[Pkg-samba-maint] Bug#700729: swat: Password management has stopped working
Roger Lynn
Roger at rilynn.me.uk
Sat Feb 16 18:24:55 UTC 2013
Package: swat
Version: 2:3.6.6-5
Severity: important
Hi,
At some point in the last month server password management using Swat has
stopped working. Swat can be logged into and the old and new server passwords
entered, but choosing "Change Password" appears to just reload the page
without changing anything. Entering the wrong old password or mismatching
new passwords does the same thing.
The only relevant logging I can find is in /var/log/samba/log. which has
recently started getting lots of lines like this when Swat is used:
[2013/02/16 15:02:30.297508, 0] passdb/secrets.c:76(secrets_init)
Failed to open /var/lib/samba/secrets.tdb
# ls -l /var/lib/samba/secrets.tdb
-rw------- 1 root root 430080 Aug 24 23:30 /var/lib/samba/secrets.tdb
24 August is the date I first installed Samba.
Swat is running through stunnel, which has always occasionally logged SSL
errors, but there don't appear to have been any recent changes to stunnel or
its dependencies.
While I don't know the Samba code, it looks at least possible to me that the
problem was introduced by the patch for CVE-2013-0214.
My smb.conf file looks like this:
[global]
    workgroup = FUNDAMENTALS
    server string = %h server
    interfaces = 127.0.0.0/8, bond0
    bind interfaces only = Yes
    obey pam restrictions = Yes
    pam password change = Yes
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb
    invalid users = root

[Service]
    comment = Service files
    path = /srv/smb/service
    read only = No
    create mask = 0775
    force create mode = 0664
    directory mask = 0770
    force directory mode = 0770
    oplocks = No
    level2 oplocks = No
There are several other similar share definitions.
Apart from the security update, the only other recent changes I can think of
are adding the "level2 oplocks = No" parameter, but I can't imagine that
affecting Swat, and I briefly tried "max protocol = SMB2" but reverted that
when it appeared to negatively impact reliability in Windows.
As my only use of Swat is to allow users to change their passwords, this has
had a major effect on the usability of the package.
Thank you for your assistance,
Roger
-- System Information:
Debian Release: 7.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages swat depends on:
ii dpkg 1.16.9
ii libc6 2.13-37
ii libcap2 1:2.22-1.2
ii libcomerr2 1.42.5-1
ii libcups2 1.5.3-2.14
ii libgssapi-krb5-2 1.10.1+dfsg-3
ii libk5crypto3 1.10.1+dfsg-3
ii libkrb5-3 1.10.1+dfsg-3
ii libldap-2.4-2 2.4.31-1
ii libpam0g 1.1.3-7.1
ii libpopt0 1.16-7
ii libtalloc2 2.0.7+git20120207-1
ii libtdb1 1.2.10-2
ii libwbclient0 2:3.6.6-5
ii openbsd-inetd [inet-superserver] 0.20091229-2
ii samba 2:3.6.6-5
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages swat recommends:
ii samba-doc 2:3.6.6-5
swat suggests no packages.
-- no debconf information