Author: bdubbs Date: 2011-11-12 19:22:21 -0700 (Sat, 12 Nov 2011) New Revision: 8957
Added: trunk/bootscripts/blfs/init.d/swat Modified: trunk/BOOK/general.ent trunk/BOOK/introduction/welcome/changelog.xml trunk/BOOK/networking/netprogs/samba3.xml trunk/bootscripts/Makefile Log: Update swat instructions in samba Modified: trunk/BOOK/general.ent =================================================================== --- trunk/BOOK/general.ent 2011-11-12 04:33:41 UTC (rev 8956) +++ trunk/BOOK/general.ent 2011-11-13 02:22:21 UTC (rev 8957) @@ -3,13 +3,13 @@ $Date$ --> -<!ENTITY day "11"> <!-- Always 2 digits --> +<!ENTITY day "12"> <!-- Always 2 digits --> <!ENTITY month "11"> <!-- Always 2 digits --> <!ENTITY year "2011"> <!ENTITY copyrightdate "2001-&year;"> <!ENTITY copyholder "The BLFS Development Team"> <!ENTITY version "&year;-&month;-&day;"> -<!ENTITY releasedate "November 11th, &year;"> +<!ENTITY releasedate "November 12th, &year;"> <!-- <!ENTITY releasedate "November &day;st, &year;"> --> <!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP --> <!ENTITY blfs-version "svn"> <!-- svn|[release #] --> @@ -56,7 +56,7 @@ <!ENTITY lfs-vim-version "7.3"> <!-- End LFS versions --> -<!ENTITY blfs-bootscripts-version "20111111"> +<!ENTITY blfs-bootscripts-version "20111112"> <!ENTITY blfs-bootscripts-download "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2"> <!ENTITY blfs-wiki "http://wiki.&lfs-domainname;/blfs/wiki"> Modified: trunk/BOOK/introduction/welcome/changelog.xml =================================================================== --- trunk/BOOK/introduction/welcome/changelog.xml 2011-11-12 04:33:41 UTC (rev 8956) +++ trunk/BOOK/introduction/welcome/changelog.xml 2011-11-13 02:22:21 UTC (rev 8957) 
@@ -42,6 +42,15 @@ --> <listitem> + <para>November 12th, 2011</para> + <itemizedlist> + <listitem> + <para>[bdubbs] - Update swat instructions in samba.</para> + </listitem> + </itemizedlist> + </listitem> + + <listitem> <para>November 11th, 2011</para> <itemizedlist> <listitem> Modified: trunk/BOOK/networking/netprogs/samba3.xml =================================================================== --- trunk/BOOK/networking/netprogs/samba3.xml 2011-11-12 04:33:41 UTC (rev 8956) +++ trunk/BOOK/networking/netprogs/samba3.xml 2011-11-13 02:22:21 UTC (rev 8957) @@ -132,8 +132,6 @@ --enable-socket-wrapper && make</userinput></screen> -<!-- - -enable-socket-wrapper for tests --> - <para>To test the results, issue: <command>make test</command>. If you have <application>Linux-PAM</application> installed and built the PAM library modules, you can perform a dlopen test by issuing: 
@@ -418,129 +416,77 @@ </sect4> - </sect3> - - <sect3 id="samba3-swat-config"> - <title>Configuring SWAT</title> - - <para>The built in SWAT (<application>Samba</application> Web - Administration Tool) utility can be used for basic configuration of - the <application>Samba</application> installation, but because it may - be inconvenient, undesirable or perhaps even impossible to gain - access to the console, BLFS recommends setting up access to SWAT using - <application>Stunnel</application>. Without - <application>Stunnel</application>, the - <systemitem class="username">root</systemitem> password is transmitted - in clear text over the wire, and is considered an unacceptable security - risk. After considering the security implications of using SWAT without - <application>Stunnel</application>, and you still wish to implement SWAT - without it, instructions are provided at this end of this section.</para> - - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="g-SWAT">SWAT</primary> - </indexterm> - - <sect4> - <title>Setting up SWAT using Stunnel</title> - - <para>First install, or ensure you have already installed, the - <xref linkend="stunnel"/> package.</para> - - <para>Next you must add entries to <filename>/etc/services</filename> - and modify the <command>inetd</command>/<command>xinetd</command> - configuration.</para> - - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-services">/etc/services</primary> + <sect4 id="samba3-init"> + <title>Boot Script</title> + + <para>For your convenience, boot scripts have been provided for + <application>Samba</application>. There are two included in the + <xref linkend="bootscripts"/> package. The first, + <filename>samba</filename>, will start the <command>smbd</command> + and <command>nmbd</command> daemons needed to provide SMB/CIFS + services. 
The second script, <filename>winbind</filename>, starts + the <command>winbindd</command> daemon, used for providing Windows + domain services to Linux clients.</para> + + <indexterm zone="samba3 samba3-init"> + <primary sortas="f-samba">samba</primary> </indexterm> - - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary> + + <indexterm zone="samba3 samba3-init"> + <primary sortas="f-winbind">winbind</primary> </indexterm> + + <para>The default <application>Samba</application> installation uses the + <systemitem class='username'>nobody</systemitem> user for guest access + to the server. This can be overridden by setting the + <option>guest account =</option> parameter in the + <filename>/etc/samba/smb.conf</filename> file. If you utilize the + <option>guest account =</option> parameter, ensure this user exists in + the <filename>/etc/passwd</filename> file. To use the default user, + issue the following commands as the + <systemitem class='username'>root</systemitem> user:</para> - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary> - </indexterm> +<screen><userinput>groupadd -g 99 nogroup && +useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \ + -s /bin/false -u 99 nobody</userinput></screen> - <para>Add swat and swat_tunnel entries to - <filename>/etc/services</filename> with the following commands issued - as the <systemitem class="username">root</systemitem> user:</para> + <para>Install the <filename>samba</filename> script with the following + command issued as the <systemitem class="username">root</systemitem> + user:</para> -<screen role="root"><userinput>echo "swat 904/tcp" >> /etc/services && -echo "swat_tunnel 905/tcp" >> /etc/services</userinput></screen> +<screen role="root"><userinput>make install-samba</userinput></screen> - <para>If <command>inetd</command> is used, the following command will - add the swat_tunnel entry to 
<filename>/etc/inetd.conf</filename> (as - user <systemitem class="username">root</systemitem>):</para> + <para>If you also need the <filename>winbind</filename> + script:</para> -<screen role="root"><userinput>echo "swat_tunnel stream tcp nowait.400 root /usr/sbin/swat swat" \ - >> /etc/inetd.conf</userinput></screen> +<screen role="root"><userinput>make install-winbind</userinput></screen> - <para>Issue a <command>killall -HUP inetd</command> to reread the - changed <filename>inetd.conf</filename> file.</para> + </sect4> - <para>If you use <command>xinetd</command>, the following command will - create the <application>Samba</application> file as - <filename>/etc/xinetd.d/swat_tunnel</filename> (you may need to modify - or remove the <quote>only_from</quote> line to include the desired - host[s]):</para> + </sect3> -<screen role="root"><userinput>cat >> /etc/xinetd.d/swat_tunnel << "EOF" -<literal># Begin /etc/xinetd.d/swat_tunnel + <sect3 id="samba3-swat-config"> + <title>Configuring SWAT</title> -service swat_tunnel -{ - port = 905 - socket_type = stream - wait = no - only_from = 127.0.0.1 - user = root - server = /usr/sbin/swat - log_on_failure += USERID -} + <para>The SWAT (<application>Samba</application> Web Administration Tool) + utility can be used for configuration of the + <application>Samba</application> installation.</para> + + <indexterm zone="samba3 samba3-swat-config"> + <primary sortas="g-SWAT">SWAT</primary> + </indexterm> -# End /etc/xinetd.d/swat_tunnel</literal> -EOF</userinput></screen> + <sect4> + <title>Setting up SWAT using inetd</title> <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-xinetd.d-swat-tunnel">/etc/xinetd.d/swat_tunnel</primary> + <primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary> </indexterm> - <para>Issue a <command>killall -HUP xinetd</command> to read the new - <filename>/etc/xinetd.d/swat_tunnel</filename> file.</para> - - <para>Next, you must add an entry for the swat service to the - 
<filename>/etc/stunnel/stunnel.conf</filename> file (as user - <systemitem class="username">root</systemitem>):</para> - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary> + <primary sortas="e-etc-services">/etc/services</primary> </indexterm> -<screen role="root"><userinput>cat >> /etc/stunnel/stunnel.conf << "EOF" -<literal>[swat] -accept = 904 -connect = 905 -TIMEOUTclose = 1</literal> - -EOF</userinput></screen> - - <para>Restart the <command>stunnel</command> daemon using the following - command as the <systemitem class="username">root</systemitem> user:</para> - -<screen role="root"><userinput>/etc/rc.d/init.d/stunnel restart</userinput></screen> - - <para>SWAT can be launched by pointing your web browser to - <uri>https://<replaceable><CA_DN_field></replaceable>:904</uri>. - Substitute the hostname listed in the DN field of the CA certificate - used with <application>Stunnel</application> for - <replaceable><CA_DN_field></replaceable>.</para> - - </sect4> - - <sect4> - <title>Setting up SWAT without Stunnel</title> - <warning> <para>BLFS does not recommend using these procedures because of the security risk involved. However, in a home network environment and 
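Review bot: the rewritten "Configuring SWAT" intro in this hunk drops the one sentence that stated the actual risk, namely that SWAT authenticates as root over plain HTTP so the root password crosses the wire in clear text, yet the <warning> that survives at the end of the hunk still says "BLFS does not recommend using these procedures because of the security risk involved" without ever saying what the risk is. Keep a sentence along the lines of "Without stunnel, the root password is transmitted in clear text over the wire" in the intro so the warning in the inetd and xinetd sub-sections has something to point at. The intro should also say that the sub-sections that follow are alternatives, otherwise a reader working through the page in order sets SWAT up three times.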
@@ -549,115 +495,134 @@ instructions are provided for your convenience.</para> </warning> - <para>Add a swat entry to <filename>/etc/services</filename> with the - following command issued as the - <systemitem class='username'>root</systemitem> user:</para> + <para>First you must add an entry to <filename>/etc/services</filename> + and modify the <command>inetd</command> configuration. Add this entry + with the following command issued as the <systemitem + class="username">root</systemitem> user:</para> -<screen role='root'><userinput>echo "swat 904/tcp" >> /etc/services</userinput></screen> +<screen role="root"><userinput>echo "swat 905/tcp" >> /etc/services</userinput></screen> - <para>If <command>inetd</command> is used, the following command - issued as the <systemitem class='username'>root</systemitem> user will - add a swat entry to the <filename>/etc/inetd.conf</filename> file:</para> + <para>Now add this entry to the <filename>/etc/inetd.conf</filename> + file, again as the <systemitem class="username">root</systemitem> + user:</para> -<screen role='root'><userinput>echo "swat stream tcp nowait.400 root /usr/sbin/swat swat" \ - >> /etc/inetd.conf</userinput></screen> +<screen role="root"><userinput>echo "swat stream tcp nowait.5 root /usr/sbin/swat swat >> /etc/inetd.conf</userinput></screen> <para>Issue a <command>killall -HUP inetd</command> to reread the changed <filename>inetd.conf</filename> file.</para> - <para>If <command>xinetd</command> is used, the following command - issued as the <systemitem class='username'>root</systemitem> user - will create an <filename>/etc/xinetd.d/swat</filename> file:</para> + <para>SWAT can be launched by pointing your web browser to + http://localhost:905.</para> + + </sect4> -<screen role='root'><userinput>cat >> /etc/xinetd.d/swat << "EOF" + <sect4> + <title>Setting up SWAT using xinetd</title> + + <indexterm zone="samba3 samba3-swat-config"> + <primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary> + 
</indexterm> + + <para>If not already done, add an entry to <filename>/etc/services</filename> file + as the <systemitem class="username">root</systemitem> user:</para> + +<screen role="root"><userinput>echo "swat 905/tcp" >> /etc/services</userinput></screen> + + <para>Create the <application>Samba</application> <xref + linkend='xinetd'/> file as <filename>/etc/xinetd.d/swat</filename>.</para> + + <warning> + <para>You may modify or remove the <quote>only_from</quote> line + below to include other host(s). BLFS does not recommend doing this + because of the security risk involved. However, in a home network + environment, disclosure of the <systemitem + class='username'>root</systemitem> password may be an acceptable + risk.</para> + </warning> + +<screen role="root"><userinput>cat >> /etc/xinetd.d/swat << "EOF" <literal># Begin /etc/xinetd.d/swat service swat { - port = 904 + port = 905 socket_type = stream wait = no + instances = 5 only_from = 127.0.0.1 user = root server = /usr/sbin/swat - log_on_failure += USERID + log_on_failure += USERID } # End /etc/xinetd.d/swat</literal> EOF</userinput></screen> - <para>Issue a <command>killall -HUP xinetd</command> to read the - new <filename>/etc/xinetd.d/swat</filename> file.</para> + <para>Issue a <command>killall -HUP xinetd</command> to read the new + <filename>/etc/xinetd.d/swat</filename> file.</para> - <para>SWAT can be launched by pointing your web browser to - http://localhost:904.</para> + <note> + <para>If you linked <application>Linux-PAM</application> into the + <application>Samba</application> build, you'll need to create an + <filename>/etc/pam.d/samba</filename> file.</para> + </note> + <para>SWAT can now be launched by pointing your web browser to + http://localhost:905.</para> + </sect4> - </sect3> + <sect4> + <title>Setting up SWAT using stunnel</title> - <sect3> - <title/> + <para>A better way to set up SWAT for network access is through + <xref linkend='stunnel'/>. 
For convenience, a boot scripts has + been provided for SWAT via stunnel. First, create the stunnel + configuration file:</para> - <note> - <para>If you linked <application>Linux-PAM</application> into the - <application>Samba</application> build, you'll need to create an - <filename>/etc/pam.d/samba</filename> file.</para> - </note> + <indexterm zone="samba3 samba3-swat-config"> + <primary sortas="e-etc-stunnel-swat.conf">/etc/stunnel/swat.conf</primary> + </indexterm> - <indexterm zone="samba3 samba3-swat-config"> - <primary sortas="e-etc-pam.d-samba">/etc/pam.d/samba</primary> - </indexterm> +<screen role="root"><userinput>cat >> /etc/stunnel/swat.conf << "EOF" +<literal>; File: /etc/stunnel/swat.conf - </sect3> +pid = /run/stunnel-swat.pid +setuid = root +setgid = root +cert = /etc/stunnel/stunnel.pem - <sect3 id="samba3-init"> - <title>Boot Script</title> +[swat] +accept = swat +exec = /usr/sbin/swat +</literal> +EOF</userinput></screen> - <para>For your convenience, boot scripts have been provided for - <application>Samba</application>. There are two included in the - <xref linkend="bootscripts"/> package. The first, - <filename>samba</filename>, will start the <command>smbd</command> - and <command>nmbd</command> daemons needed to provide SMB/CIFS - services. The second script, <filename>winbind</filename>, starts - the <command>winbindd</command> daemon, used for providing Windows - domain services to Linux clients.</para> + <para>Next, install the swat bootscript:</para> - <indexterm zone="samba3 samba3-init"> - <primary sortas="f-samba">samba</primary> - </indexterm> +<screen role="root"><userinput>make install-swat</userinput></screen> - <indexterm zone="samba3 samba3-init"> - <primary sortas="f-winbind">winbind</primary> - </indexterm> + <para>After starting the SWAT boot script the tool can be accessed by + pointing your web browser to https://localhost:905. Note: + <emphasis>https</emphasis>. 
If access to the tool needs to be + further restricted, then <xref linkend='iptables'/> can be + used.</para> - <para>The default <application>Samba</application> installation uses the - <systemitem class='username'>nobody</systemitem> user for guest access - to the server. This can be overridden by setting the - <option>guest account =</option> parameter in the - <filename>/etc/samba/smb.conf</filename> file. If you utilize the - <option>guest account =</option> parameter, ensure this user exists in - the <filename>/etc/passwd</filename> file. To use the default user, - issue the following commands as the - <systemitem class='username'>root</systemitem> user:</para> + </sect4> -<screen><userinput>groupadd -g 99 nogroup && -useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \ - -s /bin/false -u 99 nobody</userinput></screen> + </sect3> - <para>Install the <filename>samba</filename> script with the following - command issued as the <systemitem class="username">root</systemitem> - user:</para> + <sect3> + <title/> -<screen role="root"><userinput>make install-samba</userinput></screen> - <para>If you also need the <filename>winbind</filename> - script:</para> + <indexterm zone="samba3 samba3-swat-config"> + <primary sortas="e-etc-pam.d-samba">/etc/pam.d/samba</primary> + </indexterm> -<screen role="root"><userinput>make install-winbind</userinput></screen> - </sect3> + </sect2> <sect2 role="content"> 
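Review bot: the new inetd line is broken shell: echo "swat stream tcp nowait.5 root /usr/sbin/swat swat >> /etc/inetd.conf has lost the closing double quote before the redirection, so the shell never sees >> /etc/inetd.conf as a redirect and the command either waits for more input or appends nothing. It should read echo "swat stream tcp nowait.5 root /usr/sbin/swat swat" >> /etc/inetd.conf, as the removed nowait.400 line did. Further points in the same hunk: all three methods now bind port 905 (the inetd entry, "port = 905" in the xinetd file, and stunnel's "accept = swat", which resolves to 905 through /etc/services), but nothing says they are mutually exclusive, so a reader who follows the page top to bottom ends with inetd or xinetd and stunnel contending for the same port, and the plain-HTTP listener is still up after the "better way" has been installed; state that the earlier inetd/xinetd entry must be removed before using stunnel. The stunnel sub-section also relies on the swat line in /etc/services for "accept = swat" but only the inetd and xinetd sub-sections add it, so jumping straight to stunnel fails at start with an unresolvable service name. The Linux-PAM note applies however swat is launched but now lives only in the xinetd sub-section, and its /etc/pam.d/samba indexterm is left behind in a <sect3> with an empty <title/>; move the indexterm next to the note and drop that empty sect3. Minor: "a boot scripts has been provided" should be "a boot script has been provided", and "cat >> /etc/stunnel/swat.conf" appends, so the "create" step duplicates the [swat] section if rerun; use ">" for a file the text says it is creating.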
@@ -670,10 +635,10 @@ <seglistitem> <seg>cifs.upcall, eventlogadm, findsmb, ldbadd, ldbdel, ldbedit, - ldbmodify, ldbrename, ldbsearch, mount.cifs, net, nmbd, + ldbmodify, ldbrename, ldbsearch, net, nmbd, nmblookup, ntlm_auth, pdbedit, profiles, rpcclient, sharesec, smbcacls, smbclient, smbcontrol, smbcquotas, smbd, smbget, smbpasswd, smbspool, - smbstatus, smbtar, smbtree, swat, testparm, umount.cifs, wbinfo, + smbstatus, smbtar, smbtree, swat, testparm, wbinfo, winbindd, and (if not using system TDB) tdbbackup, tdbdump, and tdbtool</seg> <seg>libnss_winbind.so, libnss_wins.so, libnetapi.so, libsmbclient.so, @@ -789,18 +754,6 @@ </listitem> </varlistentry> - <varlistentry id="mount.cifs"> - <term><command>mount.cifs</command></term> - <listitem> - <para>mounts a Linux CIFS filesystem. It is usually invoked - indirectly by the <command>mount</command> command when using the - <option>-t cifs</option> option.</para> - <indexterm zone="samba3 mount.cifs"> - <primary sortas="b-mount.cifs">mount.cifs</primary> - </indexterm> - </listitem> - </varlistentry> - <varlistentry id="net"> <term><command>net</command></term> <listitem> @@ -1063,19 +1016,6 @@ </listitem> </varlistentry> - <varlistentry id="umount.cifs"> - <term><command>umount.cifs</command></term> - <listitem> - <para>is used by normal, non-<systemitem - class="username">root</systemitem> users, to - <command>unmount</command> their own Common Internet File System - (CIFS) mounts.</para> - <indexterm zone="samba3 umount.cifs"> - <primary sortas="b-umount.cifs">umount.cifs</primary> - </indexterm> - </listitem> - </varlistentry> - <varlistentry id="wbinfo"> <term><command>wbinfo</command></term> <listitem> Modified: trunk/bootscripts/Makefile =================================================================== --- trunk/bootscripts/Makefile 2011-11-12 04:33:41 UTC (rev 8956) +++ trunk/bootscripts/Makefile 2011-11-13 02:22:21 UTC (rev 8957) 
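Review bot: the hunks at -670, -789 and -1063 drop mount.cifs and umount.cifs from the installed-programs list and delete their descriptions, but neither the log message ("Update swat instructions in samba") nor the new changelog bullet mentions it. Add a changelog entry for the removal, and if this Samba release no longer ships the cifs mount helpers, a sentence telling readers where they now come from, since anyone using mount -t cifs on the strength of this page loses it after the upgrade.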
@@ -367,6 +367,16 @@ ln -sf ../init.d/samba ${EXTDIR}/rc.d/rc5.d/S45samba ln -sf ../init.d/samba ${EXTDIR}/rc.d/rc6.d/K48samba +install-swat: create-dirs + install -m ${MODE} blfs/init.d/swat ${EXTDIR}/rc.d/init.d/ + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc0.d/K47swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc1.d/K47swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc2.d/K47swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc3.d/S46swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc4.d/S46swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc5.d/S46swat + ln -sf ../init.d/swat ${EXTDIR}/rc.d/rc6.d/K47swat + install-sendmail: create-dirs install -m ${MODE} blfs/init.d/sendmail ${EXTDIR}/rc.d/init.d/ ln -sf ../init.d/sendmail ${EXTDIR}/rc.d/rc0.d/K25sendmail Copied: trunk/bootscripts/blfs/init.d/swat (from rev 8956, trunk/bootscripts/blfs/init.d/samba) =================================================================== --- trunk/bootscripts/blfs/init.d/swat (rev 0) +++ trunk/bootscripts/blfs/init.d/swat 2011-11-13 02:22:21 UTC (rev 8957) 
@@ -0,0 +1,62 @@ +#!/bin/sh +# Begin /etc/init.d/swat + +### BEGIN INIT INFO +# Provides: swat +# Required-Start: $network +# Should-Start: $remote_fs +# Required-Stop: $network +# Should-Stop: $remote_fs +# Default-Start: 3 4 5 +# Default-Stop: 0 1 2 6 +# Short-Description: Provides Samba configuration tool +# Description: Starts Samba configuration tool over a secure +# tunnel; +# X-LFS-Provided-By: BLFS +### END INIT INFO + +. /lib/lsb/init-functions + +#$LastChangedBy$ +#$Date$ + +config=/etc/stunnel/swat.conf + +if [ ! -r /etc/stunnel/swat.conf ]; then + log_failure_msg "swat configuration file missing: $config" + exit 1 +fi + +# Pid coordinates with /etc/stunnel/swat.conf +pidfile=/run/stunnel-swat.pid + +case "$1" in + start) + log_info_msg "Starting swat..." + start_daemon /usr/sbin/stunnel $config + evaluate_retval + ;; + + stop) + log_info_msg "Stopping swat..." + killproc -p $pidfile /usr/bin/stunnel + evaluate_retval + ;; + + restart) + $0 stop + sleep 1 + $0 start + ;; + + status) + statusproc -p $pidfile /usr/bin/stunnel + ;; + + *) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 + ;; +esac + +# End /etc/init.d/samba
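Review bot: start and stop disagree on where stunnel lives: start_daemon runs /usr/sbin/stunnel while killproc and statusproc are given /usr/bin/stunnel. Only one of those paths exists on a given system, and killproc/statusproc match on the program name, so with the wrong path "stop" and "status" report failure or a missing process while the tunnel is still listening; pick the path the BLFS stunnel page installs to and use it in all three places (a single variable next to config= avoids the drift). Also in this file: the readability test hard-codes /etc/stunnel/swat.conf instead of using $config defined one line above it; the Description: line ends in a stray semicolon ("tunnel;"); and the closing comment still reads "# End /etc/init.d/samba" from the script this was copied from and should say swat.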
