Hi Bryan,

> And I agree, "strong" is not required.
>
> But an enterprise Samba administrator needs to understand how
> non-Windows Networking authentication, objects and naming work --
> including various services and their interaction. That includes GSSAPI
> capabilities, elementary KDC configuration and Kerberos principles, how
> computers/users/group objects can be named, authenticated, synchronized,
> etc... not to just native Windows servers, but to both local and remote
> UNIX/Linux-based stores, etc...
(...)
> But I do care that a Samba administrator knows how to authenticate and
> get user/group information from more than just the local UNIX methods
> (files, NIS, etc...), or an ADS server (NTLM, SAM, etc...). I want them
> to know how to authenticate against a real KDC (not just ADS'), how to
> get user/group information from a generic LDAP system, and not just its
> own "cookbook" schema for OpenLDAP.

Hey, if you want the samba admin to be able to use a generic LDAP schema and not just the "cookbook" samba-ldap schema, you want the samba admin to be also a generic LDAP admin and so you are in fact requiring "strong" ldap skills.

I propose a progression from "basic" unix network authentication (nis, kerberos) to samba-specifics (winbind, pam_smb) and then to full-featured directory (ldap). The entry level could also include basic file services like ACLs and NFS or we could have a higher level NFS with kerberos exam and other file sharing services.

> > So far I understand there are three propositions. Please correct me if I am
> > wrong:
> > 1. LPI Initial plan for LPIC-3,
> > both required for achieving LPICP-3
> > 1.1 Samba exam
> > 1.2 Ldap exam
> > 2. Bryan proposal,
> > first and one of the other two required for achieving LPICP-3
> > 2.1. Core auth/naming exam, covers ldap and winbind
>
> First off, _be_careful_ on assuming what I'm saying.

Have you read "so far I understand"? :-) I just built a summary of what I understood to try to better focus the discussion. Of course any summary will leave out many important details, and my understanding may be at fault.

> I'm not talking about "LDAP" and "Winbindd". I'm talking about naming
> (DNS w/SysV, DHCP w/DDNS, WINS and possibly even a note on SAP, etc...),

Our main divergence is: you take samba services related to auth (like winbind) and want them on the general auth exam. I want samba-specific services (or anything that depends on windows technology and protocols) to be contained on the Samba exam, so professionals who decide to become experts in other fields don't have to bother with samba-related stuff.

> local Authentication/Object services (files and NIS, PAM and NSS,
> etc...), remote Authentication/Object services (Kerberos and GSSAPI,
> LDAP and basic object schema including synchronization, NTLM and SAM via
> Winbindd, etc...) -- including system authentication as well as
> user/group.

LDAP synchronization, that is, replication from one ldap server to another would be a matter for the ldap specific exam, not for a core exam IMHO. Just as winbind would be a matter for the samba exam.

> Again, you're still not looking at the "bigger picture."

I can't deliver an exam based on the "bigger picture". An exam tests for specifics. The bigger picture helps building a program which contains many exams. I think we agree on the big picture and are arguing about the exam details.

> I'm talking about Samba and _authorization_ details. We've already
> shown how to do authentication of objects, and map network objects into
> local ones. We do _not_ need to re-cover that. We _only_ need to focus
> on getting access to files and how you are authorized (access control)
> to use those files -- as well as locking, filtering, etc... In that
> mix, as we cover _basic_ UNIX/Linux filesystem-level details, we will
> also be covering NFS concepts "for free."
>
> In a nutshell, anything that is an RPC service, not an authentication or
> object service.

You mean authorization on windows (smb) networks is not rpc-based? And does an employee care about what is rpc-based or not? I can't explain to a hirer that part of the skills from a samba admin is on the auth exam and part on the file services exam. He wants a samba expert that manages anything related to samba, but not anything related to file services or auth, just enough to administer the samba servers.

> > 2.3. LDAP exam, covers directory replication, performance and schema
> > customization
>
> Again, _be_careful_ on "depth."
>
> E.g., directory replication should be left to the "Availability and
> Redundancy" exam

No way! I expect an ldap expert to be able to set up and manage the replication between all openldap servers (or whatever directory server I use). But I don't expect him to be able to set up a virtualization server or a web server farm or an HPC cluster.

The way you think on the exams you force all candidates to pass all of them to have any useful certification. Please don't think about what you do know or about what the perfect linux consultant should master. Think about what kinds of professionals you'd hire as part of your team.

> > 3. My proposal,
> > first and one of the other two required for achieving LPICP-3
> > 3.1. Core auth/naming/files exam, covers PAM, NSS, ACLs, basic LDAP,
> > 3.2. Samba exam, including winbind doesn't cover winbind
>
> How can you cover network object authorization and mapping without
> Winbindd?

Is winbind the only way to do that? Why should a core exam be complete on all related topics and products?

> Does this analogy make any sense? I mean, how you map and/or
> synchronize objects across a network doesn't matter if you're running
> Samba or not -- to/from other UNIX/Linux systems, to/from Windows
> systems, etc...

In practice it matters a lot if I am running samba or not, because if I run samba I have a specific requirement for windows integration that I may not have on an all linux/unix company. And I do know some of these companies, for which any samba knowledge, including winbind, is useless. :-)

Put in another way, why should someone need to learn about NetBIOS inner workings to understand PAM and NSS?

> > 3.3. LDAP exam, including samba integration
> > I think either mine or Bryan's make it easier future creation of
> > additional exams like security and A&R. But as I said, is LPI open for
> > discussing this? Or it is already settled on proposal (1)?
>
> Nothing is settled.

This was a question for Matt, as he's the one who speaks for LPI in this regard.

> The _only_ thing I'm trying to do is get people to realize that things
> like Winbindd have _nothing_ to do with actual Samba file services via
> RPC. Winbindd is only provided by the Samba project, but not just for
> Samba and its RPC/authorization. It's object authentication and
> mapping.

Forget about how winbind is built. Both smbd, nmbd *and* winbindd serve integration with windows. It makes no sense to use them without this need. So they belong together on the same certification exam, and not as separate exams just because one provides file services, the second name-to-ip translation and the third user information.

[]s, Fernando Lozano

_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/mailman/listinfo/lpi-examdev
