Difference between revisions of "LPIC-300 Objectives V3.0"

From LPI Wiki
(393.1 File Services (weight: 4))
(304.3 Windows Clients (weight: 3))
 
(52 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
'''ATTENTION: THIS PAGE IS UNDER CONSTRUCTION'''
 
  
 
__FORCETOC__
 
__FORCETOC__
 
 
'''ATTENTION: THIS PAGE IS UNDER CONSTRUCTION'''
 
  
 
==Introduction==
 
==Introduction==
Line 15: Line 10:
 
==Version Information==
 
==Version Information==
  
These objectives are '''A DRAFT FOR''' version 3.0.
+
These objectives are for version 3.0.
  
LPIC-300 version 1.0 was partially formed from content in the [[LPIC-3_301_Objectives|301]] and [[LPIC-3_302_Objectives|302]] exams.
+
The preceding version [[LPIC-3 300 Objectives V1|1.0 objectives]] can be found [[LPIC-3 300 Objectives V1|here]].
 
+
<br />
+
 
+
==Addenda==
+
 
+
===''Version Release (DATE TBD)''===
+
 
+
* released version 3.0
+
  
 
<br />
 
<br />
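Review bot: The added Addenda heading "Version Release (DATE TBD)" still carries a placeholder date, while the same hunk drops "A DRAFT FOR" from the version line. Either fill in the release date in this edit or keep the draft wording until the date is known, so the page does not read as both final and unreleased.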
Line 34: Line 21:
  
 
* [[LPIC-3_300_Objectives_V3.0|English]]
 
* [[LPIC-3_300_Objectives_V3.0|English]]
* [[LPIC-3_300_Objectives_V3.0(FR)|French]]
+
* [[LPIC-3_300_Objectives_V3.0(JA)|Japanese]]
* [[LPIC-3_300_Objectives_V3.0(ES)|Spanish]]
+
  
 
<br />
 
<br />
Line 41: Line 27:
 
==Objectives==
 
==Objectives==
  
===''Topic 392: Samba Basics''===
+
===''Topic 301: Samba Basics''===
  
====<span style="color:navy">392.1 Samba Concepts and Architecture (weight: 2)</span>====
+
====<span style="color:navy">301.1 Samba Concepts and Architecture (weight: 2)</span>====
  
 
{|
 
{|
Line 58: Line 44:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should understand the essential concepts of Samba, including the various Samba server processes and networking protocols used by Samba when acting in various roles.
+
Candidates should understand the essential concepts of Samba, including the various Samba server processes and networking protocols used by Samba when acting in various roles. Samba version 4.8 or higher is covered.
 
+
 
|}
 
|}
  
Line 68: Line 53:
 
* Understand the networking services used with SMB/CIFS and Active Directory, including their ports
 
* Understand the networking services used with SMB/CIFS and Active Directory, including their ports
 
* Understand the major features of SMB protocol versions 1.0, 2.0, 2.1 and 3.0
 
* Understand the major features of SMB protocol versions 1.0, 2.0, 2.1 and 3.0
* Knowledge of Samba 3 and Samba 4 differences
+
* Understand of Samba 3 and Samba 4 differences
 
* Awareness of Samba VFS modules
 
* Awareness of Samba VFS modules
 
* Awareness of Samba Clustering and CTDB
 
* Awareness of Samba Clustering and CTDB
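Review bot: The replacement bullet "Understand of Samba 3 and Samba 4 differences" is ungrammatical; the "of" is left over from the old "Knowledge of ..." wording. Suggest "Understand Samba 3 and Samba 4 differences", matching the other "Understand ..." bullets in this list.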
Line 78: Line 63:
 
<br />
 
<br />
  
====<span style="color:navy">392.2 Configure Samba (weight: 4)</span>====
+
====<span style="color:navy">301.2 Samba Configuration (weight: 4)</span>====
  
 
{|
 
{|
Line 99: Line 84:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Knowledge of Samba server file based configuration
+
* Manage Samba server file-based configuration
* Knowledge of Samba server registry based configuration
+
* Manage of Samba server registry-based configuration
* Knowledge of Samba configuration parameters and variables
+
* Manage of Samba configuration parameters and variables
 
* Understand Samba server roles and security modes
 
* Understand Samba server roles and security modes
 
* Configure Samba to use TLS
 
* Configure Samba to use TLS
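Review bot: Two of the three rewritten bullets keep a stray "of" from the old "Knowledge of ..." phrasing: "Manage of Samba server registry-based configuration" and "Manage of Samba configuration parameters and variables". Suggest dropping the "of" in both so they read like the first bullet, "Manage Samba server file-based configuration".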
Line 107: Line 92:
 
* Troubleshoot and debug configuration problems with Samba
 
* Troubleshoot and debug configuration problems with Samba
 
* Understand Windows tools used to configure a Samba Server
 
* Understand Windows tools used to configure a Samba Server
 
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
Line 138: Line 122:
 
<br />
 
<br />
  
====<span style="color:navy">392.3 Regular Samba Maintenance (weight: 2)</span>====
+
====<span style="color:navy">301.3 Regular Samba Maintenance (weight: 2)</span>====
  
 
{|
 
{|
Line 144: Line 128:
  
 
'''Weight'''
 
'''Weight'''
 
  
 
| style="background:#eaeaea" | 2
 
| style="background:#eaeaea" | 2
Line 154: Line 137:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should know about the various tools and utilities that are part of a Samba installation.
+
Candidates should know the various tools and utilities that are part of a Samba installation.
  
 
|}
 
|}
Line 180: Line 163:
 
<br />
 
<br />
  
====<span style="color:navy">392.4 Troubleshooting Samba (weight: 3)</span>====
+
====<span style="color:navy">301.4 Troubleshooting Samba (weight: 3)</span>====
  
 
{|
 
{|
Line 195: Line 178:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should be able to analyze and troubleshoot Samba issues. This includes accessing and modifying LDAP contents of a Samba server hosting an Active directory as well as working with trivial database files. Furthermore, candidates should be able to create a renamed clone of an existing Active Directory for debugging.
+
Candidates should be able to analyze and troubleshoot Samba issues. This includes accessing and modifying the LDAP content of a Samba server hosting an Active directory as well as working with trivial database files. Furthermore, candidates should be able to create a renamed clone of an existing Active Directory for debugging.
  
 
|}
 
|}
Line 238: Line 221:
 
<br />
 
<br />
  
===''Topic 3XX: Samba and Active Directory Domains''===
+
===''Topic 302: Samba and Active Directory Domains''===
  
====<span style="color:navy">3XX.1 Samba as Active Directory Domain Controller (weight: 5)</span>====
+
====<span style="color:navy">302.1 Samba as Active Directory Domain Controller (weight: 5)</span>====
  
 
{|
 
{|
Line 272: Line 255:
 
* Understand and configure Active Directory sites, including subnet assignments
 
* Understand and configure Active Directory sites, including subnet assignments
 
* Understand and manage FSMO roles, including their impact in case of an outage
 
* Understand and manage FSMO roles, including their impact in case of an outage
 +
* Configure authentication audit logging
 
* Configure SYSVOL replication using rsync or robocopy
 
* Configure SYSVOL replication using rsync or robocopy
 
* Integrate Samba with ntpd
 
* Integrate Samba with ntpd
Line 280: Line 264:
 
* smb.conf:
 
* smb.conf:
 
** server role
 
** server role
 +
** log level
 
* samba-tool domain (including relevant subcommands)
 
* samba-tool domain (including relevant subcommands)
 
* samba-tool fsmo (including relevant subcommands)
 
* samba-tool fsmo (including relevant subcommands)
Line 292: Line 277:
 
<br />
 
<br />
  
====<span style="color:navy">3XX.2 Active Directory Name Resolution (weight: 2)</span>====
+
====<span style="color:navy">302.2 Active Directory Name Resolution (weight: 2)</span>====
  
 
{|
 
{|
Line 334: Line 319:
 
<br />
 
<br />
  
====<span style="color:navy">3XX.3 Active Directory User Management (weight: 4)</span>====
+
====<span style="color:navy">302.3 Active Directory User Management (weight: 4)</span>====
  
 
{|
 
{|
Line 360: Line 345:
 
* Configure password expiration and change requirements
 
* Configure password expiration and change requirements
 
* Manage password policies and password setting objects
 
* Manage password policies and password setting objects
* Principals and their identification SID (DN, GUID)
+
* Understand principals and their identification SID (DN, GUID)
* User Principal Name (UPN) and User Principal Name Suffix (UPN Suffix)
+
* Understand User Principal Name (UPN) and User Principal Name Suffix (UPN Suffix)
* Security and Distribution Groups
+
* Understand and manage Security and Distribution Groups
 
* Understand and manage LDAP attributes of security principals
 
* Understand and manage LDAP attributes of security principals
 
* Understand and manage RFC2307 attributes in a Samba AD
 
* Understand and manage RFC2307 attributes in a Samba AD
Line 382: Line 367:
 
<br />
 
<br />
  
====<span style="color:navy">3XX.4 Samba Domain Membership (weight: 4)</span>====
+
====<span style="color:navy">302.4 Samba Domain Membership (weight: 4)</span>====
  
 
{|
 
{|
Line 397: Line 382:
 
| style="background:#eaeaea" |
 
| style="background:#eaeaea" |
  
Candidates should be able to join a Samba server into an existing Active Directory domain and authorize domain users to use the server. This includes installing and configuring the Winbindd service.
+
Candidates should be able to join a Samba server into an existing Active Directory domain and authorize domain users to use the server. This includes installing and configuring the Winbind service.
  
 
|}
 
|}
Line 403: Line 388:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Joining Samba to an existing AD domain
+
* Join Samba to an existing AD domain
 
* Configure Winbind service, including ID mapping
 
* Configure Winbind service, including ID mapping
 
+
* Understand and configure Winbind ID mapping, including various mapping backends  
Understand and configure Winbind ID mapping, including various mapping backends  
+
 
+
 
* Configure PAM and NSS to use Winbind
 
* Configure PAM and NSS to use Winbind
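Review bot: ID mapping is now listed twice in the Key Knowledge Areas of this hunk: the unchanged bullet "Configure Winbind service, including ID mapping" and the bullet "Understand and configure Winbind ID mapping, including various mapping backends". Suggest trimming the first to "Configure Winbind service" so each bullet covers one item.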
  
Line 442: Line 425:
 
<br />
 
<br />
  
====<span style="color:navy">394.5 Samba Local User Management (weight: 2)</span>====
+
====<span style="color:navy">302.5 Samba Local User Management (weight: 2)</span>====
  
 
{|
 
{|
Line 457: Line 440:
 
| style="background:#eaeaea" |
 
| style="background:#eaeaea" |
  
Candidates should be able to create and manage local user accounts on a stand alone samba server.
+
Candidates should be able to create and manage local user accounts on a stand alone Samba server.
  
 
|}
 
|}
Line 479: Line 462:
 
<br />
 
<br />
  
===''Topic 393: Samba Share Configuration''===
+
===''Topic 303: Samba Share Configuration''===
  
====<span style="color:navy">393.1 File Share Configuration (weight: 4)</span>====
+
====<span style="color:navy">303.1 File Share Configuration (weight: 4)</span>====
  
 
{|
 
{|
Line 503: Line 486:
  
 
* Create and configure CIFS file shares
 
* Create and configure CIFS file shares
* Samba share access configuration parameters
+
* Manage Samba share access configuration parameters
* Registry based share configuration
+
* Use registry based share configuration
 
* Manage profile and user home shares
 
* Manage profile and user home shares
 
* Plan file service migration
 
* Plan file service migration
Line 537: Line 520:
 
<br />
 
<br />
  
====<span style="color:navy">393.2 Linux File System and Share/Service Permissions (weight: 3)</span>====
+
====<span style="color:navy">303.2 File Share Security (weight: 3)</span>====
  
 
{|
 
{|
Line 552: Line 535:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should understand file permissions on a Linux file system in a mixed environment.
+
Candidates should understand file permissions on CIFS shares and on a Linux file system.
  
 
|}
 
|}
Line 558: Line 541:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Knowledge of file / directory permission control
+
* Enforce ownership and permissions of files and directories
* Understand how Samba interacts with Linux file system permissions and ACLs
+
* Manage ACLs for shares and folders
* Use Samba VFS to store Windows ACLs
+
* Understand POSIX, Extended POSIX and Windows ACLs
 +
* Understand how Samba stores Windows ACLs in Linux ACLs and extended attributes
 +
* Configure ACLs for profile and home folder shares
 +
* Configure encryption of CIFS connections
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
 
* smb.conf
 
* smb.conf
* chmod, chown
+
** create mask / create mode
* create mask, directory mask, force create mode, force directory mode
+
** directory mask / directory mode
 +
** force create mode
 +
** force directory mode
 +
** force user
 +
** force group / group
 +
** profile acls
 +
** inherit acls
 +
** map acl inherit
 +
** store dos attributes
 +
** vfs objects
 +
** smb encrypt
 +
* chown
 +
* chmod
 +
* getfacl
 +
* setfacl
 +
* getfattr
 
* smbcacls
 
* smbcacls
* getfacl, setfacl
+
* sharesec
* vfs_acl_xattr, vfs_acl_tdb and vfs objects
+
* SeDiskOperatorPrivilege
 +
* vfs_acl_xattr
 +
* vfs_acl_tdb
 +
* samba-tool ntacl (including subcommands)
 
<br />
 
<br />
  
====<span style="color:navy">393.3 Print Services (weight: 2)</span>====
+
====<span style="color:navy">303.3 DFS Share Configuration (weight: 1)</span>====
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
  
| style="background:#eaeaea" | 2
+
| style="background:#eaeaea" | 1
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should be able to create and manage print shares in a mixed environment.
+
Candidates should be able to create and manage DFS shares in Samba.
  
 
|}
 
|}
Line 593: Line 597:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Create and configure printer sharing
+
* Understand DFS
* Configure integration between Samba and CUPS
+
* Configure DFS shares
* Manage Windows print drivers and configure downloading of print drivers
+
* Configure [print$]
+
* Understand security concerns with printer sharing
+
* Uploading printer drivers for Point'n'Print driver installation using 'Add Print Driver Wizard' in Windows
+
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* smb.conf
+
* smb.conf:
* [print$]
+
** host msdfs
* CUPS
+
** msdfs root
* cupsd.conf
+
** msdfs proxy
* /var/spool/samba/
+
* ln
* smbspool
+
* rpcclient
+
* net
+
 
<br />
 
<br />
  
===''Topic 394: Samba User and Group Management''===
+
====<span style="color:navy">303.4 Print Share Configuration (weight: 2)</span>====
 
+
====<span style="color:navy">394.1 Managing User Accounts and Groups (weight: 4)</span>====
+
  
 
{|
 
{|
Line 621: Line 616:
 
'''Weight'''
 
'''Weight'''
  
| style="background:#eaeaea" | 4
+
| style="background:#eaeaea" | 2
 
|-
 
|-
 
| style="background:#dadada; padding-right:1em" |  
 
| style="background:#dadada; padding-right:1em" |  
Line 629: Line 624:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should be able to manage user and group accounts in a mixed environment.
+
Candidates should be able to create and manage print shares in Samba.
  
 
|}
 
|}
Line 635: Line 630:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Manager user and group accounts
+
* Understand Samba printing, including raw printing
* Understand user and group mapping
+
* Create and configure print shares
* Knowledge of user account management tools
+
* Configure integration between Samba and CUPS
* Use of the smbpasswd program
+
* Manage Windows print drivers and configure downloading of print drivers
* Force ownership of file and directory objects
+
* Upload printer drivers using 'Add Print Driver Wizard' in Windows
 +
* Preconfigure driver settings
 +
* Configure paper sizes and forms
 +
* Supported driver versions
 +
* Manage GPO options for trusted print servers
 +
* Awareness of spoolssd
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* pdbedit
+
*smb.conf:
* smb.conf
+
** printing
* samba-tool user (with subcommands)
+
** printable / print ok
* samba-tool group (with subcommands)
+
** printcap name / printcap
* smbpasswd
+
** spoolss: architecture = Windows x64
* /etc/passwd
+
* [printers]
* /etc/group
+
* [print$]
* force user, force group
+
* CUPS
* idmap
+
* cupsd.conf
 +
* /var/spool/samba/
 +
* smbspool
 +
* rpcclient (to execute topic-related commands (enumdrivers, enumprinters, setdriver)
 +
* net (included topic-related subcommands)
 +
* SePrintOperatorPrivilege
 
<br />
 
<br />
  
====<span style="color:navy">394.2 Authentication, Authorization and Winbind (weight: 5)</span>====
+
===''Topic 304: Samba Client Configuration''===
 +
 
 +
====<span style="color:navy">304.1 Linux Authentication Clients (weight: 5)</span>====
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
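Review bot: The added rpcclient entry has unbalanced parentheses: "rpcclient (to execute topic-related commands (enumdrivers, enumprinters, setdriver)" opens two and closes one. Suggest "rpcclient (to execute topic-related commands: enumdrivers, enumprinters, setdriver)". In the same list, "*smb.conf:" is missing the space after the asterisk that every other bullet has, and "Supported driver versions" is the only Key Knowledge Area without a verb.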
Line 663: Line 670:
 
| style="background:#eaeaea" | 5
 
| style="background:#eaeaea" | 5
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should understand the various authentication mechanisms and configure access control. Candidates should be able to install and configure the Winbind service.
+
Candidates should be familiar with management and authentication of user accounts. This includes configuration and use of NSS, PAM, SSSD and Kerberos for both local and remote directories and authentication mechanisms as well as enforcing a password policy.
  
 
|}
 
|}
Line 675: Line 682:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Setup a local password database
+
* Understand and configure NSS and PAM
* Perform password synchronization
+
* Enforce password complexity policies and periodic password changes
* Knowledge of different passdb backends
+
* Create home directories for new users
* Convert between Samba passdb backends
+
* Lock accounts automatically after failed login attempts
* Integrate Samba with LDAP
+
* Configure NSS and PAM to retrieve information from LDAP
* Configure Winbind service
+
* Configure SSSD authentication against Active Directory, IPA, LDAP and Kerberos domains and the local system’s authentication database
* Configure PAM and NSS
+
* Manage local accounts through SSSD
 +
* Obtain and manage Kerberos tickets
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* smb.conf
+
* /etc/pam.conf
* smbpasswd, tdbsam, ldapsam
+
* /etc/pam.d/
* passdb backend
+
* /etc/nsswitch.conf
* libnss_winbind
+
* /etc/login.defs
* libpam_winbind
+
* pam_ldap.so
* libpam_smbpass
+
* ldap.conf
* wbinfo
+
* pam_krb5.so
* getent
+
* pam_cracklib.so
* SID and foreign SID
+
* pam_tally2.so
* /etc/passwd
+
* pam_faillock.so
* /etc/group
+
* pam_mkhomedir.so
 
+
* chage
 +
* faillog
 +
* sssd
 +
* sssd.conf
 +
* sss_override
 +
* sss_cache
 +
* sss_debuglevel
 +
* sss_user* and sss_group*
 +
* /var/lib/sss/db/
 +
* krb5.conf
 +
* kinit
 +
* klist
 +
* kdestroy
 
<br />
 
<br />
  
===''Topic 395: Samba Domain Integration''===
+
====<span style="color:navy">304.2 Linux CIFS Clients (weight: 3)</span>====
 
+
====<span style="color:navy">395.1 Samba as a PDC and BDC (weight: 3)</span>====
+
  
 
{|
 
{|
Line 716: Line 734:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should be able to setup and maintain primary and backup domain controllers.  Candidates should be able to manage Windows/Linux client access to the NT-Style domains.
+
Candidates should be able to use remote CIFS shares from a Linux client. This includes client-side management of CIFS credentials and managing remote ACLs and quotas.
  
 
|}
 
|}
Line 722: Line 740:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Understand and configure domain membership and trust relationships
+
* Access remote CIFS shares from a Linux client
* Create and maintain a primary domain controller with Samba3 and Samba4
+
* Mount remote CIFS shares on a Linux client
* Create and maintain a backup domain controller with Samba3 and Samba4
+
* Automatically mount home directories
* Add computers to an existing domain
+
* Store and manage CIFS credentials securely
* Configure logon scripts
+
* Understand and manage permissions and file ownership of remote CIFS shares
* Configure roaming profiles
+
* Understand and manage quotas on CIFS shares
* Configure system policies
+
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
 
* smb.conf
 
* smb.conf
* security mode
+
* smbclient (including relevant subcommands)
* server role
+
* mount
* domain logons
+
* mount.cifs
* domain master
+
* /etc/fstab
* logon script
+
* pam_mount.so
* logon path
+
* pam_mount.conf.xml
* NTConfig.pol
+
* cifscreds
* net
+
* getcifsacl
* profiles
+
* setcifsacl
* add machine script
+
* smbcquotas
* profile acls
+
* cifsiostat
 +
* smbget
 +
* smbtar
  
 
<br />
 
<br />
  
====<span style="color:navy">395.2 Samba4 as an AD compatible Domain Controller (weight: 3)</span>====
+
====<span style="color:navy">304.3 Windows Clients (weight: 3)</span>====
  
 
{|
 
{|
Line 762: Line 781:
 
| style="background:#eaeaea" |  
 
| style="background:#eaeaea" |  
  
Candidates should be able to configure Samba 4 as an AD Domain Controller.
+
Candidates should be able to access CIFS and print shares from Windows hosts and join such hosts into an Active Directory domain. Furthermore, candidates should be able to manage Windows hosts using GPOs and access remote Windows hosts.
  
 
|}
 
|}
Line 768: Line 787:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Configure and test Samba 4 as an AD DC
+
* Understand how to set up and use Windows hosts
* Using smbclient to confirm AD operation
+
* Join a Windows host to an Active Directory domain
* Understand how Samba integrates with AD services: DNS, Kerberos, NTP, LDAP
+
* Access remote CIFS shares from a Windows client
 +
* Configure printing to remote printers from a Windows client
 +
* Configure file and print shares on a Windows host
 +
* Understand the concept, structure and capabilities of GPOs
 +
* Create and modify GPOs and apply GPOs to machines or users
 +
* Access a remote Windows desktop
 +
* Create and configure logon scripts
 +
* Configure roaming profiles for Active Directory users
 +
* Configure profile folder redirects
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* smb.conf
+
* smb.conf:
* server role
+
** logon path
* samba-tool domain (with subcommands)
+
** logon script
* samba
+
* net (Windows command; including all relevant subcommands)
 
+
* samba-tool gpo (including all relevant subcommands)
 +
* gpupdate (Windows command)
 +
* rdesktop
 
<br />
 
<br />
  
====<span style="color:navy">395.3 Configure Samba as a Domain Member Server (weight: 3)</span>====
+
===''Topic 305: Linux Identity Management and File Sharing''===
 +
 
 +
====<span style="color:navy">305.1 FreeIPA Installation and Maintenance (weight: 2)</span>====
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
  
| style="background:#eaeaea" | 3
+
| style="background:#eaeaea" | 2
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should be able to integrate Linux servers into an environment where Active Directory is present.
+
Candidates should be able to set up and manage a FreeIPA domain using standard settings and default services. This includes setting up replication and joining clients to the domain.
  
 
|}
 
|}
Line 802: Line 833:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Joining Samba to an existing NT4 domain
+
* Understand the features, architecture as well as server-side and client-side components of FreeIPA
* Joining Samba to an existing AD domain
+
* Install a FreeIPA server
* Ability to obtain a TGT from a KDC
+
* Set up and manage a FreeIPA domain using standard settings and default services
 +
* Understand replication topology and configure FreeIPA replication
 +
* Join clients to an existing FreeIPA domain
 +
* Awareness of ipa-backup
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* smb.conf
+
* ipa-server-install
* server role
+
* ipa-replica-prepare
* server security
+
* ipa-replica-install
* net command
+
* ipa-client-install
* kinit, TGT and REALM
+
* ipactl
 
+
 
<br />
 
<br />
<br />
 
 
===''Topic 396: Samba Name Services''===
 
 
 
  
====<span style="color:navy">396.1 NetBIOS and WINS (weight: 3)</span>====
+
====<span style="color:navy">305.2 FreeIPA Entity Management (weight: 4)</span>====
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
  
| style="background:#eaeaea" | 3
+
| style="background:#eaeaea" | 4
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing.
+
Candidates should be able manage users, hosts and services in a FreeIPA domain.
  
 
|}
 
|}
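Review bot: The new 305.2 description drops a word: "Candidates should be able manage users, hosts and services in a FreeIPA domain." Suggest "should be able to manage", as in the other descriptions on the page.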
Line 842: Line 870:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Understand WINS concepts
+
* Manage user accounts and groups
* Understand NetBIOS concepts
+
* Manage hosts, hostgroups and services
* Understand the role of a local master browser
+
* Understand the principle of IPA access control permissions, privileges and roles
* Understand the role of a domain master browser
+
* Understand ID views
* Understand the role of Samba as a WINS server
+
* Awareness of sudo, autofs, SSH, SELinux and NIS integration as well as host based access control in FreeIPA
* Understand name resolution
+
* Awareness of the FreeIPA CA
* Configure Samba as a WINS server
+
* Configure WINS replication
+
* Understand NetBIOS browsing and browser elections
+
* Understand NETBIOS name types
+
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* smb.conf
+
* ipa (including relevant user-*, stageuser-* and group-* and idview-* subcommands)
* nmblookup
+
* ipa (including relevant host-*, hostgroup-*, service-* and getkeytab subcommands)
* smbclient
+
* ipa (including relevant permission-*, privilege-*, and role-* subcommands)
* name resolve order
+
* ipctl
* lmhosts
+
* ipa-advice
* wins support, wins server, wins proxy, dns proxy
+
* domain master, os level, preferred master
+
 
+
 
<br />
 
<br />
  
====<span style="color:navy">396.2 Active Directory Name Resolution (weight: 2)</span>====
+
====<span style="color:navy">305.3 FreeIPA Active Directory Integration (weight: 2)</span>====
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
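Review bot: The utilities list for 305.2 adds "ipctl", which looks like a misspelling of "ipactl", the name used in the 305.1 list earlier in this diff. Suggest correcting the spelling, or dropping the entry if it is meant to be the same tool already listed under 305.1.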
Line 874: Line 895:
 
| style="background:#eaeaea" | 2
 
| style="background:#eaeaea" | 2
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should be familiar with the internal DNS server with Samba4.
+
Candidates should be able to set up a cross-forest trust between a FreeIPA and an Active Directory domain.
  
 
|}
 
|}
Line 886: Line 907:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Understand and manage DNS for Samba4 as an AD Domain Controller
+
* Understand and set up FreeIPA and Active Directory integration using Kerberos cross-realm trusts
* DNS forwarding with the internal DNS server of Samba4
+
* Configure ID ranges in FreeIPA
 +
* Understand and manage external non-POSIX groups in FreeIPA
 +
* Awareness of Microsoft Privilege Attribute Certificates and how they are handled by FreeIPA
 +
* Awareness of replication based FreeIPA and Active Directory integration
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* samba-tool dns (with subcommands)
+
* ipa-adtrust-install
* smb.conf
+
* ipa (including relevant trust-*, idrange-* and group-* subcommands)
* dns forwarder
+
* /etc/resolv.conf
+
* dig, host
+
 
+
 
<br />
 
<br />
  
===''Topic 397: Working with Linux and Windows Clients''===
+
====<span style="color:navy">305.4 Network File System (weight: 3)</span>====
 
+
====<span style="color:navy">397.1 CIFS Integration (weight: 3)</span>====
+
  
 
{|
 
{|
| style="background:#dadada" |  
+
| style="background:#dadada" |
  
 
'''Weight'''
 
'''Weight'''
Line 910: Line 928:
 
| style="background:#eaeaea" | 3
 
| style="background:#eaeaea" | 3
 
|-
 
|-
| style="background:#dadada; padding-right:1em" |  
+
| style="background:#dadada; padding-right:1em" |
  
 
'''Description'''
 
'''Description'''
  
| style="background:#eaeaea" |  
+
| style="background:#eaeaea" |
  
Candidates should be comfortable working with CIFS in a mixed environment.
+
Candidates should be able to use NFSv4. This includes understanding ID mapping, NFSv4 ACLs and Kerberos authentication for NFS.
  
 
|}
 
|}
Line 922: Line 940:
 
'''Key Knowledge Areas:'''
 
'''Key Knowledge Areas:'''
  
* Understand SMB/CIFS concepts
+
* Understand major NFSv4 features
* Access and mount remote CIFS shares from a Linux client
+
* Configure and manage an NFSv4 server and clients
* Securely storing CIFS credentials
+
* Understand and use the NFSv4 pseudo file system
* Understand features and benefits of CIFS
+
* Understand and use NFSv4 ACLs
* Understand permissions and file ownership of remote CIFS shares
+
* Use Kerberos for for NFSv4 authentication  
  
 
'''The following is a partial list of the used files, terms and utilities:'''
 
'''The following is a partial list of the used files, terms and utilities:'''
  
* SMB/CIFS
+
* exportfs
* mount, mount.cifs
+
* /etc/exports
* smbclient
+
* /etc/idmapd.conf
* smbget
+
* nfs4_editfacl
* smbtar
+
* nfs4_getfacl
* smbtree
+
* nfs4_setfacl
* findsmb
+
* mount (including common NFS mount options)
* smb.conf
+
* smbcquotas
+
 
* /etc/fstab
 
* /etc/fstab
 
<br />
 
 
====<span style="color:navy">397.2 Working with Windows Clients (weight: 2)</span>====
 
 
{|
 
| style="background:#dadada" |
 
 
'''Weight'''
 
 
| style="background:#eaeaea" | 2
 
|-
 
| style="background:#dadada; padding-right:1em" |
 
 
'''Description'''
 
 
| style="background:#eaeaea" |
 
 
Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers.
 
 
|}
 
 
'''Key Knowledge Areas:'''
 
 
* Knowledge of Windows clients
 
* Explore browse lists and SMB clients from Windows
 
* Share file / print resources from Windows
 
* Use of the smbclient program
 
* Use of the Windows net utility
 
 
'''The following is a partial list of the used files, terms and utilities:'''
 
 
* Windows net command
 
* smbclient
 
* control panel
 
* rdesktop
 
* workgroup
 
 
 
<br />
 
<br />
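Review bot: The added 305.4 bullet "Use Kerberos for for NFSv4 authentication" repeats "for" and carries a trailing space. Suggest "Use Kerberos for NFSv4 authentication".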

Latest revision as of 12:30, 15 February 2021


Introduction

A complete description of the LPIC-3 certification program can be found here.


Version Information

These objectives are for version 3.0.

The preceding version 1.0 objectives can be found here.


Translations of Objectives

The following translations of the objectives are available on this wiki:


Objectives

Topic 301: Samba Basics

301.1 Samba Concepts and Architecture (weight: 2)

Weight

2

Description

Candidates should understand the essential concepts of Samba, including the various Samba server processes and networking protocols used by Samba when acting in various roles. Samba version 4.8 or higher is covered.

Key Knowledge Areas:

  • Understand the roles of the various Samba daemons and components
  • Understand key issues regarding heterogeneous networks
  • Understand the networking services used with SMB/CIFS and Active Directory, including their ports
  • Understand the major features of SMB protocol versions 1.0, 2.0, 2.1 and 3.0
  • Understand Samba 3 and Samba 4 differences
  • Awareness of Samba VFS modules
  • Awareness of Samba Clustering and CTDB

Partial list of the used files, terms and utilities:

  • smbd, nmbd, samba, winbindd


301.2 Samba Configuration (weight: 4)

Weight

4

Description

Candidates should be able to configure the Samba daemons.

Key Knowledge Areas:

  • Manage Samba server file-based configuration
  • Manage Samba server registry-based configuration
  • Manage Samba configuration parameters and variables
  • Understand Samba server roles and security modes
  • Configure Samba to use TLS
  • Check the validity of a Samba configuration
  • Troubleshoot and debug configuration problems with Samba
  • Understand Windows tools used to configure a Samba Server

The following is a partial list of the used files, terms and utilities:

  • smb.conf
    • security
    • server role
    • server string
    • server services
    • tls enabled
    • tls keyfile
    • tls certfile
    • tls dh params file
    • tls cafile
    • config backend
    • registry shares
    • include
    • vfs objects
  • samba-regedit
  • HKLM\Software\Samba\
  • REG_SZ, REG_MULTI_SZ
  • testparm
  • net registry (including relevant subcommands)
  • Microsoft RSAT Tools
  • Microsoft MMC
  • Microsoft ADSI Edit
  • Microsoft LDP
  • Microsoft Regedit


301.3 Regular Samba Maintenance (weight: 2)

Weight

2

Description

Candidates should know the various tools and utilities that are part of a Samba installation.

Key Knowledge Areas:

  • Start and stop Samba services on domain controllers and file servers
  • Monitor and interact with running Samba daemons
  • Backup and restore TDB files
  • Backup and restore an Active Directory domain controller
  • Understand backup and recovery strategies for Active Directory domain controllers
  • Understand the impact of virtualization on Active Directory domain controllers

The following is a partial list of the used files, terms and utilities:

  • systemctl
  • smbcontrol (including relevant message types)
  • smbstatus
  • tdbbackup
  • tdbrestore
  • samba-tool domain backup (including subcommands)
  • Virtual Machine Generation Identifier
  • Virtual Machine Snapshots


301.4 Troubleshooting Samba (weight: 3)

Weight

3

Description

Candidates should be able to analyze and troubleshoot Samba issues. This includes accessing and modifying the LDAP content of a Samba server hosting an Active Directory as well as working with trivial database files. Furthermore, candidates should be able to create a renamed clone of an existing Active Directory for debugging.

Key Knowledge Areas:

  • Configure Samba logging, including setting log levels for specific debug classes and client-specific logging
  • Query and modify the Samba password database
  • Understand the contents of important TDB files
  • List and edit TDB file content
  • Identify TDB file corruption
  • Access and modify objects in a Samba LDAP directory
  • Enable and use the LDAP recycle bin
  • Confirm the integrity of a domain controller’s database
  • Create a renamed clone of a domain controller
  • Awareness of Samba eventlog shipping
  • Use rpcclient to query information on a Samba server


The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • log level
    • debuglevel
  • /var/log/samba/
  • smbpasswd
  • pdbedit
  • registry.tdb
  • secrets.tdb
  • tdbdump
  • tdbtool
  • ldbsearch
  • ldbmodify
  • ldbedit
  • ldbadd
  • ldbdel
  • LDIF
  • samba-tool dbcheck
  • samba-tool domain backup (including relevant subcommands)
  • rpcclient


Topic 302: Samba and Active Directory Domains

302.1 Samba as Active Directory Domain Controller (weight: 5)

Weight

5

Description

Candidates should be able to configure Samba as an Active Directory domain controller. This includes managing an Active Directory domain.

Key Knowledge Areas:

  • Understand the concepts of Active Directory
  • Understand the principles of the network services used by Active Directory (i.e. DNS, Kerberos, NTP, LDAP, CIFS and MS-RPC)
  • Set up a new Active Directory domain using Samba
  • Add a Samba domain controller to an existing Active Directory domain
  • Demote and remove online and offline domain controllers
  • Verify AD replication
  • Understand and query the global catalog and the partial attribute set
  • Understand and configure domain functional levels
  • Understand and configure Active Directory forest and domain trusts
  • Understand and configure Active Directory sites, including subnet assignments
  • Understand and manage FSMO roles, including their impact in case of an outage
  • Configure authentication audit logging
  • Configure SYSVOL replication using rsync or robocopy
  • Integrate Samba with ntpd
  • Awareness of Windows NT4 domains

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • server role
    • log level
  • samba-tool domain (including relevant subcommands)
  • samba-tool fsmo (including relevant subcommands)
  • samba-tool drs (including relevant subcommands)
  • samba-tool sites (including relevant subcommands)
  • rsync
  • rsync.conf
  • /var/lib/samba/sysvol
  • robocopy
  • ntpd.conf
    • ntpsigndsocket


302.2 Active Directory Name Resolution (weight: 2)

Weight

2

Description

Candidates should be familiar with the internal DNS server of Samba.

Key Knowledge Areas:

  • Understand and manage DNS for Samba as an AD domain controller
  • Manage DNS records in Samba DNS
  • DNS forwarding
  • Standardized names in an Active Directory
  • Multicast DNS
  • Awareness of BIND9 DLZ DNS back end
  • Awareness of NetBIOS name resolution and WINS

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • dns forwarder
    • allow dns updates
    • multicast dns register
  • samba-tool dns (with subcommands)
  • samba_dnsupdate
  • dig
  • host
  • /etc/resolv.conf


302.3 Active Directory User Management (weight: 4)

Weight

4

Description

Candidates should be able to manage user and group accounts on a standalone server and in a Samba based Active Directory.

Key Knowledge Areas:

  • Manage user accounts and user groups for standalone servers and Samba AD
  • Knowledge of user account management tools
  • Delegate administrative permissions in AD to specific users / user groups
  • Configure password expiration and change requirements
  • Manage password policies and password setting objects
  • Understand principals and their identification SID (DN, GUID)
  • Understand User Principal Name (UPN) and User Principal Name Suffix (UPN Suffix)
  • Understand and manage Security and Distribution Groups
  • Understand and manage LDAP attributes of security principals
  • Understand and manage RFC2307 attributes in a Samba AD
  • Map Kerberos service principal names to user accounts
  • Export Kerberos keytabs for a specific principal
  • Awareness of LDAP Account Manager

The following is a partial list of the used files, terms and utilities:

  • samba-tool user (including relevant subcommands)
  • samba-tool group (including relevant subcommands)
  • samba-tool domain passwordsettings
  • samba-tool domain exportkeytab
  • samba-tool spn (including relevant subcommands)
  • smbpasswd
  • pdbedit
  • kinit
  • klist


302.4 Samba Domain Membership (weight: 4)

Weight

4

Description

Candidates should be able to join a Samba server into an existing Active Directory domain and authorize domain users to use the server. This includes installing and configuring the Winbind service.

Key Knowledge Areas:

  • Join Samba to an existing AD domain
  • Configure Winbind service, including ID mapping
  • Understand and configure Winbind ID mapping, including various mapping backends
  • Configure PAM and NSS to use Winbind

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • security
    • server role
    • realm
    • workgroup
    • idmap config
    • winbind enumerate users
    • winbind enumerate groups
    • winbind offline logon
    • winbind separator
    • template shell
    • template homedir
    • allow trusted domains
  • idmap_ad
  • idmap_autorid
  • idmap_ldap
  • idmap_rfc2307
  • idmap_rid
  • idmap_tdb
  • idmap_tdb2
  • net ads (including relevant subcommands)
  • /etc/nsswitch.conf
  • /etc/pam.conf
  • /etc/pam.d/
  • libnss_winbind
  • libpam_winbind
  • getent
  • wbinfo


302.5 Samba Local User Management (weight: 2)

Weight

2

Description

Candidates should be able to create and manage local user accounts on a standalone Samba server.

Key Knowledge Areas:

  • Set up a local password database
  • Perform password synchronization
  • Knowledge of different passdb backends
  • Convert between Samba passdb backends

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • passdb backend
  • /etc/passwd
  • /etc/group
  • pam_smbpass.so
  • smbpasswd
  • pdbedit


Topic 303: Samba Share Configuration

303.1 File Share Configuration (weight: 4)

Weight

4

Description

Candidates should be able to create and configure CIFS file shares in Samba.

Key Knowledge Areas:

  • Create and configure CIFS file shares
  • Manage Samba share access configuration parameters
  • Use registry based share configuration
  • Manage profile and user home shares
  • Plan file service migration
  • Limit access to IPC$
  • Awareness of user shares
  • Awareness of existing VFS modules and their general functionality, including modules to support audit logs and snapshots / shadow copies

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • path
    • browsable
    • writable / write ok / read only
    • valid users
    • invalid users
    • read list
    • write list
    • guest ok
    • hosts allow / allow hosts
    • hosts deny / deny hosts
    • copy
    • hide unreadable
    • hide unwritable files
    • hide dot files
    • hide special files
    • veto files
    • delete veto files
  • [homes]
  • [IPC$]
  • smbcquotas


303.2 File Share Security (weight: 3)

Weight

3

Description

Candidates should understand file permissions on CIFS shares and on a Linux file system.

Key Knowledge Areas:

  • Enforce ownership and permissions of files and directories
  • Manage ACLs for shares and folders
  • Understand POSIX, Extended POSIX and Windows ACLs
  • Understand how Samba stores Windows ACLs in Linux ACLs and extended attributes
  • Configure ACLs for profile and home folder shares
  • Configure encryption of CIFS connections

The following is a partial list of the used files, terms and utilities:

  • smb.conf
    • create mask / create mode
    • directory mask / directory mode
    • force create mode
    • force directory mode
    • force user
    • force group / group
    • profile acls
    • inherit acls
    • map acl inherit
    • store dos attributes
    • vfs objects
    • smb encrypt
  • chown
  • chmod
  • getfacl
  • setfacl
  • getfattr
  • smbcacls
  • sharesec
  • SeDiskOperatorPrivilege
  • vfs_acl_xattr
  • vfs_acl_tdb
  • samba-tool ntacl (including subcommands)


303.3 DFS Share Configuration (weight: 1)

Weight

1

Description

Candidates should be able to create and manage DFS shares in Samba.

Key Knowledge Areas:

  • Understand DFS
  • Configure DFS shares

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • host msdfs
    • msdfs root
    • msdfs proxy
  • ln


303.4 Print Share Configuration (weight: 2)

Weight

2

Description

Candidates should be able to create and manage print shares in Samba.

Key Knowledge Areas:

  • Understand Samba printing, including raw printing
  • Create and configure print shares
  • Configure integration between Samba and CUPS
  • Manage Windows print drivers and configure downloading of print drivers
  • Upload printer drivers using 'Add Print Driver Wizard' in Windows
  • Preconfigure driver settings
  • Configure paper sizes and forms
  • Supported driver versions
  • Manage GPO options for trusted print servers
  • Awareness of spoolssd

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • printing
    • printable / print ok
    • printcap name / printcap
    • spoolss: architecture = Windows x64
  • [printers]
  • [print$]
  • CUPS
  • cupsd.conf
  • /var/spool/samba/
  • smbspool
  • rpcclient (to execute topic-related commands: enumdrivers, enumprinters, setdriver)
  • net (including topic-related subcommands)
  • SePrintOperatorPrivilege


Topic 304: Samba Client Configuration

304.1 Linux Authentication Clients (weight: 5)

Weight

5

Description

Candidates should be familiar with management and authentication of user accounts. This includes configuration and use of NSS, PAM, SSSD and Kerberos for both local and remote directories and authentication mechanisms as well as enforcing a password policy.

Key Knowledge Areas:

  • Understand and configure NSS and PAM
  • Enforce password complexity policies and periodic password changes
  • Create home directories for new users
  • Lock accounts automatically after failed login attempts
  • Configure NSS and PAM to retrieve information from LDAP
  • Configure SSSD authentication against Active Directory, IPA, LDAP and Kerberos domains and the local system’s authentication database
  • Manage local accounts through SSSD
  • Obtain and manage Kerberos tickets

The following is a partial list of the used files, terms and utilities:

  • /etc/pam.conf
  • /etc/pam.d/
  • /etc/nsswitch.conf
  • /etc/login.defs
  • pam_ldap.so
  • ldap.conf
  • pam_krb5.so
  • pam_cracklib.so
  • pam_tally2.so
  • pam_faillock.so
  • pam_mkhomedir.so
  • chage
  • faillog
  • sssd
  • sssd.conf
  • sss_override
  • sss_cache
  • sss_debuglevel
  • sss_user* and sss_group*
  • /var/lib/sss/db/
  • krb5.conf
  • kinit
  • klist
  • kdestroy


304.2 Linux CIFS Clients (weight: 3)

Weight

3

Description

Candidates should be able to use remote CIFS shares from a Linux client. This includes client-side management of CIFS credentials and managing remote ACLs and quotas.

Key Knowledge Areas:

  • Access remote CIFS shares from a Linux client
  • Mount remote CIFS shares on a Linux client
  • Automatically mount home directories
  • Store and manage CIFS credentials securely
  • Understand and manage permissions and file ownership of remote CIFS shares
  • Understand and manage quotas on CIFS shares

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • smbclient (including relevant subcommands)
  • mount
  • mount.cifs
  • /etc/fstab
  • pam_mount.so
  • pam_mount.conf.xml
  • cifscreds
  • getcifsacl
  • setcifsacl
  • smbcquotas
  • cifsiostat
  • smbget
  • smbtar


304.3 Windows Clients (weight: 3)

Weight

3

Description

Candidates should be able to access CIFS and print shares from Windows hosts and join such hosts into an Active Directory domain. Furthermore, candidates should be able to manage Windows hosts using GPOs and access remote Windows hosts.

Key Knowledge Areas:

  • Understand how to set up and use Windows hosts
  • Join a Windows host to an Active Directory domain
  • Access remote CIFS shares from a Windows client
  • Configure printing to remote printers from a Windows client
  • Configure file and print shares on a Windows host
  • Understand the concept, structure and capabilities of GPOs
  • Create and modify GPOs and apply GPOs to machines or users
  • Access a remote Windows desktop
  • Create and configure logon scripts
  • Configure roaming profiles for Active Directory users
  • Configure profile folder redirects

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • logon path
    • logon script
  • net (Windows command; including all relevant subcommands)
  • samba-tool gpo (including all relevant subcommands)
  • gpupdate (Windows command)
  • rdesktop


Topic 305: Linux Identity Management and File Sharing

305.1 FreeIPA Installation and Maintenance (weight: 2)

Weight

2

Description

Candidates should be able to set up and manage a FreeIPA domain using standard settings and default services. This includes setting up replication and joining clients to the domain.

Key Knowledge Areas:

  • Understand the features, architecture as well as server-side and client-side components of FreeIPA
  • Install a FreeIPA server
  • Set up and manage a FreeIPA domain using standard settings and default services
  • Understand replication topology and configure FreeIPA replication
  • Join clients to an existing FreeIPA domain
  • Awareness of ipa-backup

The following is a partial list of the used files, terms and utilities:

  • ipa-server-install
  • ipa-replica-prepare
  • ipa-replica-install
  • ipa-client-install
  • ipactl


305.2 FreeIPA Entity Management (weight: 4)

Weight

4

Description

Candidates should be able to manage users, hosts and services in a FreeIPA domain.

Key Knowledge Areas:

  • Manage user accounts and groups
  • Manage hosts, hostgroups and services
  • Understand the principle of IPA access control permissions, privileges and roles
  • Understand ID views
  • Awareness of sudo, autofs, SSH, SELinux and NIS integration as well as host based access control in FreeIPA
  • Awareness of the FreeIPA CA

The following is a partial list of the used files, terms and utilities:

  • ipa (including relevant user-*, stageuser-*, group-* and idview-* subcommands)
  • ipa (including relevant host-*, hostgroup-*, service-* and getkeytab subcommands)
  • ipa (including relevant permission-*, privilege-*, and role-* subcommands)
  • ipactl
  • ipa-advice


305.3 FreeIPA Active Directory Integration (weight: 2)

Weight

2

Description

Candidates should be able to set up a cross-forest trust between a FreeIPA and an Active Directory domain.

Key Knowledge Areas:

  • Understand and set up FreeIPA and Active Directory integration using Kerberos cross-realm trusts
  • Configure ID ranges in FreeIPA
  • Understand and manage external non-POSIX groups in FreeIPA
  • Awareness of Microsoft Privilege Attribute Certificates and how they are handled by FreeIPA
  • Awareness of replication based FreeIPA and Active Directory integration

The following is a partial list of the used files, terms and utilities:

  • ipa-adtrust-install
  • ipa (including relevant trust-*, idrange-* and group-* subcommands)


305.4 Network File System (weight: 3)

Weight

3

Description

Candidates should be able to use NFSv4. This includes understanding ID mapping, NFSv4 ACLs and Kerberos authentication for NFS.

Key Knowledge Areas:

  • Understand major NFSv4 features
  • Configure and manage an NFSv4 server and clients
  • Understand and use the NFSv4 pseudo file system
  • Understand and use NFSv4 ACLs
  • Use Kerberos for NFSv4 authentication

The following is a partial list of the used files, terms and utilities:

  • exportfs
  • /etc/exports
  • /etc/idmapd.conf
  • nfs4_editfacl
  • nfs4_getfacl
  • nfs4_setfacl
  • mount (including common NFS mount options)
  • /etc/fstab