Fix hardcoded rp-pppoe.so location - thanks to Nestor

- fix autorenew of self-signed certificate [SME: 12218]
  strips unsupported characters, use utf8 encoding

.gitignore

@@ -4,3 +4,4 @@
 *.tar.xz
 *.bak
 *gz
+*.patch

root/etc/e-smith/events/actions/update-passwd

@@ -28,6 +28,7 @@ use Errno;
 use esmith::AccountsDB;
 
 my $a = esmith::AccountsDB->open_ro or die "Could not open accounts db";
+my $c = esmith::ConfigDB->open_ro or die "Could not open configuration db";
 
 foreach my $u ($a->users)
 {
@@ -40,6 +41,23 @@ foreach my $u ($a->users)
 
 	system("/usr/bin/smbpasswd", "-d", $user) == 0
 	    or warn("Problem locking smbpassword for user $user\n");
+
+	my $serv = $c->get('samba') || '';
+	if (($serv eq 'service') && ($user ne 'administrator'))
+	{
+	my $samba = $c->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $c->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $c->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+        {
+	    $samba = 'disabled';
+        }
+	if ($samba eq 'enabled')
+	{
+	system("/usr/bin/samba-tool", "user", "disable", "$user", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	    or warn("Problem locking addc password for user $user\n");
+	}
+	}
     }
 }
 

root/etc/e-smith/events/actions/user-create-unix

@@ -134,4 +134,23 @@ if ($ldapauth ne 'enabled')
 system("/usr/bin/smbpasswd", "-a", "-d", "$userName")
     and ( $x = 255, warn "Could not lock (smb) password for $userName\n" );
 
+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "add", "$userName", "--random-password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not create (addc) user for $userName\n" );
+system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Could not lock (addc) password for $userName\n" );
+}
+}
+
 exit ($x);

root/etc/e-smith/events/actions/user-delete-unix

@@ -75,4 +75,21 @@ $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (lda
 $result = $ldap->ldapdelgroup($userName);
 $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to delete (ldap) group account $userName.\n" );
 
+my $serv = $conf->get('samba') || '';
+if (($serv eq 'service') && ($userName ne 'administrator'))
+{
+my $samba = $conf->get('samba')->prop('status') || 'disabled';
+my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+my $sambapwd = $conf->get('samba')->prop('Password') || '';
+if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+if ($samba eq 'enabled')
+{
+system("/usr/bin/samba-tool", "user", "delete", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")
+    and ( $x = 255, warn "Failed to delete (addc) account $userName.\n" );
+}
+}
+
 exit ($x);

root/etc/e-smith/events/actions/user-lock-passwd

@@ -78,6 +78,23 @@ sub lock_user
     {
         $conf->set_value('PasswordSet', 'no');
     }
+
+    my $serv = $conf->get('samba') || '';
+    if (($serv eq 'service') && ($userName ne 'administrator'))
+    {
+    my $samba = $conf->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $conf->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $conf->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "disable", "$userName", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+        or ( $x = 255, warn "Error locking (addc) account $userName" );
+    }
+    }
 }
 
 sub bad_password_users

root/etc/e-smith/templates/etc/sysconfig/network-scripts/chat-ppp0/20LINUX_PLUGIN

@@ -1 +1,6 @@
-LINUX_PLUGIN=/usr/lib64/pppd/2.4.5/rp-pppoe.so
+{
+# Find Roaring Penguin pppoe plugin
+my ($plugin) = glob "/usr/lib*/pppd/*/rp-pppoe.so";
+$plugin ||= "pppoe_plugin_could_not_be_found";
+$OUT .= "LINUX_PLUGIN=$plugin\n";
+}

root/etc/e-smith/templates/home/e-smith/ssl.crt

@@ -2,6 +2,7 @@
     use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365;
     use esmith::ssl;
     use Date::Parse;
+    use utf8;
     use Cwd;
     use Net::IP qw(ip_is_ipv4 ip_is_ipv6);
     use esmith::Logger;
@@ -37,66 +38,70 @@
     $Country = substr($Country, 0, 2);
     $defaultCity = substr($defaultCity, 0, 128); 
     $defaultCompany = substr($defaultCompany, 0, 64); 
-    $defaultDepartment = substr($defaultDepartment, 0, 64); 
+    $defaultDepartment = substr($defaultDepartment, 0, 64);
+    $defaultDepartment =~ s/[''"]//g;
     $email = substr($email, 0, 64);
     $commonName = substr($commonName, 0, 64);
 
     # if self-signed certificate files exists, is a certificate, and is still valid
     if ( cert_exists_good_size )
     {
-	# check expiry date, if less than 2 days from now we update it.
+        # check expiry date, if less than 2 days from now we update it.
         my $expire = `openssl x509 -enddate -noout -in $crt`;
         $expire =~ s/^notAfter=//;
         $expire = str2time($expire);
         my $ttl_days = ($expire - time()) / 60 / 60 / 24;
-	# check the cert and the key are related, if key has been changed, then we need to change the cert
+        # check the cert and the key are related, if key has been changed, then we need to change the cert
-	my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
+        my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`;
-	my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
+        my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`;
 
         if ( ($ttl_days > 2) && ( "$crt_md5" eq "$key_md5" ) ) {
-            my $expected_issuer = 'C = '.$Country .
+            my $expected_issuer = 'C='.$Country .
-                              ', ST = '.$State;
+                              ', ST='.$State;
-            $expected_issuer .= ', L = ' . ($defaultCity ? $defaultCity : 'Default City');
+            $expected_issuer .= ', L=' . ($defaultCity ? $defaultCity : 'Default City');
-            $expected_issuer .= ', O = ' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
+            $expected_issuer .= ', O=' . ($defaultCompany ? $defaultCompany : 'Default Company Ltd');
-            $expected_issuer .= ", OU = $defaultDepartment" if $defaultDepartment;
+            $expected_issuer .= ", OU=$defaultDepartment" if $defaultDepartment;
-            $expected_issuer .= ", CN = $commonName" .
+            $expected_issuer .= ", CN=$commonName" .
-                                  ", emailAddress = $email";
+                                  ", emailAddress=$email";
-            my $issuer = `openssl x509 -issuer -noout -in $crt`;
+            # format so we can compare with right encoding
+            my $issuer = `openssl x509 -issuer -nameopt dump_der -noout -in $crt`;
             chomp $issuer;
             $issuer =~ s/^issuer=//;
+            # we remove any "
+            $issuer =~ s/["]//g;
             my $signatureAlg = `openssl x509 -text -noout -in $crt | grep "Signature Algorithm" | head -1`;
             chomp $signatureAlg;
             $signatureAlg =~ s/^ *Signature Algorithm: //;
-	    
+            
-	    # Test for expected subjectAltName
+            # Test for expected subjectAltName
             # openssl x509 -text -noout -in /etc/dehydrated/certs/domain/cert.pem | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\n//;:a;s/^\( *\)\(.*\), /\2,\1/;ta;p;q; }'
-	    $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
+            $expected_subjectAltName = `openssl x509 -text -noout -in $crt | sed -ne '/X509v3 Subject Alternative Name/{ N;s/^.*\\n//;:a;s/^\\( *\\)\\(.*\\), /\\2,\\1/;ta;p;q; }'`;
-	    chomp $expected_subjectAltName;
+            chomp $expected_subjectAltName;
             print FH "Self-Signed Cert: $issuer\n expected $expected_issuer" unless ($issuer eq $expected_issuer);
             print FH "Self-Signed Cert: $signatureAlg "unless ($signatureAlg ne "sha1WithRSAEncryption");
             print FH "Self-Signed Cert: $subjectAltName\n expected: $expected_subjectAltName" unless ($subjectAltName eq $expected_subjectAltName);
             if (
-	                 ($issuer eq $expected_issuer)
+                         ($issuer eq $expected_issuer)
-	              && ($signatureAlg ne "sha1WithRSAEncryption")
+                      && ($signatureAlg ne "sha1WithRSAEncryption")
-		      && ($subjectAltName eq $expected_subjectAltName)
+                      && ($subjectAltName eq $expected_subjectAltName)
             )
-	    {
+            {
-	        # Old key file is still good. Read it out - processTemplate will work
+                # Old key file is still good. Read it out - processTemplate will work
-	        # out that it hasn't changed, and leave the old one in place
+                # out that it hasn't changed, and leave the old one in place
-	        open(C, "$crt") or die "Couldn't open crt file: $!";
+                open(C, "$crt") or die "Couldn't open crt file: $!";
-	        my @crt = <C>;
+                my @crt = <C>;
-	        chomp @crt;
+                chomp @crt;
-	        $OUT = join "\n", @crt;
+                $OUT = join "\n", @crt;
-	        close(C);
+                close(C);
-	        return;
+                return;
-	    }
+            }
-	}
+        }
     }
     # go to somewhere private and safe where we can run programs
     # as root
     unless (-e "/tmp/ssl")
     {
-	mkdir "/tmp/ssl", 0700;
+        mkdir "/tmp/ssl", 0700;
     }
     chdir "/tmp/ssl" or die "Couldn't change to secure directory: $!";
 
@@ -104,21 +109,21 @@
 
     unless (open(SSL,"-|"))
     {
-	    # child
+            # child
-	    exec("/usr/bin/openssl",
+            exec("/usr/bin/openssl",
-		qw(req -new -key),
+                qw(req -new -key),
-		$key,
+                $key,
-		qw( -sha256 -x509 -days), KEYLIFEINDAYS,
+                qw( -sha256 -x509 -days), KEYLIFEINDAYS,
-		qw(-set_serial), time(),
+                qw(-set_serial), time(),
-		qw(-extensions v3_req),
+                qw(-extensions v3_req),
-		qw(-config), "/etc/openssl.conf" 
+                qw(-config), "/etc/openssl.conf"
-		)
+                )
-		    || die "can't exec program: $!";
+                    || die "can't exec program: $!";
-	    # NOTREACHED
+            # NOTREACHED
     }
     while (<SSL>)
     {
-	$OUT .= $_;
+        $OUT .= $_;
     }
     close(SSL) or die "Closing openssl pipe reported: $!";
     chdir $here;

root/etc/e-smith/templates/var/service/wan/pppoe.pppd.conf/plugin

@@ -1 +1,6 @@
-plugin /usr/lib64/pppd/2.4.5/rp-pppoe.so
+{
+# Find Roaring Penguin pppoe plugin
+my ($plugin) = glob "/usr/lib*/pppd/*/rp-pppoe.so";
+$plugin ||= "pppoe_plugin_could_not_be_found";
+$OUT .= "plugin $plugin\n";
+}

root/etc/e-smith/web/functions/userpassword

@@ -93,6 +93,23 @@ sub change_password {
     $accountdb = esmith::AccountsDB->open();
 
     $q->param(-name => 'status_message', -value => 'PASSWORD_CHANGE_SUCCESS');    
+
+    my $serv = $configdb->get('samba') || '';
+    if (($serv eq 'service') && ($acctName ne 'administrator'))
+    {
+    my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+    my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+    my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+    if ($sambaip eq '' || $sambapwd eq '')
+    {
+        $samba = 'disabled';
+    }
+    if ($samba eq 'enabled')
+    {
+    system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$pass", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd") == 0
+	or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+    }
+    }
     return;
 }
 

root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/useraccounts.pm

@@ -911,6 +911,29 @@ sub reset_password {
 
         $self->success($self->localise('PASSWORD_CHANGE_SUCCEEDED',
             { acctName => $acctName}));
+
+	my $serv = $configdb->get('samba') || '';
+	if (($serv eq 'service') && ($acctName ne 'administrator'))
+	{
+	my $samba = $configdb->get('samba')->prop('status') || 'disabled';
+	my $sambaip = $configdb->get('samba')->prop('SambaIP') || '';
+	my $sambapwd = $configdb->get('samba')->prop('Password') || '';
+	if ($sambaip eq '' || $sambapwd eq '')
+	{
+	    $samba = 'disabled';
+	}
+	if ($samba eq 'enabled')
+	{
+	my $password = $self->{cgi}->param('password1');
+	unless (($password) = ($password =~ /^([ -~]+)$/ ))
+	{
+	    return $self->error('TAINTED_PASSWORD');
+	}
+	$password = $1;
+	system("/usr/bin/samba-tool", "user", "setpassword", "$acctName", "--newpassword=$password", "-H", "ldap://$sambaip", "--username=administrator", "--password=$sambapwd")  == 0
+	    or warn ("Error occured while modifying (addc) password for $acctName.\n" );
+	}
+	}
     }
     else
     {

smeserver-base.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 31
+%define release 34
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -182,6 +182,16 @@ fi
 
 
 %changelog
+* Wed Jul 09 2025 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0.0-34.sme
+- fix hardcoded rp-pppoe.so location - Thanks Nestor [SME: 13074]
+
+* Thu Jun 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-33.sme
+- fix autorenew of self-signed certificate [SME: 12218]
+  strips unsupported characters, use utf8 encoding
+
+* Thu Jun 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-32.sme
+- Replicate user accounts to samba Active Directory [SME: 12799]
+
 * Sun Mar 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-31.sme
 - handle dh params with template [SME: 12826]
  TODO timer and event