On Tue, 2006-06-20 at 15:18 -0200, [EMAIL PROTECTED] wrote:
> Hey, if you want the samba admin to be able to use a generic LDAP schema
> and not just the "cookbook" samba-ldap schema you want the samba admin
> to be also a generic LDAP admin and so you are in fact requiring
> "strong" ldap skills.

How so? There is _more_ to authentication/mapping than NTLM/SAM (Winbindd) or LDAP. You might want to use Kerberos for authentication, and then use local (files, NIS) or maybe another store (doesn't even have to be LDAP) for mapping.

> I propose a progression from "basic" unix network authentication
> (nis, kerberos)

There is _no_ such thing as NIS "authentication." It's local UNIX.

> to samba-specifics (winbind, pam_smb) and then to full-featured
> directory (ldap).

You're missing object authentication with object mapping. Two entirely different concepts. Samba does _not_ have to use Winbindd or PAM_Smb, even if you have native ADS servers on your network. In fact, you want to _avoid_ it if you can, because it makes your network authentication/mapping Windows-centric.

> The entry level could also include basic file services like ACLs
> and NFS

Why aren't we addressing those _basic_ UNIX/Linux filesystem concepts right in the "Samba" exam then?

> or we could have a higher level NFS with kerberos exam and
> other file sharing services.

Why can't "Kerberos" authentication just be covered once and for all for authorization in the auth/dir/name exam? Other than checking for an option in another config file for various services, that's pretty much it. I'm trying to _simplify_ LPIC-3, instead of making it only "scenario A+B+C" or "scenario A+X+Y".

> Our main divergence is: you take samba services related to auth (like
> winbind) and want them on the general auth exam. I want
> samba-specific services (or anything that depends on windows
> technology and protocols) to be contained on the Samba exam,

"that depends on Windows technology and protocols"

Samba does _not_ have to do that. Samba does _not_ have to use Winbindd. That's a common _misnomer_.

> so professionals who decide to become experts in other fields don't
> have to bother with samba-related stuff.

But what if I don't have Samba servers, but I want to authenticate my Apache server against ADS? You don't have to know the first thing about providing Samba file services to do that, but you _will_ often use a Samba-provided service to do so. People maintain network file servers, _not_ "Samba" servers. People maintain enterprise auth/dir/name servers, _not_ "LDAP."

> LDAP synchronization, that is, replication from one ldap server to another
> would be a matter for the ldap specific exam, not for a core exam
> IMHO.

If we try to throw the kitchen sink into each individual exam, we'll not only get way too broad, we're going to _cover_ the same concepts _redundantly_ on separate exams. Why not cover Winbindd on the auth/dir/name exam? That way it could be used for _both_ Samba and Apache. Or why not cover local UNIX auth/name, Kerberos auth, various resource maps (NIS, LDAP schema, user/group-only LDAP, etc...) on one exam, which can be used for _any_ service -- including Samba?

> Just as winbind would be a matter for the samba exam.

Why? Why not open up Winbindd to _many_ exams? Why ignore the fact that NTLM/SAM access from UNIX/Linux is often used _outside_ just Samba file services?

> I can't deliver an exam based on the "bigger picture".

Yes you can.

> An exam tests for specifics.

Yes, like configuring NSSwitch, PAM, Kerberos, etc... for a _number_ of services. Why do we have to make it "only A+X+Y" and "only A+B+Z" all over the place?

> The bigger picture helps building a program which contains many
> exams. I think we agree on the big picture and are arguing about the
> exam details.

Why do the exams have to be broken down by "project"? Why not by "role/focus" of the professional?

> You mean authorization on windows (smb) networks is not
> rpc-based? And does an employee care about what is rpc-based
> or not? I can't explain to a hirer that part of the skills
> from a samba admin is on the auth exam and part on the file
> services exam.

Huh? HR departments don't understand jack. Now if you're saying we need to write our exams so they fit what an HR department defines, then you might as well run off to Cisco, Microsoft, Novell, Red Hat, Sun and countless others and tell them they've fsck'd up too! I don't care if you're doing Samba, Apache, etc... -- if we start putting object authentication and naming in _each_ exam, we're going to build some rather limited and redundant exams.

> He wants a samba expert that manages anything related to samba,

*NO*! He/she wants a "file server" expert that manages anything related to "file servers." He/she might see "Samba" as a keyword, but he/she really doesn't understand the first damn thing about it.

> but not anything related to file services or auth, just enough to
> administer the samba servers.

Buzzword bingo. Call it Samba for HR. But it's a file service. And that relies on _other_ services, including object authentication and naming that Samba does *NOT* provide.

> No way! I expect an ldap expert to be able to setup and manage the
> replication between all openldap servers (or whatever directory server
> I use).

At what cost of other concepts in the exam? What do we shove out? How deep do we go? OpenLDAP's replication facilities get rather _involved_. So other than setting up a basic, read-only replication, we can't go deeper. Now Fedora Directory Server replicates well "out-of-the-box." So we can do the same. Anything "more advanced" would go into the "Availability and Redundancy" exam.

I think you keep being "absolutist" on anything I say. You're going to have to deal with connecting to Winbindd, PAM, etc... on the Samba exam. But you don't have to get involved with all their functionality -- that's for the exam that deals with object authentication and mapping. The idea is to make this program _manageable_. You go deep by service application, *NOT* by project. Too many things are interrelated and we will _not_ be able to get "deep" because we will be covering things _redundantly_ on different exams.

> But I don't expect him to be able to setup a virtualization server or
> a web server farm or a HPC cluster. The way you think about the exams you
> force all candidates to pass all of them to have any useful certification.

That's the idea behind a potential LPIC-4 -- to pass most/all LPI 30x. For now, how you authenticate and map objects across a domain, and provide file and other LAN/WAN resources to those objects, is the focus of the first 2 exams of LPIC-3.

> Please don't think about what you do know or about what the perfect
> linux consultant should master. Think about what kinds of
> professionals you'd hire as part of your team.

Ummm, I thought that's basically what I did, based on "real world" experience. How can you be a Samba "guru" if you don't know the first thing about UNIX/Linux filesystem fundamentals that also involve NFS? That's why there are _broken_ Samba installs with _horrendous_ security.

> Is winbind the only way to do that? Why should a core exam be complete
> on all related topics and products?

Because that's how enterprise networks work.

> In practice it matters a lot if I am running samba or not, because
> if I run samba I have a specific requirement for windows integration
> that I may not have on an all linux/unix company.

*STOP* thinking in the "all" Windows or "all" UNIX/Linux company. I have _yet_ to be with _any_ enterprise organization that was "all" anything.

> And I do know some of these companies, for which any samba knowledge,
> including winbind, is useless. :-)

But I also know companies that use Winbindd and not Samba. Or Samba -- including synchronization to ADS -- without Winbindd.

> Put in another way, why should someone need to learn about NetBIOS
> inner workings to understand PAM and NSS?

Yes, because I've yet to see _any_ enterprise organization that didn't have NetBIOS flying around. In fact, it's _crucial_ to eliminating it as best as you can. Despite marketing to the contrary, ADS doesn't do it.

> Forget about how winbind is built. Both smbd, nmbd *and* winbindd
> serve integration with windows.

Yes. But the latter two don't have to be used for SMB file services. I've continually given Apache as an example.

> It makes no sense to use them without this need.

And what enterprise have you seen that doesn't have Windows? In the same regard, what enterprise have you seen that doesn't have at least one UNIX or Linux client?

> So they belong together on the same certification exam, and not as
> separate exams just because one provides file services, the second
> name-to-ip translation and the third user information.

Which is why your suggestion is going to make LPIC-3 very, very simplistic, covering "standalone" services. It will resemble _nothing_ like "real world" enterprise networks with UNIX, Linux, Windows, etc... integrated.

-- 
Bryan J. Smith
Professional, technical annoyance
mailto:[EMAIL PROTECTED]
http://thebs413.blogspot.com
----------------------------------------------------------
The existence of Linux has far more to do with the breakup
of AT&T's monopoly than anything Microsoft has ever done.

lpi-examdev mailing list
[email protected]
http://list.lpi.org/mailman/listinfo/lpi-examdev
