summaryrefslogtreecommitdiff
path: root/docs/Samba3-HOWTO/TOSHARG-SWAT.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-SWAT.xml')
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-SWAT.xml606
1 files changed, 606 insertions, 0 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-SWAT.xml b/docs/Samba3-HOWTO/TOSHARG-SWAT.xml
new file mode 100644
index 0000000000..349312d61a
--- /dev/null
+++ b/docs/Samba3-HOWTO/TOSHARG-SWAT.xml
@@ -0,0 +1,606 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="SWAT">
+<chapterinfo>
+ &author.jht;
+ <pubdate>April 21, 2003</pubdate>
+</chapterinfo>
+
+<title>SWAT &smbmdash; The Samba Web Administration Tool</title>
+
+<para>
+There are many and varied opinions regarding the usefulness of SWAT.
+No matter how hard one tries to produce the perfect configuration tool, it remains
+an object of personal taste. SWAT is a tool that will allow Web-based configuration
+of Samba. It has a wizard that may help to get Samba configured
+quickly, it has context-sensitive help on each &smb.conf; parameter, it provides for monitoring of current state
+of connection information, and it allows network-wide MS Windows network password
+management.
+</para>
+
+<sect1>
+<title>Features and Benefits</title>
+
+<para>
+SWAT is a facility that is part of the Samba suite. The main executable is called
+<command>swat</command> and is invoked by the inter-networking super daemon.
+See <link linkend="xinetd">appropriate section</link> for details.
+</para>
+
+<para>
+SWAT uses integral samba components to locate parameters supported by the particular
+version of Samba. Unlike tools and utilities that are external to Samba, SWAT is always
+up to date as known Samba parameters change. SWAT provides context-sensitive help for each
+configuration parameter, directly from <command>man</command> page entries.
+</para>
+
+<para>
+There are network administrators who believe that it is a good idea to write systems
+documentation inside configuration files, and for them SWAT will always be a nasty tool. SWAT
+does not store the configuration file in any intermediate form, rather, it stores only the
+parameter settings, so when SWAT writes the &smb.conf; file to disk, it will write only
+those parameters that are at other than the default settings. The result is that all comments,
+as well as parameters that are no longer supported, will be lost from the &smb.conf; file.
+Additionally, the parameters will be written back in internal ordering.
+</para>
+
+<note><para>
+Before using SWAT, please be warned &smbmdash; SWAT will completely replace your &smb.conf; with
+a fully-optimized file that has been stripped of all comments you might have placed there
+and only non-default settings will be written to the file.
+</para></note>
+
+</sect1>
+
+<sect1>
+<title>Guidelines and Technical Tips</title>
+
+<para>
+This section aims to unlock the dark secrets behind how SWAT may be made to work,
+may be made more secure, and how to solve Internationalization support problems.
+</para>
+
+<sect2>
+<title>Validate SWAT Installation</title>
+
+<para>
+The very first step that should be taken before attempting to configure a host
+system for SWAT operation is to check that it is installed. This may seem a trivial
+point to some, however several Linux distributions do not install SWAT by default,
+even though they do ship an install-able binary support package containing SWAT
+on the distribution media.
+</para>
+
+<para>
+When you have confirmed that SWAT is installed it is necessary to validate
+that the installation includes the binary <command>swat</command> file as well
+as all the supporting text and Web files. A number of operating system distributions
+in the past have failed to include the necessary support files, even though the
+<command>swat</command> binary executable file was installed.
+</para>
+
+<para>
+Finally, when you are sure that SWAT has been fully installed, please check the SWAT
+has been enabled in the control file for the inter-networking super-daemon (inetd or xinetd)
+that is used on your operating system platform.
+</para>
+
+<sect3>
+<title>Locating the <command>swat</command> File</title>
+
+<para>
+To validate that SWAT is installed, first locate the <command>swat</command> binary
+file on the system. It may be found under the following directories:
+<simplelist>
+ <member><filename>/usr/local/samba/bin</filename> &smbmdash; the default Samba location.</member>
+ <member><filename>/usr/sbin</filename> &smbmdash; the default location on most Linux systems.</member>
+ <member><filename>/opt/samba/bin</filename></member>
+</simplelist>
+</para>
+
+<para>
+The actual location is much dependant on the choice of the operating system vendor, or as determined
+by the administrator who compiled and installed Samba.
+</para>
+
+<para>
+There are a number methods that may be used to locate the <command>swat</command> binary file.
+The following methods may be helpful:
+</para>
+
+<para>
+If <command>swat</command> is in your current operating system search path it will be easy to
+find it. You can ask what are the command-line options for <command>swat</command> as shown here:
+<screen>
+frodo:~ # swat -?
+Usage: swat [OPTION...]
+ -a, --disable-authentication Disable authentication (demo mode)
+
+Help options:
+ -?, --help Show this help message
+ --usage Display brief usage message
+
+Common samba options:
+ -d, --debuglevel=DEBUGLEVEL Set debug level
+ -s, --configfile=CONFIGFILE Use alternative configuration file
+ -l, --log-basename=LOGFILEBASE Basename for log/debug files
+ -V, --version Print version
+</screen>
+</para>
+
+</sect3>
+
+<sect3>
+<title>Locating the SWAT Support Files</title>
+
+<para>
+Now that you have found that <command>swat</command> is in the search path, it is easy
+to identify where the file is located. Here is another simple way this may be done:
+<screen>
+frodo:~ # whereis swat
+swat: /usr/sbin/swat /usr/share/man/man8/swat.8.gz
+</screen>
+</para>
+
+<para>
+If the above measures fail to locate the <command>swat</command> binary, another approach
+is needed. The following may be used:
+<screen>
+frodo:/ # find / -name swat -print
+/etc/xinetd.d/swat
+/usr/sbin/swat
+/usr/share/samba/swat
+frodo:/ #
+</screen>
+</para>
+
+<para>
+This list shows that there is a control file for <command>xinetd</command>, the internetwork
+super-daemon that is installed on this server. The location of the SWAT binary file is
+<filename>/usr/sbin/swat</filename>, and the support files for it are located under the
+directory <filename>/usr/share/samba/swat</filename>.
+</para>
+
+<para>
+We must now check where <command>swat</command> expects to find its support files. This can
+be done as follows:
+<screen>
+frodo:/ # strings /usr/sbin/swat | grep "/swat"
+/swat/
+...
+/usr/share/samba/swat
+frodo:/ #
+</screen>
+</para>
+
+<para>
+The <filename>/usr/share/samba/swat/</filename> entry shown in this listing is the location of the
+support files. You should verify that the support files exist under this directory. A sample
+list is as shown:
+<screen>
+jht@frodo:/> find /usr/share/samba/swat -print
+/usr/share/samba/swat
+/usr/share/samba/swat/help
+/usr/share/samba/swat/lang
+/usr/share/samba/swat/lang/ja
+/usr/share/samba/swat/lang/ja/help
+/usr/share/samba/swat/lang/ja/help/welcome.html
+/usr/share/samba/swat/lang/ja/images
+/usr/share/samba/swat/lang/ja/images/home.gif
+...
+/usr/share/samba/swat/lang/ja/include
+/usr/share/samba/swat/lang/ja/include/header.nocss.html
+...
+/usr/share/samba/swat/lang/tr
+/usr/share/samba/swat/lang/tr/help
+/usr/share/samba/swat/lang/tr/help/welcome.html
+/usr/share/samba/swat/lang/tr/images
+/usr/share/samba/swat/lang/tr/images/home.gif
+...
+/usr/share/samba/swat/lang/tr/include
+/usr/share/samba/swat/lang/tr/include/header.html
+/usr/share/samba/swat/using_samba
+...
+/usr/share/samba/swat/images
+/usr/share/samba/swat/images/home.gif
+...
+/usr/share/samba/swat/include
+/usr/share/samba/swat/include/footer.html
+/usr/share/samba/swat/include/header.html
+jht@frodo:/>
+</screen>
+</para>
+
+<para>
+If the files needed are not available it will be necessary to obtain and install them
+before SWAT can be used.
+</para>
+
+</sect3>
+</sect2>
+
+<sect2 id="xinetd">
+<title>Enabling SWAT for Use</title>
+
+<para>
+SWAT should be installed to run via the network super-daemon. Depending on which system
+your UNIX/Linux system has, you will have either an <command>inetd</command>- or
+<command>xinetd</command>-based system.
+</para>
+
+<para>
+The nature and location of the network super-daemon varies with the operating system
+implementation. The control file (or files) can be located in the file
+<filename>/etc/inetd.conf</filename> or in the directory <filename>/etc/[x]inet[d].d</filename>
+or similar.
+</para>
+
+<para>
+The control entry for the older style file might be:
+<indexterm><primary>swat</primary><secondary>enable</secondary></indexterm>
+</para>
+
+
+<para><programlisting>
+ # swat is the Samba Web Administration Tool
+ swat stream tcp nowait.400 root /usr/sbin/swat swat
+</programlisting></para>
+
+<para>
+A control file for the newer style xinetd could be:
+</para>
+
+<para>
+ <smbfile name="xinetd.swat">
+<programlisting>
+# default: off
+# description: SWAT is the Samba Web Admin Tool. Use swat \
+# to configure your Samba server. To use SWAT, \
+# connect to port 901 with your favorite web browser.
+service swat
+{
+ port = 901
+ socket_type = stream
+ wait = no
+ only_from = localhost
+ user = root
+ server = /usr/sbin/swat
+ log_on_failure += USERID
+ disable = no
+}
+</programlisting>
+</smbfile>
+In the above, the default setting for <parameter>disable</parameter> is <constant>yes</constant>.
+This means that SWAT is disabled. To enable use of SWAT, set this parameter to <constant>no</constant>
+as shown.
+</para>
+
+<para>
+Both of the above examples assume that the <command>swat</command> binary has been
+located in the <filename>/usr/sbin</filename> directory. In addition to the above,
+SWAT will use a directory access point from which it will load its Help files
+as well as other control information. The default location for this on most Linux
+systems is in the directory <filename>/usr/share/samba/swat</filename>. The default
+location using Samba defaults will be <filename>/usr/local/samba/swat</filename>.
+</para>
+
+<para>
+Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user,
+the only permission allowed is to view certain aspects of configuration as well as
+access to the password change facility. The buttons that will be exposed to the non-root
+user are: <guibutton>HOME</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>,
+<guibutton>PASSWORD</guibutton>. The only page that allows
+change capability in this case is <guibutton>PASSWORD</guibutton>.
+</para>
+
+<para>
+As long as you log onto SWAT as the user <emphasis>root</emphasis>, you should obtain
+full change and commit ability. The buttons that will be exposed include:
+<guibutton>HOME</guibutton>, <guibutton>GLOBALS</guibutton>, <guibutton>SHARES</guibutton>, <guibutton>PRINTERS</guibutton>,
+<guibutton>WIZARD</guibutton>, <guibutton>STATUS</guibutton>, <guibutton>VIEW</guibutton>, <guibutton>PASSWORD</guibutton>.
+</para>
+
+</sect2>
+
+<sect2>
+<title>Securing SWAT through SSL</title>
+
+
+<para>
+<indexterm><primary>swat</primary><secondary>security</secondary></indexterm>
+Many people have asked about how to setup SWAT with SSL to allow for secure remote
+administration of Samba. Here is a method that works, courtesy of Markus Krieger.
+</para>
+
+<para>
+Modifications to the SWAT setup are as follows:
+</para>
+
+<procedure>
+ <step><para>
+ Install OpenSSL.
+ </para></step>
+
+ <step><para>
+ Generate certificate and private key.
+
+<screen>
+&rootprompt;<userinput>/usr/bin/openssl req -new -x509 -days 365 -nodes -config \
+ /usr/share/doc/packages/stunnel/stunnel.cnf \
+ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem</userinput>
+</screen></para></step>
+
+ <step><para>
+ Remove swat-entry from [x]inetd.
+ </para></step>
+
+ <step><para>
+ Start <command>stunnel</command>.
+
+<screen>
+&rootprompt;<userinput>stunnel -p /etc/stunnel/stunnel.pem -d 901 \
+ -l /usr/local/samba/bin/swat swat </userinput>
+</screen></para></step>
+</procedure>
+
+<para>
+Afterward, simply connect to swat by using the URL <ulink noescape="1" url="https://myhost:901">https://myhost:901</ulink>, accept the certificate
+and the SSL connection is up.
+</para>
+
+</sect2>
+
+<sect2>
+<title>Enabling SWAT Internationalization Support</title>
+
+<para>
+SWAT can be configured to display its messages to match the settings of
+the language configurations of your Web browser. It will be passed to SWAT
+in the Accept-Language header of the HTTP request.
+</para>
+
+<para>
+To enable this feature:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ Install the proper <command>msg</command> files from the Samba
+ <filename>source/po</filename> directory into $LIBDIR.
+ </para></listitem>
+
+ <listitem><para>
+ Set your browsers language setting.
+ </para></listitem>
+</itemizedlist>
+
+<para>
+The name of msg file is same as the language ID sent by the browser. For
+example en means "English", ja means "Japanese", fr means "French.
+</para>
+
+<para>
+If you do not like some of messages, or there are no <command>msg</command> files for
+your locale, you can create them simply by copying the <command>en.msg</command> files
+to the directory for <quote>your language ID.msg</quote> and filling in proper strings
+to each <quote>msgstr</quote>. For example, in <filename>it.msg</filename>, the
+<command>msg</command> file for the Italian locale, just set:
+<screen>
+msgid "Set Default"
+msgstr "Imposta Default"
+</screen>
+and so on. If you find a mistake or create a new <command>msg</command> file, please email it
+to us so we will include this in the next release of Samba. The <command>msg</command> file should be encoded in UTF-8.
+</para>
+
+<para>
+Note that if you enable this feature and the <smbconfoption name="display charset"/> is not
+matched to your browsers setting, the SWAT display may be corrupted. In a future version of
+Samba, SWAT will always display messages with UTF-8 encoding. You will then not need to set
+this &smb.conf; file parameter.
+</para>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>Overview and Quick Tour</title>
+
+<para>
+SWAT is a tools that many be used to configure Samba, or just to obtain useful links
+to important reference materials such as the contents of this book, as well as other
+documents that have been found useful for solving Windows networking problems.
+</para>
+
+<sect2>
+<title>The SWAT Home Page</title>
+
+<para>
+The SWAT title page provides access to the latest Samba documentation. The manual page for
+each Samba component is accessible from this page, as are the Samba HOWTO-Collection (this
+document) as well as the O'Reilly book <quote>Using Samba.</quote>
+</para>
+
+<para>
+Administrators who wish to validate their Samba configuration may obtain useful information
+from the man pages for the diagnostic utilities. These are available from the SWAT home page
+also. One diagnostic tool that is not mentioned on this page, but that is particularly
+useful is <ulink url="http://www.ethereal.com/"><command>ethereal</command>.</ulink>
+</para>
+
+<warning><para>
+SWAT can be configured to run in <emphasis>demo</emphasis> mode. This is not recommended
+as it runs SWAT without authentication and with full administrative ability. Allows
+changes to &smb.conf; as well as general operation with root privileges. The option that
+creates this ability is the <option>-a</option> flag to swat. <emphasis>Do not use this in a
+production environment.</emphasis>
+</para></warning>
+
+</sect2>
+
+<sect2>
+<title>Global Settings</title>
+
+<para>
+The <guibutton>GLOBALS</guibutton> button will expose a page that allows configuration of the global parameters
+in &smb.conf;. There are two levels of exposure of the parameters:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ <guibutton>Basic</guibutton> &smbmdash; exposes common configuration options.
+ </para></listitem>
+
+ <listitem><para>
+ <guibutton>Advanced</guibutton> &smbmdash; exposes configuration options needed in more
+ complex environments.
+ </para></listitem>
+</itemizedlist>
+
+<para>
+To switch to other than <guibutton>Basic</guibutton> editing ability, click on <guibutton>Advanced</guibutton>.
+You may also do this by clicking on the radio button, then click on the <guibutton>Commit Changes</guibutton> button.
+</para>
+
+<para>
+After making any changes to configuration parameters, make sure that
+you click on the
+<guibutton>Commit Changes</guibutton> button before moving to another area, otherwise
+your changes will be lost.
+</para>
+
+<note><para>
+SWAT has context-sensitive help. To find out what each parameter is
+for, simply click on the
+<guibutton>Help</guibutton> link to the left of the configuration parameter.
+</para></note>
+
+</sect2>
+
+<sect2>
+<title>Share Settings</title>
+
+<para>
+To effect a currently configured share, simply click on the pull down button between the
+<guibutton>Choose Share</guibutton> and the <guibutton>Delete Share</guibutton> buttons,
+select the share you wish to operate on, then to edit the settings
+click on the
+<guibutton>Choose Share</guibutton> button. To delete the share, simply press the
+<guibutton>Delete Share</guibutton> button.
+</para>
+
+<para>
+To create a new share, next to the button labeled <guibutton>Create Share</guibutton> enter
+into the text field the name of the share to be created, then click on the
+<guibutton>Create Share</guibutton> button.
+</para>
+
+</sect2>
+
+<sect2>
+<title>Printers Settings</title>
+
+<para>
+To affect a currently configured printer, simply click on the pull down button between the
+<guibutton>Choose Printer</guibutton> and the <guibutton>Delete Printer</guibutton> buttons,
+select the printer you wish to operate on, then to edit the settings
+click on the
+<guibutton>Choose Printer</guibutton> button. To delete the share, simply press the
+<guibutton>Delete Printer</guibutton> button.
+</para>
+
+<para>
+To create a new printer, next to the button labeled <guibutton>Create Printer</guibutton> enter
+into the text field the name of the share to be created, then click on the
+<guibutton>Create Printer</guibutton> button.
+</para>
+
+</sect2>
+
+<sect2>
+<title>The SWAT Wizard</title>
+
+<para>
+The purpose if the SWAT Wizard is to help the Microsoft-knowledgeable network administrator
+to configure Samba with a minimum of effort.
+</para>
+
+<para>
+The Wizard page provides a tool for rewriting the &smb.conf; file in fully optimized format.
+This will also happen if you press the <guibutton>Commit</guibutton> button. The two differ
+since the <guibutton>Rewrite</guibutton> button ignores any changes that may have been made,
+while the <guibutton>Commit</guibutton> button causes all changes to be affected.
+</para>
+
+<para>
+The <guibutton>Edit</guibutton> button permits the editing (setting) of the minimal set of
+options that may be necessary to create a working Samba server.
+</para>
+
+<para>
+Finally, there are a limited set of options that will determine what type of server Samba
+will be configured for, whether it will be a WINS server, participate as a WINS client, or
+operate with no WINS support. By clicking one button, you can elect to expose (or not) user
+home directories.
+</para>
+
+</sect2>
+
+<sect2>
+<title>The Status Page</title>
+
+<para>
+The status page serves a limited purpose. First, it allows control of the Samba daemons.
+The key daemons that create the Samba server environment are: &smbd;, &nmbd;, &winbindd;.
+</para>
+
+<para>
+The daemons may be controlled individually or as a total group. Additionally, you may set
+an automatic screen refresh timing. As MS Windows clients interact with Samba, new smbd processes
+will be continually spawned. The auto-refresh facility will allow you to track the changing
+conditions with minimal effort.
+</para>
+
+<para>
+Lastly, the Status page may be used to terminate specific smbd client connections in order to
+free files that may be locked.
+</para>
+
+</sect2>
+
+<sect2>
+<title>The View Page</title>
+
+<para>
+This page allows the administrator to view the optimized &smb.conf; file and, if you are
+particularly masochistic, will permit you also to see all possible global configuration
+parameters and their settings.
+</para>
+
+</sect2>
+
+<sect2>
+<title>The Password Change Page</title>
+
+<para>
+The Password Change page is a popular tool that allows the creation, deletion, deactivation,
+and reactivation of MS Windows networking users on the local machine. Alternately, you can use
+this tool to change a local password for a user account.
+</para>
+
+<para>
+When logged in as a non-root account, the user will have to provide the old password as well as
+the new password (twice). When logged in as <emphasis>root</emphasis>, only the new password is
+required.
+</para>
+
+<para>
+One popular use for this tool is to change user passwords across a range of remote MS Windows
+servers.
+</para>
+
+</sect2>
+</sect1>
+
+</chapter>