[ Resend from my original 9:58am EST posting that didn't come through ]

On Thu, 2006-06-15 at 21:30 +0200, Alan McKinnon wrote:
> Imagine a scenario where Samba is set up correctly, but the client is
> using the wrong authentication method. Should we have items on fixing
> that client?

On Thu, 2006-06-15 at 21:54 +0200, Alan McKinnon wrote:
> I was under the impression that this was to be a Samba
> Authentication/Filesharing exam, which is pretty much Samba only.
> Considering that this is at an advanced level, I would think there is
> enough material in Samba to create a very thorough exam.
> Linux Auth/File Sharing with NFS, LDAP and other useful technologies
> can become a separate L3 exam.

This is where I mentioned the _real_ need to "draw lines." Otherwise we're going to be "all over the place" and we will also _repeat_ the same questions in different exams with mass _redundancy_.

To step back, in my opinion (remember, _opinion_), I see 3 "separate" exams to start:
- Authentication, Directory, Naming
- Network File (and Print) Services
- [Network and ]Systems Security (possibly after the first 2)

When it comes to _basic_ object naming, system/user authentication and then object meta-data, authorization, etc... that should go into a _dedicated_ Authentication, Directory and Naming exam. This would address Linux, MacOS X, UNIX and Windows clients -- including nmbd, WINS, Winbindd, etc... services.

When it comes to an object that has been authorized and knows what resources to access, or how to configure Samba specifically to utilize such external components, that goes in the Network File (and Print) services exam.

This approach will solve 2 _major_ issues:

1. Depth -- we can get deep into each set of functions on each exam, instead of trying to hit everything on one and ending up being "too broad."

2. Focus -- if we start talking Samba/Windows-only authentication, naming, etc... details on one exam, then when we do LDAP, NFS, etc... on other exams, we are going to have _redundant_ concepts/questions on each.

Again, it is my _strong_ opinion that we need to "look outside the box" of just Samba, LDAP, etc... and look at the "larger picture" of _enterprise_ level integration of Linux, MacOS X, UNIX and Windows clients _equally_.

On Thu, 2006-06-15 at 22:00 -0500, John H Terpstra wrote:
> Where in the current Windows Server 2003 and Windows XP Professional
> certification is NT4 technology fully covered? Samba-3 is NT4-based.

Okay, that's _Microsoft_marketing_. Despite that marketing, understand ADS 2000 and, to a lesser extent, ADS 2003 _still_ rely on NTLM-era technologies. Why? Because many programs/clients in NT5+ (2000+), including NT5.1 XP/2003, _still_ rely on NetBIOS, WINS and other technologies. If you read the Samba docs, they talk about this. And using the products tells me as well.

> It knows enough ADS to permit Samba-3 to be an ADS client, but does the Linux
> admin know anything about either of these (NT4 and Non-Windows ADS clients)?

Yes! Understand that ADS is little more than:

1. DNS w/SysV records
2. Kerberos authentication using the _legacy_ NT3.1+ SAM store
3. LDAP schema and store

UNIX has _always_ done #1. Many programs/clients in NT5+ _still_ rely on NetBIOS/WINS. If you read the Microsoft docs, it's _always_ recommended you _always_ have a WINS server. And God knows there's _still_ NetBIOS being broadcast around, no matter how much you try to curb it (although ADS 2003 helps somewhat with newer XP clients).

#2 is the reason why ADS is _little_different_ than as far back as NT3.1. Understand the _entire_ difference between a Windows "workgroup" and a Windows "domain" is whether or not the system uses the local Security Accounts Manager (SAM) in the registry or the "network-wide" SAM on the DCs. This even feeds back into core _flaws_ in the design of NTFS (don't get me started) -- which is why DCs _ignore_ their local SAM and only use the "network wide" SAM. So #2 is _unchanged_ from NT3.1 domains through ADS 2003.

#3 is really the only part that is "hard to replicate" -- hence why Samba can't be a peer DC to a native Windows server. But that's just proprietary and extensive LDAP schema issues -- not unheard of with eDirectory either.

CASE-IN-POINT: Enterprise Linux networking services are _more_ than just Samba, yet they are intertwined with Samba as well. You cannot merely test on "Samba alone" and get anywhere near the detail and focus of all that is involved.

Again, we need to:

1. Break-up and define the _technologies_ in use
2. Put those _technologies_ as objectives, and then tasks, for each exam
3. Recognize where those "boundaries" are between _technologies_
4. And make the exams focused on those for _any_ [common] type of service

Otherwise, if we have a Samba-specific exam, we're going to get:

A. Lots of authentication, naming, etc... that touches NIS, LDAP, NTLM, Kerberos, NFS, etc... in the Samba exam
B. Have to repeat those questions in the LDAP and other exams
C. Have to revisit _all_ exams for Samba-LDAP, Samba-NFS, Samba-Kerberos, etc... as well as NFS-LDAP, NFS-Samba, NFS-Kerberos, etc...
D. And that results in a clusterfsck redundant set of objectives, tasks and resulting exams

We'll be fighting ourselves just to write new exams and/or rev existing ones that _ignored_ all of that interoperability.

> If not, where does he go to obtain that knowledge? Who certifies that
> knowledge today?

Microsoft does _not_ test its MCSA/MCSE candidates on the _first_thing_ about how the DNS, Kerberos, SMB, NTLM, NetBIOS/WINS, etc... actually _acts_. That's the problem.

> So if LPI will not take essential knowledge seriously - who will? Then why
> have a Samba exam?

Don't confuse "marketing" with "essential knowledge." There are _many_ enterprises that run XP _just_fine_ without ADS.

ADS is an integrated set of technologies that are designed for 2000/XP and vice-versa. But in reality, they don't work so well. The clients are _so_bad_ that Microsoft recommends you _only_ run Windows XP Pro with Windows Server 2003. If you run Windows 2000 ADS or Windows 2000 Pro, they recommend all sorts of "legacy" items turned on.

And even if you run XP Pro, there are many clients and programs that _still_fail_ if you don't. Because there is just too much "legacy NT3.1+" at the _heart_ of ADS itself. Such as how the SAM is the store for Kerberos.

-- 
Bryan J. Smith           Professional, technical annoyance
mailto:[EMAIL PROTECTED]   http://thebs413.blogspot.com
----------------------------------------------------------
The existence of Linux has far more to do with the breakup
of AT&T's monopoly than anything Microsoft has ever done.
