LPIC-300 Objectives V3.0

From LPI Wiki
Revision as of 15:50, 24 January 2019 by FabianThorns (Talk | contribs) (393.2 File Share Security (weight: 3))


ATTENTION: THIS PAGE IS UNDER CONSTRUCTION





Introduction

A complete description of the LPIC-3 certification program can be found here.


Version Information

These objectives are A DRAFT FOR version 3.0.

LPIC-300 version 1.0 was partially formed from content in the 301 and 302 exams.


Addenda

Version Release (DATE TBD)

  • released version 3.0


Translations of Objectives

The following translations of the objectives are available on this wiki:


Objectives

Topic 392: Samba Basics

392.1 Samba Concepts and Architecture (weight: 2)

Weight

2

Description

Candidates should understand the essential concepts of Samba, including the various Samba server processes and networking protocols used by Samba when acting in various roles.

Key Knowledge Areas:

  • Understand the roles of the various Samba daemons and components
  • Understand key issues regarding heterogeneous networks
  • Understand the networking services used with SMB/CIFS and Active Directory, including their ports
  • Understand the major features of SMB protocol versions 1.0, 2.0, 2.1 and 3.0
  • Knowledge of Samba 3 and Samba 4 differences
  • Awareness of Samba VFS modules
  • Awareness of Samba Clustering and CTDB

Partial list of the used files, terms and utilities:

  • smbd, nmbd, samba, winbindd


392.2 Configure Samba (weight: 4)

Weight

4

Description

Candidates should be able to configure the Samba daemons.

Key Knowledge Areas:

  • Knowledge of Samba server file based configuration
  • Knowledge of Samba server registry based configuration
  • Knowledge of Samba configuration parameters and variables
  • Understand Samba server roles and security modes
  • Configure Samba to use TLS
  • Check the validity of a Samba configuration
  • Troubleshoot and debug configuration problems with Samba
  • Understand Windows tools used to configure a Samba Server


The following is a partial list of the used files, terms and utilities:

  • smb.conf
    • security
    • server role
    • server string
    • server services
    • tls enabled
    • tls keyfile
    • tls certfile
    • tls dh params file
    • tls cafile
    • config backend
    • registry shares
    • include
    • vfs objects
  • samba-regedit
  • HKLM\Software\Samba\
  • REG_SZ, REG_MULTI_SZ
  • testparm
  • net registry (including relevant subcommands)
  • Microsoft RSAT Tools
  • Microsoft MMC
  • Microsoft ADSI Edit
  • Microsoft LDP
  • Microsoft Regedit


392.3 Regular Samba Maintenance (weight: 2)

Weight


2

Description

Candidates should know about the various tools and utilities that are part of a Samba installation.

Key Knowledge Areas:

  • Start and stop Samba services on domain controllers and file servers
  • Monitor and interact with running Samba daemons
  • Backup and restore TDB files
  • Backup and restore an Active Directory domain controller
  • Understand backup and recovery strategies for Active Directory domain controllers
  • Understand the impact of virtualization on Active Directory domain controllers

The following is a partial list of the used files, terms and utilities:

  • systemctl
  • smbcontrol (including relevant message types)
  • smbstatus
  • tdbbackup
  • tdbrestore
  • samba-tool domain backup (including subcommands)
  • Virtual Machine Generation Identifier
  • Virtual Machine Snapshots


392.4 Troubleshooting Samba (weight: 3)

Weight

3

Description

Candidates should be able to analyze and troubleshoot Samba issues. This includes accessing and modifying LDAP contents of a Samba server hosting an Active Directory as well as working with trivial database files. Furthermore, candidates should be able to create a renamed clone of an existing Active Directory for debugging.

Key Knowledge Areas:

  • Configure Samba logging, including setting log levels for specific debug classes and client-specific logging
  • Query and modify the Samba password database
  • Understand the contents of important TDB files
  • List and edit TDB file content
  • Identify TDB file corruption
  • Access and modify objects in a Samba LDAP directory
  • Enable and use the LDAP recycle bin
  • Confirm the integrity of a domain controller’s database
  • Create a renamed clone of a domain controller
  • Awareness of Samba eventlog shipping
  • Use rpcclient to query information on a Samba server


The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • log level
    • debuglevel
  • /var/log/samba/
  • smbpasswd
  • pdbedit
  • registry.tdb
  • secrets.tdb
  • tdbdump
  • tdbtool
  • ldbsearch
  • ldbmodify
  • ldbedit
  • ldbadd
  • ldbdel
  • LDIF
  • samba-tool dbcheck
  • samba-tool domain backup (including relevant subcommands)
  • rpcclient


Topic 3XX: Samba and Active Directory Domains

3XX.1 Samba as Active Directory Domain Controller (weight: 5)

Weight

5

Description

Candidates should be able to configure Samba as an Active Directory domain controller. This includes managing an Active Directory domain.

Key Knowledge Areas:

  • Understand the concepts of Active Directory
  • Understand the principles of the network services used by Active Directory (i.e. DNS, Kerberos, NTP, LDAP, CIFS and MS-RPC)
  • Set up a new Active Directory domain using Samba
  • Add a Samba domain controller to an existing Active Directory domain
  • Demote and remove online and offline domain controllers
  • Verify AD replication
  • Understand and query the global catalog and the partial attribute set
  • Understand and configure domain functional levels
  • Understand and configure Active Directory forest and domain trusts
  • Understand and configure Active Directory sites, including subnet assignments
  • Understand and manage FSMO roles, including their impact in case of an outage
  • Configure SYSVOL replication using rsync or robocopy
  • Integrate Samba with ntpd
  • Awareness of Windows NT4 domains

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • server role
  • samba-tool domain (including relevant subcommands)
  • samba-tool fsmo (including relevant subcommands)
  • samba-tool drs (including relevant subcommands)
  • samba-tool sites (including relevant subcommands)
  • rsync
  • rsync.conf
  • /var/lib/samba/sysvol
  • robocopy
  • ntpd.conf
    • ntpsigndsocket


3XX.2 Active Directory Name Resolution (weight: 2)

Weight

2

Description

Candidates should be familiar with the internal DNS server of Samba.

Key Knowledge Areas:

  • Understand and manage DNS for Samba as an AD domain controller
  • Manage DNS records in Samba DNS
  • DNS forwarding
  • Standardized names in an Active Directory
  • Multicast DNS
  • Awareness of BIND9 DLZ DNS back end
  • Awareness of NetBIOS name resolution and WINS

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • dns forwarder
    • allow dns updates
    • multicast dns register
  • samba-tool dns (with subcommands)
  • samba_dnsupdate
  • dig
  • host
  • /etc/resolv.conf


3XX.3 Active Directory User Management (weight: 4)

Weight

4

Description

Candidates should be able to manage user and group accounts on a standalone server and in a Samba based Active Directory.

Key Knowledge Areas:

  • Manage user accounts and user groups for standalone servers and Samba AD
  • Knowledge of user account management tools
  • Delegate administrative permissions in AD to specific users / user groups
  • Configure password expiration and change requirements
  • Manage password policies and password setting objects
  • Principals and their identification SID (DN, GUID)
  • User Principal Name (UPN) and User Principal Name Suffix (UPN Suffix)
  • Security and Distribution Groups
  • Understand and manage LDAP attributes of security principals
  • Understand and manage RFC2307 attributes in a Samba AD
  • Map Kerberos service principal names to user accounts
  • Export Kerberos keytabs for a specific principal
  • Awareness of LDAP Account Manager

The following is a partial list of the used files, terms and utilities:

  • samba-tool user (including relevant subcommands)
  • samba-tool group (including relevant subcommands)
  • samba-tool domain passwordsettings
  • samba-tool domain exportkeytab
  • samba-tool spn (including relevant subcommands)
  • smbpasswd
  • pdbedit
  • kinit
  • klist


3XX.4 Samba Domain Membership (weight: 4)

Weight

4

Description

Candidates should be able to join a Samba server into an existing Active Directory domain and authorize domain users to use the server. This includes installing and configuring the Winbindd service.

Key Knowledge Areas:

  • Joining Samba to an existing AD domain
  • Configure Winbind service, including ID mapping
  • Understand and configure Winbind ID mapping, including various mapping backends
  • Configure PAM and NSS to use Winbind

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • security
    • server role
    • realm
    • workgroup
    • idmap config
    • winbind enumerate users
    • winbind enumerate groups
    • winbind offline logon
    • winbind separator
    • template shell
    • template homedir
    • allow trusted domains
  • idmap_ad
  • idmap_autorid
  • idmap_ldap
  • idmap_rfc2307
  • idmap_rid
  • idmap_tdb
  • idmap_tdb2
  • net ads (including relevant subcommands)
  • /etc/nsswitch.conf
  • /etc/pam.conf
  • /etc/pam.d/
  • libnss_winbind
  • libpam_winbind
  • getent
  • wbinfo


394.5 Samba Local User Management (weight: 2)

Weight

2

Description

Candidates should be able to create and manage local user accounts on a standalone Samba server.

Key Knowledge Areas:

  • Set up a local password database
  • Perform password synchronization
  • Knowledge of different passdb backends
  • Convert between Samba passdb backends

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • passdb backend
  • /etc/passwd
  • /etc/group
  • pam_smbpass.so
  • smbpasswd
  • pdbedit


Topic 393: Samba Share Configuration

393.1 File Share Configuration (weight: 4)

Weight

4

Description

Candidates should be able to create and configure CIFS file shares in Samba.

Key Knowledge Areas:

  • Create and configure CIFS file shares
  • Samba share access configuration parameters
  • Registry based share configuration
  • Manage profile and user home shares
  • Plan file service migration
  • Limit access to IPC$
  • Awareness of user shares
  • Awareness of existing VFS modules and their general functionality, including modules to support audit logs and snapshots / shadow copies

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • path
    • browsable
    • writable / write ok / read only
    • valid users
    • invalid users
    • read list
    • write list
    • guest ok
    • hosts allow / allow hosts
    • hosts deny / deny hosts
    • copy
    • hide unreadable
    • hide unwritable files
    • hide dot files
    • hide special files
    • veto files
    • delete veto files
  • [homes]
  • [IPC$]
  • smbcquotas


393.2 File Share Security (weight: 3)

Weight

3

Description

Candidates should understand file permissions on CIFS shares and on a Linux file system.

Key Knowledge Areas:

  • Enforce ownership and permissions of files and directories
  • Manage ACLs for shares and folders
  • Understand POSIX, Extended POSIX and Windows ACLs
  • Understand how Samba stores Windows ACLs in Linux ACLs and extended attributes
  • Configure ACLs for profile and home folder shares

The following is a partial list of the used files, terms and utilities:

  • smb.conf
    • create mask / create mode
    • directory mask / directory mode
    • force create mode
    • force directory mode
    • force user
    • force group / group
    • profile acls
    • inherit acls
    • map acl inherit
    • store dos attributes
    • vfs objects
  • chown
  • chmod
  • getfacl
  • setfacl
  • getfattr
  • smbcacls
  • sharesec
  • SeDiskOperatorPrivilege
  • vfs_acl_xattr
  • vfs_acl_tdb
  • samba-tool ntacl (including subcommands)


393.X DFS Shares (weight: 1)

Weight

1

Description

Candidates should be able to create and manage DFS shares in Samba.

Key Knowledge Areas:

  • Understand DFS
  • Configure DFS shares

The following is a partial list of the used files, terms and utilities:

  • smb.conf:
    • host msdfs
    • msdfs root
    • msdfs proxy
  • ln


393.3 Print Services (weight: 2)

Weight

2

Description

Candidates should be able to create and manage print shares in a mixed environment.

Key Knowledge Areas:

  • Create and configure printer sharing
  • Configure integration between Samba and CUPS
  • Manage Windows print drivers and configure downloading of print drivers
  • Configure [print$]
  • Understand security concerns with printer sharing
  • Uploading printer drivers for Point'n'Print driver installation using 'Add Print Driver Wizard' in Windows

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • [print$]
  • CUPS
  • cupsd.conf
  • /var/spool/samba/
  • smbspool
  • rpcclient
  • net


Topic 394: Samba User and Group Management

394.1 Managing User Accounts and Groups (weight: 4)

Weight

4

Description

Candidates should be able to manage user and group accounts in a mixed environment.

Key Knowledge Areas:

  • Manage user and group accounts
  • Understand user and group mapping
  • Knowledge of user account management tools
  • Use of the smbpasswd program
  • Force ownership of file and directory objects

The following is a partial list of the used files, terms and utilities:

  • pdbedit
  • smb.conf
  • samba-tool user (with subcommands)
  • samba-tool group (with subcommands)
  • smbpasswd
  • /etc/passwd
  • /etc/group
  • force user, force group
  • idmap


394.2 Authentication, Authorization and Winbind (weight: 5)

Weight

5

Description

Candidates should understand the various authentication mechanisms and configure access control. Candidates should be able to install and configure the Winbind service.

Key Knowledge Areas:

  • Set up a local password database
  • Perform password synchronization
  • Knowledge of different passdb backends
  • Convert between Samba passdb backends
  • Integrate Samba with LDAP
  • Configure Winbind service
  • Configure PAM and NSS

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • smbpasswd, tdbsam, ldapsam
  • passdb backend
  • libnss_winbind
  • libpam_winbind
  • libpam_smbpass
  • wbinfo
  • getent
  • SID and foreign SID
  • /etc/passwd
  • /etc/group


Topic 395: Samba Domain Integration

395.1 Samba as a PDC and BDC (weight: 3)

Weight

3

Description

Candidates should be able to set up and maintain primary and backup domain controllers. Candidates should be able to manage Windows/Linux client access to the NT-Style domains.

Key Knowledge Areas:

  • Understand and configure domain membership and trust relationships
  • Create and maintain a primary domain controller with Samba3 and Samba4
  • Create and maintain a backup domain controller with Samba3 and Samba4
  • Add computers to an existing domain
  • Configure logon scripts
  • Configure roaming profiles
  • Configure system policies

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • security mode
  • server role
  • domain logons
  • domain master
  • logon script
  • logon path
  • NTConfig.pol
  • net
  • profiles
  • add machine script
  • profile acls


395.2 Samba4 as an AD compatible Domain Controller (weight: 3)

Weight

3

Description

Candidates should be able to configure Samba 4 as an AD Domain Controller.

Key Knowledge Areas:

  • Configure and test Samba 4 as an AD DC
  • Using smbclient to confirm AD operation
  • Understand how Samba integrates with AD services: DNS, Kerberos, NTP, LDAP

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • server role
  • samba-tool domain (with subcommands)
  • samba


395.3 Configure Samba as a Domain Member Server (weight: 3)

Weight

3

Description

Candidates should be able to integrate Linux servers into an environment where Active Directory is present.

Key Knowledge Areas:

  • Joining Samba to an existing NT4 domain
  • Joining Samba to an existing AD domain
  • Ability to obtain a TGT from a KDC

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • server role
  • server security
  • net command
  • kinit, TGT and REALM



Topic 396: Samba Name Services

396.1 NetBIOS and WINS (weight: 3)

Weight

3

Description

Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing.

Key Knowledge Areas:

  • Understand WINS concepts
  • Understand NetBIOS concepts
  • Understand the role of a local master browser
  • Understand the role of a domain master browser
  • Understand the role of Samba as a WINS server
  • Understand name resolution
  • Configure Samba as a WINS server
  • Configure WINS replication
  • Understand NetBIOS browsing and browser elections
  • Understand NetBIOS name types

The following is a partial list of the used files, terms and utilities:

  • smb.conf
  • nmblookup
  • smbclient
  • name resolve order
  • lmhosts
  • wins support, wins server, wins proxy, dns proxy
  • domain master, os level, preferred master


396.2 Active Directory Name Resolution (weight: 2)

Weight

2

Description

Candidates should be familiar with the internal DNS server of Samba4.

Key Knowledge Areas:

  • Understand and manage DNS for Samba4 as an AD Domain Controller
  • DNS forwarding with the internal DNS server of Samba4

The following is a partial list of the used files, terms and utilities:

  • samba-tool dns (with subcommands)
  • smb.conf
  • dns forwarder
  • /etc/resolv.conf
  • dig, host


Topic 397: Working with Linux and Windows Clients

397.1 CIFS Integration (weight: 3)

Weight

3

Description

Candidates should be comfortable working with CIFS in a mixed environment.

Key Knowledge Areas:

  • Understand SMB/CIFS concepts
  • Access and mount remote CIFS shares from a Linux client
  • Securely storing CIFS credentials
  • Understand features and benefits of CIFS
  • Understand permissions and file ownership of remote CIFS shares

The following is a partial list of the used files, terms and utilities:

  • SMB/CIFS
  • mount, mount.cifs
  • smbclient
  • smbget
  • smbtar
  • smbtree
  • findsmb
  • smb.conf
  • smbcquotas
  • /etc/fstab


397.2 Working with Windows Clients (weight: 2)

Weight

2

Description

Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers.

Key Knowledge Areas:

  • Knowledge of Windows clients
  • Explore browse lists and SMB clients from Windows
  • Share file / print resources from Windows
  • Use of the smbclient program
  • Use of the Windows net utility

The following is a partial list of the used files, terms and utilities:

  • Windows net command
  • smbclient
  • control panel
  • rdesktop
  • workgroup