Context Navigation

← Previous Changeset
Next Changeset →

Changeset 75f9474f

Timestamp:

11/13/2011 02:22:21 AM (12 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

fcc6d60

Parents:

ee792ef

Message:

Update swat instructions in samba

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8957 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

: 3 edited

general.ent (modified) (3 diffs)
introduction/welcome/changelog.xml (modified) (1 diff)
networking/netprogs/samba3.xml (modified) (11 diffs)

Legend:

: Unmodified
: Added
: Removed

general.ent

-              ree792ef
+              r75f9474f
 -->
 <!ENTITY day          "11">                   <!-- Always 2 digits -->
+<!ENTITY day          "12">                   <!-- Always 2 digits -->
 <!ENTITY month        "11">                   <!-- Always 2 digits -->
 <!ENTITY year         "2011">
 …
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
 <!ENTITY releasedate  "November 11th, &year;">
+<!ENTITY releasedate  "November 12th, &year;">
 <!-- <!ENTITY releasedate  "November &day;st, &year;"> -->
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 …
 <!-- End LFS versions -->
 <!ENTITY blfs-bootscripts-version     "20111111">
+<!ENTITY blfs-bootscripts-version     "20111112">
 <!ENTITY blfs-bootscripts-download    "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">

introduction/welcome/changelog.xml

-              ree792ef
+              r75f9474f
 -->
+    <listitem>
+      <para>November 12th, 2011</para>
+      <itemizedlist>
+        <listitem>
+          <para>[bdubbs] - Update swat instructions in samba.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
     <listitem>

networking/netprogs/samba3.xml

-              ree792ef
+              r75f9474f
 make</userinput></screen>
-<!-- - -enable-socket-wrapper for tests -->
     <para>To test the results, issue: <command>make test</command>. If you have
     <application>Linux-PAM</application> installed and built the PAM library
 …
       </sect4>
+      <sect4 id="samba3-init">
+        <title>Boot Script</title>
+        <para>For your convenience, boot scripts have been provided for
+        <application>Samba</application>. There are two included in the
+        <xref linkend="bootscripts"/> package. The first,
+        <filename>samba</filename>, will start the <command>smbd</command>
+        and <command>nmbd</command> daemons needed to provide SMB/CIFS
+        services. The second script, <filename>winbind</filename>, starts
+        the <command>winbindd</command> daemon, used for providing Windows
+        domain services to Linux clients.</para>
+        <indexterm zone="samba3 samba3-init">
+          <primary sortas="f-samba">samba</primary>
+        </indexterm>
+        <indexterm zone="samba3 samba3-init">
+          <primary sortas="f-winbind">winbind</primary>
+        </indexterm>
+        <para>The default <application>Samba</application> installation uses the
+        <systemitem class='username'>nobody</systemitem> user for guest access
+        to the server. This can be overridden by setting the
+        <option>guest account =</option> parameter in the
+        <filename>/etc/samba/smb.conf</filename> file. If you utilize the
+        <option>guest account =</option> parameter, ensure this user exists in
+        the <filename>/etc/passwd</filename> file. To use the default user,
+        issue the following commands as the
+        <systemitem class='username'>root</systemitem> user:</para>
+<screen><userinput>groupadd -g 99 nogroup &amp;&amp;
+useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \
+    -s /bin/false -u 99 nobody</userinput></screen>
+        <para>Install the <filename>samba</filename> script with the following
+        command issued as the <systemitem class="username">root</systemitem>
+        user:</para>
+<screen role="root"><userinput>make install-samba</userinput></screen>
+        <para>If you also need the <filename>winbind</filename>
+        script:</para>
+<screen role="root"><userinput>make install-winbind</userinput></screen>
+       </sect4>
     </sect3>
 …
       <title>Configuring SWAT</title>
+      <para>The built in SWAT (<application>Samba</application> Web
+      Administration Tool) utility can be used for basic configuration of
+      the <application>Samba</application> installation, but because it may
+      be inconvenient, undesirable or perhaps even impossible to gain
+      access to the console, BLFS recommends setting up access to SWAT using
+      <application>Stunnel</application>. Without
+      <application>Stunnel</application>, the
+      <systemitem class="username">root</systemitem> password is transmitted
+      in clear text over the wire, and is considered an unacceptable security
+      risk. After considering the security implications of using SWAT without
+      <application>Stunnel</application>, and you still wish to implement SWAT
+      without it, instructions are provided at this end of this section.</para>
+      <para>The SWAT (<application>Samba</application> Web Administration Tool)
+      utility can be used for configuration of the
+      <application>Samba</application> installation.</para>
       <indexterm zone="samba3 samba3-swat-config">
         <primary sortas="g-SWAT">SWAT</primary>
 …
       <sect4>
+        <title>Setting up SWAT using Stunnel</title>
+        <para>First install, or ensure you have already installed, the
+        <xref linkend="stunnel"/> package.</para>
+        <para>Next you must add entries to <filename>/etc/services</filename>
+        and modify the <command>inetd</command>/<command>xinetd</command>
+        configuration.</para>
+        <title>Setting up SWAT using inetd</title>
+        <indexterm zone="samba3 samba3-swat-config">
+          <primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary>
+        </indexterm>
         <indexterm zone="samba3 samba3-swat-config">
           <primary sortas="e-etc-services">/etc/services</primary>
         </indexterm>
-        <indexterm zone="samba3 samba3-swat-config">
-          <primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary>
-        </indexterm>
-        <indexterm zone="samba3 samba3-swat-config">
-          <primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary>
-        </indexterm>
-        <para>Add swat and swat_tunnel entries to
-        <filename>/etc/services</filename> with the following commands issued
-        as the <systemitem class="username">root</systemitem> user:</para>
-<screen role="root"><userinput>echo "swat            904/tcp" &gt;&gt; /etc/services &amp;&amp;
-echo "swat_tunnel     905/tcp" &gt;&gt; /etc/services</userinput></screen>
-        <para>If <command>inetd</command> is used, the following command will
-        add the swat_tunnel entry to <filename>/etc/inetd.conf</filename> (as
-        user <systemitem class="username">root</systemitem>):</para>
-<screen role="root"><userinput>echo "swat_tunnel stream tcp nowait.400 root /usr/sbin/swat swat" \
-    &gt;&gt; /etc/inetd.conf</userinput></screen>
-        <para>Issue a <command>killall -HUP inetd</command> to reread the
-        changed <filename>inetd.conf</filename> file.</para>
-        <para>If you use <command>xinetd</command>, the following command will
-        create the <application>Samba</application> file as
-        <filename>/etc/xinetd.d/swat_tunnel</filename> (you may need to modify
-        or remove the <quote>only_from</quote> line to include the desired
-        host[s]):</para>
-<screen role="root"><userinput>cat &gt;&gt; /etc/xinetd.d/swat_tunnel &lt;&lt; "EOF"
-<literal># Begin /etc/xinetd.d/swat_tunnel
-service swat_tunnel
+{
-    port            = 905
-    socket_type     = stream
-    wait            = no
-    only_from       = 127.0.0.1
-    user            = root
-    server          = /usr/sbin/swat
-    log_on_failure  += USERID
+}
-# End /etc/xinetd.d/swat_tunnel</literal>
-EOF</userinput></screen>
-        <indexterm zone="samba3 samba3-swat-config">
-          <primary sortas="e-etc-xinetd.d-swat-tunnel">/etc/xinetd.d/swat_tunnel</primary>
-        </indexterm>
-        <para>Issue a <command>killall -HUP xinetd</command> to read the new
-        <filename>/etc/xinetd.d/swat_tunnel</filename> file.</para>
-        <para>Next, you must add an entry for the swat service to the
-        <filename>/etc/stunnel/stunnel.conf</filename> file (as user
-        <systemitem class="username">root</systemitem>):</para>
-        <indexterm zone="samba3 samba3-swat-config">
-          <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary>
-        </indexterm>
-<screen role="root"><userinput>cat &gt;&gt; /etc/stunnel/stunnel.conf &lt;&lt; "EOF"
-<literal>[swat]
-accept  = 904
-connect = 905
-TIMEOUTclose = 1</literal>
-EOF</userinput></screen>
-        <para>Restart the <command>stunnel</command> daemon using the following
-        command as the <systemitem class="username">root</systemitem> user:</para>
-<screen role="root"><userinput>/etc/rc.d/init.d/stunnel restart</userinput></screen>
-      <para>SWAT can be launched by pointing your web browser to
-      <uri>https://<replaceable>&lt;CA_DN_field&gt;</replaceable>:904</uri>.
-      Substitute the hostname listed in the DN field of the CA certificate
-      used with <application>Stunnel</application> for
-      <replaceable>&lt;CA_DN_field&gt;</replaceable>.</para>
-      </sect4>
-      <sect4>
-        <title>Setting up SWAT without Stunnel</title>
         <warning>
 …
         </warning>
         <para>Add a swat entry to <filename>/etc/services</filename> with the
         following command issued as the
         <systemitem class='username'>root</systemitem> user:</para>
+<screen role='root'><userinput>echo "swat            904/tcp" &gt;&gt; /etc/services</userinput></screen>
+        <para>If <command>inetd</command> is used, the following command
         issued as the <systemitem class='username'>root</systemitem> user will
         add a swat entry to the <filename>/etc/inetd.conf</filename> file:</para>
+<screen role='root'><userinput>echo "swat stream tcp nowait.400 root /usr/sbin/swat swat" \
     &gt;&gt; /etc/inetd.conf</userinput></screen>
+        <para>First you must add an entry to <filename>/etc/services</filename>
+        and modify the <command>inetd</command> configuration. Add this entry
+        with the following command issued as the <systemitem
+        class="username">root</systemitem> user:</para>
+<screen role="root"><userinput>echo "swat            905/tcp" &gt;&gt; /etc/services</userinput></screen>
+        <para>Now add this entry to the <filename>/etc/inetd.conf</filename>
+        file, again as the <systemitem class="username">root</systemitem>
+        user:</para>
+<screen role="root"><userinput>echo "swat stream tcp nowait.5 root /usr/sbin/swat swat &gt;&gt; /etc/inetd.conf</userinput></screen>
         <para>Issue a <command>killall -HUP inetd</command> to reread the
         changed <filename>inetd.conf</filename> file.</para>
+        <para>If <command>xinetd</command> is used, the following command
+        issued as the <systemitem class='username'>root</systemitem> user
+        will create an <filename>/etc/xinetd.d/swat</filename> file:</para>
+<screen role='root'><userinput>cat &gt;&gt; /etc/xinetd.d/swat &lt;&lt; "EOF"
+        <para>SWAT can be launched by pointing your web browser to
+        http://localhost:905.</para>
+      </sect4>
+      <sect4>
+        <title>Setting up SWAT using xinetd</title>
+        <indexterm zone="samba3 samba3-swat-config">
+          <primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary>
+        </indexterm>
+        <para>If not already done, add an entry to <filename>/etc/services</filename> file
+        as the <systemitem class="username">root</systemitem> user:</para>
+<screen role="root"><userinput>echo "swat            905/tcp" &gt;&gt; /etc/services</userinput></screen>
+        <para>Create the <application>Samba</application> <xref
+        linkend='xinetd'/> file as <filename>/etc/xinetd.d/swat</filename>.</para>
+        <warning>
+          <para>You may modify or remove the <quote>only_from</quote> line
+          below to include other host(s).  BLFS does not recommend doing this
+          because of the security risk involved. However, in a home network
+          environment, disclosure of the <systemitem
+          class='username'>root</systemitem> password may be an acceptable
+          risk.</para>
+        </warning>
+<screen role="root"><userinput>cat &gt;&gt; /etc/xinetd.d/swat &lt;&lt; "EOF"
 <literal># Begin /etc/xinetd.d/swat
 service swat
+{
     port            = 904
+    port            = 905
     socket_type     = stream
     wait            = no
+    instances       = 5
     only_from       = 127.0.0.1
     user            = root
     server          = /usr/sbin/swat
     log_on_failure  += USERID
+    log_on_failure += USERID
+}
 …
 EOF</userinput></screen>
+        <para>Issue a <command>killall -HUP xinetd</command> to read the
+        new <filename>/etc/xinetd.d/swat</filename> file.</para>
+        <para>SWAT can be launched by pointing your web browser to
+        http://localhost:904.</para>
+        <para>Issue a <command>killall -HUP xinetd</command> to read the new
+        <filename>/etc/xinetd.d/swat</filename> file.</para>
+        <note>
+          <para>If you linked <application>Linux-PAM</application> into the
+          <application>Samba</application> build, you'll need to create an
+          <filename>/etc/pam.d/samba</filename> file.</para>
+        </note>
+        <para>SWAT can now be launched by pointing your web browser to
+        http://localhost:905.</para>
+      </sect4>
+      <sect4>
+        <title>Setting up SWAT using stunnel</title>
+        <para>A better way to set up SWAT for network access is through
+        <xref linkend='stunnel'/>.  For convenience, a boot scripts has
+        been provided for SWAT via stunnel.  First, create the stunnel
+        configuration file:</para>
+        <indexterm zone="samba3 samba3-swat-config">
+          <primary sortas="e-etc-stunnel-swat.conf">/etc/stunnel/swat.conf</primary>
+        </indexterm>
+<screen role="root"><userinput>cat &gt;&gt; /etc/stunnel/swat.conf &lt;&lt; "EOF"
+<literal>; File: /etc/stunnel/swat.conf
+pid    = /run/stunnel-swat.pid
+setuid = root
+setgid = root
+cert   = /etc/stunnel/stunnel.pem
+[swat]
+accept = swat
+exec   = /usr/sbin/swat
+</literal>
+EOF</userinput></screen>
+        <para>Next, install the swat bootscript:</para>
+<screen role="root"><userinput>make install-swat</userinput></screen>
+        <para>After starting the SWAT boot script the tool can be accessed by
+        pointing your web browser to https://localhost:905.  Note:
+        <emphasis>https</emphasis>.  If access to the tool needs to be
+        further restricted, then <xref linkend='iptables'/> can be
+        used.</para>
       </sect4>
 …
       <title/>
-      <note>
-        <para>If you linked <application>Linux-PAM</application> into the
-        <application>Samba</application> build, you'll need to create an
-        <filename>/etc/pam.d/samba</filename> file.</para>
-      </note>
       <indexterm zone="samba3 samba3-swat-config">
 …
     </sect3>
-    <sect3 id="samba3-init">
-      <title>Boot Script</title>
-      <para>For your convenience, boot scripts have been provided for
-      <application>Samba</application>. There are two included in the
-      <xref linkend="bootscripts"/> package. The first,
-      <filename>samba</filename>, will start the <command>smbd</command>
-      and <command>nmbd</command> daemons needed to provide SMB/CIFS
-      services. The second script, <filename>winbind</filename>, starts
-      the <command>winbindd</command> daemon, used for providing Windows
-      domain services to Linux clients.</para>
-      <indexterm zone="samba3 samba3-init">
-        <primary sortas="f-samba">samba</primary>
-      </indexterm>
-      <indexterm zone="samba3 samba3-init">
-        <primary sortas="f-winbind">winbind</primary>
-      </indexterm>
-      <para>The default <application>Samba</application> installation uses the
-      <systemitem class='username'>nobody</systemitem> user for guest access
-      to the server. This can be overridden by setting the
-      <option>guest account =</option> parameter in the
-      <filename>/etc/samba/smb.conf</filename> file. If you utilize the
-      <option>guest account =</option> parameter, ensure this user exists in
-      the <filename>/etc/passwd</filename> file. To use the default user,
-      issue the following commands as the
-      <systemitem class='username'>root</systemitem> user:</para>
-<screen><userinput>groupadd -g 99 nogroup &amp;&amp;
-useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \
-    -s /bin/false -u 99 nobody</userinput></screen>
-      <para>Install the <filename>samba</filename> script with the following
-      command issued as the <systemitem class="username">root</systemitem>
-      user:</para>
-<screen role="root"><userinput>make install-samba</userinput></screen>
-      <para>If you also need the <filename>winbind</filename>
-      script:</para>
-<screen role="root"><userinput>make install-winbind</userinput></screen>
-    </sect3>
   </sect2>
 …
       <seglistitem>
         <seg>cifs.upcall, eventlogadm, findsmb, ldbadd, ldbdel, ldbedit,
         ldbmodify, ldbrename, ldbsearch, mount.cifs, net, nmbd,
+        ldbmodify, ldbrename, ldbsearch, net, nmbd,
         nmblookup, ntlm_auth, pdbedit, profiles, rpcclient, sharesec, smbcacls,
         smbclient, smbcontrol, smbcquotas, smbd, smbget, smbpasswd, smbspool,
         smbstatus, smbtar, smbtree, swat, testparm, umount.cifs, wbinfo,
+        smbstatus, smbtar, smbtree, swat, testparm, wbinfo,
         winbindd, and (if not using system TDB) tdbbackup, tdbdump, and
         tdbtool</seg>
 …
       </varlistentry>
-      <varlistentry id="mount.cifs">
-        <term><command>mount.cifs</command></term>
-        <listitem>
-          <para>mounts a Linux CIFS filesystem. It is usually invoked
-          indirectly by the <command>mount</command> command when using the
-          <option>-t cifs</option> option.</para>
-          <indexterm zone="samba3 mount.cifs">
-            <primary sortas="b-mount.cifs">mount.cifs</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
       <varlistentry id="net">
         <term><command>net</command></term>
 …
       </varlistentry>
-      <varlistentry id="umount.cifs">
-        <term><command>umount.cifs</command></term>
-        <listitem>
-          <para>is used by normal, non-<systemitem
-          class="username">root</systemitem> users, to
-          <command>unmount</command> their own Common Internet File System
-          (CIFS) mounts.</para>
-          <indexterm zone="samba3 umount.cifs">
-            <primary sortas="b-umount.cifs">umount.cifs</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
       <varlistentry id="wbinfo">
         <term><command>wbinfo</command></term>

Note: See TracChangeset for help on using the changeset viewer.