# Convert ubuntu's PAM metaconfigs
# Runs the converter shipped under /usr/share/yandex-cauth; what it rewrites is
# not visible from this scriptlet.
/usr/share/yandex-cauth/pam_config_converter.py

# Replace dpkg-query with rpm -q
# Rewrites the package-version lookup inside /etc/cauth/cauth_functions in place.
# \x27 is sed's escape for a single quote; the braces around the rpm query tag
# are backslash-escaped, presumably so that rpm does not expand them as a spec
# macro before the shell sees this line.
sed -i 's/dpkg-query -f=\x27${Version}\x27 -W/rpm -q --qf=\x27%\{VERSION\}\x27/' /etc/cauth/cauth_functions

# Disable fetching admins keys
# Comments out the indented fetch_file call for root_keys_file in get-keys.sh.
# NOTE(review): this edits an installed script in place. If that file is owned
# by a package, rpm -V will report it as modified and an update of the owning
# package can restore the original line - confirm this step is re-applied then.
sed -ri 's/(^\s+fetch_file \$\{root_keys_file\} .*$)/#\1/' /usr/sbin/get-keys.sh

# Allow root login with password
# Comments out the lines in cauth-patch-sshd.sh that start with
# update_config_parameter and mention PasswordAuthentication or PermitRootLogin,
# so that script no longer touches those two sshd settings.
# NOTE(review): nothing here sets either option. The effective values are
# whatever sshd_config already holds on the host, so password and root login
# policy must be enforced somewhere else - confirm that this is intended for
# every host that receives this package.
sed  -ri 's/(^update_config_parameter.*PasswordAuthentication.*$)/#\1/' /usr/sbin/cauth-patch-sshd.sh
sed  -ri 's/(^update_config_parameter.*PermitRootLogin.*$)/#\1/' /usr/sbin/cauth-patch-sshd.sh

# Add sssd
# Append the sss source to the passwd and group lines of nsswitch.conf, but only
# when the line does not already mention it, so repeated runs do not stack it.
for db in passwd group; do
    if ! grep -q "^${db}:.*sss" /etc/nsswitch.conf; then
        sed -i -e "s/^\(${db}:.*\)/\1 sss/" /etc/nsswitch.conf
    fi
done

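# Configuring sshd pam config
# Comment out the account includes of system-auth / password-auth in the sshd
# PAM stack and append the yandex-account / yandex-session includes.
# The appends are guarded: this scriptlet runs again on every upgrade, and an
# unguarded append would add a second copy of both includes each time, making
# the included PAM stacks run repeatedly for every ssh login.
if [ -f /etc/pam.d/sshd ]; then
    sed -i '/^account.*include.*\(system\|password\)-auth/ s/^/#/' /etc/pam.d/sshd
    grep -Eq '^account[[:space:]]+include[[:space:]]+yandex-account' /etc/pam.d/sshd \
        || sed -i '$ a account    include      yandex-account' /etc/pam.d/sshd
    grep -Eq '^session[[:space:]]+include[[:space:]]+yandex-session' /etc/pam.d/sshd \
        || sed -i '$ a session    include      yandex-session' /etc/pam.d/sshd
fi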

# Fix symlinks from older packages
# If system-auth or smartcard-auth is still a symlink whose target mentions
# yandex, repoint it at the matching "-ac" file. Failures are ignored on purpose.
for pam_name in system-auth smartcard-auth; do
    if readlink "/etc/pam.d/${pam_name}" | grep -q yandex; then
        ln -sf "/etc/pam.d/${pam_name}-ac" "/etc/pam.d/${pam_name}" || true
    fi
done

# fix permissions for sssd stuff
# World-readable: the config directory and the CA certificate.
chmod 0755 /etc/cauth
chmod 0644 /etc/ldap/certs/cafile.pem
# Owner-only: the sssd configs and the access list.
# /etc/sssd/sssd.conf may not exist yet at this point; it is (re)created from
# yandex-sssd.conf in the "Creating /etc/sssd/sssd.conf" step further down.
chmod 0600 /etc/sssd/sssd.conf /etc/sssd/yandex-sssd.conf /etc/security/yandex-access.conf

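# making /sbin/nologin symlink to allow nologin shell works properly CAUTH-1194
# Only link when a nologin binary was actually found on PATH. With an empty
# lookup result the unquoted original collapsed to "ln -sf /sbin/nologin",
# which creates a stray link in the current directory instead.
# command -v is a shell builtin, so this no longer depends on "which" being
# installed.
if [ ! -e /sbin/nologin ]; then
    nologin_path=$(command -v nologin 2>/dev/null) || nologin_path=""
    if [ -n "$nologin_path" ]; then
        ln -sf "$nologin_path" /sbin/nologin || true
    fi
fi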

# In case this system is running systemd, we need to ensure that all
# necessary tmpfiles (if any) are created before starting.
# The command is wrapped in an rpm conditional keyed on el7, so it is emitted
# only when that macro is defined at build time. Its output is discarded and a
# failure is ignored.
%{?el7:systemd-tmpfiles --create /usr/lib/tmpfiles.d/sssd.conf >/dev/null || true}

# SSSD cache MUST be placed to RAM (tmpfs)
# to work properly under heavy IO loads
# Stops sssd, removes the existing cache (both *.ldb files in /dev/shm and the
# whole /var/lib/sss/db directory), replaces that directory with a symlink to
# /var/run/sssd, then starts sssd again. Every step ignores failure.
# NOTE(review): this relies on /var/run/sssd existing and sitting on tmpfs -
# confirm for each target release. The cache can hold cached credential hashes
# when credential caching is enabled in sssd, so the link target should stay
# readable by root only.
service sssd stop || true
rm -f /dev/shm/*.ldb || true
rm -rf /var/lib/sss/db || true
# -T makes ln treat the destination as a plain file name, never as a directory
# to create the link inside.
ln -sfT /var/run/sssd /var/lib/sss/db || true
service sssd start || true

# Trying to refresh cauth.conf
# Best effort: stderr is folded into stdout and a failure is ignored.
/usr/sbin/agent.sh 2>&1 || true

# regenerate monrun tasks if monrun installed
# Each hook is run only when it exists and is executable; its exit status is
# ignored.
for monrun_hook in /var/cron.d/check_monrun.sh /usr/sbin/regenerate-monrun-tasks; do
    if [ -x "$monrun_hook" ]; then
        "$monrun_hook" || true
    fi
done

# clean old files from other cauth packages
# Removes leftover sudoers drop-ins and the cron entry of earlier cauth
# packages, then the old spool directory. Missing files are not an error.
for stale_file in \
    /etc/sudoers.d/cauth \
    /etc/sudoers.d/yandex-search-cauth-serveradmins \
    /etc/cron.d/cauth-client-scripts
do
    rm -f "$stale_file" || true
done
rm -rf /etc/cauth/spool || true

# Creating /etc/sssd/sssd.conf
# Keeps the previous sssd.conf as sssd.conf.bak, then installs a copy of
# yandex-sssd.conf as the live config. cp -a preserves mode and ownership, so
# the new sssd.conf inherits them from yandex-sssd.conf (set to 0600 in the
# permissions step above).
# NOTE(review): mv -f overwrites any earlier .bak, so from the second run on
# the backup is just the previous copy of yandex-sssd.conf and a hand-written
# config saved on the first run is gone.
# NOTE(review): the backup uses the literal /etc path while the copy uses the
# rpm sysconfdir macro; the two agree only when that macro expands to /etc.
[ -f /etc/sssd/sssd.conf ] && mv -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak;
cp -a %{_sysconfdir}/sssd/yandex-sssd.conf %{_sysconfdir}/sssd/sssd.conf

# Enabling sssd auth
# Each line is wrapped in an rpm conditional keyed on el6 or el7, so only the
# pair for the release being built is emitted.
# authconfig turns on pam_access, the sss NSS source, sssd PAM authentication
# and home directory creation on login; the el6 variant additionally turns off
# fingerprint authentication. The second line of each pair enables sssd at
# boot (chkconfig on el6, systemctl on el7).
# NOTE(review): none of these carry "|| true", unlike most earlier steps.
%{?el6:authconfig --updateall --enablepamaccess --enablesssd --enablesssdauth --enablemkhomedir --disablefingerprint}
%{?el6:/sbin/chkconfig sssd on}
%{?el7:authconfig --updateall --enablepamaccess --enablesssd --enablesssdauth --enablemkhomedir}
%{?el7:systemctl enable sssd}

# Reloading services
# Full restarts (not reloads) of crond and sssd so both pick up the files
# changed above. These calls are not followed by "|| true", so a failed restart
# is visible in the exit status; if this is the end of the scriptlet, the
# status of the sssd restart becomes the scriptlet's own - TODO confirm.
service crond restart
service sssd restart


