[Samba] SWAT: Non privileged user cannot access secrets.tdb
guillaume.chanel at unige.ch
Wed Mar 12 09:22:32 MDT 2014
I have installed SWAT so that my samba users can change their passwords
easily and remotely as they do not have login access to the samba server.
Broadly speaking my problem is that when registered as a user, it seems
that swat cannot access the file /var/lib/samba/private/secrets.tdb.
Linux platform: CentOS 6.5
Linux Kernel: 2.6.32-431
My users can access the password page (i.e. PAM authentication is OK as
can be seen in the audit.log), but the samba authentication in the
password page does not work (see details below).
I installed SWAT using yum and configured xinetd / iptables accordingly
- opening port 911 in iptables;
- allowing SWAT as a service in xinetd (disable = no in /etc/xinetd.d/swat);
- SWAT is also run as root (user = root in /etc/xinetd.d/swat + I also
check that user=0 in the xinetd dump);
- limited access to some IP (only_from = 127.0.0.1 129.XXX.0.0/16)
However in /var/log/samba/log. I have (log level = 3):
[2014/03/10 15:35:39.241122, 2] ../lib/util/tdb_wrap.c:65(tdb_wrap_log)
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open
file /var/lib/samba/private/secrets.tdb: Permission denied
[2014/03/10 15:35:39.241165, 3] lib/dbwrap_tdb.c:359(db_open_tdb)
Could not open tdb: Permission denied
[2014/03/10 15:35:39.241206, 0] passdb/secrets.c:76(secrets_init)
Failed to open /var/lib/samba/private/secrets.tdb
When I am logged as root in SWAT I can change any password without troubles.
I initially thought about a selinux problem but the problem persists
after switching to permissive mode and I cannot see any unsuccessful
message in the audit.log.
User password change using smbpasswd works fine.
The file secrets.tdb is rw for root only (as it should be). I changed
those permissions with rw for all and this worked. I thus conclude that
the swat daemon does not get the correct root access (cannot setuid
root?). Unfortunately this does not solve the problem since I obviously do
not want to have my secrets readable by anyone.
Any idea would be more than welcome as SWAT is to my knowledge the only
alternative for user password changing. I could of course implement a
web form myself but it would certainly be less secure.
P.S.: before switching to production I will obviously implement SWAT
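The two things the log lines above point at are the xinetd stanza (is SWAT really running as root?) and the mode of secrets.tdb (it must stay 0600, not 0666). The script below is an added example, not the poster's own files or anything from the Samba project: it parses a constructed xinetd stanza, checks `user = root` and `disable = no`, and checks that the tdb is not group/world readable, so that the right side of the problem can be confirmed before anyone loosens permissions on the secrets file. It assumes GNU `stat -c` (CentOS has it) and uses temporary files with constructed contents instead of /etc/xinetd.d/swat and /var/lib/samba/private/secrets.tdb.

```shell
#!/bin/sh
# Added example: sanity-check the SWAT xinetd stanza and the mode of
# secrets.tdb. Paths and file contents below are constructed for the demo.

# Extract "key = value" from an xinetd service stanza (whitespace-tolerant).
# $1 = stanza file, $2 = key name
xinetd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Octal permission bits of a file (GNU stat, as on CentOS).
file_mode() {
    stat -c '%a' "$1"
}

# 0 when the stanza runs SWAT as root and the service is enabled.
swat_stanza_ok() {
    [ "$(xinetd_value "$1" user)" = "root" ] &&
    [ "$(xinetd_value "$1" disable)" = "no" ]
}

# 0 when secrets.tdb is readable/writable by its owner only (0600).
secrets_mode_ok() {
    [ "$(file_mode "$1")" = "600" ]
}

# Report which side of the problem is in play:
#   1 = SWAT would not run with root privileges (or is disabled)
#   2 = secrets.tdb has been opened up beyond 0600
#   0 = both checks pass
diagnose() {
    stanza=$1
    tdb=$2
    if ! swat_stanza_ok "$stanza"; then
        echo "xinetd: swat is not configured to run as root, or is disabled"
        return 1
    fi
    if ! secrets_mode_ok "$tdb"; then
        echo "secrets.tdb: mode $(file_mode "$tdb") exposes machine secrets; expected 600"
        return 2
    fi
    echo "xinetd stanza and secrets.tdb permissions look consistent"
    return 0
}

# Constructed sample inputs (not the poster's real configuration).
demo_dir=$(mktemp -d)
cat > "$demo_dir/swat" <<'EOF'
service swat
{
        socket_type     = stream
        wait            = no
        only_from       = 127.0.0.1
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
}
EOF
: > "$demo_dir/secrets.tdb"
chmod 600 "$demo_dir/secrets.tdb"

diagnose "$demo_dir/swat" "$demo_dir/secrets.tdb"
```

Run it as-is to see the passing case; point `diagnose` at the real stanza and tdb (as root, since the tdb is 0600) to check a live box. If the stanza check passes but SWAT still logs "Permission denied", the stanza is not the cause and the next thing to compare is the effective uid of the running swat process against the file owner, rather than widening the file mode.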