Re: [lpi-examdev] LPIC-300 Objective Discussion

[Mark Clarke]

I get it you think IPA is the best technology ever and everybody else is
ignorant for not adopting it sooner but I don't think the purpose of LPI
is to push what we think is the next big thing but to see what is
actually out there in use. From you own anecdotal evidence of the use of
IPA it is a technology that may be in the process of being slowly
adopted.  So is BTRFS, ZFS,  Linux capabilities, name spaces etc. If it
use continues to grow we have a process to review the level of coverage
- and if something else ends up replacing it then we can swap it out.

There are plenty of technologies people are passionate about but have
not yet been widely adopted - I don't see people using LPI objectives to
push these agendas. Upstart/Systemd is a case in point.



On 21/09/2016 13:15, Bryan Smith wrote:
>
> And if you're unaware ...
>
> SuSE shipped OpenLDAP as it's pre-configured directory server (and
> very well), but once acquired by Novell (now Attachment), they started
> pushing their proprietary server. This was around the same time Red
> Hat acquired iPlanet assets a dozen years ago.
>
> Canonical has long just pushed people towards a couple of costly,
> proprietary add-ons (we're talking CALs of US$100s per Linux system)
> to add POSIX policies to AD DCs running Windows.
>
> Samba doesn't address POSIX services, it's just a Windows client
> service, even the DC is an AD/Windows-only capability, atop of a POSIX
> platform. There is no AD facility to support the underlying POSIX
> platform, no standard schema in AD to support POSIX platforms, and
> Identity Management for UNIX (IDMU) only adds extremely basic user
> (iNetOrgPerson IETF 2307bis) to AD, which is dropped in Win10/2016
> Domain/Forest levels.
>
> No, you have to manage POSIX attributes with POSIX schema in LDAP,
> ideally with Certificate and Kerberos for both Security and Trust
> aspects.  So, what is the *only* open source solution in the world
> that has done this?  The only one to introduces an "equivalent" to the
> NT LSA in SSSD, the only one that handles a full, multi-domain,
> multi-tree, AD Forrest in Kerberos Trusts (IPA Server) all while
> making Keys and POSIX Policy Objects cake to push out to the POSIX
> clients (IPA Client, via SSSD)?
>
> Name one other, 100% open source solution from client to server, and
> I'm all ears.  Until then, distros have scrambled to add NSS/SSSD/IPA
> Client, and desperately are trying to integrate 389/Dogtag/IPA Server,
> after years of ignoring Red Hat overtures as they either tried to sell
> their "proprietary" add-on, or ignored the problem altogether and
> relied on proprietary 3rd parties.
>
> That's the history, in-a-nutshell.
>
> -- bjs
>
> DISCLAIMER: Sent from phone, please excuse any typos
> -- 
> Bryan J Smith - Technology Mercenary
> b.j.sm...@ieee.org  - m...@bjsmith.me
>  - http://linkedin.com/in/bjsmith
>
>
>
> On Sep 21, 2016 06:58, "Bryan Smith"  > wrote:
>
> They used to say the same thing about NSS/389/Dogtag.  Now every
> distribution is hacking in support for SSSD and IPA.  Why is that? ;)
>
> E.g.., how many people used to not only OpenLDAP was the only open
> source directory server, but say inherent, multi-master
> replication wasn't available or didn't work well?
>
> I. e., cannot help if people are unfamiliar, and distributions
> don't get enough maintainers to port it. The first time someone
> sees AD Forest Trusts at work, they are instantly drawn to it.
> Heck, just the SSSD portion draws them.
>
> So, let me re-iterate my point one more time ...
>
> AD Group Policy Objects (GPO) are used to manage Windows
> attributes. So why would we include them in a POSIX (UNIX/Linux)
> security exam?  There are no free or open source implementations
> that add POSIX support to GPOs, only proprietary solutions.
>
> Ergo ...
>
> If we're going to add any 'Policy' objectives to any POSIX
> security exam, they should be the POSIX attributes that can be
> stored in a LDAP set of schema instead.  And I'd argue the most
> 'standarized' set of 'Policy' Objects are the ones that cover
> certificates, SSH, sudoers, auto_home, etc...
>
> These were popularized in NSS/389/Dogtag (fka iPlanet
> Security/Directory/Certificate, well proliferated in major
> installations), acquired by Red Hat in 2004, fully open sourced in
> 2005 (a few components were re-written), including its inherent,
> multi-master replication, and most people implement in Identity,
> Policy, Audit (IPA) out-of-the-box. Other than certificate, this
> schema can also be implemented in OpenLDAP as well.
>
> Most distributions have been hacking in SSSD/IPA support, after
> ignoring NSS/389/Dogtag for a decade, because unlike
> Samba-Winbindd/OpenLDAP, it actually addresses a crapload of
> interoperability 

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

Now my more productive response ...  ;)


  o  Short version ...

SSSD support of Policy Objects is well proliferated.


  o  In bullets ...

_If_ we are going to include 'Policy Objects' ...
 - Start with the IPA ones, specifically where ...
 - SSSD**, w/o IPA, supports them so not only ...
 - All Linux distros** support them, but ...
 - Any LDAP server (OpenLDAP, 389, etc... ) does too


  o  Case-in-point ...

**This assumption is the the most frustrating reality I deal with
day-in, day out:
  "the only distro that supports it is Fedora,
   and is largely unsupported in the rest of them.
   Seems like a distro specific feature?"

I hear that from Ubuntu admins on SSSD regularly.  But then I ask them
to "humor me," and then they setup SSSD for the first time, and say 2
things ...

1)  "Why the heck was I hacking up PAM (LDAP/KRB5), Samba (Winbindd)
and dealing with flaky NSCD?"

SSSD was designed by some of the best Samba and Directory Server
maintainers for a reason.  Many things that SSSD implemented has been
ported and patched in Winbindd, but doesn't solve the root issues that
SSSD does.

2)  "But can't there be an easier, single client that prevents me from
having to setup anything?"

That's IPA Client.  If distros would have adopted and integrated
NSS/389/Dogtag some dozen (12) years ago, then IPA Client would be a
no-brainer.  But because they didn't, they are behind.


  o  The cringe-worthy ...

The sad thing here is, AD architects follow me better than Linux
"enthusiasts."  Especially when I explain SSSD modular stack as being
like the NT LSA modular stack.

I literally _cringe_ when Linux "enthusiasts" tell client
stakeholders, "Oh, Linux doesn't have something like that, or it's not
easy to support, so just buy" ... (insert really expensive,
proprietary client).

It's _not_ about IPA at all.
It's about Policy Objects.
SSSD supports them, including ...
With_out_ IPA.

IPA is really _nothing_ more than a 'canned' LDAP + Kerberos + DNS +
Certificate + Policy + etc..., and relies on all the features in SSSD
stack on the client side ...

Just like AD relies on the LSA stack on the client side.

If your distro supports SSSD, and virtually _everyone_ does today, a
number of Policy Objects are supported out-of-the-box.  That's what
this is literally about, _not_ the directory server.

Now the added reality is ... imagine if you had to setup AD-LDAP
'manually' and other things, with MS-Kerberos, etc...   No, the
Windows world wouldn't accept that.  Heck, Canonical doesn't even
bother.

IPA is just well-liked because you run ipa-client, and you're done.
You don't have to hack up files, from PAM to SSSD to LDAP to Kerberos
to various RPC to others.  But you do _not_ need to do such.  You can
use _any_ LDAP server for many of the policies.

_Every_ distro has SSSD now, and most have the IPA Client ported over.
But because they didn't integrate the NSS/389/Dogtag stack a dozen
years ago, they are shotgunning efforts now.

Has _nothing_ to do with "distro-specific," but user ignorance.  Many
users of many distros don't work in corporate environments where they
push open source first.  They just buy something proprietary instead.

That's the problem.  ;)

-- bjs


On Wed, Sep 21, 2016 at 7:16 AM, Bryan Smith  wrote:
> Again, ignorance is bliss.
>
> DISCLAIMER: Sent from phone, please excuse any typos
> --
> Bryan J Smith - Technology Mercenary
> b.j.sm...@ieee.org - m...@bjsmith.me - http://linkedin.com/in/bjsmith
>
>
>
> On Sep 21, 2016 07:09, "Mark Clarke"  wrote:
>>
>> On 21/09/2016 12:58, Bryan Smith wrote:
>> >
>> > They used to say the same thing about NSS/389/Dogtag.  Now every
>> > distribution is hacking in support for SSSD and IPA.  Why is that? ;)
>> >
>> > E.g.., how many people used to not only OpenLDAP was the only open
>> > source directory server, but say inherent, multi-master replication
>> > wasn't available or didn't work well?
>> >
>> > I. e., cannot help if people are unfamiliar, and distributions don't
>> > get enough maintainers to port it. The first time someone sees AD
>> > Forest Trusts at work, they are instantly drawn to it. Heck, just the
>> > SSSD portion draws them.
>> >
>> I wouldn't say NSS/389/Dogtag has been widely adopted outside RedHat yet
>> - it very well might be an emerging technology but its not something
>> every sys admin needs to know. If its included  at an "awareness level"
>> then ok - but until it gets wide spread adoption, and mind share, I
>> can't agree that it should be covered in any more details. To be frank I
>> think there the coverage in 303 is overboard. BTRFS and ZFS should have
>> a much bigger weighting in the certs - but that is not relevant here :)
>>
>>
>>
>>
>> --
>> Mark Clarke
>> 📱  +2711-781 8014
>> 🌠  www.JumpingBean.co.za
>>
>> ___
>> lpi-examdev mailing list
>> lpi-examdev@lpi.org
>> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

Again, ignorance is bliss.

DISCLAIMER: Sent from phone, please excuse any typos
-- 
Bryan J Smith - Technology Mercenary
b.j.sm...@ieee.org - m...@bjsmith.me - http://linkedin.com/in/bjsmith


On Sep 21, 2016 07:09, "Mark Clarke"  wrote:

> On 21/09/2016 12:58, Bryan Smith wrote:
> >
> > They used to say the same thing about NSS/389/Dogtag.  Now every
> > distribution is hacking in support for SSSD and IPA.  Why is that? ;)
> >
> > E.g.., how many people used to not only OpenLDAP was the only open
> > source directory server, but say inherent, multi-master replication
> > wasn't available or didn't work well?
> >
> > I. e., cannot help if people are unfamiliar, and distributions don't
> > get enough maintainers to port it. The first time someone sees AD
> > Forest Trusts at work, they are instantly drawn to it. Heck, just the
> > SSSD portion draws them.
> >
> I wouldn't say NSS/389/Dogtag has been widely adopted outside RedHat yet
> - it very well might be an emerging technology but its not something
> every sys admin needs to know. If its included  at an "awareness level"
> then ok - but until it gets wide spread adoption, and mind share, I
> can't agree that it should be covered in any more details. To be frank I
> think there the coverage in 303 is overboard. BTRFS and ZFS should have
> a much bigger weighting in the certs - but that is not relevant here :)
>
>
>
>
> --
> Mark Clarke
> 📱  +2711-781 8014
> 🌠  www.JumpingBean.co.za
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

And if you're unaware ...

SuSE shipped OpenLDAP as it's pre-configured directory server (and very
well), but once acquired by Novell (now Attachment), they started pushing
their proprietary server. This was around the same time Red Hat acquired
iPlanet assets a dozen years ago.

Canonical has long just pushed people towards a couple of costly,
proprietary add-ons (we're talking CALs of US$100s per Linux system) to add
POSIX policies to AD DCs running Windows.

Samba doesn't address POSIX services, it's just a Windows client service,
even the DC is an AD/Windows-only capability, atop of a POSIX platform.
There is no AD facility to support the underlying POSIX platform, no
standard schema in AD to support POSIX platforms, and Identity Management
for UNIX (IDMU) only adds extremely basic user (iNetOrgPerson IETF 2307bis)
to AD, which is dropped in Win10/2016 Domain/Forest levels.

No, you have to manage POSIX attributes with POSIX schema in LDAP, ideally
with Certificate and Kerberos for both Security and Trust aspects.  So,
what is the *only* open source solution in the world that has done this?
The only one to introduces an "equivalent" to the NT LSA in SSSD, the only
one that handles a full, multi-domain, multi-tree, AD Forrest in Kerberos
Trusts (IPA Server) all while making Keys and POSIX Policy Objects cake to
push out to the POSIX clients (IPA Client, via SSSD)?

Name one other, 100% open source solution from client to server, and I'm
all ears.  Until then, distros have scrambled to add NSS/SSSD/IPA Client,
and desperately are trying to integrate 389/Dogtag/IPA Server, after years
of ignoring Red Hat overtures as they either tried to sell their
"proprietary" add-on, or ignored the problem altogether and relied on
proprietary 3rd parties.

That's the history, in-a-nutshell.

-- bjs

DISCLAIMER: Sent from phone, please excuse any typos
-- 
Bryan J Smith - Technology Mercenary
b.j.sm...@ieee.org - m...@bjsmith.me - http://linkedin.com/in/bjsmith


On Sep 21, 2016 06:58, "Bryan Smith"  wrote:

> They used to say the same thing about NSS/389/Dogtag.  Now every
> distribution is hacking in support for SSSD and IPA.  Why is that? ;)
>
> E.g.., how many people used to not only OpenLDAP was the only open source
> directory server, but say inherent, multi-master replication wasn't
> available or didn't work well?
>
> I. e., cannot help if people are unfamiliar, and distributions don't get
> enough maintainers to port it. The first time someone sees AD Forest Trusts
> at work, they are instantly drawn to it. Heck, just the SSSD portion draws
> them.
>
> So, let me re-iterate my point one more time ...
>
> AD Group Policy Objects (GPO) are used to manage Windows attributes. So
> why would we include them in a POSIX (UNIX/Linux) security exam?  There are
> no free or open source implementations that add POSIX support to GPOs, only
> proprietary solutions.
>
> Ergo ...
>
> If we're going to add any 'Policy' objectives to any POSIX security exam,
> they should be the POSIX attributes that can be stored in a LDAP set of
> schema instead.  And I'd argue the most 'standarized' set of 'Policy'
> Objects are the ones that cover certificates, SSH, sudoers, auto_home,
> etc...
>
> These were popularized in NSS/389/Dogtag (fka iPlanet 
> Security/Directory/Certificate,
> well proliferated in major installations), acquired by Red Hat in 2004,
> fully open sourced in 2005 (a few components were re-written), including
> its inherent, multi-master replication, and most people implement in
> Identity, Policy, Audit (IPA) out-of-the-box. Other than certificate, this
> schema can also be implemented in OpenLDAP as well.
>
> Most distributions have been hacking in SSSD/IPA support, after ignoring
> NSS/389/Dogtag for a decade, because unlike Samba-Winbindd/OpenLDAP, it
> actually addresses a crapload of interoperability and security issues, let
> alone provides a "canned" Policy set that is a serious PITA to setup in a
> generic LDAP server, like OpenLDAP or 389 itself for that matter.  It was
> also, heavily written by Samba maintainers, especially IPAv3 components
> that add AD Forest Trusts.
>
> Because AD schema isn't designed for POSIX attributes, but Windows ones.
> And in an AD Forest, all domains and systems have to have the same schema.
> Microsoft, prior to Windows 10 (Server 2016), only supports basic IETF
> RFC2307bis (IDMU), no POSIX Policy. And with 10/2016, they are dropping it.
>
> In other words ... one cannot store POSIX Policy Objects and Attributes in
> AD, so GPOs are useless for POSIX systems. Meanwhile, Microsoft has dropped
> even basic POSIX attributes from the latest AD/Server, because IPA exists
> with its AD Forest Trust. That way AD Forest can stay "pure Windows
> attributes" like 99% of AD architects expect (let alone too many AD admins
> are ignorant of), and all POSIX attributes and resources go into an IPA
> domain.
>
> Including Samba Servers being in an IPA domain, instead of 

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

They used to say the same thing about NSS/389/Dogtag.  Now every
distribution is hacking in support for SSSD and IPA.  Why is that? ;)

E.g.., how many people used to not only OpenLDAP was the only open source
directory server, but say inherent, multi-master replication wasn't
available or didn't work well?

I. e., cannot help if people are unfamiliar, and distributions don't get
enough maintainers to port it. The first time someone sees AD Forest Trusts
at work, they are instantly drawn to it. Heck, just the SSSD portion draws
them.

So, let me re-iterate my point one more time ...

AD Group Policy Objects (GPO) are used to manage Windows attributes. So why
would we include them in a POSIX (UNIX/Linux) security exam?  There are no
free or open source implementations that add POSIX support to GPOs, only
proprietary solutions.

Ergo ...

If we're going to add any 'Policy' objectives to any POSIX security exam,
they should be the POSIX attributes that can be stored in a LDAP set of
schema instead.  And I'd argue the most 'standarized' set of 'Policy'
Objects are the ones that cover certificates, SSH, sudoers, auto_home,
etc...

These were popularized in NSS/389/Dogtag (fka iPlanet
Security/Directory/Certificate, well proliferated in major installations),
acquired by Red Hat in 2004, fully open sourced in 2005 (a few components
were re-written), including its inherent, multi-master replication, and
most people implement in Identity, Policy, Audit (IPA) out-of-the-box.
Other than certificate, this schema can also be implemented in OpenLDAP as
well.

Most distributions have been hacking in SSSD/IPA support, after ignoring
NSS/389/Dogtag for a decade, because unlike Samba-Winbindd/OpenLDAP, it
actually addresses a crapload of interoperability and security issues, let
alone provides a "canned" Policy set that is a serious PITA to setup in a
generic LDAP server, like OpenLDAP or 389 itself for that matter.  It was
also, heavily written by Samba maintainers, especially IPAv3 components
that add AD Forest Trusts.

Because AD schema isn't designed for POSIX attributes, but Windows ones.
And in an AD Forest, all domains and systems have to have the same schema.
Microsoft, prior to Windows 10 (Server 2016), only supports basic IETF
RFC2307bis (IDMU), no POSIX Policy. And with 10/2016, they are dropping it.

In other words ... one cannot store POSIX Policy Objects and Attributes in
AD, so GPOs are useless for POSIX systems. Meanwhile, Microsoft has dropped
even basic POSIX attributes from the latest AD/Server, because IPA exists
with its AD Forest Trust. That way AD Forest can stay "pure Windows
attributes" like 99% of AD architects expect (let alone too many AD admins
are ignorant of), and all POSIX attributes and resources go into an IPA
domain.

Including Samba Servers being in an IPA domain, instead of AD. That way,
via the AD Forest Trusts, the POSIX architects/admins can put AD Security
groups in IPA [Resource] Groups that have access to Samba shares.  All the
meanwhile, the same IPA domain can push down actual POSIX (UNIX/Linux)
policies on the actual POSIX/Samba server, something AD with it's GPOs
cannot do outside of the Samba server itself 'emulating" itself as a
Windows server (quite literally nothing).

I cannot help of people are wholly unfamiliar with how AD, GPOs,
schema/attributes (especially Windows v. IETF/POSIX) works, especially how
limited Samba is, and why many Samba contributors took 389/Dogtag and
basically invented AD for POSIX. Same thing goes for distributions that
snubbed NSS, and didn't integrate 389/Dogtag, but are now scrambling to add
SSSD/IPA because it's a killer service set that has no equal.

It's certainly not because Red Hat/Fedora doesn't put maintainers time on
other distributions (like a lot of what they do, even employer other
distributions maintainers), but because too many users don't work in huge,
corporate environments where 389/Dogtag already exists because of OpenLDAP
limitation, and now love what SSSD/IPA finally addresses.

Ignorance is bliss. ;)

-- bjs

DISCLAIMER: Sent from phone, please excuse any typos
-- 
Bryan J Smith - Technology Mercenary
b.j.sm...@ieee.org - m...@bjsmith.me - http://linkedin.com/in/bjsmith


On Sep 21, 2016 06:22, "Mark Clarke"  wrote:

> I don't do a lot of work with Samba, other than fairly vanilla
> implementations, but can comment on the IPA/FreeIPA that has been included
> in the security cert. The issue I have IPA/FreeIPA is the only distro that
> supports it is Fedora/Feroda and is largely unsupported in the rest of
> them. Seems like a distro specific feature?
>
> On 21/09/2016 06:11, Kenneth Peiruza wrote:
>
> Hi,
>
> Why do we have openldap on the same course as Samba?
>
> We lost t'he 'centralized auth' ldap part when LPIC 301 passed away.
>
> IMHO, FreeIPA would make a lot more sense in this de facto 'Centralized
> Authentication Services' LPIc rather than in LPIc 3 security.
>
> Regards,
>
>
>
> Sent from 

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Kenneth Peiruza]

Hi,

Why do we have openldap on the same course as Samba?

We lost t'he 'centralized auth' ldap part when LPIC 301 passed away.

IMHO, FreeIPA would make a lot more sense in this de facto 'Centralized Authentication Services' LPIc rather than in LPIc 3 security.

Regards,



Sent from my Mi phoneOn Bryan Smith , Sep 20, 2016 2:41 AM wrote:Policies?  That's really a 100% Windows client aspect.
I don't see how it has anything to do with POSIX (UNIX/Linux), and
requires an entire discussion of Windows client assumptions, from the
NT Local Security Authority (LSA) on down.  Furthermore, on the AD
Forest side, even Samba4 has limited, AD Forest support and related
tree/domain delegation/trust.  Most of its limited support has been
hacked in from IPA contributions (long story).  It's really a topic
for Microsoft's dedicated policy and security exams in their tracks.
Again, it's a Windows aspect, because AD schema is only designed to
manage Windows schema.**  The only non-Windows, like POSIX, support
with Policy Objects are all costly, proprietary add-ons.  I haven't
seen a free one yet.  The free ones only provide similar functionality
to SSSD and, more legcy, Winbindd.  And even when it comes to basic
IETF 2307bis -- aka Identity Management for UNIX (IDMU), Microsoft has
announced they are no longer going to provide it with Windows 10.**
-- bjs
**P.S.  In-a-nutshell, Microsoft has all but agreed Red Hat has the
right idea by using IPA domains, keeping POSIX objects and schema
_away_ from AD, because AD admins don't install/use IDMU, much less
populate.  It's much easier to use AD Forest Trusts between AD domains
and IPA domains, with AD admins designating what AD resources external
IPA groups have access to, and vice-versa.
On Mon, Sep 19, 2016 at 8:11 PM, alexbm...@gmail.com
 wrote:
> Gentlemen,
>
> It would be interesting to insert GPO referring to samba.
>
> To: Relevance of NT4 domains vs. AD domains.
>
>
>
>
>
>
> On 09/18/2016 01:07 PM, Bryan Smith wrote:
>
> Well, Samba 3 and Samba 4 aren't much different.  The protocol in
> Samba 4 is the same as Samba 3.
>
> Samba 4 introduces the DC option, but not all distros include it.
> E.g., Red Hat has gone the IPA route for AD Forest Trusts, instead of
> allowing a Samba Server to be a DC in a native AD Forest.
>
>
> On Sun, Sep 18, 2016 at 9:17 AM, G. Matthew Rice  wrote:
>
> +1 for these changes...samba 3 should definitely go.
>
> I know there are a lot of samba3 installs still out therebut there
> shouldn't be. :)
>
>
> On Sep 17, 2016 2:17 PM, "Fabian Thorns"  wrote:
>
> Dear all,
>
> taking a look at
>
>   https://wiki.lpi.org/wiki/LPIC-3_300_Objectives_V1
>
> You will notice that it's time to review the current LPIC-300 objectives
> to ensure they are still up to date. Therefore I'd like you all to share
> your thoughts about our current objectives with the list, including wishes
> what should be changed in the next update. We have however to obey that it
> will be "minor update", so we can't fundamentally turn the while exam
> around.
>
> Some things we should discuss from my point of view would be:
>
>  * Relevance of NT4 domains vs. AD domains
>  * Same for NBNS vs. DNS
>  * Shift from Samba 3 to Samba 4 (which shouldn't cause too much trouble,
> though)
>
> However, I don't want to limit the discussion on these points. Just go
> ahead and point out what you think. As usual, I will comment when necessary
> and condense all the comments into a draft for potential updated objectives
> which we will then review altogether again.
>
> Looking forward to an interesting discussion,
>
> Fabian
>
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>
>
>
> --
> Alex Clemente
> 11 979919870
> a.clementesi...@uol.com.br
> alexbm...@gmail.com
> Analista Linux e Unix
> Instrutor Linux e Open Source
> Alex Clemente
> 11 979919870
> a.clementesi...@uol.com.br
> alexbm...@gmail.com
> Analista Linux e Unix
> Instrutor Linux e Open Source
> Linux+ – CompTIA Linux+ (Powered by LPI)
> SUSE CLA 11 – Certified Linux Administrator
> SUSE CLP 12 – Certified Linux Professional
> SUSE 11 Tech Espec – Technical Especialist
> LPIC-1 – Linux Professional Institute Certified Level 1
> LPIC-2 – Linux Professional Institute Certified Level 2
>
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
-- 
--
Bryan J Smith  -  http://www.linkedin.com/in/bjsmith
E-mail:  b.j.smith at ieee.org  or  me at bjsmith.me
___
lpi-examdev mailing list
lpi-examdev@lpi.org

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

Typo ...

" ... Again, it's a Windows aspect, because AD schema is only designed
to manage Windows" ATTRIBUTES (not schema)

-- bjs
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

Re: [lpi-examdev] LPIC-300 Objective Discussion

[mwienstroer39194]

Dear Fabian,
I got the same opinion like harald, you and some others.
NT4 is not supported from Microsoft, a long time ago.
AD is the only possibility. So NT4 should go.
As Harald said, NetBios is only part of compatibilty with old systems.
But this should be very rare. WINS should be the same.

The shift from Samba 3 to 4 is very welcome.

The other topics should be okay from my point of view.
I scrolled through all of it and they seems to be okay.


Regards



Maik Wienströer


 

 

 

-Original Message-
From: Fabian Thorns <ftho...@lpi.org>
To: This is the lpi-examdev mailing list. <lpi-examdev@lpi.org>
Sent: Sat, Sep 17, 2016 8:17 pm
Subject: [lpi-examdev] LPIC-300 Objective Discussion



Dear all,


taking a look at 


  https://wiki.lpi.org/wiki/LPIC-3_300_Objectives_V1


You will notice that it's time to review the current LPIC-300 objectives to 
ensure they are still up to date. Therefore I'd like you all to share your 
thoughts about our current objectives with the list, including wishes what 
should be changed in the next update. We have however to obey that it will be 
"minor update", so we can't fundamentally turn the while exam around.


Some things we should discuss from my point of view would be:


 * Relevance of NT4 domains vs. AD domains
 * Same for NBNS vs. DNS
 * Shift from Samba 3 to Samba 4 (which shouldn't cause too much trouble, 
though)


However, I don't want to limit the discussion on these points. Just go ahead 
and point out what you think. As usual, I will comment when necessary and 
condense all the comments into a draft for potential updated objectives which 
we will then review altogether again.


Looking forward to an interesting discussion,


Fabian



___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

Re: [lpi-examdev] LPIC-300 Objective Discussion

[Bryan Smith]

Well, Samba 3 and Samba 4 aren't much different.  The protocol in
Samba 4 is the same as Samba 3.

Samba 4 introduces the DC option, but not all distros include it.
E.g., Red Hat has gone the IPA route for AD Forest Trusts, instead of
allowing a Samba Server to be a DC in a native AD Forest.


On Sun, Sep 18, 2016 at 9:17 AM, G. Matthew Rice  wrote:
> +1 for these changes...samba 3 should definitely go.
>
> I know there are a lot of samba3 installs still out therebut there
> shouldn't be. :)
>
>
> On Sep 17, 2016 2:17 PM, "Fabian Thorns"  wrote:
>>
>> Dear all,
>>
>> taking a look at
>>
>>   https://wiki.lpi.org/wiki/LPIC-3_300_Objectives_V1
>>
>> You will notice that it's time to review the current LPIC-300 objectives
>> to ensure they are still up to date. Therefore I'd like you all to share
>> your thoughts about our current objectives with the list, including wishes
>> what should be changed in the next update. We have however to obey that it
>> will be "minor update", so we can't fundamentally turn the while exam
>> around.
>>
>> Some things we should discuss from my point of view would be:
>>
>>  * Relevance of NT4 domains vs. AD domains
>>  * Same for NBNS vs. DNS
>>  * Shift from Samba 3 to Samba 4 (which shouldn't cause too much trouble,
>> though)
>>
>> However, I don't want to limit the discussion on these points. Just go
>> ahead and point out what you think. As usual, I will comment when necessary
>> and condense all the comments into a draft for potential updated objectives
>> which we will then review altogether again.
>>
>> Looking forward to an interesting discussion,
>>
>> Fabian
>>
>>
>> ___
>> lpi-examdev mailing list
>> lpi-examdev@lpi.org
>> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev



-- 

--
Bryan J Smith  -  http://www.linkedin.com/in/bjsmith
E-mail:  b.j.smith at ieee.org  or  me at bjsmith.me
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

Re: [lpi-examdev] LPIC-300 Objective Discussion

[G. Matthew Rice]

+1 for these changes...samba 3 should definitely go.

I know there are a lot of samba3 installs still out therebut there
shouldn't be. :)

On Sep 17, 2016 2:17 PM, "Fabian Thorns"  wrote:

> Dear all,
>
> taking a look at
>
>   https://wiki.lpi.org/wiki/LPIC-3_300_Objectives_V1
>
> You will notice that it's time to review the current LPIC-300 objectives
> to ensure they are still up to date. Therefore I'd like you all to share
> your thoughts about our current objectives with the list, including wishes
> what should be changed in the next update. We have however to obey that it
> will be "minor update", so we can't fundamentally turn the while exam
> around.
>
> Some things we should discuss from my point of view would be:
>
>  * Relevance of NT4 domains vs. AD domains
>  * Same for NBNS vs. DNS
>  * Shift from Samba 3 to Samba 4 (which shouldn't cause too much trouble,
> though)
>
> However, I don't want to limit the discussion on these points. Just go
> ahead and point out what you think. As usual, I will comment when necessary
> and condense all the comments into a draft for potential updated objectives
> which we will then review altogether again.
>
> Looking forward to an interesting discussion,
>
> Fabian
>
>
> ___
> lpi-examdev mailing list
> lpi-examdev@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev

[lpi-examdev] LPIC-300 Objective Discussion

[Fabian Thorns]

Dear all,

taking a look at

  https://wiki.lpi.org/wiki/LPIC-3_300_Objectives_V1

You will notice that it's time to review the current LPIC-300 objectives to
ensure they are still up to date. Therefore I'd like you all to share your
thoughts about our current objectives with the list, including wishes what
should be changed in the next update. We have however to obey that it will
be "minor update", so we can't fundamentally turn the while exam around.

Some things we should discuss from my point of view would be:

 * Relevance of NT4 domains vs. AD domains
 * Same for NBNS vs. DNS
 * Shift from Samba 3 to Samba 4 (which shouldn't cause too much trouble,
though)

However, I don't want to limit the discussion on these points. Just go
ahead and point out what you think. As usual, I will comment when necessary
and condense all the comments into a draft for potential updated objectives
which we will then review altogether again.

Looking forward to an interesting discussion,

Fabian
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev