Marco Gaiarin gaio at sv.lnf.it
Mon Jun 16 12:53:36 CEST 2014

I used to use stunnel3 to 'wrap' swat (samba web interface) in '-P'
mode (change password), to provide roaming users with a web interface for
the password change. I'm mostly using Debian.

With stunnel3 (and also with stunnel4 up to squeeze, e.g. stunnel
4.29-1+squeeze1) I simply put in /etc/inetd.conf:

	swat            stream  tcp     nowait.400      root    /usr/bin/stunnel stunnel -l /usr/sbin/swat -- swat -P

and it works as expected, providing the correct certificates in

Now on wheezy (4.53-1.1) that line does not work (the browser complains about
wrong certificates, or something like that), so I've tried to switch to the
'stunnel4' syntax, putting:

	swat		stream	tcp	nowait		root	/usr/bin/stunnel4 stunnel4 /etc/stunnel/swat.conf.inetd

and in /etc/stunnel/swat.conf.inetd:

	cert = /etc/ssl/certs/LNFFVGNobel.pem
	key = /etc/ssl/private/LNFFVGNobel.pem
	CAfile = /etc/ssl/certs/LNFFVG.pem

	service = swat
	exec = /usr/sbin/swat
	execargs = swat -P

and now the SWAT page opens, I can log in, but if I try to change the password, I
see in the samba logs a bunch of:

	[2014/06/13 12:59:48.626211,  0] passdb/secrets.c:76(secrets_init)
	  Failed to open /var/lib/samba/secrets.tdb

Obviously the file exists:

	root@nobel:~# ls -la /var/lib/samba/secrets.tdb
	-rw------- 1 root root 20480 nov  2  2011 /var/lib/samba/secrets.tdb

The only thing I can suppose is that for some reason stunnel4, run by root
in inetd, then switches to an unprivileged user before running swat,
preventing access to /var/lib/samba/secrets.tdb.

I've read docs and manpage, and also googled around, but found nothing


