @@
 # $FreeBSD: releng/12.1/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
 #
 group: files ldap
-group_compat: nis
+#group_compat: nis
 hosts: files dns
-netgroup: compat
+netgroup: ldap
 networks: files
-passwd: files ldap
-passwd_compat: nis
+passwd: compat
+passwd_compat: ldap
 shells: files
 services: compat
-services_compat: nis
+services_compat: cache
 protocols: files
 rpc: files

files/ldap/openldap/ldap.conf

@@ -12,7 +12,7 @@
 #TIMELIMIT	15
 #DEREF		never
 
-URI ldaps://trocca.ad.lysator.liu.se
+URI ldaps://trocca.ad.lysator.liu.se ldaps://champis.ad.lysator.liu.se
 BASE dc=ad,dc=lysator,dc=liu,dc=se
 TLS_CACERT /usr/local/etc/ipa/ca.crt
 SASL_MECH GSSAPI

files/ldap/pam.d/sshd

@@ -5,8 +5,6 @@
 #
 
 # auth
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass

files/ldap/pam.d/system

@@ -5,8 +5,6 @@
 #
 
 # auth
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass nullok

files/nis/auto_master

-/home	auto_home	-nosuid,nfsv4,minorversion=1
-/mp	auto_lysator	-nosuid,nfsv4,minorversion=1

files/nis/include_yp

-#!/bin/sh
-/usr/bin/ypcat -k "$1" | \
-    sed 's/actimeo=\([0-9][0-9]*\)/acregmin=\1,acregmax=\1,acdirmin=\1,acdirmax=\1/' | \
-    sed 's/noquota//'
-# The actimeo-replace can be removed when FreeBSD starts supporting actimeo.

files/nis/krb5.conf

-[libdefaults]
-        default_realm = LYSATOR.LIU.SE
-        forwardable = true
-
-[realms]
-        LYSATOR.LIU.SE = {
-                kdc = as-master.lysator.liu.se
-                kdc = as-slave1.lysator.liu.se
-                admin_server = as-master.lysator.liu.se
-        }
-
-[domain_realm]
-        .lysator.liu.se = LYSATOR.LIU.SE
-
-[appdefaults]
-        kinit = {
-                renewable = true
-                forwardable = true
-        }

files/nis/nsswitch.conf

-group: cache files nis
-#group_compat: nis
-hosts: files dns
-netgroup: compat
-networks: files
-passwd: cache files nis
-#passwd_compat: nis
-shells: files
-services: compat
-services_compat: cache nis
-protocols: files
-rpc: files

files/nis/pam.sshd

-#
-# $FreeBSD: releng/11.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
-#
-# PAM configuration for the "sshd" service
-#
-
-# auth
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-auth		sufficient	pam_krb5.so		no_warn try_first_pass
-#auth		sufficient	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass
-
-# account
-account		required	pam_nologin.so
-#account	required	pam_krb5.so
-account		required	pam_login_access.so
-account		required	pam_unix.so
-
-# session
-#session	optional	pam_ssh.so		want_agent
-session		required	pam_permit.so
-
-# password
-password	sufficient	pam_krb5.so		no_warn try_first_pass
-password	required	pam_unix.so		no_warn try_first_pass

files/nis/pam.su

-#
-# $FreeBSD: releng/11.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
-#
-# PAM configuration for the "su" service
-#
-
-# auth
-auth		sufficient	pam_rootok.so		no_warn
-auth		sufficient	pam_self.so		no_warn
-auth		requisite	pam_group.so		no_warn group=root root_only fail_safe ruser
-auth		include		system
-
-# account
-account		include		system
-
-# session
-session		required	pam_permit.so

files/nis/pam.system

-#
-# $FreeBSD: releng/11.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
-#
-# System-wide defaults
-#
-
-# auth
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-auth		sufficient	pam_krb5.so		no_warn try_first_pass
-#auth		sufficient	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass nullok
-
-# account
-#account	required	pam_krb5.so
-account		required	pam_login_access.so
-account		required	pam_unix.so
-
-# session
-#session	optional	pam_ssh.so		want_agent
-session		required	pam_lastlog.so		no_fail
-
-# password
-#password	sufficient	pam_krb5.so		no_warn try_first_pass
-password	required	pam_unix.so		no_warn try_first_pass

files/puppet.conf

+[main]
+server = chapman.lysator.liu.se

files/rc.conf.d/blacklistd

+# Den här filen hanteras av puppet
+blacklistd_enable="YES"

files/rc.conf.d/devfs

+# Den här filen hanteras av puppet
+devfs_system_ruleset="drm_setgroup"
+devfs_rulesets="/etc/devfs.rules /etc/defaults/devfs.rules /etc/devfs_lysator.rules"

files/rc.conf.d/firewall_open

+# Den här filen hanteras av puppet
+firewall_enable="YES"
+firewall_type="open"

files/rc.conf.d/sendmail

+# Filen är hanterad av puppet
+sendmail_enable="NO"
+sendmail_submit_enable="NO"
+sendmail_outbound_enable="NO"
+sendmail_msp_queue_enable="NO"