Not authorized to login to DSM Desktop

Questions and mods regarding system management may go here
Forum rules
Please note the disclaimer before modifying your Synology Product.
jinie
Trainee
Trainee
Posts: 13
Joined: Fri Apr 12, 2013 10:34 am
Location: Viborg, Denmark

Not authorized to login to DSM Desktop

Postby jinie » Thu Aug 25, 2016 10:45 am

I accidentally locked myself out of the DSM desktop, by removing "default group privileges", and not explicitly setting permissions for my own user.
Having spent a rather long time this morning trying to get back into my DSM, i thought i'd share the "fix".

It requires SSH access, and knowledge of how to use SQLite.

first, find your user ID (replace guest with your username)

Code: Select all

user@host:~$ sudo grep guest /etc/passwd
guest:x:1025:100:Guest:/nonexist:/usr/bin/nologin

Your userID is the first number (1025) for the above.

second, open up the App Privilege database with SQLite:

Code: Select all

sudo sqlite3 synoappprivilege.db


Next, find out if your user already has privileges assigned:

Code: Select all

sqlite> SELECT * FROM AppPrivRule WHERE ID=1026 AND App='SYNO.Desktop';
0|1026|SYNO.Desktop|0.0.0.0|0000:0000:0000:0000:0000:FFFF:0000:0000||


If your user doesn't have access, use the following to add it (replace <userid> with the userid you found above)

Code: Select all

INSERT INTO AppPrivRule VALUES(0,<userid>,'0.0.0.0','0000:0000:0000:0000:0000:0000:FFFF:0000:0000','','');


If your user already has privileges assigned, use the following to "unlock" it. (replace <userid> with the userid you found above)

Code: Select all

UPDATE AppPrivRule SET AllowIp='0.0.0.0',AllowIPStd='0000:0000:0000:0000:0000:0000:FFFF:0000:0000',DenyIp='',DenyIpStd='' WHERE ID=<userid>;


Your access is now restored.
DS1511+, DS209+, DS415Play, DS415+, 2 x DS115j, DS716+
THT_38
I'm New!
I'm New!
Posts: 2
Joined: Mon Sep 19, 2016 1:18 pm

Re: Not authorized to login to DSM Desktop

Postby THT_38 » Wed Sep 21, 2016 7:43 am

Thank a lot Jinie, for your post.

When i done the last update of the DSM (6.0.2 version), i noticed a new service or application named "desktop" that can be allowed or refused for either user accounts or groups.
Then i applied "refused" in "users group" for these application, thinking to increase the security.
After, i could not have opened DSM desktop, as my administrator account is a member of both admin group and user group (i don't now why ! is not possible to do otherwise on DSM, why ?).

I used your "fix", but with some adjustement for my case.
I applied the "unlock" procedure on "the standard users group", with ID=100 finded in the file "/etc/group".
(In your code, there is an '0000' in excess).

And now, i can manage my NAS again by the DSM desktop :) .

TT
jxt
I'm New!
I'm New!
Posts: 1
Joined: Tue Oct 25, 2016 11:56 am

Re: Not authorized to login to DSM Desktop

Postby jxt » Tue Oct 25, 2016 12:15 pm

I'm also locked out of the Desktop, and I'm not familiar with sqlite at all, but I'm trying to follow the steps above. When I enter SELECT * FROM AppPrivRule WHERE ID=1027 AND App='SYNO.Desktop'; I get "Error: no such table: AppPrivRule'. How do I progress? Can anyone assist please? Thanks and regards
THT_38
I'm New!
I'm New!
Posts: 2
Joined: Mon Sep 19, 2016 1:18 pm

Re: Not authorized to login to DSM Desktop

Postby THT_38 » Sun Oct 30, 2016 3:17 pm

Why you used ID=1027 ? is an ID for an user name or a group, in my case I use the ID for the group 'users' (looking in the file /etc/group by the command VIA).
In an other way, you must change the directory before to launch the command 'SELECT * FROM AppPrivRule', you must to point on 'etc/' directory (by CD /etc ).
And you can miss 'AND App='SYNO.Desktop' ' in the command, then you would see more applications than 'SYNO.Desktop' (don't forgot the ';' at the end).

TT
se7en__
Rookie
Rookie
Posts: 38
Joined: Sun Oct 20, 2013 11:40 am

Re: Not authorized to login to DSM Desktop

Postby se7en__ » Thu Mar 02, 2017 11:45 pm

You're a life saver. I did the idiocy of disabling Desktop access without explicitly allowing the admin user.

Anyway, for anyone that reaches this with the "You are not authorized to use this service" error, you might have done the same, the command to allow the admin user (in my case ID=1026) is of now the following (using DSM 6.1):

Code: Select all

INSERT INTO AppPrivRule VALUES(0,1026,'SYNO.Desktop','0.0.0.0','0000:0000:0000:0000:0000:FFFF:0000:0000','','');


Also, for reference, this the AppPrivRule table layout:

Code: Select all

0|Type|INTEGER|0||0
1|ID|INTEGER|0||0
2|App|varchar(50)|0||0
3|AllowIP|TEXT|0||0
4|AllowIPStd|TEXT|0||0
5|DenyIP|TEXT|0||0
6|DenyIPStd|TEXT|0||0


To the OP: it could be useful to modify the topic with the full error message in the subject so that it has more relevance for search engines.
Synology DS412+ (2Gb RAM, 3 WD drives)
User avatar
xnaas
I'm New!
I'm New!
Posts: 3
Joined: Fri Mar 17, 2017 11:30 pm
Contact:

Re: Not authorized to login to DSM Desktop

Postby xnaas » Fri Mar 17, 2017 11:33 pm

se7en__ wrote:You're a life saver. I did the idiocy of disabling Desktop access without explicitly allowing the admin user.

Anyway, for anyone that reaches this with the "You are not authorized to use this service" error, you might have done the same, the command to allow the admin user (in my case ID=1026) is of now the following (using DSM 6.1):

Code: Select all

INSERT INTO AppPrivRule VALUES(0,1026,'SYNO.Desktop','0.0.0.0','0000:0000:0000:0000:0000:FFFF:0000:0000','','');


Also, for reference, this the AppPrivRule table layout:

Code: Select all

0|Type|INTEGER|0||0
1|ID|INTEGER|0||0
2|App|varchar(50)|0||0
3|AllowIP|TEXT|0||0
4|AllowIPStd|TEXT|0||0
5|DenyIP|TEXT|0||0
6|DenyIPStd|TEXT|0||0


To the OP: it could be useful to modify the topic with the full error message in the subject so that it has more relevance for search engines.


Pullin' my hair out here. I definitely think the steps provided here assume the user has any knowledge whatsoever of CLI SQL junk. I would be one of the number of people who do not.

Following your command (my user is also 1026) gives me nothin'. I assume I need to write the database or something...but

Code: Select all

.save synoappprivilege.db
just tells me that database is locked...any assistance here would be greatly appreciated. I have a backup of my config from many months ago (should have done another before playing with permissions...), but would rather not resort to that just yet.
se7en__
Rookie
Rookie
Posts: 38
Joined: Sun Oct 20, 2013 11:40 am

Re: Not authorized to login to DSM Desktop

Postby se7en__ » Sat Mar 18, 2017 12:41 pm

Are you using sudo?

Code: Select all

sudo sqlite3 synoappprivilege.db


Try to restart the NAS and make the changes right after that.
Synology DS412+ (2Gb RAM, 3 WD drives)
User avatar
xnaas
I'm New!
I'm New!
Posts: 3
Joined: Fri Mar 17, 2017 11:30 pm
Contact:

Re: Not authorized to login to DSM Desktop

Postby xnaas » Mon Mar 20, 2017 9:40 pm

se7en__ wrote:Are you using sudo?

Code: Select all

sudo sqlite3 synoappprivilege.db


Try to restart the NAS and make the changes right after that.


To keep a long story short, I eventually got it all sorted out. Thanks all above for the great information! :)

Return to “System Managment Mods”

Who is online

Users browsing this forum: No registered users and 2 guests