* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme

- Replicate user accounts to samba Active Directory [SME: 12799]
* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
2025-06-05 16:40:38 -04:00 · 2025-03-17 22:55:51 -04:00
16 changed files with 264 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 *.tar.xz
 *.bak
 *gz
+*.patch
--- a/16
+++ b/16
@@ -303,10 +303,11 @@ my $event = "smeserver-base-update";


 event_link("remove-templates-custom", $event, "02");
+event_link("systemd-journald", $event, "02");
+event_link("dhgenerator", $event, "03");
 templates2events("/etc/smartmontools/smartd.conf", $event);
 templates2events("/home/e-smith/ssl.pem/pem", $event);
 templates2events("/usr/lib/systemd/system/dhcpd.service.d/50koozali.conf", $event);
-event_link("systemd-journald", $event, "02");
 event_link("fix-startup", $event, "05");
 event_link("init-accounts", $event, "05");
 event_link("mail-spool-fix", $event, "05");
@@ -612,13 +613,24 @@ $event = "ldap-update";
 templates2events("/home/e-smith/ssl.pem/pem", $event);

 #--------------------------------------------------
-# actions for ldap-update event
+# actions for ssl-update event
 #--------------------------------------------------

 $event = "ssl-update";

 templates2events("/home/e-smith/ssl.pem/pem", $event);

+#--------------------------------------------------
+# actions for dhparam-update event
+#--------------------------------------------------
+
+$event = "dhparam-update";
+
+event_link("dhgenerator", $event, "03");
+templates2events("/etc/crontab", $event);
+# add templates to expand  + service to try-restart in target packages
+# templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
+# safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/dovecot"); 

 #--------------------------------------------------
 # actions for email-update event:
--- a/root/etc/e-smith/events/actions/dhgenerator
+++ b/root/etc/e-smith/events/actions/dhgenerator
@@ -0,0 +1,27 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use esmith::ssl;
+
+my $event=shift||"program";
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 2048;
+# load config db
+
+mkdir($folder, 0700) unless(-d $folder );
+# if program (or during updates) we only generate the 2048 to start all programs after install without waiting too much
+if ( $event eq "program" || $event eq "temp" ) {
+	my $exit_code=dh_exists_good_size($KeySize,"$folder/$KeySize.pem") || system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+  exit 0;
+}
+# if called as event, we generate a 4096 if 2096 exist, and then expand templates for services in need of this 
+#  then the event will restart the service to use stronger dh.pem
+else {
+ $KeySize =  4096 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ print "Key size is  $KeySize\n";
+ exit 0 if (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+ # here we should test if uptime  > 2 hours and return if not enough uptime
+ system("/usr/bin/openssl","dhparam","-out","$folder/$KeySize.pem", $KeySize);
+ exit 0; 
+}
+
--- a/root/etc/e-smith/events/actions/update-passwd
+++ b/root/etc/e-smith/events/actions/update-passwd
@@ -28,6 +28,7 @@ use Errno;
 use esmith::AccountsDB;

 my $a = esmith::AccountsDB->open_ro or die "Could not open accounts db";
+my $c = esmith::ConfigDB->open_ro or die "Could not open configuration db";

 foreach my $u ($a->users)
 {
@@ -40,6 +41,23 @@ foreach my $u ($a->users)

 	system("/usr/bin/smbpasswd", "-d", $user) == 0
 	    or warn("Problem locking smbpassword for user $user\n");
+
+	my $serv = $c->get('samba') || '';
+	if (($serv eq 'service') && ($user ne 'administrator'))
+	{
+	my $samba = $c->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $c->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $c->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+        {
+	    $samba = 'disabled';
+        }
+	if ($samba eq 'enabled')
+	{
+	system("/usr/bin/samba-tool", "user", "disable", "$user", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	    or warn("Problem locking addc password for user $user\n");
+	}
+	}
    }
 }

--- a/root/etc/e-smith/events/actions/user-create-unix
+++ b/root/etc/e-smith/events/actions/user-create-unix
@@ -134,4 +134,23 @@ if ($ldapauth ne 'enabled')
 system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
    and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );

+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "add", "$userName", "--random-password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not create (addc) user for $userName\n" );
+system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not lock (addc) password for $userName\n" );
+}
+}
+
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-delete-unix
+++ b/root/etc/e-smith/events/actions/user-delete-unix
@@ -75,4 +75,21 @@ $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (lda
 $result = $ldap->ldapdelgroup($userName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );

+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "delete", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Failed to delete (addc) account $userName.\n" );
+}
+}
+
 exit ($x);
--- a/root/etc/e-smith/events/actions/user-lock-passwd
+++ b/root/etc/e-smith/events/actions/user-lock-passwd
@@ -78,6 +78,23 @@ sub lock_user
    {
        $conf->set_value('PasswordSet', 'no');
    }
+
+    my $serv = $conf->get('samba') || '';
+    if (($serv eq 'service') && ($userName ne 'administrator'))
+    {
+    my $samba = $conf->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $conf->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+        or ( $x = 255, warn "Error locking (addc) account $userName" );
+    }
+    }
 }

 sub bad_password_users
--- a/root/etc/e-smith/templates/etc/crontab/dhgenerate
+++ b/root/etc/e-smith/templates/etc/crontab/dhgenerate
@@ -0,0 +1,8 @@
+{
+use esmith::ssl;
+my $folder="/home/e-smith/dh.pem";
+my $KeySize = 4096;
+$OUT = "#4096 dhparam exists";
+$OUT = '@reboot root sleep 2d && /sbin/e-smith/signal-event dhparam-update'."\n" unless (dh_exists_good_size($KeySize,"$folder/$KeySize.pem"));
+}
+
--- a/root/etc/e-smith/templates/home/e-smith/dh.pem
+++ b/root/etc/e-smith/templates/home/e-smith/dh.pem
@@ -0,0 +1,35 @@
+{
+    use esmith::ssl;
+    # for the generation of originals in /home/e-smith/dh.pem/ 
+    # we check that 4096 exist, if not we default to 2048. If not we generate it
+    # for replication : we copy what we have
+
+    my $DHSize = $modSSL{DHSize} ||'4096';
+    my $key = "/home/e-smith/dh.pem";
+    for my $DHSize (qw(4096 2048))
+    {
+			# if key exists and good size, we use it
+			if ( dh_exists_good_size($DHSize,"$key/$DHSize.pem") )
+			{
+				# Old key file is still good. Read it out - processTemplate will work
+				# out that it hasn't changed, and leave the old one in place
+				open(K, "$key/$DHSize.pem") or die "Couldn't open key file: $!";
+				my @key = <K>;
+				chomp @key;
+				$OUT = join "\n", @key;
+				close(K);
+				return;
+			}
+    }
+    # if nothing have ever been generated we call the action script as program
+    # it will generate a 2048, which 'should' be faster than 4096
+    # later if uptime is sufficient 4096 will be generated.
+    my $program = "/etc/e-smith/events/actions/dhgenerator";
+    system($program);
+    open(K, "$key/2048.pem") or die "Couldn't open dh file: $!";
+    my @key = <K>;
+    chomp @key; 
+    $OUT = join "\n", @key;
+    close(K);
+    return;
+}
--- a/root/etc/e-smith/web/functions/userpassword
+++ b/root/etc/e-smith/web/functions/userpassword
@@ -93,6 +93,23 @@ sub change_password {
    $accountdb = esmith::AccountsDB->open();

    $q->param(-name => 'status_message', -value => 'PASSWORD_CHANGE_SUCCESS');    
+
+    my $serv = $configdb->get('samba') || '';
+    if (($serv eq 'service') && ($acctName ne 'administrator'))
+    {
+    my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$pass", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+    }
+    }
    return;
 }

--- a/root/etc/sysconfig/modules/dummy.modules
+++ b/root/etc/sysconfig/modules/dummy.modules
@@ -1,3 +1,4 @@
 #!/bin/sh
 /sbin/modprobe dummy
+$(ip link show dummy0 2>/dev/null 1>&2)  || exec ip link add dummy0 type dummy
 exec ip link set dummy0 address 10:00:01:02:03:04
--- a/root/usr/lib/systemd/system-preset/50-koozali.preset
+++ b/root/usr/lib/systemd/system-preset/50-koozali.preset
@@ -15,12 +15,6 @@ enable networking.service
 enable wan.service
 enable masq.service
 enable php-fpm.service
-enable php55-php-fpm.service
-enable php56-php-fpm.service
-enable php70-php-fpm.service
-enable php71-php-fpm.service
-enable php72-php-fpm.service
-enable php73-php-fpm.service
 enable php74-php-fpm.service
 enable php80-php-fpm.service
 enable httpd-e-smith.service
@@ -73,3 +67,4 @@ disable ntpdate.service
 disable ftp.service
 disable proftpd.service

+enable dhparam-generator.service
--- a/root/usr/lib/systemd/system/dhparam-generator.service
+++ b/root/usr/lib/systemd/system/dhparam-generator.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Diffie Hellman parameter generator
+#TODO: add Requires= or Wants= to those:
+Before=ftp.service
+Before=dovecot.service
+Before=qpsmtpd.service sqpsmtpd.service uqpsmtpd.service
+Before=radiusd.service
+
+[Service]
+Type=oneshot
+ExecStart=/etc/e-smith/events/actions/dhgenerator
+# sqpsmtpd and uqpsmtpd use a symlink to /var/service/qpsmtpd/ssl
+ExecStartPost=-/sbin/e-smith/expand-template /var/service/qpsmtpd/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/dovecot/ssl/dhparam.pem
+ExecStartPost=-/sbin/e-smith/expand-template /etc/raddb/certs/dh 
+
+PrivateTmp=true
+ProtectSystem=no
+ProtectHome=no
+PrivateDevices=false
+
+[Install]
+WantedBy=sme-server.target
+
--- a/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/useraccounts.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/useraccounts.pm
@@ -911,6 +911,29 @@ sub reset_password {

        $self->success($self->localise('PASSWORD_CHANGE_SUCCEEDED',
            { acctName => $acctName}));
+
+	my $serv = $configdb->get('samba') || '';
+	if (($serv eq 'service') && ($acctName ne 'administrator'))
+	{
+	my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+	{
+	    $samba = 'disabled';
+	}
+	if ($samba eq 'enabled')
+	{
+	my $password = $self->{cgi}->param('password1');
+	unless (($password) = ($password =~ /^([ -~]+)$/ ))
+	{
+	    return $self->error('TAINTED_PASSWORD');
+	}
+	$password = $1;
+	system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")  == 0
+	    or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+	}
+	}
    }
    else
    {
--- a/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
+++ b/root/usr/share/perl5/vendor_perl/esmith/ssl.pm
@@ -6,7 +6,7 @@ use esmith::ConfigDB;


 our @ISA = qw(Exporter);
-our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos);
+our @EXPORT = qw( key_exists_good_size cert_exists_good_size cert_is_cert key_is_key related_key_cert SSLproto SSLprotoApache SSLprotoComa SSLprotoHyphen SSLprotoMin SSLprotoLDAP SSLprotoQpsmtpd $smeCiphers $smeSSLprotocol %existingSSLprotos dh_exists_good_size);

 my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
 our $SystemName = $configdb->get('SystemName')->value;
@@ -162,6 +162,38 @@ sub related_key_cert {
    return 0;
 }

+=head2 dh_exists_good_size
+# check dh exist
+# check dh is indeed dh
+# check dh size 
+# openssl rsa -noout -modulus -in domain.key | openssl md5
+# openssl x509 -noout -modulus -in domain.crt | openssl md5
+=cut
+
+sub dh_exists_good_size {
+    my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
+    my %modSSL = $configdb->as_hash('modSSL');
+    my $KeySize = shift || $modSSL{DHSize} ||'4096';
+		my $dh = shift || "/home/e-smith/dh.pem/$KeySize.pem";
+    if ( -f $dh )
+    {
+  my $signatureKeySize = `openssl dhparam -text -noout -in $dh 2>/dev/null | grep "DH Parameters:" | head -1`;
+  chomp $signatureKeySize;
+  $signatureKeySize =~ s/^.*DH Parameters: \((.*) bit\)/$1/p;
+  if ( $signatureKeySize == $KeySize ) {
+    #print "$signatureKeySize\n";
+    # cert is  correct size and exists, we can proceed.
+    # next check key and cert are related
+    # next check cert is still valid
+    # next check alt name are still the same
+    return 1;
+  }
+    }
+    return 0;
+}
+
+
+
 ##TODO write sub and migrate those actions from template fragments
 # check cert is related to key
 # => /etc/e-smith/templates/home/e-smith/ssl.crt 
--- a/smeserver-base.spec
+++ b/smeserver-base.spec
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 30
+%define release 32
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -182,6 +182,14 @@ fi


 %changelog
+* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme
+- Replicate user accounts to samba Active Directory [SME: 12799]
+
+* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
+- handle dh params with template [SME: 12826]
+ TODO timer and event
+- foolproofing dummy.module
+
 * Thu Mar 06 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-30.sme
 - systemd unit for ippp [SME: 12876]
 - systemd unit for wan [SME: 12875]
Author	SHA1	Message	Date
Jean-Philippe Pialasse	6957c1ab9c	* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme - Replicate user accounts to samba Active Directory [SME: 12799]	2025-06-05 16:40:38 -04:00
Jean-Philippe Pialasse	8615e569eb	* Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme - handle dh params with template [SME: 12826] TODO timer and event - foolproofing dummy.module	2025-03-17 22:55:51 -04:00