Difference between revisions of "LPIC-300 Objectives V3.0"
FabianThorns (Talk | contribs) (→393.1 File Services (weight: 4)) |
FabianThorns (Talk | contribs) (→393.2 Linux File System and Share/Service Permissions (weight: 3)) |
||
Line 537: | Line 537: | ||
<br /> | <br /> | ||
− | ====<span style="color:navy">393.2 | + | ====<span style="color:navy">393.2 File Share Security (weight: 3)</span>==== |
{| | {| | ||
Line 552: | Line 552: | ||
| style="background:#eaeaea" | | | style="background:#eaeaea" | | ||
− | Candidates should understand file permissions on a Linux file system | + | Candidates should understand file permissions on CIFS shares and on a Linux file system. |
|} | |} | ||
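Review bot: the new description on the `+` side only asks candidates to "understand" file permissions, while the key knowledge areas added in the following hunk have them enforce ownership, manage ACLs and configure ACLs for profile and home folder shares. Consider wording the description as "understand and manage" so that it matches the tasks listed.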
Line 558: | Line 558: | ||
'''Key Knowledge Areas:''' | '''Key Knowledge Areas:''' | ||
− | * | + | * Enforce ownership and permissions of files and directories |
− | * Understand | + | * Manage ACLs for shares and folders |
− | * | + | * Understand POSIX, Extended POSIX and Windows ACLs |
+ | * Understand how Samba stores Windows ACLs in Linux ACLs and extended attributes | ||
+ | * Configure ACLs for profile and home folder shares | ||
'''The following is a partial list of the used files, terms and utilities:''' | '''The following is a partial list of the used files, terms and utilities:''' | ||
* smb.conf | * smb.conf | ||
− | * | + | ** create mask / create mode |
− | * create mask | + | ** directory mask / directory mode |
+ | ** force create mode | ||
+ | ** force directory mode | ||
+ | ** force user | ||
+ | ** force group / group | ||
+ | ** profile acls | ||
+ | ** inherit acls | ||
+ | ** map acl inherit | ||
+ | ** store dos attributes | ||
+ | ** vfs objects | ||
+ | * chown | ||
+ | * chmod | ||
+ | * getfacl | ||
+ | * setfacl | ||
+ | * getfattr | ||
* smbcacls | * smbcacls | ||
− | * | + | * sharesec |
− | * vfs_acl_xattr | + | * SeDiskOperatorPrivilege |
+ | * vfs_acl_xattr | ||
+ | * vfs_acl_tdb | ||
+ | * samba-tool ntacl (including subcommands) | ||
<br /> | <br /> | ||
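Review bot: `SeDiskOperatorPrivilege` is added to the utilities list with no tool for granting or listing it. Only accounts holding that privilege can set share permissions, so consider listing `net rpc rights` next to `sharesec`. The list also adds `getfattr` without `setfattr`, and `vfs_acl_xattr` shows as removed and re-added with no visible change, which looks like a whitespace-only edit.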
Revision as of 15:46, 24 January 2019
ATTENTION: THIS PAGE IS UNDER CONSTRUCTION
Introduction
A complete description of the LPIC-3 certification program can be found here.
Version Information
These objectives are A DRAFT FOR version 3.0.
LPIC-300 version 1.0 was partially formed from content in the 301 and 302 exams.
Addenda
Version Release (DATE TBD)
- released version 3.0
Translations of Objectives
The following translations of the objectives are available on this wiki:
Objectives
Topic 392: Samba Basics
392.1 Samba Concepts and Architecture (weight: 2)
Weight |
2 |
Description |
Candidates should understand the essential concepts of Samba, including the various Samba server processes and networking protocols used by Samba when acting in various roles. |
Key Knowledge Areas:
- Understand the roles of the various Samba daemons and components
- Understand key issues regarding heterogeneous networks
- Understand the networking services used with SMB/CIFS and Active Directory, including their ports
- Understand the major features of SMB protocol versions 1.0, 2.0, 2.1 and 3.0
- Knowledge of Samba 3 and Samba 4 differences
- Awareness of Samba VFS modules
- Awareness of Samba Clustering and CTDB
Partial list of the used files, terms and utilities:
- smbd, nmbd, samba, winbindd
392.2 Configure Samba (weight: 4)
Weight |
4 |
Description |
Candidates should be able to configure the Samba daemons. |
Key Knowledge Areas:
- Knowledge of Samba server file based configuration
- Knowledge of Samba server registry based configuration
- Knowledge of Samba configuration parameters and variables
- Understand Samba server roles and security modes
- Configure Samba to use TLS
- Check the validity of a Samba configuration
- Troubleshoot and debug configuration problems with Samba
- Understand Windows tools used to configure a Samba Server
The following is a partial list of the used files, terms and utilities:
- smb.conf
- security
- server role
- server string
- server services
- tls enabled
- tls keyfile
- tls certfile
- tls dh params file
- tls cafile
- config backend
- registry shares
- include
- vfs objects
- samba-regedit
- HKLM\Software\Samba\
- REG_SZ, REG_MULTI_SZ
- testparm
- net registry (including relevant subcommands)
- Microsoft RSAT Tools
- Microsoft MMC
- Microsoft ADSI Edit
- Microsoft LDP
- Microsoft Regedit
392.3 Regular Samba Maintenance (weight: 2)
Weight |
2 |
Description |
Candidates should know about the various tools and utilities that are part of a Samba installation. |
Key Knowledge Areas:
- Start and stop Samba services on domain controllers and file servers
- Monitor and interact with running Samba daemons
- Backup and restore TDB files
- Backup and restore an Active Directory domain controller
- Understand backup and recovery strategies for Active Directory domain controllers
- Understand the impact of virtualization on Active Directory domain controllers
The following is a partial list of the used files, terms and utilities:
- systemctl
- smbcontrol (including relevant message types)
- smbstatus
- tdbbackup
- tdbrestore
- samba-tool domain backup (including subcommands)
- Virtual Machine Generation Identifier
- Virtual Machine Snapshots
392.4 Troubleshooting Samba (weight: 3)
Weight |
3 |
Description |
Candidates should be able to analyze and troubleshoot Samba issues. This includes accessing and modifying LDAP contents of a Samba server hosting an Active Directory as well as working with trivial database files. Furthermore, candidates should be able to create a renamed clone of an existing Active Directory for debugging. |
Key Knowledge Areas:
- Configure Samba logging, including setting log levels for specific debug classes and client-specific logging
- Query and modify the Samba password database
- Understand the contents of important TDB files
- List and edit TDB file content
- Identify TDB file corruption
- Access and modify objects in a Samba LDAP directory
- Enable and use the LDAP recycle bin
- Confirm the integrity of a domain controller’s database
- Create a renamed clone of a domain controller
- Awareness of Samba eventlog shipping
- Use rpcclient to query information on a Samba server
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- log level
- debuglevel
- /var/log/samba/
- smbpasswd
- pdbedit
- registry.tdb
- secrets.tdb
- tdbdump
- tdbtool
- ldbsearch
- ldbmodify
- ldbedit
- ldbadd
- ldbdel
- LDIF
- samba-tool dbcheck
- samba-tool domain backup (including relevant subcommands)
- rpcclient
Topic 3XX: Samba and Active Directory Domains
3XX.1 Samba as Active Directory Domain Controller (weight: 5)
Weight |
5 |
Description |
Candidates should be able to configure Samba as an Active Directory domain controller. This includes managing an Active Directory domain. |
Key Knowledge Areas:
- Understand the concepts of Active Directory
- Understand the principles of the network services used by Active Directory (i.e. DNS, Kerberos, NTP, LDAP, CIFS and MS-RPC)
- Set up a new Active Directory domain using Samba
- Add a Samba domain controller to an existing Active Directory domain
- Demote and remove online and offline domain controllers
- Verify AD replication
- Understand and query the global catalog and the partial attribute set
- Understand and configure domain functional levels
- Understand and configure Active Directory forest and domain trusts
- Understand and configure Active Directory sites, including subnet assignments
- Understand and manage FSMO roles, including their impact in case of an outage
- Configure SYSVOL replication using rsync or robocopy
- Integrate Samba with ntpd
- Awareness of Windows NT4 domains
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- server role
- samba-tool domain (including relevant subcommands)
- samba-tool fsmo (including relevant subcommands)
- samba-tool drs (including relevant subcommands)
- samba-tool sites (including relevant subcommands)
- rsync
- rsync.conf
- /var/lib/samba/sysvol
- robocopy
- ntpd.conf
- ntpsigndsocket
3XX.2 Active Directory Name Resolution (weight: 2)
Weight |
2 |
Description |
Candidates should be familiar with the internal DNS server of Samba. |
Key Knowledge Areas:
- Understand and manage DNS for Samba as an AD domain controller
- Manage DNS records in Samba DNS
- DNS forwarding
- Standardized names in an Active Directory
- Multicast DNS
- Awareness of BIND9 DLZ DNS back end
- Awareness of NetBIOS name resolution and WINS
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- dns forwarder
- allow dns updates
- multicast dns register
- samba-tool dns (with subcommands)
- samba_dnsupdate
- dig
- host
- /etc/resolv.conf
3XX.3 Active Directory User Management (weight: 4)
Weight |
4 |
Description |
Candidates should be able to manage user and group accounts on a standalone server and in a Samba based Active Directory. |
Key Knowledge Areas:
- Manage user accounts and user groups for standalone servers and Samba AD
- Knowledge of user account management tools
- Delegate administrative permissions in AD to specific users / user groups
- Configure password expiration and change requirements
- Manage password policies and password setting objects
- Principals and their identification SID (DN, GUID)
- User Principal Name (UPN) and User Principal Name Suffix (UPN Suffix)
- Security and Distribution Groups
- Understand and manage LDAP attributes of security principals
- Understand and manage RFC2307 attributes in a Samba AD
- Map Kerberos service principal names to user accounts
- Export Kerberos keytabs for a specific principal
- Awareness of LDAP Account Manager
The following is a partial list of the used files, terms and utilities:
- samba-tool user (including relevant subcommands)
- samba-tool group (including relevant subcommands)
- samba-tool domain passwordsettings
- samba-tool domain exportkeytab
- samba-tool spn (including relevant subcommands)
- smbpasswd
- pdbedit
- kinit
- klist
3XX.4 Samba Domain Membership (weight: 4)
Weight |
4 |
Description |
Candidates should be able to join a Samba server into an existing Active Directory domain and authorize domain users to use the server. This includes installing and configuring the Winbindd service. |
Key Knowledge Areas:
- Joining Samba to an existing AD domain
- Configure Winbind service, including ID mapping
- Understand and configure Winbind ID mapping, including various mapping backends
- Configure PAM and NSS to use Winbind
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- security
- server role
- realm
- workgroup
- idmap config
- winbind enumerate users
- winbind enumerate groups
- winbind offline logon
- winbind separator
- template shell
- template homedir
- allow trusted domains
- idmap_ad
- idmap_autorid
- idmap_ldap
- idmap_rfc2307
- idmap_rid
- idmap_tdb
- idmap_tdb2
- net ads (including relevant subcommands)
- /etc/nsswitch.conf
- /etc/pam.conf
- /etc/pam.d/
- libnss_winbind
- libpam_winbind
- getent
- wbinfo
394.5 Samba Local User Management (weight: 2)
Weight |
2 |
Description |
Candidates should be able to create and manage local user accounts on a standalone Samba server. |
Key Knowledge Areas:
- Set up a local password database
- Perform password synchronization
- Knowledge of different passdb backends
- Convert between Samba passdb backends
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- passdb backend
- /etc/passwd
- /etc/group
- pam_smbpass.so
- smbpasswd
- pdbedit
393.1 File Services (weight: 4)
Weight |
4 |
Description |
Candidates should be able to create and configure CIFS file shares in Samba. |
Key Knowledge Areas:
- Create and configure CIFS file shares
- Samba share access configuration parameters
- Registry based share configuration
- Manage profile and user home shares
- Plan file service migration
- Limit access to IPC$
- Awareness of user shares
- Awareness of existing VFS modules and their general functionality, including modules to support audit logs and snapshots / shadow copies
The following is a partial list of the used files, terms and utilities:
- smb.conf:
- path
- browsable
- writable / write ok / read only
- valid users
- invalid users
- read list
- write list
- guest ok
- hosts allow / allow hosts
- hosts deny / deny hosts
- copy
- hide unreadable
- hide unwritable files
- hide dot files
- hide special files
- veto files
- delete veto files
- [homes]
- [IPC$]
- smbcquotas
393.2 File Share Security (weight: 3)
Weight |
3 |
Description |
Candidates should understand file permissions on CIFS shares and on a Linux file system. |
Key Knowledge Areas:
- Enforce ownership and permissions of files and directories
- Manage ACLs for shares and folders
- Understand POSIX, Extended POSIX and Windows ACLs
- Understand how Samba stores Windows ACLs in Linux ACLs and extended attributes
- Configure ACLs for profile and home folder shares
The following is a partial list of the used files, terms and utilities:
- smb.conf
- create mask / create mode
- directory mask / directory mode
- force create mode
- force directory mode
- force user
- force group / group
- profile acls
- inherit acls
- map acl inherit
- store dos attributes
- vfs objects
- chown
- chmod
- getfacl
- setfacl
- getfattr
- smbcacls
- sharesec
- SeDiskOperatorPrivilege
- vfs_acl_xattr
- vfs_acl_tdb
- samba-tool ntacl (including subcommands)
393.3 Print Services (weight: 2)
Weight |
2 |
Description |
Candidates should be able to create and manage print shares in a mixed environment. |
Key Knowledge Areas:
- Create and configure printer sharing
- Configure integration between Samba and CUPS
- Manage Windows print drivers and configure downloading of print drivers
- Configure [print$]
- Understand security concerns with printer sharing
- Uploading printer drivers for Point'n'Print driver installation using 'Add Print Driver Wizard' in Windows
The following is a partial list of the used files, terms and utilities:
- smb.conf
- [print$]
- CUPS
- cupsd.conf
- /var/spool/samba/
- smbspool
- rpcclient
- net
Topic 394: Samba User and Group Management
394.1 Managing User Accounts and Groups (weight: 4)
Weight |
4 |
Description |
Candidates should be able to manage user and group accounts in a mixed environment. |
Key Knowledge Areas:
- Manage user and group accounts
- Understand user and group mapping
- Knowledge of user account management tools
- Use of the smbpasswd program
- Force ownership of file and directory objects
The following is a partial list of the used files, terms and utilities:
- pdbedit
- smb.conf
- samba-tool user (with subcommands)
- samba-tool group (with subcommands)
- smbpasswd
- /etc/passwd
- /etc/group
- force user, force group
- idmap
394.2 Authentication, Authorization and Winbind (weight: 5)
Weight |
5 |
Description |
Candidates should understand the various authentication mechanisms and configure access control. Candidates should be able to install and configure the Winbind service. |
Key Knowledge Areas:
- Set up a local password database
- Perform password synchronization
- Knowledge of different passdb backends
- Convert between Samba passdb backends
- Integrate Samba with LDAP
- Configure Winbind service
- Configure PAM and NSS
The following is a partial list of the used files, terms and utilities:
- smb.conf
- smbpasswd, tdbsam, ldapsam
- passdb backend
- libnss_winbind
- libpam_winbind
- libpam_smbpass
- wbinfo
- getent
- SID and foreign SID
- /etc/passwd
- /etc/group
Topic 395: Samba Domain Integration
395.1 Samba as a PDC and BDC (weight: 3)
Weight |
3 |
Description |
Candidates should be able to set up and maintain primary and backup domain controllers. Candidates should be able to manage Windows/Linux client access to the NT-Style domains. |
Key Knowledge Areas:
- Understand and configure domain membership and trust relationships
- Create and maintain a primary domain controller with Samba3 and Samba4
- Create and maintain a backup domain controller with Samba3 and Samba4
- Add computers to an existing domain
- Configure logon scripts
- Configure roaming profiles
- Configure system policies
The following is a partial list of the used files, terms and utilities:
- smb.conf
- security mode
- server role
- domain logons
- domain master
- logon script
- logon path
- NTConfig.pol
- net
- profiles
- add machine script
- profile acls
395.2 Samba4 as an AD compatible Domain Controller (weight: 3)
Weight |
3 |
Description |
Candidates should be able to configure Samba 4 as an AD Domain Controller. |
Key Knowledge Areas:
- Configure and test Samba 4 as an AD DC
- Using smbclient to confirm AD operation
- Understand how Samba integrates with AD services: DNS, Kerberos, NTP, LDAP
The following is a partial list of the used files, terms and utilities:
- smb.conf
- server role
- samba-tool domain (with subcommands)
- samba
395.3 Configure Samba as a Domain Member Server (weight: 3)
Weight |
3 |
Description |
Candidates should be able to integrate Linux servers into an environment where Active Directory is present. |
Key Knowledge Areas:
- Joining Samba to an existing NT4 domain
- Joining Samba to an existing AD domain
- Ability to obtain a TGT from a KDC
The following is a partial list of the used files, terms and utilities:
- smb.conf
- server role
- server security
- net command
- kinit, TGT and REALM
Topic 396: Samba Name Services
396.1 NetBIOS and WINS (weight: 3)
Weight |
3 |
Description |
Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing. |
Key Knowledge Areas:
- Understand WINS concepts
- Understand NetBIOS concepts
- Understand the role of a local master browser
- Understand the role of a domain master browser
- Understand the role of Samba as a WINS server
- Understand name resolution
- Configure Samba as a WINS server
- Configure WINS replication
- Understand NetBIOS browsing and browser elections
- Understand NetBIOS name types
The following is a partial list of the used files, terms and utilities:
- smb.conf
- nmblookup
- smbclient
- name resolve order
- lmhosts
- wins support, wins server, wins proxy, dns proxy
- domain master, os level, preferred master
396.2 Active Directory Name Resolution (weight: 2)
Weight |
2 |
Description |
Candidates should be familiar with the internal DNS server with Samba4. |
Key Knowledge Areas:
- Understand and manage DNS for Samba4 as an AD Domain Controller
- DNS forwarding with the internal DNS server of Samba4
The following is a partial list of the used files, terms and utilities:
- samba-tool dns (with subcommands)
- smb.conf
- dns forwarder
- /etc/resolv.conf
- dig, host
Topic 397: Working with Linux and Windows Clients
397.1 CIFS Integration (weight: 3)
Weight |
3 |
Description |
Candidates should be comfortable working with CIFS in a mixed environment. |
Key Knowledge Areas:
- Understand SMB/CIFS concepts
- Access and mount remote CIFS shares from a Linux client
- Securely storing CIFS credentials
- Understand features and benefits of CIFS
- Understand permissions and file ownership of remote CIFS shares
The following is a partial list of the used files, terms and utilities:
- SMB/CIFS
- mount, mount.cifs
- smbclient
- smbget
- smbtar
- smbtree
- findsmb
- smb.conf
- smbcquotas
- /etc/fstab
397.2 Working with Windows Clients (weight: 2)
Weight |
2 |
Description |
Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers. |
Key Knowledge Areas:
- Knowledge of Windows clients
- Explore browse lists and SMB clients from Windows
- Share file / print resources from Windows
- Use of the smbclient program
- Use of the Windows net utility
The following is a partial list of the used files, terms and utilities:
- Windows net command
- smbclient
- control panel
- rdesktop
- workgroup