On Tue, 2006-06-20 at 13:52 -0200, [EMAIL PROTECTED] wrote:
> I just think an enterprise samba admin should not be required to have
> strong LDAP skills.

And I agree, "strong" is not required. But an enterprise Samba administrator needs to understand how non-Windows networking authentication, objects and naming work -- including various services and their interaction. That includes GSSAPI capabilities, elementary KDC configuration and Kerberos principles, how computer/user/group objects can be named, authenticated, synchronized, etc. -- not just to native Windows servers, but to both local and remote UNIX/Linux-based stores, etc. They don't have to know the ins and outs of how the Samba or other LDAP schema works. But they do have to understand how their information is used for file access and authorization to those resources.

> If LPIC-3 is just LDAP and Samba you make this a requirement. Of
> course the LDAP exam would be hard, because LDAP is a complex subject,

Which is why I advocate _basic_ understanding and tasks that deal with _elementary_, but _centralized_, object authentication, naming and other network information such as resource lists. I could care less if someone was an LDAP expert. But I do care that a Samba administrator knows how to authenticate and get user/group information from more than just the local UNIX methods (files, NIS, etc.) or an ADS server (NTLM, SAM, etc.). I want them to know how to authenticate against a real KDC (not just ADS'), how to get user/group information from a generic LDAP system, and not just its own "cookbook" schema for OpenLDAP.

> but that would be only for whoever chooses this track. :-)
> So far I understand there are three propositions. Please correct me if I am
> wrong:
> 1. LPI initial plan for LPIC-3,
>    both required for achieving LPIC-3
> 1.1 Samba exam
> 1.2 LDAP exam
> 2. Bryan's proposal,
>    first and one of the other two required for achieving LPIC-3
> 2.1. Core auth/naming exam, covers LDAP and winbind

First off, _be_careful_ on assuming what I'm saying. I'm not talking about "LDAP" and "Winbindd". I'm talking about naming (DNS w/SysV, DHCP w/DDNS, WINS and possibly even a note on SAP, etc.), local authentication/object services (files and NIS, PAM and NSS, etc.), remote authentication/object services (Kerberos and GSSAPI, LDAP and basic object schema including synchronization, NTLM and SAM via Winbindd, etc.) -- including system authentication as well as user/group.

> 2.2. Samba exam, covers only file services + LDAP integration

Again, you're still not looking at the "bigger picture." I'm talking about Samba and _authorization_ details. We've already shown how to do authentication of objects, and map network objects into local ones. We do _not_ need to re-cover that. We _only_ need to focus on getting access to files and how you are authorized (access control) to use those files -- as well as locking, filtering, etc. In that mix, as we cover _basic_ UNIX/Linux filesystem-level details, we will also be covering NFS concepts "for free." In a nutshell, anything that is an RPC service, not an authentication or object service.

> 2.3. LDAP exam, covers directory replication, performance and schema
> customization

Again, _be_careful_ on "depth." E.g., directory replication should be left to the "Availability and Redundancy" exam -- where we can expand on those concepts beyond _basic_ usage. Especially since, while OpenLDAP only offers read-only replication, Fedora Directory Server allows up to 4 peers to do multi-master replication -- and it's damn simple. ;->

[ NOTE: Fedora Directory Server is _not_ new. It's iPlanet/Netscape Directory Server. Red Hat started down integration of OpenLDAP, but figured it was cheaper and faster to just buy it from AOL-Netscape. ]

> 3. My proposal,
>    first and one of the other two required for achieving LPIC-3
> 3.1. Core auth/naming/files exam, covers PAM, NSS, ACLs, basic LDAP,
> 3.2. Samba exam, including winbind
>      doesn't cover winbind

How can you cover network object authorization and mapping without Winbindd? It's like a driver exam that covers everything but yield and stop signs, saying they should be on the exam for the mechanic. Yes, the mechanic might need to know about yield and stop signs. But the mechanic only needs to know those when he's driving -- like everyone else (who are not often mechanics, even if they change their own oil or tires)! Does this analogy make any sense? I mean, how you map and/or synchronize objects across a network doesn't matter if you're running Samba or not -- to/from other UNIX/Linux systems, to/from Windows systems, etc.

> 3.3. LDAP exam, including Samba integration
> I think either mine or Bryan's makes the future creation of
> additional exams like security and A&R easier. But as I said, is LPI open for
> discussing this? Or is it already settled on proposal (1)?

Nothing is settled. The _only_ thing I'm trying to do is get people to realize that things like Winbindd have _nothing_ to do with actual Samba file services via RPC. Winbindd is only provided by the Samba project, but not just for Samba and its RPC/authorization. It's object authentication and mapping. NTLM/SAM auth/object concepts have _nothing_ to do with RPC/SMB service/file. Just like Kerberos/LDAP auth/object concepts have _nothing_ to do with RPC/NFS service/file. Yes, we have to authenticate an object _before_ we can authorize it to use RPC services or access files via NFS and SMB. And yes, we want to map objects across a network between all services, or provide a centralized resource list that systems can find out about. But the services have _nothing_ to do with each other from what they do.

-- 
Bryan J. Smith   Professional, technical annoyance
mailto:[EMAIL PROTECTED]   http://thebs413.blogspot.com
----------------------------------------------------------
The existence of Linux has far more to do with the breakup of AT&T's
monopoly than anything Microsoft has ever done.
_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/mailman/listinfo/lpi-examdev
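[Editor's added illustration, not part of Bryan's message or any LPI material.] The separation he argues for (object lookup and authentication vs. identity mapping vs. file-service authorization) is visible in where each piece is configured on a Linux host. The fragments below are a constructed example: the realm EXAMPLE.COM, workgroup EXAMPLE, group "engineering", path /srv/projects and the hostname pattern are assumed, and the option spelling follows a current Samba (the 2006-era Samba 3.0 "idmap uid/gid" form differs; check the smb.conf man page for the version actually in use).

```ini
# Added example (not from the original message). Assumed: realm EXAMPLE.COM,
# workgroup EXAMPLE, domain group "engineering", share path /srv/projects.

# --- 1. Object lookup (NSS): who is "jdoe", which groups exist?
#     /etc/nsswitch.conf -- winbindd answers here; nss_ldap or sssd would
#     answer the same questions from a generic LDAP store. No files involved.
passwd:  files winbind
group:   files winbind
hosts:   files dns

# --- 2. Authentication (PAM): prove the object is who it claims to be.
#     /etc/pam.d/common-auth -- Kerberos against any KDC (not only AD),
#     or NTLM/SAM via winbindd, before falling back to local /etc/shadow.
auth  sufficient  pam_krb5.so
auth  sufficient  pam_winbind.so  use_first_pass
auth  required    pam_unix.so     try_first_pass nullok

# --- 3. Identity mapping: SIDs -> local uid/gid.
#     smb.conf [global] -- winbindd's other job. Still no file service.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    kerberos method = secrets and keytab
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999

# --- 4. Authorization, the SMB file service proper: what the already
#     authenticated, already mapped object may touch. Only this part is
#     "Samba file services"; swap the share for NFS and steps 1-3 stay put.
[projects]
    path = /srv/projects
    read only = no
    valid users = @engineering
    inherit acls = yes
    map acl inherit = yes

# --- 5. The NFS counterpart, /etc/exports: same objects (resolved and
#     authenticated by steps 1-2), different RPC file service.
/srv/projects  *.example.com(rw,sec=krb5i,root_squash)
```

Usage note: after joining the domain (net ads join) and starting winbindd, `getent passwd jdoe` exercises step 1 and `kinit jdoe` step 2 with no Samba share defined at all; conversely the [projects] share can be reworked (ACLs, locking, veto files) without touching nsswitch.conf or PAM. That is the boundary the message draws between the "core auth/naming" material and the Samba exam.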
