* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme

- Replicate user accounts to samba Active Directory [SME: 12799]
* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
2025-06-05 16:40:38 -04:00 · 2025-03-17 22:55:51 -04:00 · 2025-03-06 17:14:41 -05:00 · 2025-03-06 17:11:29 -05:00 · 2025-03-05 22:14:37 -05:00 · 2025-03-05 22:10:01 -05:00
67 changed files with 699 additions and 83 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@
 *spec-20*
 *.tar.xz
 *.bak
+*gz
+*.patch
--- a/18
+++ b/18
@@ -45,7 +45,7 @@ foreach (qw(
    /etc/diald.conf
    /etc/diald.filter
    /etc/diald/link
-    /var/service/ippp/config
+    /usr/lib/systemd/system/ippp.service.d/50koozali.conf
    /etc/ppp/ioptions
    ))
 {
@@ -303,10 +303,11 @@ my $event = "smeserver-base-update";


 event_link("remove-templates-custom", $event, "02");
+event_link("systemd-journald", $event, "02");
+event_link("dhgenerator", $event, "03");
 templates2events("/etc/smartmontools/smartd.conf", $event);
 templates2events("/home/e-smith/ssl.pem/pem", $event);
 templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $event);
-event_link("systemd-journald", $event, "02");
 event_link("fix-startup", $event, "05");
 event_link("init-accounts", $event, "05");
 event_link("mail-spool-fix", $event, "05");
@@ -612,13 +613,24 @@ $event = "ldap-update";
 templates2events("/home/e-smith/ssl.pem/pem", $event);

 #--------------------------------------------------
-# actions for ldap-update event
+# actions for ssl-update event
 #--------------------------------------------------

 $event = "ssl-update";

 templates2events("/home/e-smith/ssl.pem/pem", $event);

+#--------------------------------------------------
+# actions for dhparam-update event
+#--------------------------------------------------
+
+$event = "dhparam-update";
+
+event_link("dhgenerator", $event, "03");
+templates2events("/etc/crontab", $event);
+# add templates to expand  + service to try-restart in target packages
+# templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
+# safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/dovecot"); 

 #--------------------------------------------------
 # actions for email-update event:
--- a/root/etc/e-smith/db/accounts/defaults/Primary/SSLRequireSSL
+++ b/root/etc/e-smith/db/accounts/defaults/Primary/SSLRequireSSL
@@ -0,0 +1 @@
+enabled
--- a/root/etc/e-smith/db/accounts/defaults/primary/type
+++ b/root/etc/e-smith/db/accounts/defaults/primary/type
@@ -1 +0,0 @@
-system
--- a/root/etc/e-smith/db/accounts/migrate/10primary
+++ b/root/etc/e-smith/db/accounts/migrate/10primary
@@ -0,0 +1,10 @@
+{
+    # Delete any pre-existing primary=system record (all lower case)
+    my $p = $DB->get('primary');
+    return unless defined $p;
+
+    my $type = $p->prop('type');
+    return unless defined $type;
+
+    $p->delete if $type eq 'system';
+}
--- a/root/etc/e-smith/db/configuration/defaults/modSSL/type
+++ b/root/etc/e-smith/db/configuration/defaults/modSSL/type
@@ -1 +1 @@
-service
+configuration
--- a/root/etc/e-smith/db/configuration/defaults/pam_abl/type
+++ b/root/etc/e-smith/db/configuration/defaults/pam_abl/type
@@ -1 +1 @@
-service
+configuration
--- a/root/etc/e-smith/db/configuration/defaults/pam_faillock/status
+++ b/root/etc/e-smith/db/configuration/defaults/pam_faillock/status
--- a/root/etc/e-smith/db/configuration/defaults/pam_faillock/type
+++ b/root/etc/e-smith/db/configuration/defaults/pam_faillock/type
@@ -0,0 +1 @@
+configuration
--- a/root/etc/e-smith/db/configuration/defaults/pam_tally/type
+++ b/root/etc/e-smith/db/configuration/defaults/pam_tally/type
@@ -1 +0,0 @@
-service
--- a/root/etc/e-smith/db/configuration/defaults/pppoe/type
+++ b/root/etc/e-smith/db/configuration/defaults/pppoe/type
@@ -1 +1 @@
-service
+configuration
--- a/root/etc/e-smith/db/configuration/defaults/serial-console/type
+++ b/root/etc/e-smith/db/configuration/defaults/serial-console/type
@@ -1 +1 @@
-service
+configuration
--- a/root/etc/e-smith/db/configuration/migrate/05pam_faillock
+++ b/root/etc/e-smith/db/configuration/migrate/05pam_faillock
@@ -0,0 +1,11 @@
+{
+    my $pamtally = $DB->get("pam_tally") or return;
+
+    my $pamfaillock = $DB->get("pam_faillock") ||
+        $DB->new_record("pam_faillock", { type => "service" });
+
+    $pamfaillock->merge_props($pamtally->props);
+
+    $pamtally->delete;
+}
+
--- a/root/etc/e-smith/db/configuration/migrate/smeserver-base-configuration
+++ b/root/etc/e-smith/db/configuration/migrate/smeserver-base-configuration
@@ -0,0 +1,5 @@
+{
+ foreach my $sservice (qw(serial-console pppoe modSSL pam_abl pam_faillock)) {
+  $DB->set_prop($sservice, "type", "configuration") if  ${$sservice}{type} eq "service";
+  }
+}
--- a/root/etc/e-smith/events/actions/dhgenerator
+++ b/root/etc/e-smith/events/actions/dhgenerator
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use esmith::ssl;
+
+my $event=shift||"program";
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 2048;
+# load config db
+
+mkdir($folder, 0700) unless(-d $folder );
+# if program (or during updates) we only generate the 2048 to start all programs after install without waiting too much
+if ( $event eq "program" || $event eq "temp" ) {
+	my $exit_code=dh_exists_good_size($KeySize,"$folder/$KeySize.pem") || system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+  exit 0;
+}
+# if called as event, we generate a 4096 if 2096 exist, and then expand templates for services in need of this 
+#  then the event will restart the service to use stronger dh.pem
+else {
+ $KeySize =  4096 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ print "Key size is  $KeySize\n";
+ exit 0 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ # here we should test if uptime  > 2 hours and return if not enough uptime
+ system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+ exit 0; 
+}
+
--- a/root/etc/e-smith/events/actions/group-create-unix
+++ b/root/etc/e-smith/events/actions/group-create-unix
@@ -137,7 +137,9 @@ foreach my $member (@groupMembers)
    # new group to the list. Finally sort, join and run the usermod
    # function to update the group list for this member.

-    my $cmd = "/usr/bin/id -G -n '$member'";
+    #my $cmd = "/usr/bin/id -G -n '$member'";
+    # this will not fail in case of apache aliase before www in passwd
+    my $cmd = "/usr/bin/groups '$member' 2>/dev/null | cut -d' ' -f3- ";
    my $groups = `$cmd 2>/dev/null`; 
    if ($? != 0)
    {
--- a/root/etc/e-smith/events/actions/group-modify-unix
+++ b/root/etc/e-smith/events/actions/group-modify-unix
@@ -131,22 +131,22 @@ foreach my $group (@groups)
 	# Get the supplementary group list for the member we are adding or
 	# deleting.
 	#my $cmd = "/usr/bin/id -G -n '$member'";
-  # this will not fail in case of apache before www in passwd
-  my $cmd = "/usr/bin/groups '$member'"; 
+	# this will not fail in case of apache before www in passwd
+	my $cmd = "/usr/bin/groups '$member' 2>/dev/null | cut -d' ' -f3- "; 
 	my $groups = `$cmd 2>/dev/null`; 
 	if ($? != 0)
 	{
 	    die "Failed to get supplementary group list for $member.\n";
 	}
-  $groups =~ s/^.*:\s+//;
+	$groups =~ s/^.*:\s+//;
 	chomp ($groups);

 	my @groupList = split (/\s+/, $groups);
 	@groupList = grep (!/^$member$/, @groupList);
 	# Apache is an alias for www
 	@groupList = map { $_ =~ s/^apache$/www/g; $_ } @groupList;
-  # www needs to be in shared
-  push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));
+	# www needs to be in shared
+	push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));

 	if ($oldMembers{$member})
 	{
--- a/root/etc/e-smith/events/actions/systemd-default
+++ b/root/etc/e-smith/events/actions/systemd-default
@@ -54,7 +54,9 @@ if (!symlink($old_qfn, $new_qfn)) {

 # we let the dedicated systemd command tryin to do what we will do later in this script
 # as up to systemd 236 it is bugged see:
-#  https://github.com/systemd/systemd/pull/7158 and https://github.com/systemd/systemd/pull/7289
+#  https://github.com/systemd/systemd/pull/7158 : systemctl: respect [Install] section in drop-ins: should be fixed in SME 12 (239)
+#  https://github.com/systemd/systemd/issues/9477 : aliases; open
+#  https://github.com/systemd/systemd/pull/9901 allow instantiated units to be enabled via presets v240
 system("/usr/bin/systemctl  preset-all");
 # in case preset-all messed up  with our default target
 system("/usr/bin/systemctl  set-default sme-server.target");
@@ -101,10 +103,11 @@ foreach my $filen (reverse sort keys %files) {
 	    my $service=$2;
 	    my $stats=$1;
 #	    print $_ ."\n"; 
-	    #ignore service that does not exists !
+	    # ignore service that does not exists !
+	    # here we are searching for service@instance.service type
 	    my $multiple = $service;
 	    ($multiple = $service ) =~ s/([a-zA-Z0-9\-_.]+@)(.*)/$1.service/ if ( $service =~ /@/ );
-	    #print "$stats $service $multiple\n";
+	    #print "$stats $service $multiple\n" if $service ne $multiple;
 	    next unless ( -e "/usr/lib/systemd/system/$service" or -e "/etc/systemd/system/$service" or -e "/usr/lib/systemd/system/$multiple");
 	    # eliminate duplicates, this way we keep only the last entry of the lowest file as we do it in reverse order of file,
 	    # but from top to bottom of file.
@@ -117,7 +120,7 @@ foreach my $filen (reverse sort keys %files) {
 		#print "want $service \n";
            }
            else {
-                my $wanted = `grep -P '^WantedBy=.*sme-server.target' /usr/lib/systemd/system/$service*  /etc/systemd/system/$service* -rsh` ;
+                my $wanted = `grep -P '^WantedBy=.*sme-server.target' /usr/lib/systemd/system/$service*  /etc/systemd/system/$service* /usr/lib/systemd/system/$multiple* /etc/systemd/system/$multiple* -rsh` ;
                chomp $wanted;
 		$wantedBy{$service}=1 unless ( $wanted eq "");
 		#print "want $service \n" unless ( $wanted eq "") ;
--- a/root/etc/e-smith/events/actions/update-passwd
+++ b/root/etc/e-smith/events/actions/update-passwd
@@ -28,6 +28,7 @@ use Errno;
 use esmith::AccountsDB;

 my $a = esmith::AccountsDB->open_ro or die "Could not open accounts db";
+my $c = esmith::ConfigDB->open_ro or die "Could not open configuration db";

 foreach my $u ($a->users)
 {
@@ -40,6 +41,23 @@ foreach my $u ($a->users)

 	system("/usr/bin/smbpasswd", "-d", $user) == 0
 	    or warn("Problem locking smbpassword for user $user\n");
+
+	my $serv = $c->get('samba') || '';
+	if (($serv eq 'service') && ($user ne 'administrator'))
+	{
+	my $samba = $c->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $c->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $c->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+        {
+	    $samba = 'disabled';
+        }
+	if ($samba eq 'enabled')
+	{
+	system("/usr/bin/samba-tool", "user", "disable", "$user", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	    or warn("Problem locking addc password for user $user\n");
+	}
+	}
    }
 }

--- a/root/etc/e-smith/events/actions/user-create-unix
+++ b/root/etc/e-smith/events/actions/user-create-unix
@@ -134,4 +134,23 @@ if ($ldapauth ne 'enabled')
 system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
    and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );

+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "add", "$userName", "--random-password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not create (addc) user for $userName\n" );
+system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not lock (addc) password for $userName\n" );
+}
+}
+
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-delete-unix
+++ b/root/etc/e-smith/events/actions/user-delete-unix
@@ -75,4 +75,21 @@ $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (lda
 $result = $ldap->ldapdelgroup($userName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );

+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "delete", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Failed to delete (addc) account $userName.\n" );
+}
+}
+
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-lock-passwd
+++ b/root/etc/e-smith/events/actions/user-lock-passwd
@@ -78,6 +78,23 @@ sub lock_user
    {
        $conf->set_value('PasswordSet', 'no');
    }
+
+    my $serv = $conf->get('samba') || '';
+    if (($serv eq 'service') && ($userName ne 'administrator'))
+    {
+    my $samba = $conf->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $conf->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+        or ( $x = 255, warn "Error locking (addc) account $userName" );
+    }
+    }
 }

 sub bad_password_users
--- a/root/etc/e-smith/templates/etc/crontab/dhgenerate
+++ b/root/etc/e-smith/templates/etc/crontab/dhgenerate
@@ -0,0 +1,8 @@
+{
+use esmith::ssl;
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 4096;
+$OUT = "#4096 dhparam exists";
+$OUT = '@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update'."\n" unless (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+}
+
--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
@@ -1,9 +1,10 @@
-{
-    my $status = $pam_tally{status} || 'disabled';
-    return unless $status eq 'enabled';
-    $OUT .= "auth        required      pam_tally.so onerr=fail no_magic_root";
-}
 auth        required      pam_env.so
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    # lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
+    $OUT .= "auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
+}
 {
    my $status = $pam_abl{status} || 'disabled';
    return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth        sufficient    pam_unix.so likeauth nullok
    return unless $status eq 'enabled';
    $OUT .= "auth        sufficient    pam_ldap.so use_first_pass";
 }
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    $OUT .= "auth        [default=die]      pam_faillock.so authfail audit deny=3 unlock_time=600";
+}
 auth        required      pam_deny.so

--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
@@ -7,7 +7,9 @@ account     sufficient    pam_succeed_if.so uid < 100 quiet
 }
 account     required      pam_permit.so
 {
-    my $status = $pam_tally{status} || 'disabled';
+    my $status = $pam_faillock{status} || 'disabled';
    return unless $status eq 'enabled';
-    $OUT .= "account     required      pam_tally.so deny=5 reset no_magic_root";
+    # if you drop this call to pam_faillock.so the lock will be done also
+    # on non-consecutive authentication failures
+    $OUT .= "account     required      pam_faillock.so";
 }
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/32dhcpd
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32dhcpd
@@ -1,4 +1,3 @@
-
 # dhcpd
 :programname, isequal, "dhcpd"            /var/log/dhcpd/dhcpd.log
 & stop
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/32ippp
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32ippp
@@ -0,0 +1,3 @@
+# ippp
+:programname, isequal, "ippp"            /var/log/ippp/ippp.log
+& stop
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/32wan
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32wan
@@ -0,0 +1,3 @@
+# wan
+:programname, isequal, "wan"            /var/log/wan/wan.log
+& stop
--- a/root/etc/e-smith/templates/etc/shells/bash
+++ b/root/etc/e-smith/templates/etc/shells/bash
@@ -1 +1,2 @@
 /bin/bash
+/usr/bin/bash
--- a/root/etc/e-smith/templates/etc/shells/bash2
+++ b/root/etc/e-smith/templates/etc/shells/bash2
@@ -1 +1,2 @@
 /bin/bash2
+/usr/bin/bash2
--- a/root/etc/e-smith/templates/etc/shells/console
+++ b/root/etc/e-smith/templates/etc/shells/console
@@ -1 +1,2 @@
 /sbin/e-smith/console
+/usr/sbin/e-smith/console
--- a/root/etc/e-smith/templates/etc/shells/csh
+++ b/root/etc/e-smith/templates/etc/shells/csh
@@ -1 +1,2 @@
 /bin/csh
+/usr/bin/csh
--- a/root/etc/e-smith/templates/etc/shells/false
+++ b/root/etc/e-smith/templates/etc/shells/false
@@ -1 +1,2 @@
 /bin/false
+/usr/bin/false
--- a/root/etc/e-smith/templates/etc/shells/sh
+++ b/root/etc/e-smith/templates/etc/shells/sh
@@ -1 +1,2 @@
 /bin/sh
+/usr/bin/sh
--- a/root/etc/e-smith/templates/home/e-smith/dh.pem
+++ b/root/etc/e-smith/templates/home/e-smith/dh.pem
@@ -0,0 +1,35 @@
+{
+    use esmith::ssl;
+    # for the generation of originals in /home/e-smith/dh.pem/ 
+    # we check that 4096 exist, if not we default to 2048. If not we generate it
+    # for replication : we copy what we have
+
+    my $DHSize = $modSSL{DHSize} ||'4096';
+    my $key = "/home/e-smith/dh.pem";
+    for my $DHSize (qw(4096 2048))
+    {
+			# if key exists and good size, we use it
+			if ( dh_exists_good_size($DHSize,"$key/$DHSize.pem") )
+			{
+				# Old key file is still good. Read it out - processTemplate will work
+				# out that it hasn't changed, and leave the old one in place
+				open(K, "$key/$DHSize.pem") or die "Couldn't open key file: $!";
+				my @key = <K>;
+				chomp @key;
+				$OUT = join "\n", @key;
+				close(K);
+				return;
+			}
+    }
+    # if nothing have ever been generated we call the action script as program
+    # it will generate a 2048, which 'should' be faster than 4096
+    # later if uptime is sufficient 4096 will be generated.
+    my $program = "/etc/e-smith/events/actions/dhgenerator";
+    system($program);
+    open(K, "$key/2048.pem") or die "Couldn't open dh file: $!";
+    my @key = <K>;
+    chomp @key; 
+    $OUT = join "\n", @key;
+    close(K);
+    return;
+}
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/ippp.service.d/50koozali.conf/20service
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/ippp.service.d/50koozali.conf/20service
@@ -0,0 +1,11 @@
+[Service]
+Environment={
+    $OUT = 'ppp_options="';
+    $OUT .= "user $DialupUserAccount name $DialupUserAccount ";
+    # If you really want to change the options used by ipppd, then
+    # you can set the IpppdOptions property of the 'isdn' service.
+    # If you do this, you'd better know what you are doing!
+    $OUT .= $isdn{'IpppdOptions'} ||  "noauth debug -vj -vjccomp -bsdcomp -ac -pc";
+    $OUT .= " noipdefault ipcp-accept-local ipcp-accept-remote";
+    $OUT .= ' ipparam diald"';
+}
--- a/root/etc/e-smith/tests/10e-smith-base/configuration.conf
+++ b/root/etc/e-smith/tests/10e-smith-base/configuration.conf
@@ -75,15 +75,15 @@ lpd=service|InitscriptOrder|60|status|enabled
 mariadb=service|InitscriptOrder|90|status|enabled
 masq=service|InitscriptOrder|06|Logging|none|Stealth|no|status|disabled
 maxIbayNameLength=2
-modSSL=service|status|enabled
+modSSL=configuration|status|enabled
 mysql.init=service|InitscriptOrder|99|status|enabled
 named=service|chroot|yes|status|enabled
 network=service|InitscriptOrder|10|status|enabled
 ntpd=service|InitscriptOrder|55|status|disabled
-php=service|status|enabled
+php=configuration|status|enabled
 pop3s=service|access|private|status|enabled
 popd=service|access|private|status|enabled
-pppoe=service|DemandIdleTime|no|InitscriptOrder|57|SynchronousPPP|no|status|disabled
+pppoe=configuration|DemandIdleTime|no|InitscriptOrder|57|SynchronousPPP|no|status|disabled
 qmail=service|InitscriptOrder|80|status|enabled
 random=service|InitscriptOrder|20|status|enabled
 scanner=service|ScannerFns|iscan|UpdateTime|1:14|scanMail|yes|status|enabled
--- a/root/etc/e-smith/web/functions/userpassword
+++ b/root/etc/e-smith/web/functions/userpassword
@@ -93,6 +93,23 @@ sub change_password {
    $accountdb = esmith::AccountsDB->open();

    $q->param(-name => 'status_message', -value => 'PASSWORD_CHANGE_SUCCESS');    
+
+    my $serv = $configdb->get('samba') || '';
+    if (($serv eq 'service') && ($acctName ne 'administrator'))
+    {
+    my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$pass", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+    }
+    }
    return;
 }

--- a/root/etc/logrotate.d/ippp
+++ b/root/etc/logrotate.d/ippp
@@ -0,0 +1,9 @@
+/var/log/ippp/ippp.log {
+    weekly
+    rotate 5
+    copytruncate
+    compress
+    notifempty
+    missingok
+}
+
--- a/root/etc/logrotate.d/wan
+++ b/root/etc/logrotate.d/wan
@@ -0,0 +1,9 @@
+/var/log/wan/wan.log {
+    weekly
+    rotate 5
+    copytruncate
+    compress
+    notifempty
+    missingok
+}
+
--- a/root/etc/sysconfig/modules/dummy.modules
+++ b/root/etc/sysconfig/modules/dummy.modules
@@ -1,3 +1,4 @@
 #!/bin/sh
 /sbin/modprobe dummy
+$(ip link show dummy0 2>/dev/null 1>&2)  || exec ip link add dummy0 type dummy
 exec ip link set dummy0 address 10:00:01:02:03:04
--- a/root/sbin/e-smith/systemd/ippp-pre
+++ b/root/sbin/e-smith/systemd/ippp-pre
@@ -11,7 +11,7 @@
 # This should run before dialds are started and before any attempt
 # is made to reconfigure ippp interfaces differently.

-config_file=./config
+LocalIP=$(/sbin/e-smith/config get LocalIP|| echo "127.0.0.88")

 modprobe hisax
 # TODO should check here for failure!!
@@ -55,4 +55,5 @@ ifconfig ippp0 "$LocalIP" \
 # where all the traffic is to/from the local
 # system. i.e. our reply must go out via the
 # diald slip proxy.
-exec ipppd ippp0 -detach -hostroute $pppopts
+# will be done in main process
+exit 0
--- a/root/service/ippp
+++ b/root/service/ippp
@@ -1 +0,0 @@
-/var/service/ippp
--- a/root/service/wan
+++ b/root/service/wan
@@ -1 +0,0 @@
-/var/service/wan
--- a/root/usr/lib/systemd/system-preset/50-koozali.preset
+++ b/root/usr/lib/systemd/system-preset/50-koozali.preset
@@ -15,12 +15,6 @@ enable networking.service
 enable wan.service
 enable masq.service
 enable php-fpm.service
-enable php55-php-fpm.service
-enable php56-php-fpm.service
-enable php70-php-fpm.service
-enable php71-php-fpm.service
-enable php72-php-fpm.service
-enable php73-php-fpm.service
 enable php74-php-fpm.service
 enable php80-php-fpm.service
 enable httpd-e-smith.service
@@ -73,3 +67,4 @@ disable ntpdate.service
 disable ftp.service
 disable proftpd.service

+enable dhparam-generator.service
--- a/root/usr/lib/systemd/system/bootstrap-console.service
+++ b/root/usr/lib/systemd/system/bootstrap-console.service
@@ -2,7 +2,7 @@
 Description=SME server bootstrap-console
 DefaultDependencies=no
 Conflicts=shutdown.target
-After=livesys.service plymouth-quit-wait.service
+After=livesys.service
 After=systemd-vconsole-setup.service
 Before=getty@tty1.service
 Before=shutdown.target
--- a/root/usr/lib/systemd/system/dhparam-generator.service
+++ b/root/usr/lib/systemd/system/dhparam-generator.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Diffie Hellman parameter generator
+#TODO: add Requires= or Wants= to those:
+Before=ftp.service
+Before=dovecot.service
+Before=qpsmtpd.service sqpsmtpd.service uqpsmtpd.service
+Before=radiusd.service
+
+[Service]
+Type=oneshot
+ExecStart=/etc/e-smith/events/actions/dhgenerator
+# sqpsmtpd and uqpsmtpd use a symlink to /var/service/qpsmtpd/ssl
+ExecStartPost=-/sbin/e-smith/expand-template /var/service/qpsmtpd/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/dovecot/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/raddb/certs/dh 
+
+PrivateTmp=true
+ProtectSystem=no
+ProtectHome=no
+PrivateDevices=false
+
+[Install]
+WantedBy=sme-server.target
+
--- a/root/usr/lib/systemd/system/ippp.service
+++ b/root/usr/lib/systemd/system/ippp.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Koozali SME Server ippp service for dialup
+After=network-pre.target
+After=networking.service
+Requires=network.target
+
+[Service]
+Type=simple
+#this needs to be updated  in a dropin file
+Environment=pppopts="user sme name sme noauth debug -vj -vjccomp -bsdcomp -ac -pc noipdefault ipcp-accept-local ipcp-accept-remote ipparam diald"
+ExecStartPre=-/sbin/e-smith/service-status ippp
+ExecStartPre=/sbin/e-smith/systemd/ippp-pre
+ExecStart=/usr/sbin/ipppd ippp0 -detach -hostroute $pppopts
+
+Restart=always
+RestartSec=20s
+SyslogIdentifier=ippp
+
+[Install]
+WantedBy=sme-server.target
+
--- a/root/usr/lib/systemd/system/ippp.service.d/.gitignore
+++ b/root/usr/lib/systemd/system/ippp.service.d/.gitignore
--- a/root/usr/lib/systemd/system/networking.service
+++ b/root/usr/lib/systemd/system/networking.service
@@ -1,8 +1,11 @@
 [Unit]
 Description= Network management for Koozali SME Server, using old sysvinit script
 After=network-pre.target
+Wants=network-online.target
 Wants=network.target
-Before=network-online.target wan.service
+Before=network-online.target 
+Before=network.target
+Before=wan.service
 Conflicts=NetworkManager.service

 [Service]
--- a/root/usr/lib/systemd/system/sme-server.target
+++ b/root/usr/lib/systemd/system/sme-server.target
@@ -8,6 +8,6 @@ Requires=basic.target
 Conflicts=rescue.service rescue.target multi-user.target
 After=basic.target rescue.service rescue.target runit.service
 AllowIsolate=yes
-Wants=atd.service auditd.service avahi-daemon.service brandbot.path nfs-client.target remote-fs.target rhel-configure.service
+Wants=atd.service auditd.service avahi-daemon.service nfs-client.target remote-fs.target 
 Wants=dbus.service plymouth-quit-wait.service plymouth-quit.service systemd-logind.service systemd-update-utmp-runlevel.service systemd-user-sessions.service

--- a/root/usr/lib/systemd/system/wan.service
+++ b/root/usr/lib/systemd/system/wan.service
@@ -1,16 +1,24 @@
 [Unit]
 Description=WAN interface for Koozali SME Server
-After=network-pre.target networking.service
+After=network-pre.target
+After=networking.service
 Before=network-online.target
 PartOf=networking.service

 [Service]
-Type=oneshot
+PermissionsStartOnly=true
+WorkingDirectory=/var/service/wan
+Type=simple
 ExecStartPre=/sbin/e-smith/service-status wan
-ExecStart=/usr/bin/sv u /service/wan
-ExecStop=/usr/bin/sv stop  /service/wan
-ExecReload=/usr/bin/sv t /service/wan
+ExecStart=/var/service/wan/run
+ExecReload=/var/service/wan/run
+
+#run.static will just exit, this might create an infinite loop
+#unless set on-failure on-abnormal on-abort on-watchdog
+Restart=on-failure
+RestartSec=20s
 RemainAfterExit=yes
+SyslogIdentifier=wan

 [Install]
 WantedBy=sme-server.target
--- a/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/useraccounts.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/useraccounts.pm
@@ -911,6 +911,29 @@ sub reset_password {

        $self->success($self->localise('PASSWORD_CHANGE_SUCCEEDED',
            { acctName => $acctName}));
+
+	my $serv = $configdb->get('samba') || '';
+	if (($serv eq 'service') && ($acctName ne 'administrator'))
+	{
+	my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+	{
+	    $samba = 'disabled';
+	}
+	if ($samba eq 'enabled')
+	{
+	my $password = $self->{cgi}->param('password1');
+	unless (($password) = ($password =~ /^([ -~]+)$/ ))
+	{
+	    return $self->error('TAINTED_PASSWORD');
+	}
+	$password = $1;
+	system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")  == 0
+	    or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+	}
+	}
    }
    else
    {
--- a/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
@@ -6,18 +6,26 @@ use esmith::ConfigDB;


 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos dh_exists_good_size);

 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
 our $DomainName = $configdb->get('DomainName')->value;
 our $FQDN = "$SystemName.$DomainName";

-# test key size
-# test key exists
+#default cipher list 
+our $smeCiphers = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:!ADH:!SSLv2:!ADH:!aNULL:!MD5:!RC4";
+#default protocol list 
+# 2024 phase out : TLS 1.1 and 1.0 ; insuficient: SSL 3.0, 2.0 and 1.0
+our $smeSSLprotocol = "TLSv1.2 TLSv1.3";
+
+# SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still in man page
+# it will throw  Option unknown option -ssl3
+our %existingSSLprotos=%{ {'SSLv3'=>1, 'TLSv1'=>1, 'TLSv1.1'=>1, 'TLSv1.2'=>1, 'TLSv1.3'=>1}};
+
 =head1 NAME

-esmith::php - A few tools to help with php-fpm installed versions
+esmith::ssl - A few tools to help with ssl handling

 =head1 SYNOPSIS

@@ -42,6 +50,7 @@ returns 0 if key is missing or wrong size
 returns 1 if key exists and key size is correct

 =cut
+
 sub key_exists_good_size {
    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
    my %modSSL = $configdb->as_hash('modSSL');
@@ -74,8 +83,8 @@ sub key_exists_good_size {
 # check cert size Public-Key
 # openssl rsa -noout -modulus -in domain.key | openssl md5
 # openssl x509 -noout -modulus -in domain.crt | openssl md5
-
 =cut
+
 sub cert_exists_good_size {
    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
    my %modSSL = $configdb->as_hash('modSSL');
@@ -99,6 +108,10 @@ sub cert_exists_good_size {
    return 0;
 }

+=head2 cert_is_cert
+check if file is really a certificate
+=cut
+
 sub cert_is_cert {
    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
    if ( -f $crt ) 
@@ -115,6 +128,10 @@ sub cert_is_cert {
    return 0;
 }

+=head2 key_is_key
+check if file is really a key
+=cut
+
 sub key_is_key {
    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
    if ( -f $key )
@@ -144,7 +161,40 @@ sub related_key_cert {
    }
    return 0;
 }
-##TODO migrate those actions from 
+
+=head2 dh_exists_good_size
+# check dh exist
+# check dh is indeed dh
+# check dh size 
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+=cut
+
+sub dh_exists_good_size {
+    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+    my %modSSL = $configdb->as_hash('modSSL');
+    my $KeySize = shift || $modSSL{DHSize} ||'4096';
+		my $dh = shift || "/home/e-smith/dh.pem/$KeySize.pem";
+    if ( -f $dh )
+    {
+  my $signatureKeySize = `openssl dhparam -text -noout -in $dh 2>/dev/null | grep "DH Parameters:" | head -1`;
+  chomp $signatureKeySize;
+  $signatureKeySize =~ s/^.*DH Parameters: \((.*) bit\)/$1/p;
+  if ( $signatureKeySize == $KeySize ) {
+    #print "$signatureKeySize\n";
+    # cert is  correct size and exists, we can proceed.
+    # next check key and cert are related
+    # next check cert is still valid
+    # next check alt name are still the same
+    return 1;
+  }
+    }
+    return 0;
+}
+
+
+
+##TODO write sub and migrate those actions from template fragments
 # check cert is related to key
 # => /etc/e-smith/templates/home/e-smith/ssl.crt 
 # check cert domain and alt
@@ -152,3 +202,126 @@ sub related_key_cert {
 # check is valid / expiry date
 # => /etc/e-smith/templates/home/e-smith/ssl.crt 
 ###################################
+
+=head2 SSLprotoApache
+output a list of allowed protocols with apache format
+e.g. -all +TLSv1.2 +TLSv1.3
+=cut
+
+sub SSLprotoApache{
+ my $protocols = " -all +".join(" +",split(" ",$smeSSLprotocol)) ." ";
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my $httpd = $configdb->get('httpd-e-smith');
+ # SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
+ # it will throw  Option unknown option -ssl3
+ #$protocols .= " +SSLv3" if ($httpd->{'SSLv3'} || 'disabled') eq 'enabled';
+ #  TODO: a loop using existingSSLprotos
+ $protocols .= " +TLSv1" if ($httpd->{'TLSv1'} || 'disabled') eq 'enabled';
+ $protocols .= " +TLSv1.1" if ($httpd->{'TLSv1.1'} || 'disabled') eq 'enabled';
+ # look closely this is to remove what has been added on first line,
+ # hence the minus sign and reverse logic.
+ $protocols .= " -TLSv1.2" unless ($httpd->{'TLSv1.2'} || 'enabled') eq 'enabled';
+ $protocols .= " -TLSv1.3" unless ($httpd->{'TLSv1.3'} || 'enabled') eq 'enabled';
+ return $protocols;
+}
+
+=head2 SSLprotoQpsmtpd
+output an expected IO::Socket::SSL string to enable 
+only the wanted TLS versions
+SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
+=cut
+
+sub SSLprotoQpsmtpd{
+ my $service= shift || 'qpsmtpd';
+ my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+ my %qpsmtpd = %{$configdb->get($service)};
+ # SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
+ # it will throw  Option unknown option -ssl3
+ my $protocols = "SSLv23:!SSLv2:!SSLv3";
+ # TODO: a loop using existingSSLprotos and SSLprotoHyphen()
+ $protocols .= ':!TLSv1' unless ($qpsmtpd{'TLSv1'} || 'disabled') eq 'enabled';
+ $protocols .= ':!TLSv1_1' unless ($qpsmtpd{'TLSv1.1'} || 'disabled') eq 'enabled';
+ $protocols .= ':!TLSv1_2' unless ($qpsmtpd{'TLSv1.2'} || 'enabled') eq 'enabled';
+ $protocols .= ':!TLSv1_3' unless ($qpsmtpd{'TLSv1.3'} || 'enabled') eq 'enabled';
+ return $protocols;
+}
+
+=head2 SSLproto
+default display of list of protocol. This is how it will be displayed in 
+httpd.conf and proftpd.conf
+e.g. TLSv1.2 TLSv1.3
+=cut
+
+sub SSLproto{
+return $smeSSLprotocol;
+}
+
+=head2 SSLprotoComa
+way to display protocols in Mariadb as a string list separated by coma
+e.g. TLSv1.2,TLSv1.3
+=cut
+
+sub SSLprotoComa{
+my $string = shift || $smeSSLprotocol;
+$string =~ s/[ :]/,/g;
+return $string;
+}
+
+=head2 SSLprotoHyphen
+convert TLSv1.2 to TLSv1_2
+This is the format required by perl IO::Socket::SSL; and as the result by 
+qpsmtpd, uqpsmtpd, sqpsmtpd SME Server services
+=cut
+
+sub SSLprotoHyphen {
+my $string = shift || $smeSSLprotocol;
+$string =~ s/[ ,]/:/g;
+$string =~ s/\./_/g;
+return $string;
+}
+
+=head2 SSLprotoMin
+display only the lower protocol, as expected for dovecot
+ssl_min_protocol = TLSv1.2
+# limit : will not handle all or sslv23 as input
+=cut
+
+sub SSLprotoMin{
+  my @SSLarray =  split(" ",shift || $smeSSLprotocol);
+  my %hash ;
+  foreach my $value (@SSLarray) {
+    my $toto = $value =~ s/(.*)(\d{1})+$/$2/r;
+    # hack for TLS > SSL
+    $toto = ($value =~ /^TLS/) ? "2$toto" : "1$toto";
+    $hash{$toto}=$value ;
+  }
+  my @keys_sorted_by_value = sort { $a <=> $b } keys %hash;
+  my $lowest_value = $keys_sorted_by_value[0] ;
+  return $hash{$lowest_value};
+}
+
+=head2 SSLprotoLDAP
+convert min protocol suported to LDAP format
+TLSProtocolMin          3.3
+To require TLS 1.x or higher, set this option to 3.(x+1), e.g., TLSProtocolMin 3.2          would require TLS 1.1.
+from $smeSSLprotocol = "TLSv1.2 TLSv1.3";
+=cut
+
+sub SSLprotoLDAP{
+  # convert to array 
+  my @SSLarray =  split(" ",shift || $smeSSLprotocol);
+  return "3.0" if  (grep /^SSLv3$/, @SSLarray);
+  # TLSv1
+  return "3.1" if (grep /^TLSv1$/ , @SSLarray);
+  # keep only digit after .
+  @SSLarray = grep{ $_ =~ s/(.*)(\d{1})+$/$2/ } @SSLarray;
+  # order
+  @SSLarray = sort @SSLarray;
+  # get lower
+  my $num = $SSLarray[0];
+  # sum 3.1 + 0.$x
+  $num = "0.".$num;
+  # return
+  $num = $num +3.1;
+  return $num;
+}
--- a/root/var/service/ippp/down
+++ b/root/var/service/ippp/down
--- a/root/var/service/ippp/log/run
+++ b/root/var/service/ippp/log/run
@@ -1,6 +0,0 @@
-#! /bin/sh
-
-exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
-    /var/log/ippp
--- a/root/var/service/ippp/supervise/.gitignore
+++ b/root/var/service/ippp/supervise/.gitignore
--- a/root/var/service/wan/down
+++ b/root/var/service/wan/down
--- a/root/var/service/wan/log/run
+++ b/root/var/service/wan/log/run
@@ -1,7 +0,0 @@
-#! /bin/sh
-
-exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
-    /var/log/wan
-
--- a/root/var/service/wan/log/supervise/.gitignore
+++ b/root/var/service/wan/log/supervise/.gitignore
--- a/root/var/service/wan/run
+++ b/root/var/service/wan/run
@@ -9,4 +9,5 @@ then
 fi

 echo script run.$config not found - please report this as a bug
-sleep 100
+#sleep 100
+exit 0
--- a/root/var/service/wan/run.DHCPEthernetAddress
+++ b/root/var/service/wan/run.DHCPEthernetAddress
@@ -0,0 +1,31 @@
+#!/bin/sh
+#----------------------------------------------------------------------
+# copyright (C) 1999-2006 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+#
+#----------------------------------------------------------------------
+exec 2>&1
+
+. ./dhclient.config
+
+configfile=/var/lib/dhclient/dhclient-$interface.conf
+leasefile=/var/lib/dhclient/dhclient-$interface.leases
+
+export PEERDNS=no
+exec /sbin/dhclient -d \
+    -cf $configfile \
+    -lf $leasefile \
+    $interface
--- a/root/var/service/wan/run.DHCPHostname
+++ b/root/var/service/wan/run.DHCPHostname
@@ -0,0 +1,31 @@
+#!/bin/sh
+#----------------------------------------------------------------------
+# copyright (C) 1999-2006 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+#
+#----------------------------------------------------------------------
+exec 2>&1
+
+. ./dhclient.config
+
+configfile=/var/lib/dhclient/dhclient-$interface.conf
+leasefile=/var/lib/dhclient/dhclient-$interface.leases
+
+export PEERDNS=no
+exec /sbin/dhclient -d \
+    -cf $configfile \
+    -lf $leasefile \
+    $interface
--- a/root/var/service/wan/run.dialup
+++ b/root/var/service/wan/run.dialup
@@ -3,7 +3,8 @@
 ISDN=$(/sbin/e-smith/config getprop isdn status)
 if [ "$ISDN" = "enabled" ]
 then
-    sv u /service/ippp
+    # Stop and then start. If the units are not running yet, they will be started.	
+    /usr/bin/systemctl restart ippp
    sleep 10
    # TODO check here that ISDN device is available!!
 fi
--- a/root/var/service/wan/run.pppoe.conf
+++ b/root/var/service/wan/run.pppoe.conf
@@ -0,0 +1,21 @@
+#------------------------------------------------------------
+#	       !!DO NOT MODIFY THIS FILE!!
+# 
+# Manual changes will be lost when this file is regenerated.
+#
+# Please read the developer's guide, which is available
+# at http://www.contribs.org/development/
+#
+# Copyright (C) 1999-2006 Mitel Networks Corporation
+#------------------------------------------------------------
+/sbin/ifconfig eth1 up mtu 1500
+/sbin/modprobe ppp_generic
+/sbin/modprobe ppp_async
+/sbin/modprobe ppp_synctty
+DEVICE=eth1
+# add pppoe module
+/sbin/modprobe pppoe
+PPPD_MLIMIT=100000000
+
+# PPPOE_TIMEOUT should be about 4*LCP_INTERVAL
+PPPOE_TIMEOUT=120
--- a/root/var/service/wan/supervise/.gitignore
+++ b/root/var/service/wan/supervise/.gitignore
--- a/smeserver-base.spec
+++ b/smeserver-base.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 18
+%define release 32
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -49,6 +49,9 @@ Requires: bash-completion
 Requires: smeserver-runit >= 2.6.0-7
 Requires: smeserver-php >= 3.0.0-22
 Requires: smeserver-yum >= 2.6.0-43 
+# daemontools bins in use : 
+# /var/service/wan/run.pppoe
+Requires: /usr/bin/softlimit 
 Obsoletes: nss_ldap < 254
 Obsoletes: cpu
 Obsoletes: rlinetd, e-smith-mod_ssl
@@ -65,7 +68,11 @@ BuildRequires: smeserver-devtools >= 1.13.1-03
 BuildRequires: gettext
 Requires: gdisk
 Requires: ppp
-Requires: rp-pppoe 
+Requires: rp-pppoe
+# pam autoblock 
+Requires: pam_abl 
+# isdn wan connection (ippp)
+Requires: isdn4k-utils
 %define dbfiles accounts configuration domains hosts networks
 AutoReqProv: no

@@ -114,25 +121,13 @@ mkdir -p $RPM_BUILD_ROOT/etc/selinux
    --dir /home/e-smith/ssl.crt 'attr(0700,root,root)' \
    --dir /home/e-smith/ssl.pem 'attr(0700,root,root)' \
    --dir /var/service/wan 'attr(1755,root,root)' \
-    --file /var/service/wan/down 'attr(0644,root,root)' \
    --file /var/service/wan/run 'attr(0750,root,root)' \
    --file /var/service/wan/run.dhclient 'attr(0750,root,root)' \
    --file /var/service/wan/run.pppoe 'attr(0750,root,root)' \
    --file /var/service/wan/run.static 'attr(0750,root,root)' \
    --file /var/service/wan/run.dialup 'attr(0750,root,root)' \
    --file /var/service/wan/run.disabled 'attr(0750,root,root)' \
-    --dir /var/service/wan/supervise 'attr(0700,root,root)' \
-    --dir /var/service/wan/log 'attr(1755,root,root)' \
-    --file /var/service/wan/log/run 'attr(0750,root,root)' \
-    --dir /var/service/wan/log/supervise 'attr(0700,root,root)' \
    --dir /var/log/wan 'attr(2750,smelog,smelog)' \
-    --dir /var/service/ippp 'attr(1755,root,root)' \
-    --file /var/service/ippp/down 'attr(0644,root,root)' \
-    --file /var/service/ippp/run 'attr(0750,root,root)' \
-    --dir /var/service/ippp/supervise 'attr(0700,root,root)' \
-    --dir /var/service/ippp/log 'attr(1755,root,root)' \
-    --file /var/service/ippp/log/run 'attr(0750,root,root)' \
-    --dir /var/service/ippp/log/supervise 'attr(0700,root,root)' \
    --dir /var/log/ippp 'attr(2750,smelog,smelog)' \
    --dir /etc/e-smith/skel/user/.ssh 'attr(0700,root,root)' \
    --file /etc/sysconfig/modules/dummy.modules 'attr(0755,root,root)' \
@@ -160,6 +155,9 @@ rm -rf $RPM_BUILD_ROOT
 /sbin/e-smith/create-system-user smelastsys 2999 \
    'sme last system user marker' /tmp /bin/false

+
+exit 0
+
 %post
 LEXICONS=$(find /etc/e-smith/locale/*/etc/e-smith/web/panels/password/cgi-bin/userpassword -type f 2>/dev/null)

@@ -184,6 +182,54 @@ fi


 %changelog
+* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme
+- Replicate user accounts to samba Active Directory [SME: 12799]
+
+* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
+- handle dh params with template [SME: 12826]
+ TODO timer and event
+- foolproofing dummy.module
+
+* Thu Mar 06 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-30.sme
+- systemd unit for ippp [SME: 12876]
+- systemd unit for wan [SME: 12875]
+- improve networking service unit [SME: 12541]
+
+* Wed Mar 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-29.sme
+- change key type from service to configuration [SME: 11367]
+
+* Thu Feb 20 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-28.sme
+- clean sme-server.target [SME: 12931]
+
+* Sun Feb 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-27.sme
+- fix missing allowed shell for login [SME: 12926]
+
+* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme
+- add pam_abl requirement [SME: 12914]
+- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
+- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
+
+* Tue Feb 04 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-25.sme
+- fix boot ordering cycle [SME: 12902]
+
+* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme
+- ippp and wan requires daemontools bins [SME: 12566]
+
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-23.sme
+- handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827]
+  this will allow to sync all service default protocol and ciphers
+  in one place.
+
+* Fri Jan 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-21.sme
+- improve support of  systemd service with instance service@instance.service [SME: 12859]
+
+* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-20.sme
+- Primary default to SSL required and redirect [SME: 12858]
+- cleanup remove primary=system [SME: 8268]
+
+* Tue Dec 31 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-19.sme
+- fix www removed from shared on group creation [SME: 12848]
+
 * Mon Dec 23 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-18.sme
 - add vlan support on External Interface [SME: 12677]
 - fix typo [SME: 12763]
Author	SHA1	Message	Date
Jean-Philippe Pialasse	6957c1ab9c	* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme - Replicate user accounts to samba Active Directory [SME: 12799]	2025-06-05 16:40:38 -04:00
Jean-Philippe Pialasse	8615e569eb	* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme - handle dh params with template [SME: 12826] TODO timer and event - foolproofing dummy.module	2025-03-17 22:55:51 -04:00
Jean-Philippe Pialasse	ccd94a71e2	* Thu Mar 06 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-30.sme - systemd unit for ippp [SME: 12876] - systemd unit for wan [SME: 12875] - improve networking service unit [SME: 12541]	2025-03-06 17:14:41 -05:00
Jean-Philippe Pialasse	33833b4033	* Thu Mar 06 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-30.sme - systemd unit for ippp [SME: 12876] - systemd unit for wan [SME: 12875]	2025-03-06 17:11:29 -05:00
Jean-Philippe Pialasse	a3f80cc6fa	test	2025-03-05 22:14:37 -05:00
Jean-Philippe Pialasse	f0f7b201cc	* Wed Mar 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-29.sme - change key type from service to configuration [SME: 11367]	2025-03-05 22:10:01 -05:00
Jean-Philippe Pialasse	d0b26d9228	* Thu Feb 20 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-28.sme - clean sme-server.target [SME: 12931]	2025-02-20 22:55:39 -05:00
Jean-Philippe Pialasse	c58758fe43	* Sun Feb 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-27.sme - fix missing allowed shell for login [SME: 12926]	2025-02-16 02:18:26 -05:00
Jean-Philippe Pialasse	f1752e7aa5	* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme - add pam_abl requirement [SME: 12914] - add isdn4k-utils requirement for ippp isdn connections [SME: 12909] - remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]	2025-02-12 22:18:04 -05:00
Jean-Philippe Pialasse	4c64e91235	* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme - add pam_abl requirement [SME: 12914] - add isdn4k-utils requirement for ippp isdn connections [SME: 12909] - remove pam_tally as deprecated in favor of pam_faillock [SME: 12913] - fix CGI::param called in list context [SME: 12888]	2025-02-12 22:17:17 -05:00
Jean-Philippe Pialasse	74d45e3c8e	* Tue Feb 04 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-25.sme - fix boot ordering cycle [SME: 12902]	2025-02-04 21:19:28 -05:00
Jean-Philippe Pialasse	507734d114	* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme - ippp and wan requires daemontools bins [SME: 12566]	2025-01-26 16:22:48 -05:00
Jean-Philippe Pialasse	0dfb543664	* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-23.sme - handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827] this will allow to sync all service default protocol and ciphers in one place.	2025-01-18 16:19:09 -05:00
Jean-Philippe Pialasse	8c05c61008	* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-22.sme - handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827] this will allow to sync all service default protocol and ciphers in one place.	2025-01-18 15:15:02 -05:00
Jean-Philippe Pialasse	e4b308e422	* Fri Jan 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-21.sme - improve support of systemd service with instance service@instance.service [SME: 12859]	2025-01-03 01:54:02 -05:00
Jean-Philippe Pialasse	5c4bf19137	* Thu Jan 02 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-20.sme - Primary default to SSL required and redirect [SME: 12858] - cleanup remove primary=system [SME: 8268]	2025-01-02 00:36:45 -05:00
Jean-Philippe Pialasse	5b938b2987	* Tue Dec 31 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-19.sme - fix www removed from shared on group creation [SME: 12848]	2024-12-31 03:29:03 -05:00