I think the LDAP article(s) find a nice balance between complexity and simplicity - and those are just example ACLs, Craig.

Samba leaves a great deal to be desired as you so eloquently describe. To get around the smbpasswd password changing issues, you can do a "csh" or "screen" before implementing the command, so no bash_history will be retained. To automate user smbpasswd changes, you can run an exec from an ssh script on another server. And you can yum install expect to wait for command line input and actually CHANGE the password from a central server script for all your systems in the farm, even referencing a database or doing a bind password comparison and netbios verification?

Hey, I am all about user education, especially when it comes to certs. Perhaps you might have an Intranet page, with clear questions and answers, or write a little cscript "application" that prompts them through the process?

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM

> Subject: Re: ****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...
> From: craigwhite@azapple.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Date: Fri, 2 Jan 2009 20:21:16 -0700
>
> On Sat, 2009-01-03 at 02:48 +0000, Lisa Kachold wrote:
> > Here's the definitive guide for hammering down LDAP, noting defaults
> > for use, etc.
> > http://eatingsecurity.blogspot.com/2008/11/openldap-security.html
> ----
> I'd hardly call it a definitive guide to hammering down LDAP when there
> are only 2 ACLs. I think a better handle for that URL is some thoughts
> about securing LDAP.
>
> It makes me absolutely insane that the only way to set the bind password
> for samba is via a command line 'smbpasswd -w SOME_STINKIN_PASSWORD' so
> you have to clear history after performing such a command.
>
> For the most part, I have found it useful to allow anonymous binds for
> virtually everything except self access to userPassword, sambaNTPassword
> and sambaLMPassword.
>
> That way, all shared Address Books, all the various clients such as
> Postfix, Cyrus-IMAPd, etc. can get what they need without any
> credentials lying around and obviously try to require all
> authentication to happen via encrypted connections...which means that
> you have to educate users on how to get very stupid client applications
> like Outlook to accept self-signed certs, which means that I create
> certificates with long usage times and sort of is just a PITA.
>
> I'm not sure which is worse, devices like an iPhone which just happily
> accepts just about any cert without much of a fuss or Firefox 3 which
> freaks people out when presented a self-signed cert.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
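The "anonymous read for everything except the password attributes, self access to those" policy Craig describes above, written out as OpenLDAP slapd.conf access directives. This is an added example for the thread, not configuration from either poster; the suffix dc=example,dc=com and the Samba admin DN cn=samba,dc=example,dc=com are placeholder assumptions, and the same rules go into olcAccess if the server uses cn=config instead of slapd.conf.

```conf
# Added example, not from the thread: slapd.conf access directives that
# implement the policy described above. Placeholders assumed here:
# suffix dc=example,dc=com and Samba admin DN cn=samba,dc=example,dc=com
# (the DN named by "ldap admin dn" in smb.conf, whose password is what
# "smbpasswd -w" stores in secrets.tdb).

# Refuse simple binds that would send a password over an unencrypted
# connection (SSF 128 = TLS with at least a 128-bit cipher); anonymous
# binds and plain reads are still permitted in the clear.
security simple_bind=128

# ACLs are evaluated in order, so the password rule must come first.
# "auth" lets a client present the attribute for a bind without reading it;
# "none" for everyone else means no anonymous or user read of the hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Everything else is readable without credentials, so address books,
# Postfix, Cyrus-IMAPd and similar clients need no stored bind password.
# Users may edit their own entry; the Samba admin DN manages accounts.
access to *
        by dn.exact="cn=samba,dc=example,dc=com" write
        by self write
        by * read
```

A quick check that the first rule is doing its job: an anonymous `ldapsearch -x -b dc=example,dc=com userPassword sambaNTPassword sambaLMPassword` should return the entries but none of those three attributes.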