Disclaimer: Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in the topic below. Apple encourages you to first seek a solution at Apple Support. The following links are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use the information below at your own discretion.
How to enable Samba's SWAT in 10.2
SWAT - Samba Web Administration Tool - is the the Samba way to modify the smb.conf file that controls the way Mac OSX 10.2 Windows File Sharing works. A number of posts on these threads and other threads on macosxhints and other forums (fora?) indicate people want this, but have mixed success. This post is to hopefuly summarise the issues and provide a complete 10.2 procedure to enable SWAT.
SWAT, which runs as root, is for advanced users only.
Prioir to 10.2, Samba was available to individual users who downloaded 2.2.2 from the Samba X web site. Post 10.2, Mac OS X includes Samba (version 2.2.3a) in Apple's Jaguar release for Windows networking.
1. Different OSX users have different experiences of enabling SWAT due to whether they upgraded from 10.1 with SWAT already installed, whether or not enabled, and possibly whether they have the developer tools installed. A google search will reveal a number of threads on the topic.
2. Apple does not appear to distribute the SWAT support files in the current Jaguar release CDs. The SWAT program itself IS included in the 10.2 update CD, but not the supporting web server files. Therefore users who find they do not have the files already installed must install them manually. Possibly the Jaguar commercial release CD includes the files - I only have the updater that was shipped with a recently purchased iBook.
3. In 10.2 Apple made a transition from inetd way to start services to xinetd. On various discussion threads and forums are instructions how to enable SWAT on inetd and on xinetd. There are discrepencies in some of these posts. Below is offered a fully tested method for both inetd and xinetd. xinetd is recommended because it provides higher security - modifying smb.conf should require both root access and localhost access for maximum security. Without the security wrapper, it's possible for a remote host that has your root password gain access and modify the smb.conf file.
4. Following are instructions (all as root user) to fully implement SWAT with correct inetd and xinetd procedures. 4.1 installs the files if required then 4.2 (xinetd method) or 4.3 (inetd method) enables swat.
4.1 Make sure SWAT files are available. The files required should be located in /usr/share/swat.
[Computer:~] root# ls /usr/share/swat
help images include using_samba
If these files are missing, one way to acquire them is to download and install the pre-OSX 10.2 Samba 2.2.2 files, an installation which puts all its files in /usr/local/samba. After installing the files copy the files in /usr/local/samba/swat to /usr/share/swat. After copying the files, the installation can be deleted. Personally, I installed 2.2.2 in a test partition to ensure there was no conflict with 10.2 and copied the files to my production 10.2 partition. If anyone knows a better source, please post.
The Samba 2.2.2 install is here:
http://xamba.sourceforge.net/sambax/index.shtml
4.2 Configure OS 10.2 to enable SWAT using xinetd (recommended)
4.2.1 Configure service "swat" in NetInfo
Start Netinfo Manager and authenticate. Create and save a new Service called swat as follows:
Name = swat
port = 901
protocol = tcp
4.2.2 Add a swat configuration file to /etc/xinetd.d with content exactly as follows:
service swat
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/swat
server_args = -s /private/etc/smb.conf
groups = yes
flags = REUSE
disable = no
only_from = localhost
logonfailure += USERID
}
Notes:
The above may need to be tabbed for clarity.
disable is set to "no". Most threads suggest "yes" which does not work.
server_args specifies the correct smb.conf file. The default is /usr/local/samba/lib/smb.conf
only_from does not typically appear in other threads, but provides the necessary security tcp wrapper.
4.2.3 Restart the system, open Explorer and go to "http://127.0.0.1:901/".
Note - with the only_from command set to localhost, the browser will fail unless the access is from the localhost.
The following system.log shows attempts to access from various hosts including "192.168.0.101" the localhost real IP:
Dec 8 18:02:22 Administrators-Computer xinetd[318]: xinetd Version 2.3.5 started with libwrap options compiled in.
Dec 8 18:02:22 Administrators-Computer xinetd[318]: Started working: 1 available service
Dec 8 18:04:00 Administrators-Computer xinetd[318]: START: swat pid=396 from=127.0.0.1
Dec 8 18:04:04 Administrators-Computer xinetd[318]: START: swat pid=397 from=127.0.0.1
Dec 8 18:07:27 Administrators-Computer xinetd[318]: START: swat pid=400 from=127.0.0.1
Dec 8 18:07:29 Administrators-Computer xinetd[318]: START: swat pid=401 from=127.0.0.1
Dec 8 18:07:33 Administrators-Computer xinetd[318]: START: swat pid=402 from=192.168.1.106
Dec 8 18:07:33 Administrators-Computer xinetd[402]: FAIL: swat address from=192.168.1.106
Dec 8 18:07:36 Administrators-Computer xinetd[318]: START: swat pid=403 from=192.168.1.106
Dec 8 18:07:36 Administrators-Computer xinetd[403]: FAIL: swat address from=192.168.1.106
Dec 8 18:07:41 Administrators-Computer xinetd[318]: START: swat pid=404 from=192.168.1.101
Dec 8 18:07:42 Administrators-Computer xinetd[404]: FAIL: swat address from=192.168.1.101
Dec 8 18:07:42 Administrators-Computer xinetd[318]: START: swat pid=405 from=192.168.1.101
Dec 8 18:07:42 Administrators-Computer xinetd[405]: FAIL: swat address from=192.168.1.101
Dec 8 18:07:42 Administrators-Computer xinetd[318]: START: swat pid=406 from=<no address>
Dec 8 18:07:42 Administrators-Computer xinetd[406]: FAIL: swat address from=<no address>
4.3 Configure OS 10.2 to enable SWAT using inetd (not recommended)
4.3.1 Map port 901 to be serviced by swat using tcp in /private/etc/services.
Add the following line anywhere (between accessbuilder 888/udp and telnets 992/tcp perhaps!)
swat 901/tcp
Note the following addition to the header of /etc/services indicates that apple is moving from inetd to xinetd.
# WARNING! This file is not referenced in any way. This information is
# stored in netinfo. Please see the niutil(1) or nicl(1) man page for
# information on editing the netinfo database.
In fact, despite what the header states, inetd does use this file. It's just that no services are defined in inetd.conf! Using 4.2.1 is the exact equivalent function.
In fact, you can use either 4.2.1 or 4.3.1 to open port 901 in either scenario - but I guess both is possibly bad.
4.3.2 Define the swat daemon in the /private/etc/inetd.conf file.
Add the following command anywhere, the end will do. All the other entries in inetd have been commented out.
swat stream tcp nowait.400 root /usr/sbin/swat swat -s /etc/smb.conf
Note that the swat binary is correct for 10.2 and is different from 10.1
Note that the swat command line arguments point to the correct configuration file /etc/smb.conf.
4.3.3 Restart the system and use Explorer go to "http://127.0.0.1:901/".
I'd like to thank especially Jeff Greenberg4 for his encouragement to make this work.
Do you want to provide feedback on this User Contributed Tip or contribute your own? If you have achieved Level 2 status, visit the User Tips Library Contributions forum for more information.
Replies