****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why... SAMBA and CERTS

Lisa Kachold lisakachold at obnosis.com
Sat Jan 3 09:41:46 MST 2009


I think the LDAP article(s) find a nice balance between complexity and simplicity - and those are just example ACLs, Craig.  

Samba leaves a great deal to be desired, as you so eloquently describe.  To get around the smbpasswd password-changing issues, you can do a "csh" or "screen" before implementing the command, so no bash_history will be retained.  To automate user smbpasswd changes, you can run an exec from an ssh script on another server.  And you can yum install expect to wait for command-line input and actually CHANGE the password from a central server script for all your systems in the farm, even referencing a database or doing a bind-password comparison and NetBIOS verification?

Hey, I am all about user education, especially when it comes to certs.  

Perhaps you might have an Intranet page, with clear questions and answers, or write a little cscript "application" that prompts them through the process?  


www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM


> Subject: Re: ****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...
> From: craigwhite at azapple.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Date: Fri, 2 Jan 2009 20:21:16 -0700
> 
> On Sat, 2009-01-03 at 02:48 +0000, Lisa Kachold wrote:
> > Here's the definitive guide for hammering down LDAP, noting defaults
> > for use, etc.
> > http://eatingsecurity.blogspot.com/2008/11/openldap-security.html
> ----
> I'd hardly call it a definitive guide to hammering down LDAP when there
> are only 2 ACLs. I think a better handle for that URL is "some thoughts
> about securing LDAP".
> 
> It makes me absolutely insane that the only way to set the bind password
> for samba is via a command line 'smbpasswd -w SOME_STINKIN_PASSWORD' so
> you have to clear history after performing such a command.
> 
> For the most part, I have found it useful to allow anonymous binds for
> virtually everything except self access to userPassword, sambaNTPassword
> and sambaLMPassword.
> 
> That way, all shared Address Books, all the various clients such as
> Postfix, Cyrus-IMAPd, etc. can get what they need without any
> credentials lying around and obviously try to require all
> authentication to happen via encrypted connections...which means that
> you have to educate users on how to get very stupid client applications
> like Outlook to accept self-signed certs, which means that I create
> certificates with long usage times, and it sort of is just a PITA.
> 
> I'm not sure which is worse, devices like an iPhone which just happily
> accepts just about any cert without much of a fuss or Firefox 3 which
> freaks people out when presented a self-signed cert.
> 
> Craig
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
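
The ACL layout Craig describes (anonymous read of everything, password attributes reachable only by the entry itself, by the Samba bind DN, and for binding), written out as an added slapd.conf example. This is not code from the thread or OpenLDAP's shipped defaults; the suffix dc=example,dc=com and the Samba bind DN cn=samba,dc=example,dc=com (the DN whose password `smbpasswd -w` stores, matching `ldap admin dn` in smb.conf) are assumptions to adjust for your tree.

```conf
# slapd.conf fragment (OpenLDAP 2.x, slapd.conf style). Assumed suffix
# dc=example,dc=com and assumed Samba bind DN cn=samba,dc=example,dc=com.

# Refuse simple binds over cleartext: only ldaps:// or a StartTLS session
# with at least 128-bit protection may carry a DN/password bind.
security simple_bind=128

# "access to" clauses are tried top to bottom and the first clause whose
# target matches wins, so the password attributes MUST precede the catch-all.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,dc=example,dc=com" write   # Samba reads/updates the hashes
    by self ssf=128 write                            # users change only their own, only over TLS
    by anonymous auth                                # binds may compare, nobody can read the value
    by * none

# Everything else (address-book attributes, mail routing data for Postfix,
# Cyrus-IMAPd, ...) is readable without credentials and writable by the owner.
access to *
    by self write
    by * read
```

Check it before restarting: `slaptest -f /etc/openldap/slapd.conf` validates the syntax, and an anonymous `ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com '(uid=someuser)' sambaNTPassword` must return the entry with no password attributes at all; the same search bound as the user over TLS should show them. On a cn=config deployment the same clauses go in `olcAccess` values, in the same order. Note that `by anonymous auth` means an unauthenticated client can still attempt binds against these hashes, so slapd's own rate limiting and monitoring of failed binds still matter; and sambaLMPassword is the weak LanManager hash, so if nothing on the network needs it, set `lanman auth = no` in smb.conf and treat the attribute as exactly as sensitive as the NT hash.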

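As an added example (not code from the thread, from Samba, or from any of the posters), a small POSIX sh script that addresses the `smbpasswd -w SOME_STINKIN_PASSWORD` problem from two sides: setting the bind password without the secret ever being typed as an argument in an interactive shell, and auditing existing history files across a farm for lines where it already was. It assumes a POSIX sh, `grep -E`, `sed -E` and `stty`; the `SMBPASSWD` variable naming the binary exists only so the script can be exercised against a stub, and the audit regex is this example's own.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba).
#  1. set_samba_ldap_pw      - store the Samba LDAP bind password (what
#     'smbpasswd -w' writes into secrets.tdb) without the secret appearing
#     as an argument on an interactive command line, so it never lands in
#     .bash_history.
#  2. count_leaked_smbpasswd / show_leaked_smbpasswd - audit a history file
#     for earlier 'smbpasswd ... -w <secret>' lines; run across the farm.
# Assumptions: POSIX sh, grep -E, sed -E, stty. SMBPASSWD is an assumed
# override hook (defaults to the real binary) so the logic can be tested.

: "${SMBPASSWD:=smbpasswd}"

set_samba_ldap_pw() {
    # Interactive: prompt with terminal echo off.
    # Non-interactive: read the first line of stdin, so a central script can
    # feed the password over ssh from a secret store without needing expect.
    if [ -t 0 ]; then
        printf 'LDAP bind password for Samba: ' >&2
        stty -echo
        trap 'stty echo' EXIT INT TERM
        IFS= read -r samba_pw
        stty echo
        trap - EXIT INT TERM
        echo >&2
    else
        IFS= read -r samba_pw
    fi
    if [ -z "$samba_pw" ]; then
        echo 'set_samba_ldap_pw: empty password refused' >&2
        return 2
    fi
    # smbpasswd only accepts the secret as an argument, so for the instant it
    # runs the value is visible in 'ps' output to other local users. That is
    # a far smaller window than a line in .bash_history, but it is not zero.
    "$SMBPASSWD" -w "$samba_pw"
    samba_rc=$?
    unset samba_pw
    return $samba_rc
}

# A history line that carries the secret: smbpasswd, any options, then -w
# followed by a non-blank token.
LEAK_RE='smbpasswd[[:space:]].*-w[[:space:]]+[^[:space:]]'

count_leaked_smbpasswd() {
    # Prints the number of matching lines in the history file given as $1.
    grep -cE "$LEAK_RE" "$1" 2>/dev/null || true
}

show_leaked_smbpasswd() {
    # Prints the matching lines with the secret masked, so the audit report
    # itself does not become another copy of the password.
    grep -E "$LEAK_RE" "$1" 2>/dev/null |
        sed -E 's/(-w[[:space:]]+)[^[:space:]]+/\1********/'
}

# Run directly with --audit to check the calling user's own bash history.
if [ "${1:-}" = "--audit" ]; then
    hist_file="${HOME}/.bash_history"
    echo "leaked smbpasswd lines in $hist_file: $(count_leaked_smbpasswd "$hist_file")"
    show_leaked_smbpasswd "$hist_file"
fi
```

Because the secret arrives on stdin, `ssh farmhost 'sh /usr/local/sbin/samba-bindpw.sh' < /path/to/secret` from a central box sets it without expect and without the password in either side's history; after cleaning up the lines the audit finds, also change the bind password in LDAP, since a hash-free history does not help if the old value was already readable.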