[Samba] SWAT: Non privileged user cannot access secrets.tdb

Guillaume Chanel guillaume.chanel at unige.ch
Wed Mar 12 09:22:32 MDT 2014 

Dear samba-ers,

I have installed SWAT so that my samba users can change their passwords 
easily and remotely as they do not have login access to the samba server.

Broadly speaking my problem is that when registered as a user, it seems 
that swat cannot access the file /var/lib/samba/private/secrets.tdb

Version info:
Linux platform: CentOS 6.5
Linux Kernel: 2.6.32-431
Samba: 3.6.9-167.el6_5
SWAT: 3.6.9-167.el6_5

My users can access the password page (i.e. PAM authentication is OK as 
can be seen in the audit.log), but the samba authentication in the 
password page does not work (see details bellow).

I installed SWAT using yum and configured xinetd / iptables accordingly 
which means
- opening port 911 in iptables;
- allowing SWAT as a service in xinetd (disable = no in /etc/xinetd.d/swat);
- SWAT is also run as root (user = root in /etc/xinetd.d/swat + I also 
check that user=0 in the xinetd dump);
- limited acces to some IP (only_from = 127.0.0.1 129.XXX.0.0/16)

However in /var/log/samba/log. I have (log level = 3):
[2014/03/10 15:35:39.241122, 2] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open 
file /var/lib/samba/private/secrets.tdb: Permission denied
[2014/03/10 15:35:39.241165, 3] lib/dbwrap_tdb.c:359(db_open_tdb)
Could not open tdb: Permission denied
[2014/03/10 15:35:39.241206, 0] passdb/secrets.c:76(secrets_init)
Failed to open /var/lib/samba/private/secrets.tdb

When I am logged as root in SWAT I can change any password without troubles.

I initially thought about a selinux problem but the problem persist 
after switching to permissive mode and I cannot see any unsuccessful 
message in the audit.log.

User password change using smbpasswd works fine.

The file secrets.tdb is rw for root only (as it should be). I changed 
those permissions with rw for all and this worked. I thus conclude that 
the swat daemon does not get the correct root access (cannot setuid root 
?) Unfortunately this does not solve the problem since I obviously do 
not want to have my secrets readable by anyone.

Any idea would be more than welcome as SWAT is to my knowledge the only 
alternative for user password changing. I could of course implement a 
web form myself but it would certainly be less secure.

P.S.: before switching to production I will obviously implement SWAT 
over https.

More information about the samba mailing list