xref: /titanic_52/usr/src/cmd/svc/milestone/net-loc (revision 188eaed9d5f14c73dfba1cd0dabaa430bdfd4a9a)
1#!/sbin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24#
25
26. /lib/svc/share/smf_include.sh
27. /lib/svc/share/net_include.sh
28
# SMF service FMRIs that this method configures, refreshes, starts or stops.
AUTOFS_FMRI='svc:/system/filesystem/autofs'
DNS_CLIENT_FMRI='svc:/network/dns/client'
IPSEC_IKE_FMRI='svc:/network/ipsec/ike'
IPSEC_POLICY_FMRI='svc:/network/ipsec/policy'
IPFILTER_FMRI='svc:/network/ipfilter:default'
LDAP_CLIENT_FMRI='svc:/network/ldap/client'
LOCATION_FMRI='svc:/network/location:default'
MAPID_FMRI='svc:/network/nfs/mapid:default'
NIS_CLIENT_FMRI='svc:/network/nis/client'
NWAM_FMRI='svc:/network/physical:nwam'

# External commands, each referenced by absolute path.
CP='/usr/bin/cp'
DHCPINFO='/sbin/dhcpinfo'
DOMAINNAME='/usr/bin/domainname'
GREP='/usr/bin/grep'
LDAPCLIENT='/usr/sbin/ldapclient'
MKDIR='/usr/bin/mkdir'
MV='/usr/bin/mv'
NAWK='/usr/bin/nawk'
NWAMADM='/usr/sbin/nwamadm'
NWAMCFG='/usr/sbin/nwamcfg'
RM='/usr/bin/rm'
SED='/usr/bin/sed'
SVCADM='/usr/sbin/svcadm'
SVCCFG='/usr/sbin/svccfg'
SVCPROP='/usr/bin/svcprop'
TOUCH='/usr/bin/touch'

# Files and directories read or written while a location is activated.
ETC_DEFAULT_DOMAIN='/etc/defaultdomain'
NIS_BIND_PATH='/var/yp/binding'
LEGACY_LOC_PATH='/etc/nwam/loc/Legacy'
USER_LOC_PATH='/etc/nwam/loc/User'
SCRIPT_PATH='/etc/svc/volatile/nwam'
65
#
# get_dhcp_interfaces
#
# Prints the name of every IPv4 interface whose second column in
# "netstat -D -f inet" output matches BOUND or INFORMATION.  Each name is
# followed by a single space, so the list is space-separated (not
# comma-separated) and ends with a trailing space; no newline is printed.
#
# netstat(1M) is used rather than ifconfig(1M) because interfaces that
# haven't acquired a DHCP lease also have the DHCP flag set in ifconfig
# output.
#
# NOTE(review): unlike $NAWK, netstat is resolved through PATH here rather
# than through an absolute path; confirm the PATH this method runs with.
#
get_dhcp_interfaces () {
	netstat -D -f inet | $NAWK '{
		if ($2 ~ /BOUND/)
			printf "%s ", $1
		if ($2 ~ /INFORMATION/)
			printf "%s ", $1
	}'
}
82
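#
# get_dhcpinfo <code/identifier>
#
# Runs dhcpinfo for <code> on every interface printed by
# get_dhcp_interfaces and echoes the values that were obtained, joined with
# commas.  Interfaces for which dhcpinfo exits non-zero are skipped.
#
# The exit status is that of the final echo, so callers must look at the
# echoed string, not at the status, to learn whether a value was found.
#
# Everything echoed here was supplied by a DHCP server and must be treated
# as untrusted input by the caller.
#
get_dhcpinfo () {
	code=$1

	# Deliberately unquoted below: the interface list is split into words
	# using the caller's IFS (callers run this with IFS set to " ").
	interfaces=`get_dhcp_interfaces`

	info=""
	for intf in $interfaces; do
		if val=`$DHCPINFO -i "$intf" "$code"`; then
			if [ -z "$info" ]; then
				info="$val"
			else
				info="$info,$val"
			fi
		fi
	done

	# $info stays unquoted so the output is field-split exactly as before,
	# but pathname expansion is switched off first: a DHCP-supplied value
	# such as "*" must be echoed literally, not replaced by the names of
	# files in the current directory.  The subshell keeps noglob local.
	(set -f; echo $info)
}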
110
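#
# set_smf_prop <fmri> <property name> <property value>
#
# Sets <property name> on <fmri> to <property value>, typed as astring,
# using svccfg.  Returns the exit status of svccfg.
#
# NOTE(review): the value reaches svccfg as one argument; confirm how
# svccfg tokenises a value that contains whitespace or quote characters.
#
set_smf_prop () {
	# Quoted so the FMRI and property name are passed through unchanged,
	# without word splitting or pathname expansion.
	$SVCCFG -s "$1" setprop "$2" = astring: "$3"
}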
117
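#
# refresh_svc <fmri>
#
# Refreshes the service with svcadm.  Returns the exit status of svcadm.
#
refresh_svc () {
	# Quoted so the FMRI is passed as exactly one argument.
	$SVCADM refresh "$1"
}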
126
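#
# restart_svc <fmri>
#
# Restarts the service with svcadm.  Returns the exit status of svcadm.
#
restart_svc () {
	# Quoted so the FMRI is passed as exactly one argument.
	$SVCADM restart "$1"
}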
135
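#
# start_svc <fmri>
#
# Starts the service.  If service_is_enabled reports the service as
# enabled, it is restarted; otherwise it is enabled temporarily
# (svcadm enable -t).  Returns the exit status of the svcadm call made.
#
start_svc () {
	# The FMRI is quoted throughout so it is always a single argument.
	if service_is_enabled "$1"; then
		$SVCADM restart "$1"
	else
		$SVCADM enable -t "$1"
	fi
}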
149
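#
# stop_svc <fmri>
#
# Temporarily disables the service (svcadm disable -t).  Returns the exit
# status of svcadm.
#
stop_svc () {
	# Quoted so the FMRI is passed as exactly one argument.
	$SVCADM disable -t "$1"
}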
158
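#
# copy_default <dir> <file>
#
# Copies <dir>/<file>.dfl to <dir>/<file>, preserving attributes (cp -p).
# Returns the exit status of cp.
#
copy_default () {
	# Both paths are quoted so a directory or file name containing
	# whitespace or glob characters is copied as named.
	$CP -p "$1/$2.dfl" "$1/$2"
}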
167
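#
# enable_nonet
#
# Falls back to the NoNet location: sets location/selected to NoNet on
# $SMF_FMRI, refreshes that service, then refreshes $NWAM_FMRI.  Called
# whenever an error is detected in the location being activated (a missing
# property, or the location itself is missing).
#
enable_nonet () {
	echo "reverting to NoNet location"
	# FMRIs are quoted so each is passed as exactly one argument.
	set_smf_prop "$SMF_FMRI" location/selected NoNet
	refresh_svc "$SMF_FMRI"
	# Refresh nwam so that it re-does the condition checking
	refresh_svc "$NWAM_FMRI"
}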
182
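#
# do_dns <location>
#
# Builds /etc/resolv.conf for <location> and starts the DNS client service.
# Each word of the location's 'dns-nameservice-configsrc' property selects
# a source:
#	manual	domain, servers and search list come from location properties
#	dhcp	domain and servers come from get_dhcpinfo
#
# If the property is missing, or no source yields a nameserver, the NoNet
# location is enabled instead; /etc/resolv.conf is then left untouched and
# the DNS client is not started.
#
# Values obtained through DHCP are written as received; they are not
# validated here.
#
do_dns () {
	loc=$1
	file=/etc/resolv.conf

	DNS_CONFIGSRC=`nwam_get_loc_prop "$loc" dns-nameservice-configsrc`
	if [ -z "$DNS_CONFIGSRC" ]; then
		echo "missing 'dns-nameservice-configsrc' property for '$loc'"
		enable_nonet
		return
	fi

	# Build the new contents in a working file.  It is created only after
	# the property check so the early return above cannot leave it behind,
	# and it is truncated so that leftovers from an earlier run with the
	# same PID are not appended to.
	: > "$file.$$"

	# The subshell confines the IFS change.  A "return" in here would only
	# leave the subshell, so the outcome is reported through its exit
	# status and acted on below.
	(IFS=" "
	dns_server_set=false
	for configsrc in $DNS_CONFIGSRC; do
		# Start every source from a clean slate so that values from a
		# previous source are not written a second time.
		DNS_DOMAIN=""
		DNS_SERVERS=""
		DNS_SEARCH=""

		case "$configsrc" in
		manual)
			DNS_DOMAIN=`nwam_get_loc_prop "$loc" \
			    dns-nameservice-domain`
			DNS_SERVERS=`nwam_get_loc_prop "$loc" \
			    dns-nameservice-servers`
			DNS_SEARCH=`nwam_get_loc_prop "$loc" \
			    dns-nameservice-search`
			;;
		dhcp)
			DNS_DOMAIN=`get_dhcpinfo DNSdmain`
			DNS_SERVERS=`get_dhcpinfo DNSserv`
			# No DNS search info for IPv4
			;;
		*)
			# Must be unquoted to act as the default branch; a
			# quoted '*' only matches a literal asterisk.
			echo "Unrecognized DNS configsrc ${configsrc}; ignoring"
			;;
		esac

		# Write DNS settings.  -F sets the separator before the first
		# record is read; assigning FS in the pattern is too late for
		# that record on awks that split a record when it is read.
		if [ -n "$DNS_DOMAIN" ]; then
			echo "$DNS_DOMAIN" | $NAWK -F, \
			    '{ for (i = 1; i <= NF; i++) print "domain ", $i }' \
			    >> "$file.$$"
		fi
		if [ -n "$DNS_SEARCH" ]; then
			echo "$DNS_SEARCH" | $NAWK -F, \
			    '{ printf("search");
			    for (i = 1; i <= NF; i++) printf(" %s", $i);
			    printf("\n") }' >> "$file.$$"
		fi
		if [ -n "$DNS_SERVERS" ]; then
			dns_server_set=true
			echo "$DNS_SERVERS" | $NAWK -F, \
			    '{ for (i = 1; i <= NF; i++) print "nameserver ", $i }' \
			    >> "$file.$$"
		fi
	done
	[ "$dns_server_set" = "true" ]
	)
	if [ $? -ne 0 ]; then
		echo "DNS nameserver not set for '$loc'"
		# Discard the incomplete working file instead of installing it.
		$RM -f "$file.$$"
		enable_nonet
		return
	fi

	# Finally, move our working version over the real thing
	$MV -f "$file.$$" "$file"
	start_svc "$DNS_CLIENT_FMRI"
}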
254
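#
# do_nis <location>
#
# Sets the NIS domain for <location>, writes the NIS server list to
# $NIS_BIND_PATH/<domain>/ypservers and starts the NIS client service.
# Each word of the location's 'nis-nameservice-configsrc' property selects
# a source:
#	manual	servers and domain come from location properties; a domain
#		given here is always applied
#	dhcp	servers and domain come from get_dhcpinfo; the domain is
#		applied only if no earlier source set one
#
# The domain name is used as a directory name under $NIS_BIND_PATH, and in
# the dhcp case it is supplied by the DHCP server.  A source whose domain
# is empty, ".", ".." or contains "/" is therefore ignored, so nothing can
# be created outside $NIS_BIND_PATH.
#
# If the property is missing, or no source sets the domain, the NoNet
# location is enabled instead and the NIS client is not started.
#
do_nis () {
	loc=$1

	NIS_CONFIGSRC=`nwam_get_loc_prop "$loc" nis-nameservice-configsrc`
	if [ -z "$NIS_CONFIGSRC" ]; then
		echo "missing 'nis-nameservice-configsrc' property for '$loc'"
		enable_nonet
		return
	fi

	# The subshell confines the IFS change.  A "return" in here would only
	# leave the subshell, so the outcome is reported through its exit
	# status and acted on below.
	(IFS=" "
	domainname_set=false
	for configsrc in $NIS_CONFIGSRC; do
		# Start every source from a clean slate so that an unrecognized
		# source cannot reuse the previous source's values.
		NIS_SERVERS=""
		DEFAULT_DOMAIN=""
		apply_domain=false

		case "$configsrc" in
		manual)
			NIS_SERVERS=`nwam_get_loc_prop "$loc" \
			    nis-nameservice-servers`
			DEFAULT_DOMAIN=`nwam_get_loc_prop "$loc" default-domain`
			# user-specified default-domain always wins
			apply_domain=true
			;;
		dhcp)
			# Use only the first name.  -F sets the separator before
			# the first record is read.
			DEFAULT_DOMAIN=`get_dhcpinfo NISdmain | \
			    $NAWK -F, '{ print $1 }'`
			NIS_SERVERS=`get_dhcpinfo NISservs`
			if [ "$domainname_set" = "false" ]; then
				apply_domain=true
			fi
			;;
		*)
			# Must be unquoted to act as the default branch; a
			# quoted '*' only matches a literal asterisk.
			echo "Unrecognized NIS configsrc ${configsrc}; ignoring"
			;;
		esac

		# Validate the domain before it is handed to domainname or
		# used as a path component.
		case "$DEFAULT_DOMAIN" in
		'')
			continue
			;;
		. | .. | */*)
			echo "NIS domain '$DEFAULT_DOMAIN' is not usable as a directory name; ignoring"
			continue
			;;
		esac

		if [ "$apply_domain" = "true" ]; then
			$DOMAINNAME "$DEFAULT_DOMAIN"
			$DOMAINNAME > "$ETC_DEFAULT_DOMAIN"
			domainname_set=true
		fi

		# Place NIS settings in appropriate directory/file.
		if [ ! -d "$NIS_BIND_PATH/$DEFAULT_DOMAIN" ]; then
			$MKDIR -p "$NIS_BIND_PATH/$DEFAULT_DOMAIN"
		fi
		if [ -n "$NIS_SERVERS" ]; then
			echo "$NIS_SERVERS" | $NAWK -F, \
			    '{ for (i = 1; i <= NF; i++) print $i }' \
			    > "$NIS_BIND_PATH/$DEFAULT_DOMAIN/ypservers"
		fi
	done
	[ "$domainname_set" = "true" ]
	)
	if [ $? -ne 0 ]; then
		echo "'domainname' not set for '$loc'"
		enable_nonet
		return
	fi
	start_svc "$NIS_CLIENT_FMRI"
}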
319
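#
# do_ldap <location>
#
# Initializes the LDAP client for <location> with ldapclient and starts the
# LDAP client service.  Only the 'manual' value of the location's
# 'ldap-nameservice-configsrc' property is recognized: servers and domain
# then come from location properties.
#
# If the property is missing, or no source provides a domain or a server,
# the NoNet location is enabled instead and the LDAP client is not started.
#
do_ldap () {
	loc=$1

	LDAP_CONFIGSRC=`nwam_get_loc_prop "$loc" ldap-nameservice-configsrc`
	if [ -z "$LDAP_CONFIGSRC" ]; then
		echo "missing 'ldap-nameservice-configsrc' property for '$loc'"
		enable_nonet
		return
	fi

	# The subshell confines the IFS change.  A "return" in here would only
	# leave the subshell, so the outcome is reported through its exit
	# status and acted on below.
	(IFS=" "
	ldap_config_set=false
	for configsrc in $LDAP_CONFIGSRC; do
		# Start every source from a clean slate so that an unrecognized
		# source cannot re-run ldapclient with the previous values.
		LDAP_SERVERS=""
		DEFAULT_DOMAIN=""

		case "$configsrc" in
		manual)
			LDAP_SERVERS=`nwam_get_loc_prop "$loc" \
			    ldap-nameservice-servers`
			DEFAULT_DOMAIN=`nwam_get_loc_prop "$loc" default-domain`
			# Only set the domain when there is one; with an empty
			# value domainname would merely print the current name.
			if [ -n "$DEFAULT_DOMAIN" ]; then
				$DOMAINNAME "$DEFAULT_DOMAIN"
				$DOMAINNAME > "$ETC_DEFAULT_DOMAIN"
			fi
			;;
		*)
			# Must be unquoted to act as the default branch; a
			# quoted '*' only matches a literal asterisk.
			echo "Unrecognized LDAP configsrc ${configsrc}; ignoring"
			;;
		esac

		# Use ldapclient(1M) to initialize LDAP client settings.
		if [ -n "$DEFAULT_DOMAIN" ] || [ -n "$LDAP_SERVERS" ]; then
			ldap_config_set=true
			# XXX need to check how to specify multiple LDAP servers.
			# $LDAP_SERVERS is left unquoted, as before, so that it
			# adds no argument when empty and is split on spaces
			# otherwise.
			$LDAPCLIENT init -a domainName="$DEFAULT_DOMAIN" \
			    $LDAP_SERVERS
		fi
	done
	[ "$ldap_config_set" = "true" ]
	)
	if [ $? -ne 0 ]; then
		echo "LDAP configuration could not be set for '$loc'"
		enable_nonet
		return
	fi
	start_svc "$LDAP_CLIENT_FMRI"
}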
367
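#
# do_ns <location>
#
# Installs the name services configured for <location>.
#
# The name service switch is first reset to "files" only, the DNS, NIS and
# LDAP clients are temporarily disabled, and /etc/defaultdomain and the
# domain name are cleared.  If a required property is missing, the
# function enables NoNet and returns with the system in that files-only
# state.  Otherwise the location's nsswitch file is installed and each
# entry of the comma-separated 'nameservices' property is configured.
#
do_ns () {
	loc=$1

	#
	# Disable nameservices temporarily while we reconfigure.  Copy
	# /etc/nsswitch.files to /etc/nsswitch.conf first so that only "files"
	# are used.
	#
	$CP -p /etc/nsswitch.files /etc/nsswitch.conf
	stop_svc "$DNS_CLIENT_FMRI"
	stop_svc "$NIS_CLIENT_FMRI"
	stop_svc "$LDAP_CLIENT_FMRI"

	#
	# Remove /etc/defaultdomain and unset domainname(1M).  If NIS
	# and/or LDAP is configured, they will create /etc/defaultdomain
	# and set the domainname(1M).
	#
	$RM -f "$ETC_DEFAULT_DOMAIN"
	$DOMAINNAME " "

	NAMESERVICES=`nwam_get_loc_prop "$loc" nameservices`
	if [ -z "$NAMESERVICES" ]; then
		echo "missing 'nameservices' property for location '$loc'"
		enable_nonet
		return
	fi

	NAMESERVICES_CONFIG_FILE=`nwam_get_loc_prop \
	    "$loc" nameservices-config-file`
	if [ -z "$NAMESERVICES_CONFIG_FILE" ]; then
		echo "missing 'nameservices-config-file' property for '$loc'"
		enable_nonet
		return
	fi
	$CP -p "$NAMESERVICES_CONFIG_FILE" /etc/nsswitch.conf

	# The subshell confines the IFS change.  $loc is quoted in the calls
	# below because IFS is "," here and an unquoted location name would
	# be split at commas.
	(IFS=,
	for ns in $NAMESERVICES; do
		case "$ns" in
		files)
			# no additional setup needed for files nameservice
			;;
		dns)
			do_dns "$loc"
			;;
		nis)
			do_nis "$loc"
			;;
		ldap)
			do_ldap "$loc"
			;;
		*)
			# Must be unquoted to act as the default branch; a
			# quoted '*' only matches a literal asterisk.
			echo "Unrecognized nameservices value ${ns}; ignoring"
			;;
		esac
	done
	)

	#
	# Restart other related services
	#
	# We explicitly restart here, as restart will only have an
	# effect if the service is already enabled.  We don't want
	# to enable the service if it's currently disabled.
	#
	restart_svc "$AUTOFS_FMRI"
}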
441
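#
# do_sec <location>
#
# Applies the security configuration files named by <location>.
#
# IKE and IPsec policy: if the location names a config file, the file is
# recorded in the service's config/config_file property and the service is
# refreshed and started; otherwise the service is temporarily disabled.
#
# IPFilter: 'ipfilter-config-file' may be one of the special values /none,
# /deny or /allow, which select the policy of that name; any other value is
# recorded as a custom policy file.  The v6, NAT and pool files are
# recorded when set.  If none of the four properties is set, the policy is
# set to "none" and IPFilter is temporarily disabled, so such a location
# runs without packet filtering.
#
do_sec () {
	loc=$1

	ike_file=`nwam_get_loc_prop "$loc" ike-config-file`
	pol_file=`nwam_get_loc_prop "$loc" ipsecpolicy-config-file`
	ipf_file=`nwam_get_loc_prop "$loc" ipfilter-config-file`
	ipf6_file=`nwam_get_loc_prop "$loc" ipfilter-v6-config-file`
	ipnat_file=`nwam_get_loc_prop "$loc" ipnat-config-file`
	ippool_file=`nwam_get_loc_prop "$loc" ippool-config-file`

	# File names are quoted wherever they are passed on, so a path that
	# contains whitespace is recorded whole rather than cut at the first
	# space.

	# IKE
	if [ -n "$ike_file" ]; then
		set_smf_prop "$IPSEC_IKE_FMRI" config/config_file "$ike_file"
		refresh_svc "$IPSEC_IKE_FMRI"
		start_svc "$IPSEC_IKE_FMRI"
	else
		stop_svc "$IPSEC_IKE_FMRI"
	fi

	# IPsec
	if [ -n "$pol_file" ]; then
		set_smf_prop "$IPSEC_POLICY_FMRI" config/config_file "$pol_file"
		refresh_svc "$IPSEC_POLICY_FMRI"
		start_svc "$IPSEC_POLICY_FMRI"
	else
		stop_svc "$IPSEC_POLICY_FMRI"
	fi

	# IPFilter
	refresh_ipf=false
	case "$ipf_file" in
	'')
		# change policy to "none", no need to clear custom_policy_file
		set_smf_prop "$IPFILTER_FMRI" firewall_config_default/policy \
		    "none"
		# IPFilter has to be refreshed to make the changes effective.
		# Don't set $refresh_ipf as it keeps IPFilter online rather
		# than disabled.  Refresh after IPFilter is disabled below.
		;;
	/none)
		set_smf_prop "$IPFILTER_FMRI" \
		    firewall_config_default/policy "none"
		refresh_ipf=true
		;;
	/deny)
		set_smf_prop "$IPFILTER_FMRI" \
		    firewall_config_default/policy "deny"
		refresh_ipf=true
		;;
	/allow)
		set_smf_prop "$IPFILTER_FMRI" \
		    firewall_config_default/policy "allow"
		refresh_ipf=true
		;;
	*)
		# custom policy with policy file
		set_smf_prop "$IPFILTER_FMRI" \
		    firewall_config_default/policy "custom"
		set_smf_prop "$IPFILTER_FMRI" \
		    firewall_config_default/custom_policy_file "$ipf_file"
		refresh_ipf=true
		;;
	esac
	if [ -n "$ipf6_file" ]; then
		set_smf_prop "$IPFILTER_FMRI" config/ipf6_config_file \
		    "$ipf6_file"
		refresh_ipf=true
	fi
	if [ -n "$ipnat_file" ]; then
		set_smf_prop "$IPFILTER_FMRI" config/ipnat_config_file \
		    "$ipnat_file"
		refresh_ipf=true
	fi
	if [ -n "$ippool_file" ]; then
		set_smf_prop "$IPFILTER_FMRI" config/ippool_config_file \
		    "$ippool_file"
		refresh_ipf=true
	fi

	if [ "$refresh_ipf" = "true" ]; then
		refresh_svc "$IPFILTER_FMRI"
		start_svc "$IPFILTER_FMRI"
	else
		stop_svc "$IPFILTER_FMRI"
		refresh_svc "$IPFILTER_FMRI"
	fi
}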
527
#
# update_nfs_file <new nfsv4 domain>
#
# Rewrites /etc/default/nfs so that its last line sets NFSMAPID_DOMAIN to
# <new nfsv4 domain>, tagged "# Added by NWAM".  The new contents are
# written to /etc/default/nfs.<pid> and then moved over the original.
#
update_nfs_file () {
	domain=$1
	file=/etc/default/nfs

	#
	# Line by line:
	#   active NFSMAPID_DOMAIN= line carrying the "# Added by NWAM" tag:
	#	dropped
	#   any other active NFSMAPID_DOMAIN= line:
	#	commented out and tagged "# Commented out by NWAM"
	#   commented-out #NFSMAPID_DOMAIN= line:
	#	kept unless it matches the regular expression below
	#   line whose first field does not contain NFSMAPID_DOMAIN=:
	#	kept as-is
	#
	# NOTE(review): the regular expression in the second branch contains
	# literal double quotes, so it does not match the tag as written by
	# the first branch; lines commented out by NWAM are therefore kept.
	# Confirm whether they were meant to be removed.
	#
	$NAWK '{
		if ($0 ~ /^NFSMAPID_DOMAIN=/) {
			if (index($0, "# Added by NWAM") == 0)
				printf("#%s # Commented out by NWAM\n", $0);
		} else if ($0 ~ /^#NFSMAPID_DOMAIN=/) {
			if ($0 !~ /"# Commented out by NWAM"/)
				printf("%s\n", $0);
		} else if ($1 !~ /NFSMAPID_DOMAIN=/) {
			printf("%s\n", $0);
		}
	}' $file >$file.$$

	# Append the requested value
	echo "NFSMAPID_DOMAIN=$domain # Added by NWAM" >> $file.$$

	# Move the working copy over the real file
	$MV -f $file.$$ $file
}
563
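#
# do_nfsv4 <location>
#
# Updates the NFSv4 domain for <location>.  If nwam_get_loc_prop succeeds
# for 'nfsv4-domain', the value is written with update_nfs_file and the
# mapid service is started; otherwise the mapid service is temporarily
# disabled.
#
do_nfsv4 () {
	loc=$1

	# The value is quoted when passed on so that it reaches
	# update_nfs_file as one argument even if it contains whitespace.
	if nfsv4domain=`nwam_get_loc_prop "$loc" nfsv4-domain`; then
		update_nfs_file "$nfsv4domain"
		start_svc "$MAPID_FMRI"
	else
		stop_svc "$MAPID_FMRI"
	fi
}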
580
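#
# activate_loc <location>
#
# Activates the given location by applying, in order, its security
# settings (do_sec), its name services (do_ns) and its NFSv4 domain
# (do_nfsv4).
#
activate_loc () {
	loc=$1

	# The name is quoted throughout so that it is logged and passed on
	# exactly as given, as a single argument.
	echo "activating $loc location"

	do_sec "$loc"
	do_ns "$loc"
	do_nfsv4 "$loc"
}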
595
#
# Script entry point
#
# net-loc takes a single argument, the method: 'start' or 'refresh'.
#

#
# When nwam is not enabled there is nothing to do; report success.
#
if service_is_enabled $NWAM_FMRI; then
	:
else
	exit $SMF_EXIT_OK
fi

#
# In a shared-IP zone we need this service to be up, but all of the work
# it tries to do is irrelevant (and will actually lead to the service
# failing if we try to do it), so just bail out.
# In the global zone and exclusive-IP zones we proceed.
#
if smf_configure_ip; then
	:
else
	exit $SMF_EXIT_OK
fi

case "$1" in

'start')
	#
	# Make sure the default locations (Automatic and NoNet) exist.  A
	# location is created with its nwamcfg script only when
	# "nwamcfg list loc" exits with status 1 for it.  If anything was
	# created, nwam is refreshed so that nwamd reads the new location.
	#
	LOC_CREATED="false"

	$NWAMCFG list loc Automatic >/dev/null 2>&1
	auto_rc=$?
	if [ $auto_rc -eq 1 ]; then
		$NWAMCFG -f /etc/nwam/loc/create_loc_auto
		LOC_CREATED="true"
	fi

	$NWAMCFG list loc NoNet >/dev/null 2>&1
	nonet_rc=$?
	if [ $nonet_rc -eq 1 ]; then
		# Install the NoNet IPFilter files from their .dfl defaults
		# before the location that refers to them is created.
		NONETPATH=/etc/nwam/loc/NoNet
		NONETFILES="ipf.conf ipf6.conf"
		for file in $NONETFILES; do
			copy_default $NONETPATH $file
		done
		$NWAMCFG -f /etc/nwam/loc/create_loc_nonet
		LOC_CREATED="true"
	fi

	if [ "$LOC_CREATED" = "true" ]; then
		refresh_svc $NWAM_FMRI
	fi

	# location selection/activation happens below
	;;

'refresh')

	# location selection/activation happens below
	;;

*)
	echo "Usage: $0 start|refresh"
	exit 1
	;;

esac
661
#
# Upgrade handling.  If the Legacy location doesn't exist and the script
# that creates it does, create the Legacy location, then make a copy of it
# (the User location) as a record of the user's intentions before upgrade.
# The User location is activated afterwards only if nis is involved:
# because NIS affects more parts of the system (e.g. automounts) it is not
# made part of the Automatic location (i.e. enabled automatically based on
# external input) the way DHCP-driven DNS is.
#
activate_user_loc=0
$NWAMCFG list loc Legacy >/dev/null 2>&1
legacy_rc=$?
if [ $legacy_rc -eq 1 ] && [ -f "$SCRIPT_PATH/create_loc_legacy" ]; then
	#
	# The creation script and its data were built under, and point to,
	# /etc/svc/volatile because a writable filesystem may not have been
	# available in net-nwam.  Move the components to the writable
	# filesystem and rewrite the script to point there.
	#
	$CP -r $SCRIPT_PATH/Legacy $LEGACY_LOC_PATH
	$MV $SCRIPT_PATH/create_loc_legacy $SCRIPT_PATH/vcreate_loc_legacy
	$SED -e's,/etc/svc/volatile/nwam/Legacy,/etc/nwam/loc/Legacy,' \
	    $SCRIPT_PATH/vcreate_loc_legacy >$SCRIPT_PATH/create_loc_legacy
	$NWAMCFG -f $SCRIPT_PATH/create_loc_legacy

	# Only the exit status is used: 1 means the version property could
	# not be read, i.e. the User location has not been created yet.
	loc_ver=`$SVCPROP -c -p location_upgrade/version $LOCATION_FMRI \
	    2>/dev/null`
	version_rc=$?
	if [ $version_rc -eq 1 ]; then
		#
		# Derive the User creation script from the Legacy one by
		# rewriting its configuration variables.  ULP keeps the
		# regular expressions within a line.  The second sed restores
		# the special IPFilter values /none, /allow and /deny, which
		# the first one rewrote as if they were file names.
		#
		ULP=$USER_LOC_PATH
		$SED -e's,Legacy,User,' \
		    -e's,activation-mode=system,activation-mode=manual,' \
		    -e"s,\(ipfilter-config-file=\).*/\(.*\),\1$ULP/\2," \
		    -e"s,\(ipfilter-v6-config-file=\).*/\(.*\),\1$ULP/\2," \
		    -e"s,\(ipnat-config-file=\).*/\(.*\),\1$ULP/\2," \
		    -e"s,\(ippool-config-file=\).*/\(.*\),\1$ULP/\2," \
		    -e"s,\(ike-config-file=\).*/\(.*\),\1$ULP/\2," \
		    -e"s,\(ipsecpolicy-config-file=\).*/\(.*\),\1$ULP/\2," \
		    $SCRIPT_PATH/create_loc_legacy | \
			$SED -e's,/etc/nwam/loc/User/none,/none,' \
			-e's,/etc/nwam/loc/User/allow,/allow,' \
			-e's,/etc/nwam/loc/User/deny,/deny,' \
			>$SCRIPT_PATH/create_loc_user
		#
		# Create the User location, an approximation of the machine
		# configuration at the time the user changed or upgraded to
		# this version of NWAM.  Any existing User location and its
		# data are removed first; the Legacy data is then copied and
		# a location pointing at the copy is created.  Finally a
		# version property records that this has been done.
		#
		$NWAMCFG destroy loc User 2>/dev/null
		$RM -rf $USER_LOC_PATH
		$CP -r $LEGACY_LOC_PATH $USER_LOC_PATH
		$RM -f $USER_LOC_PATH/resolv.conf
		$NWAMCFG -f $SCRIPT_PATH/create_loc_user
		# The User location is activated if 'nis' appears after the
		# database name on a non-comment line of nsswitch.conf.
		if $GREP -v "^#" $USER_LOC_PATH/nsswitch.conf |\
		    $SED -e 's/[^:]*://' | $GREP nis >/dev/null 2>&1; then
			activate_user_loc=1
		fi
		# NOTE(review): the version is read from $LOCATION_FMRI above
		# but written to $SMF_FMRI here; presumably both name this
		# service - confirm.
		$SVCCFG -s $SMF_FMRI addpg location_upgrade application \
		    2>/dev/null
		$SVCCFG -s $SMF_FMRI setprop location_upgrade/version = \
		    astring: "1"
	fi
fi
733
#
# Activate a location.
#
# After an upgrade that calls for the User location, enable it through
# nwamadm so that the enabled property gets set and nwamd knows the
# selection has been made.  Otherwise activate the location named by our
# location/selected property.  NoNet is the fallback, both when the
# property cannot be read and when the location it names doesn't exist.
#
# NOTE(review): $sel_loc is expanded unquoted below, as in the rest of the
# top-level code; confirm that location names cannot contain whitespace or
# glob characters.
#
if [ $activate_user_loc -eq 1 ]; then
	$NWAMADM enable -p loc User
else
	sel_loc=`$SVCPROP -c -p location/selected $SMF_FMRI 2>/dev/null`
	selected_rc=$?
	if [ $selected_rc -ne 1 ]; then
		# a location has been selected; make sure it exists
		$NWAMCFG list loc $sel_loc >/dev/null 2>&1
		exists_rc=$?
		if [ $exists_rc -ne 1 ]; then
			# activate selected location
			activate_loc $sel_loc
		else
			echo "location '$sel_loc' doesn't exist"
			enable_nonet
		fi
	else
		# location hasn't been selected; default to NoNet
		activate_loc NoNet
	fi
fi

exit $SMF_EXIT_OK
763