SWAT: please help

GL Fournerat gary at netin.com
Tue Mar 6 07:38:56 GMT 2001


To: Thomas Cameron
        Russ Brooks
        Andrew Bartlett

Thanks a million guys.  I've got several options to look into now... and that's
far better than where I've been lately.

Re: my /etc/xinetd/swat file....

in the
        user     = smbuser
line, I should have added that after I created the 'smb' group,  I then created
the user account 'smbuser'... and made root  (and smbuser) a member of the smb
group (along with a select few others).  So, by 'smbuser' being a member of the
'smb' group, along with root, I was hoping that root access would be deferred to
smbuser (at least for the 'smb' group)... but it probably doesn't work that way.
This was all done in hopes of keeping root out of the SWAT equation... and is
probably the root cause of all my problems. LOL

Another issue to dig into is that I have the smbuser user account disabled (with
regard to logins and with no password assigned to the user) so I'll tinker with
this as well.

Is it safe to assume that "user     = " is looking for a user account.. and not a
group account?  I'm uncertain about this since "root" can be either.  On the same
note, can a user or group with root access be inserted here?

in the
        only_from = 127.0.0.1
line, I have tried 'localhost' there as well.. with the same results
(Authentication failed. Retry?).  I have not tried removing the line altogether
(yet).

Re: /etc/pam.d/samba

It's there Tom.. exactly as you copied from your system.

I thought PAM was going to be at least a part of the problem because I looked
into /var/log/ and found..  (I see now PAM was only doing what it's suppose to..
and this is pam-0.72-37)

Mar 5 08:19:52 arendia PAM_unix[669]: (login) session opened for user root by
LOGIN(uid=0)
Mar 5 08:20:13 arendia PAM_unix[786]: authentication failure; (uid=505) -> root
for samba service

{505 is the uid for the smbuser user account}

Re: (I know, I know...  bad sysadmin!)

To date, the only way that seems to work is by using root.. bad sysadmin or not.


Thanks again guys!!!

Gary


Andrew Bartlett wrote:

> Russ Brucks wrote:
> >
> > This is a quick shot in the dark, but in your email you displayed the cat of
> > /etc/xinetd.d/swat
> >
> > >#cat /etc/xinetd.d/swat
> > ># default: off
> > ># description:  SWAT is the Samba Web Admin Tool.  Use swat
> > >\
> > >#                          to configure your Samba server.
> > >To use SWAT, \
> > >#                          connect to port 901 with your
> > >favorite web browser.
> > >service swat
> > >{
> > >            port        = 901
> > >            socket_type    = stream
> > >            wait        = no
> > >            only_from = 127.0.0.1
> > >            user        = smbuser
> > >            server    = /usr/sbin/swat
> > >            log_on_failure    += USERID
> > >            disable    = no
> > >}
> >
> > I bet the line stating >  only_from = 127.0.0.1  is the culprit.  I would
> > think this is interpretted as SWAT will only accept connections from
> > 127.0.0.1, vis a vis the local host.  I removed this line from my
> > xinetd.d/swat file.  Try that and see if it helps.  I would also imagine the
> > user = smbuser would require you to login to SWAT as only smbuser.  I'm not
> > sure if you put a space or a comma to add more than one user.  I'm still
> > using root as mine.  (I know, I know...  bad sysadmin!)
> >
> > Cheers,
> >
> > Russ
>
> SWAT must run as ROOT, it cannot do its job as any other user (apart
> from remote password changes, but thats another issue).  The SWAT
> program needs to modify /etc/smbpasswd and /etc/smb.conf, as well as
> validating your idenity in /etc/shadow (or with PAM).  All this needs
> root privilages.
>
> Reading some of your earlier postings (quoted below) I see that the
> user=smbuser is the issue.  If SWAT is using PAM (it is), it can't tell
> the difference between 'that password is wrong' and 'i can't verify that
> password', hence your problem.
>
> Hope this clarifies things,
> Andrew Bartlett





More information about the samba mailing list