Koozali.org: home of the SME Server

Authorization Required for Server Manager?

Cyrus

« on: June 23, 2005, 03:17:55 AM »
OK here's my story:

I was ssh'd into my SME 6.01 box and using the lazy admin tools to add groups, this went on fine and when each group was finished I was double checking them in server manager.

Suddenly I was prompted for a username and password for the server manager. OK then, put it in, but it would not accept it? So tried to connect up to it via ssh again, fine accepts both the admin and root logons, yet when I try to access the server manager in the admin logon, it does not like the password either?

OK reboot time, came back fine, still won't let me onto the server manager, Authorization Required. So I rebooted and went into single user mode and changed the root and admin passwords there, and still no access to server manager?

HELP?!?!? I can ssh logon as root and admin fine, yet that same password does not let me onto the server manager?

Cyrus

« Reply #1 on: June 23, 2005, 03:40:02 AM »
UPDATE:

Alright went hunting in log files and found these in /var/log/httpd/admin_error_log

[Thu Jun 23 11:31:26 2005] [error] access to /etc/e-smith/web/panels/manager/html failed for 127.0.0.1, reason: AuthExtern pwauth [/usr/lib/apache/pwauth]: Failed (255) for user root
[Thu Jun 23 11:38:29 2005] [error] access to /etc/e-smith/web/panels/manager/html failed for 127.0.0.1, reason: AuthExtern pwauth [/usr/lib/apache/pwauth]: Failed (255) for user admin

But that is crap as I logged onto ssh using both these logons and passwords fine?

Cyrus

« Reply #2 on: June 23, 2005, 03:51:16 AM »
OK now I am really confused, I have done nothing to the box, just tried again to see if I can get access to server manager through the admin logon and got this:

[root@ms04 var]# su admin
su: cannot run /sbin/e-smith/console: Permission denied


Yet I can still logon to ssh fine with root?

dmac

« Reply #3 on: June 23, 2005, 03:24:24 PM »
What are the file permissions on this directory?

Did you add the admin and root accounts to a group that may be limiting your access now?
"In a world without Fences, why do we need Gates and Windows"

Cyrus

« Reply #4 on: June 23, 2005, 11:28:51 PM »
Permissions for /sbin/e-smith:
Permissions for /sbin/e-smith/console:

I was only adding in email groups, I was not adding in unix groups, nor was I changing them?

Just checked in groups and it seems that admin has been taken out of several groups for some reason? Lucky I had a backup and worked at putting admin into the groups that they were missing from. Still have no idea why they went missing....?

But I did notice that all the other groups have www and admin in them, yet these ones I added in from the server manager and you don't have access to ticking them, so why have they been added to all the groups?

Oh and by adding back in the admin into the proper groups in the groups and groups- files I now have access to the server manager again, thanks for the tip dmac!

Michiel

« Reply #5 on: July 03, 2005, 11:41:17 AM »
Quote from: "Cyrus"
Just checked in groups and it seems that admin has been taken out of several groups for some reason? Lucky I had a backup and worked at putting admin into the groups that they were missing from. Still have no idea why they went missing....?


That's what happens if you run lat-groups with the -n (--no-admin) switch. Be sure to read the man pages before using this feature.

Using the -n switch is NOT recommended unless you really understand the consequences. Basically it means that if you use it, you can break the 28-groups barrier but should stop using the server-manager because you (admin) might otherwise get locked out.

Michiel

Cyrus

« Reply #6 on: July 13, 2005, 04:46:56 AM »
Michiel I don't understand that, I thought you would want to use the -n switch as then the admin and www does not get added to each group and therefore does not break the 28-groups barrier?

Which is why I did use the -n switch? Should I not use it and let admin and www be put into every group that is created....? But won't that then (once I get over 28 groups) break the 28 groups barrier?

I am confused, should I use -n or not?

Michiel

« Reply #7 on: July 23, 2005, 12:57:48 AM »
Quote from: "Cyrus"
I am confused, should I use -n or not?


Sorry for the late reply, I just got back from three computerless weeks :-)

The default behaviour of SME is to add both "admin" and "www" to each group. As a consequence you can not create more than 28 groups on a standard SME machine.

To get around this limitation I added the -n switch to lat-groups. This will create groups without both accounts so you can create more than 28 groups.

BUT!!! Each time you use the server-manager to create/modify a group, it will stubbornly add again both accounts to ALL groups. If this results in "admin" being member of more than 28 groups, "admin" will no longer be able to log in (neither at the console nor the server-manager!)

Bottom line: Only use the -n switch if you REALLY ( I mean REALLY) need more than 28 groups.

And if you do use the -n switch:
1/ stop using the server-manager to manage groups (maybe even remove the panel)
2/ Give a user account sudo rights to lat-group so you can fix things if you happen to forget rule 1
3/ Create an hourly cron job that runs lat-groups with the -n switch to fix things if you forget rules 1 & 2.
(e.g.:  lat-groups -a -n -i /root/groups.list)

I hope this clarified it a bit. If not, don't hesitate to ask again.

regards,
Michiel

Cyrus

« Reply #8 on: July 24, 2005, 11:24:37 PM »
Ah ha, now I understand, ok, well got around it, created a number of smaller groups and created a whole heap of pseudonyms to point to them.

Thanks for that!

Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?

Michiel

« Reply #9 on: July 25, 2005, 09:41:15 AM »
Quote from: "Cyrus"
Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?


It really goes to the core of Linux (no user can be member of more than 32 groups) and SME (admin must be a member of every group). Changing this would require a major overhaul of the way SME works and so far nobody was bothered enough to tackle this. Apparently not that many people need more than 28 groups.

regards,
Michiel
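
A check for the lockout condition discussed in this thread, as an added example that is not part of the original posts or of lat-groups: it counts each account's memberships in a group-format file and lists the accounts above a limit. The function names, the constructed sample data and the default limit of 32 (the figure quoted above) are assumptions of the example.

```sh
#!/bin/sh
# Added example: report accounts whose group memberships exceed a limit.
# The default of 32 is the per-user figure quoted in the thread; pass another
# value (for instance the output of `getconf NGROUPS_MAX`) as the second argument.

# Print "user count" for every account named in the member field (field 4)
# of a group(5)-format file. Primary groups from passwd are not counted.
group_counts() {
    awk -F: '
        /^#/ || NF < 4 { next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !seen[$1, m[i]]++) count[m[i]]++
        }
        END { for (u in count) print u, count[u] }
    ' "$1" | sort
}

# Print the accounts that are members of more than LIMIT groups.
users_over() {
    group_counts "$1" | awk -v limit="${2:-32}" '$2 + 0 > limit + 0 { print $1 }'
}

# Constructed sample: 33 groups that all carry admin and www (the SME default
# described in the thread), plus one group created without them.
make_sample() {
    i=1
    while [ "$i" -le 33 ]; do
        echo "grp$i:x:$((5000 + i)):admin,www,user$i"
        i=$((i + 1))
    done
    echo "extra:x:6000:user1"
}

sample=$(mktemp)
make_sample > "$sample"
echo "over the limit: $(users_over "$sample" | tr '\n' ' ')"
echo "user1 memberships: $(group_counts "$sample" | awk '$1 == "user1" { print $2 }')"
rm -f "$sample"
```

Pointing `users_over` at the live group file after any group change made through the server-manager shows whether admin or www has been pushed past the limit before the next login attempt fails.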

Cyrus

« Reply #10 on: July 25, 2005, 11:54:42 PM »
Quote from: "Michiel"
Quote from: "Cyrus"
Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?


It really goes to the core of Linux (no user can be member of more than 32 groups) and SME (admin must be a member of every group). Changing this would require a major overhaul of the way SME works and so far nobody was bothered enough to tackle this. Apparently not that many people need more than 28 groups.

regards,
Michiel


Question is why does admin and www need to be in every group?

Michiel

« Reply #11 on: July 26, 2005, 09:21:21 AM »
Quote from: "Cyrus"
Question is why does admin and www need to be in every group?


So far I haven't seen any satisfactory explanation for this. I suspect that www is needed to make all ibays internet-accessible (apache needs access to the directories), and admin is needed for admin purposes (server-manager needs access to all user directories).

I agree it's regrettable the folks at e-smith made this decision. But then again, the server was designed with small organisations in mind and I can't think of many SMEs that really need more than 28 groups. If you think of it, you really only need different groups if you want to prevent one group of users having access to files from another group. All other situations can be solved in a different way.

Michiel

Cyrus

« Reply #12 on: July 26, 2005, 09:26:36 AM »
True, true.

Thanks for the help and explanations Michiel, muchly appreciated!

gordonr

« Reply #13 on: July 26, 2005, 10:35:02 AM »
Quote from: "Michiel"
I agree it's regrettable the folks at e-smith made this decision.


Alternative solutions welcomed.

Michiel

« Reply #14 on: July 26, 2005, 02:16:55 PM »
Quote from: "gordonr"
Alternative solutions welcomed.


I already created an alternative solution (lat-groups -n), but admittedly it's a really dirty hack.

As I said in a previous post (and you know that better than anyone else), it would be a MAJOR task to change it now and only few SMEs really need more than 28 groups.

That doesn't preclude me from regretting the design decision ;-). Maybe things could have been done differently at design time, but that's all water under the bridge. No big deal.

Michiel