#!/bin/bash
#
# install_afs
#
# Configures AFS client on a MacOSX computer.
#
# -- Frank Burkhardt <burk@cbs.mpg.de>  Sat, 13 Feb 2010 15:59:33 +0100

# AFS cache size in kB that is used when the user just hits enter.
DEFAULTCACHESIZE=30000

# Path to the instantafs mirror (plain FTP, nothing fetched from here is
# authenticated by the transport)
BASEPATH="ftp://instantafs.cbs.mpg.de/instantafs"

# For testing purposes
#BASEPATH="ftp://ftp.alpha/instantafs"

# Directory on the mirror holding the per-OS-version MacOSX client packages
BASEURL="${BASEPATH}/collection/clients/macosx"

# Greeting; the delimiter is quoted so the text is printed literally.
cat <<'END_INTRO'
This script will download the AFS client and do all necessary setup
to connect you to your Instantafs compatible Kerberos5-driven AFS cell.

Make sure, to answer all questions wisely.

Frank Burkhardt <burk@cbs.mpg.de>
END_INTRO

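# Everything below writes to /var/db, /Library and /etc and runs the package
# installer, so refuse early instead of failing half-way through.
if [ "$(id -u)" -ne 0 ]; then
	echo "E: this script has to be run as root." >&2
	exit 1
fi

# Detect the running OS version (major.minor only, e.g. 10.5). The user may
# override it; the value selects the package directory on the mirror.
DETVERSION=$(sw_vers -productVersion 2>/dev/null | cut -d. -f1-2)
/bin/echo -n "Enter os version [$DETVERSION]: "
read -r a
if [ -z "$a" ]; then
	a=$DETVERSION
fi
# Anchored check: OSVERSION becomes a path component of the download URL, so
# only exactly "10.1" .. "10.7" is accepted (the previous pattern was
# unanchored and also let e.g. "10.15" or "110.1" through).
osversion_re='^10\.[1-7]$'
if ! [[ "$a" =~ $osversion_re ]]; then
	echo "E: unsupported OS." >&2
	exit 1
fi
OSVERSION="$a"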

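# A leftover image would be reused by the installation step below, so offer
# to throw it away first. An empty answer counts as "yes".
if [ -e /tmp/openafs.dmg ]; then
	echo "/tmp/openafs.dmg already exists. Remove it (Y|n)"
	read -r a
	if [[ "$a" =~ ^[Yy]?$ ]]; then
		echo "I: removing openafs.dmg" >&2
		rm -f -- /tmp/openafs.dmg
	fi
fi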

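#######################################
# Ask a yes/no question on the terminal.
# Arguments: $1 - prompt, printed without a trailing newline
# Returns:   0 for an empty answer or one starting with y/Y (default yes),
#            1 otherwise
#######################################
ask_yes_no() {
	local answer
	/bin/echo -n "$1"
	read -r answer
	[[ "$answer" =~ ^[Yy]?$ ]]
}

# Ask for various parameters. Just the cell name has to be provided,
# the other stuff has defaults which can be set by just hitting enter.
/bin/echo -n "Name of your AFS cell :"
read -r a
# The cell name is written verbatim into ThisCell and the derived realm into
# the Kerberos configuration, so only accept a plain DNS-style name.
cellname_re='^[A-Za-z0-9.-]+$'
if ! [[ "$a" =~ $cellname_re ]]; then
	echo "E: invalid cell name '$a' (expected a DNS-style name)." >&2
	exit 1
fi
CELLNAME=$(printf '%s' "$a" | tr 'A-Z' 'a-z')
REALMNAME=$(printf '%s' "$a" | tr 'a-z' 'A-Z')

/bin/echo -n "Cachesize [kB] (default: $DEFAULTCACHESIZE) :"
read -r CACHESIZE
if [ -z "$CACHESIZE" ]; then
	CACHESIZE=$DEFAULTCACHESIZE
fi
# Written verbatim into cacheinfo below, so it has to be a plain number.
cachesize_re='^[0-9]+$'
if ! [[ "$CACHESIZE" =~ $cachesize_re ]]; then
	echo "E: cachesize must be a number of kB." >&2
	exit 1
fi
/bin/echo "Selected cachesize is: $CACHESIZE"

/bin/echo -n "Which openafs branch: (s)table or (e)xperimental? [s/e]"
read -r a
# "suggested" is the directory name the mirror uses for the stable branch.
if [[ "$a" =~ ^[Ss]?$ ]]; then
	FLAVOR=suggested
else
	FLAVOR=experimental
fi

/bin/echo "Selected flavor is: $FLAVOR"

if ask_yes_no "Enable kerberos session login? [Y/n]"; then
	KLOGIN=1
else
	KLOGIN=0
fi

if ask_yes_no "Enable kerberos aklog plugin (won't work after MacOSX 10.4)? [Y/n]"; then
	AKLOG=1
else
	AKLOG=0
fi

if ask_yes_no "Update SSH configuration? [Y/n]"; then
	SSHCONF=1
else
	SSHCONF=0
fi

# Processor type; it is part of the package file name on the mirror
# (presumably "powerpc" or "i386" on the MacOSX releases targeted here).
plattform=$(uname -p)

echo "I: Plattform is '$plattform'" >&2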

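# AFS-Package-Installation
cd /tmp || exit 1
if [ -e openafs.dmg ]; then
	# /tmp is world-writable and the image is installed as root below, so
	# only reuse a regular, non-symlink file that belongs to the running user.
	if ! [[ -f openafs.dmg && ! -L openafs.dmg && -O openafs.dmg ]]; then
		echo "E: /tmp/openafs.dmg is not a regular file owned by you; remove it and rerun." >&2
		exit 1
	fi
	echo "I: Using existing /tmp/openafs.dmg" >&2
else
	DMGURL="$BASEURL/$OSVERSION/openafs-${FLAVOR}.${plattform}.dmg"
	echo "Getting file: $DMGURL"
	# Download into a private temporary file and rename it into place, so a
	# pre-planted symlink named openafs.dmg cannot redirect the write.
	dmgtmp=$(mktemp /tmp/openafs.XXXXXX) || exit 1
	# -f: a server error must not leave an error page behind as openafs.dmg.
	# NOTE(review): the mirror is plain FTP and the image is not verified
	# against a signature or checksum before being installed as root.
	if ! curl -f -o "$dmgtmp" "$DMGURL"; then
		echo "E: download of openafs.dmg failed." >&2
		rm -f -- "$dmgtmp"
		exit 1
	fi
	mv -f "$dmgtmp" openafs.dmg || exit 1
fi
if ! hdiutil attach -mountpoint /Volumes/openafs /tmp/openafs.dmg; then
	echo "E: unable to mount /tmp/openafs.dmg." >&2
	exit 1
fi
if ! installer -verbose -pkg /Volumes/openafs/OpenAFS.pkg -target /; then
	# Detach on the failure path too; the old code left the image mounted.
	hdiutil detach /Volumes/openafs
	echo "E: openafs client package installation failed, sorry." >&2
	exit 1
fi
hdiutil detach /Volumes/openafs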

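# Apply parameters to the various configuration files
printf '%s\n' "$CELLNAME" > /var/db/openafs/etc/ThisCell

# Make it empty to force DNS-lookups
rm -f /var/db/openafs/etc/CellServDB
touch /var/db/openafs/etc/CellServDB

printf '%s\n' "/afs:/var/db/openafs/cache:$CACHESIZE" > /var/db/openafs/etc/cacheinfo
# (-afsdb appears twice on this line in the shipped version; kept as is.)
printf '%s\n' " -afsdb -stat 2000 -dcache 800 -daemons 3 -volumes 1200 -fakestat-all -afsdb" > /var/db/openafs/etc/config/afsd.options

# The realm is expanded by the here-document itself rather than spliced
# unquoted into a sed script, where a '/' or '&' in the name would have
# broken the substitution or rewritten the file in unexpected ways.
# NOTE(review): allow_weak_crypto=true permits weak (DES-family) enctypes;
# keep it only while the cell's KDC still requires them.
cat <<END_KRBCONFIG > /Library/Preferences/edu.mit.Kerberos
[libdefaults]
	default_realm=$REALMNAME
	noaddresses=true
# This plugin won't work after MacOSX 10.4
	login_logout_notification="afslog"
	ticket_lifetime=93600
	forwardable=true
	proxiable=true
	allow_weak_crypto=true
END_KRBCONFIG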

# Create a link for easy usage of the Kerberos applett
if [ -e /Applications/Kerberos.app ]; then
	: # already present, nothing to do
elif [ -e /System/Library/CoreServices/Kerberos.app ]; then
	echo "I: Creating link to kerberos cc manager." >&2
	ln -s /System/Library/CoreServices/Kerberos.app /Applications/Kerberos.app
else
	echo "E: Unable to create link to kerberos identity manager" >&2
fi

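if [ "$AKLOG" = "1" ]; then
	# Decompress AFS plugin for Kerberos. The 10.4 path is hard-coded as in
	# the shipped version; the progress message used to advertise
	# $OSVERSION, which was never what got fetched.
	PLUGINURL="$BASEURL/10.4/kerberos-plugin-afs-10.4.tgz"
	mkdir -p "/Library/Kerberos Plug-Ins"
	# Never unpack into whatever directory we happen to be in.
	cd "/Library/Kerberos Plug-Ins" || exit 1
	echo "Getting file: $PLUGINURL"
	# Fetch to a temporary file first so a failed download (curl -f) is
	# noticed instead of being hidden behind the pipe into tar.
	# NOTE(review): fetched over plain FTP and unpacked as root without any
	# signature or checksum verification.
	plugintmp=$(mktemp /tmp/kplugin.XXXXXX) || exit 1
	if ! curl -f -o "$plugintmp" "$PLUGINURL" || ! tar -xzf "$plugintmp"; then
		echo "E: unable to fetch or unpack the kerberos AFS plugin." >&2
		rm -f -- "$plugintmp"
		exit 1
	fi
	rm -f -- "$plugintmp"
fi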

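if [ "$SSHCONF" = "1" ]; then
	# Both files are replaced wholesale; keep the first pre-existing copy so
	# the machine's previous configuration can be restored.
	for f in /etc/ssh_config /etc/sshd_config; do
		if [ -e "$f" ] && [ ! -e "$f.instantafs-bak" ]; then
			cp -p "$f" "$f.instantafs-bak"
		fi
	done
	# Modify ssh configuration to support Kerberos/GSSAPI
	# NOTE(review): under "host *", ForwardAgent yes applies to every
	# destination, so any host the user logs into may use the agent's keys.
	cat <<'END_SSH_CONFIG' > /etc/ssh_config
host *
	ForwardAgent yes
	ForwardX11 yes
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes
	CheckHostIP no
	EscapeChar ~
	Protocol 2
	StrictHostKeyChecking ask
	IdentityFile ~/.ssh/id_rsa
	IdentityFile ~/.ssh/id_dsa
END_SSH_CONFIG
	# Same for sshd
	# NOTE(review): PermitRootLogin yes and UsePrivilegeSeparation no weaken
	# sshd's defaults; they are kept as shipped, review before deploying.
	cat <<'END_SSHD_CONFIG' > /etc/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin yes
GSSAPIAuthentication yes
KerberosTgtPassing yes
X11Forwarding yes
UsePrivilegeSeparation no
Subsystem sftp /usr/libexec/sftp-server
END_SSHD_CONFIG
fi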

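# Setup kerberos authentication for Login manager
if [ "$KLOGIN" = "1" ]; then
	cd /etc || exit 1
	# Running the patch twice would make patch ask about reverse-applying,
	# so skip it when the mechanism is already listed (presumably meaning a
	# previous run, TODO confirm it is absent from a stock file).
	if grep -q 'builtin:krb5authnoverify' /etc/authorization; then
		echo "I: /etc/authorization already lists the krb5 mechanism, not patching." >&2
	else
		# Keep the untouched rights database; the diff was made against a
		# 2007 file and may not apply cleanly on every release.
		[ -e /etc/authorization.instantafs-bak ] || cp -p /etc/authorization /etc/authorization.instantafs-bak
		patch -p0 <<'END_DIFF'
--- authorization.prek5	2007-11-01 09:02:03.000000000 +0100
+++ authorization	2007-11-01 09:05:01.000000000 +0100
@@ -365,6 +365,7 @@
 			<array>
 				<string>builtin:auto-login,privileged</string>
 				<string>loginwindow_builtin:login</string>
+				<string>builtin:krb5authnoverify,privileged</string>
 				<string>builtin:reset-password,privileged</string>
 				<string>authinternal</string>
 				<string>builtin:getuserinfo,privileged</string>
@@ -561,6 +562,7 @@
 			<key>mechanisms</key>
 			<array>
 				<string>builtin:authenticate</string>
+				<string>builtin:krb5authnoverify,privileged</string>
 				<string>authinternal</string>
 			</array>
 		</dict>
END_DIFF
		if [ $? -ne 0 ]; then
			echo "E: patching /etc/authorization failed; check the rejects before rebooting." >&2
			exit 1
		fi
	fi
fi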

#cd "/Library/Keyboard Layouts"
#curl -O http://fbo.no-ip.org/twiki/pub/Mac/InitialStuff/PC_DE.keylayout
