I used to use stunnel3 to 'wrap' swat (the Samba web interface) in '-P'
mode (change password), to provide roaming users with a web interface for
changing their password. I'm mostly using Debian.

In stunnel3 (and also for stunnel4 until squeeze, e.g. stunnel
4.29-1+squeeze1) I simply put in /etc/inetd.conf:

        swat            stream  tcp     nowait.400      root    /usr/bin/stunnel stunnel -l /usr/sbin/swat -- swat -P

and it works as expected, providing the correct certificates in
/etc/stunnel/stunnel.pem.

Now on wheezy (4.53-1.1) that line does not work (the browser complains about
wrong certificates, or something like that), so I've tried to switch to the
'stunnel4' syntax, putting:

        swat            stream  tcp     nowait          root    /usr/bin/stunnel4 stunnel4 /etc/stunnel/swat.conf.inetd

and in /etc/stunnel/swat.conf.inetd:

        cert = /etc/ssl/certs/LNFFVGNobel.pem
        key = /etc/ssl/private/LNFFVGNobel.pem
        CAfile = /etc/ssl/certs/LNFFVG.pem

        service = swat
        exec = /usr/sbin/swat
        execargs = swat -P

and now the SWAT page opens and I can log in, but if I try to change the
password, I see in the samba logs a bunch of:

        [2014/06/13 12:59:48.626211,  0] passdb/secrets.c:76(secrets_init)
          Failed to open /var/lib/samba/secrets.tdb

Obviously the file exists:

        root@nobel:~# ls -la /var/lib/samba/secrets.tdb
        -rw------- 1 root root 20480 nov  2  2011 /var/lib/samba/secrets.tdb

The only thing I can suppose is that for some reason stunnel4, run by root
in inetd, then switches to an unprivileged user before running swat,
preventing access to /var/lib/samba/secrets.tdb.


I've read the docs and the manpage, and also googled around, but found nothing
useful.


Thanks.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

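One way to test the hypothesis in the message above, as an added example that is not part of the original post: a small wrapper that `exec =` in swat.conf.inetd can point at instead of /usr/sbin/swat, which logs the identity the child process really runs with and whether it can read secrets.tdb, then hands over to swat. The script name `swat-wrap` and the log path are assumptions; the other paths come from the post.

```shell
#!/bin/sh
# Added diagnostic example, not from the original post.
# Install as "swat-wrap" (assumed name) and set "exec = <path>/swat-wrap" in
# swat.conf.inetd; it logs the child's identity, then runs the real swat.

SECRETS=${SECRETS:-/var/lib/samba/secrets.tdb}   # path from the post
REAL=${REAL:-/usr/sbin/swat}                     # path from the post
LOG=${LOG:-/var/log/swat-wrap.log}               # assumed log location

# Print one line with the current identity and its access to file $1.
# Returns 0 when the file is readable, 1 otherwise.
probe_identity() {
    f=$1
    if [ -r "$f" ]; then
        access=readable; rc=0
    elif [ -e "$f" ]; then
        access=exists-but-unreadable; rc=1
    else
        access=not-visible; rc=1    # missing, or its directory is unreachable
    fi
    printf 'pid=%s uid=%s gid=%s groups=%s file=%s access=%s\n' \
        "$$" "$(id -u)" "$(id -g)" "$(id -G | tr ' ' ',')" "$f" "$access"
    return "$rc"
}

wrap_main() {
    # In inetd mode stdin/stdout carry the HTTP session, so log to a file only.
    { date; probe_identity "$SECRETS"; } >>"$LOG" 2>&1 || true
    exec "$REAL" "$@"
}

# Run only under the installed name, so the functions can be reused and tested.
case ${0##*/} in
    swat-wrap) wrap_main "$@" ;;
esac
```

A non-zero uid in the log means the child is not running as root; uid 0 together with `access=readable` means the cause lies elsewhere.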