Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Cyrus on June 23, 2005, 03:17:55 AM
-
OK here's my story:
I was ssh'd into my SME 6.01 box and using the lazy admin tools to add groups. This went on fine, and when each group was finished I was double-checking them in server manager.
Suddenly I was prompted for a username and password for the server manager. OK then, put it in, but it would not accept it? So I tried to connect up to it via ssh again; fine, it accepts both the admin and root logons, yet when I try to access the server manager with the admin logon, it does not like the password either?
OK, reboot time. Came back fine, still won't let me onto the server manager: Authorization Required. So I rebooted and went into single user mode and changed the root and admin passwords there, and still no access to server manager?
HELP?!?!? I can ssh logon as root and admin fine, yet that same password does not let me onto the server manager?
-
UPDATE:
Alright went hunting in log files and found these in /var/log/httpd/admin_error_log
[Thu Jun 23 11:31:26 2005] [error] access to /etc/e-smith/web/panels/manager/html failed for 127.0.0.1, reason: AuthExtern pwauth [/usr/lib/apache/pwauth]: Failed (255) for user root
[Thu Jun 23 11:38:29 2005] [error] access to /etc/e-smith/web/panels/manager/html failed for 127.0.0.1, reason: AuthExtern pwauth [/usr/lib/apache/pwauth]: Failed (255) for user admin
But that is crap as I logged onto ssh using both these logons and passwords fine?
-
OK, now I am really confused. I have done nothing to the box, just tried again to see if I can get access to server manager through the admin logon and got this:
[root@ms04 var]# su admin
su: cannot run /sbin/e-smith/console: Permission denied
Yet I can still logon to ssh fine with root?
-
What are the file permission on this directory?
Did you add the admin and root accounts to a group that may be limiting your access now?
-
Permissions for /sbin/e-smith:
Permissions for /sbin/e-smith/console:
I was only adding in email groups, I was not adding in unix groups, nor was I changing them?
Just checked in groups and it seems that admin has been taken out of several groups for some reason? Lucky I had a backup and worked at putting admin into the groups that they were missing from. Still have no idea why they went missing....?
But I did notice that all the other groups have www and admin in them, yet these ones I added in from the server manager and you don't have access to ticking them, so why have they been added to all the groups?
Oh and by adding back in the admin into the proper groups in the groups and groups- files I now have access to the server manager again, thanks for the tip dmac!
-
Just checked in groups and it seems that admin has been taken out of several groups for some reason? Lucky I had a backup and worked at putting admin into the groups that they were missing from. Still have no idea why they went missing....?
That's what happens if you run lat-groups with the -n (--no-admin) switch. Be sure to read the man pages before using this feature.
Using the -n switch is NOT recommended unless you really understand the consequences. Basically it means that if you use it, you can break the 28-groups barrier but should stop using the server-manager because you (admin) might otherwise get locked out.
Michiel
-
Michiel, I don't understand that. I thought you would want to use the -n switch, as then admin and www do not get added to each group and therefore it does not break the 28-groups barrier?
Which is why I did use the -n switch? Should I not use it and let admin and www be put into every group that is created...? But won't that then (once I get over 28 groups) break the 28-groups barrier?
I am confused, should I use -n or not?
-
I am confused, should I use -n or not?
Sorry for the late reply, I just got back from three computerless weeks :-)
The default behaviour of SME is to add both "admin" and "www" to each group. As a consequence you cannot create more than 28 groups on a standard SME machine.
To get around this limitation I added the -n switch to lat-groups. This will create groups without both accounts so you can create more than 28 groups.
BUT!!! Each time you use the server-manager to create/modify a group, it will stubbornly add again both accounts to ALL groups. If this results in "admin" being member of more than 28 groups, "admin" will no longer be able to log in (neither at the console nor the server-manager!)
Bottom line: Only use the -n switch if you REALLY ( I mean REALLY) need more than 28 groups.
And if you do use the -n switch:
1/ stop using the server-manager to manage groups (maybe even remove the panel)
2/ Give a user account sudo rights to lat-group so you can fix things if you happen to forget rule 1
3/ Create an hourly cron job that runs lat-groups with the -n switch to fix things if you forget rules 1 & 2.
(e.g.: lat-groups -a -n -i /root/groups.list)
I hope this clarified it a bit. If not, don't hesitate to ask again.
regards,
Michiel
-
Ah ha, now I understand. OK, well, got around it: created a number of smaller groups and created a whole heap of pseudonyms to point to them.
Thanks for that!
Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?
-
Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?
It really goes to the core of Linux (no user can be member of more than 32 groups) and SME (admin must be a member of every group). Changing this would require a major overhaul of the way SME works and so far nobody was bothered enough to tackle this. Apparently not that many people need more than 28 groups.
regards,
Michiel
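The two failure modes in this thread (an account silently dropped from groups it must belong to, and an account pushed past the kernel's per-user group limit) are both visible in /etc/group before anyone gets locked out. The following audit script is an added example, not code from the thread or from the lat-groups tool, and it assumes only a plain /etc/group layout. The sample file content is constructed here; the 32-group limit is the figure the thread gives for the kernels of that era (Linux 2.6.4 later raised NGROUPS_MAX to 65536), and `LIMIT_HEADROOM` is a hypothetical safety margin, since initgroups() also counts the user's primary group and SME adds admin and www to every new group.

```python
"""Audit /etc/group for users near the kernel group limit and for required members
that are missing from groups (the two problems discussed in the thread)."""
from collections import defaultdict

NGROUPS_MAX_LEGACY = 32   # limit quoted in the thread for the kernels SME 6 shipped with
LIMIT_HEADROOM = 4        # hypothetical margin: primary group plus a few default groups

# Constructed sample /etc/group content; not taken from any real server.
SAMPLE_GROUP_FILE = """\
root:x:0:root
www:x:102:www,admin
admin:x:103:admin
sales:x:5001:admin,www,alice
marketing:x:5002:admin,www,bob
nolimit:x:5003:alice
"""


def parse_group_file(text):
    """Return {group_name: [members]} from /etc/group text.

    Blank lines, comments and lines without exactly four ':'-separated fields
    are skipped rather than guessed at, so a damaged file cannot produce bogus
    membership data."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, _gid, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def memberships(groups):
    """Invert the group table: {user: sorted list of groups the user appears in}."""
    by_user = defaultdict(set)
    for group_name, members in groups.items():
        for member in members:
            by_user[member].add(group_name)
    return {user: sorted(names) for user, names in by_user.items()}


def users_near_limit(by_user, limit=NGROUPS_MAX_LEGACY, headroom=LIMIT_HEADROOM):
    """Users whose /etc/group membership count exceeds limit - headroom.

    A user beyond the real kernel limit fails at login (the thread's symptom:
    pwauth and su both refusing a known-good password), so flag early."""
    threshold = limit - headroom
    return {user: len(names) for user, names in by_user.items() if len(names) > threshold}


def groups_missing_user(groups, user, skip=("root",)):
    """Groups in which `user` is not listed, ignoring names in `skip`.

    On SME the thread says admin and www are expected in every group, so a
    non-empty result for those two accounts explains a server-manager lockout."""
    return sorted(name for name, members in groups.items()
                  if name not in skip and user not in members)


def audit(text, required_users=("admin", "www")):
    """Run both checks over an /etc/group text and return a report dict."""
    groups = parse_group_file(text)
    by_user = memberships(groups)
    return {
        "counts": {user: len(names) for user, names in by_user.items()},
        "near_limit": users_near_limit(by_user),
        "missing": {user: groups_missing_user(groups, user) for user in required_users},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_GROUP_FILE)
    for user, count in sorted(report["counts"].items()):
        print(f"{user:12s} {count} groups")
    print("near limit:", report["near_limit"] or "none")
    for user, missing in report["missing"].items():
        print(f"{user} missing from:", ", ".join(missing) or "nothing")
```

Run it against the real file with `audit(open("/etc/group").read())` after making a backup copy of /etc/group and /etc/gshadow, as the original poster did; the report tells you whether an account is approaching the limit or has been dropped from groups, without modifying anything.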
-
Maybe someone should look at that bit of code and remove that "feature" out to get around this problem?
It really goes to the core of Linux (no user can be member of more than 32 groups) and SME (admin must be a member of every group). Changing this would require a major overhaul of the way SME works and so far nobody was bothered enough to tackle this. Apparently not that many people need more than 28 groups.
regards,
Michiel
Question is why does admin and www need to be in every group?
-
Question is why does admin and www need to be in every group?
So far I haven't seen any satisfactory explanation for this. I suspect that www is needed to make all ibays internet-accessible (apache needs access to the directories), and admin is needed for admin purposes (server-manager needs access to all user directories).
I agree it's regrettable the folks at e-smith made this decision. But then again, the server was designed with small organisations in mind and I can't think of many SMEs that really need more than 28 groups. If you think of it, you really only need different groups if you want to prevent one group of users having access to files from another group. All other situations can be solved in a different way.
Michiel
-
True, true.
Thanks for the help and explanations Michiel, muchly appreciated!
-
I agree it's regrettable the folks at e-smith made this decision.
Alternative solutions welcomed.
-
Alternative solutions welcomed.
I already created an alternative solution (lat-groups -n), but admittedly it's a really dirty hack.
As I said in a previous post (and you know that better than anyone else), it would be a MAJOR task to change it now and only few SMEs really need more than 28 groups.
That doesn't preclude me from regretting the design decision ;-). Maybe things could have been done differently at design time, but that's all water under the bridge. No big deal.
Michiel
-
No no no, the lat-groups -n worked fine; it was when you then go and add or modify any groups using the server manager that it checks and adds admin/www to each group. But as stated, it can only add it to a certain number of groups. What I think happens is, because the groups file gets parsed from the top to the bottom, only the bottom groups then have them added to them, thus taking them out of the top groups, which of course are root, www, and admin.
Maybe if you expanded your lat-groups script to actually replace the standard groups panel as the script runs fine, just whip up a panel page which runs it and replace the standard one with it?
And every time it runs, then just add admin and www to the groups it needs to be in for the core of SME to work properly, and also add the disclaimer that some groups might not work with ibays and the like. Just because I don't use ibays and stuff, I couldn't care less if these groups did have access to them; as long as the groups worked for emails I'd be happy.
Only problem is that I have no idea how to do that and how hard it would actually be to do. I know that there have been discussions about this on the development mailing list, as before I started this thread I did do some searching around to see if anyone else was having this problem.
-
I already created an alternative solution (lat-groups -n), but admittedly it's a really dirty hack.
Sure, but we can't implement something which has the possibility of breaking the server-manager (something you have clearly stated every time).
BTW: my comment wasn't meant as an attack - I would really like to see a solution for this, while maintaining the existing feature set.
As I said in a previous post (and you know that better than anyone else), it would be a MAJOR task to change it now and only few SMEs really need more than 28 groups.
I'm pretty sure we (collectively) can come up with a solution if we think hard enough about it.
One partial solution would be to put www and admin into the groups only when web access is required. There would then be a non-deterministic limit to the number of groups, related to the number of web accessible i-bays.
That doesn't preclude me from regretting the design decision ;-). Maybe things could have been done differently at design time, but that's all water under the bridge. No big deal.
No, it's a very annoying limitation for the larger end of "SME".
Gordon
-
I'm pretty sure we (collectively) can come up with a solution if we think hard enough about it.
Then again, it may be easier than we thought:
https://sourceforge.net/tracker/index.php?func=detail&aid=1245421&group_id=96750&atid=615772
-
And look at that, good old Charlie Brady, he probably was working on it to fix this limitation with the SME :-D
Just a couple of questions, is it as simple as running:
[root@test7 ~]# id auser | fold -70
And Charlie mentions this feature is in the latest kernel, is SME running it?