[lpi-discuss] Re: LPIC-3 core exam -- testing enterprise Linux technology ...

Bryan J. Smith b.j.smith at ieee.org
Tue Dec 5 14:44:36 EST 2006

I'll make this one exception ...

Alan McKinnon <alan at linuxholdings.co.za> wrote:
> Linux clients play nicely with AD just like Windows clients do;

In other words, it's easy to make Linux PAM (via Winbindd and others)
as well as Samba the "bitch" of Windows ADS.  ;->

> Someday, a Linux box can replace a Windows PDC and BDC;
> LDAP, Kerberos, single sign-on, not necessarily Windows-style;
> Edge of network security;

"Someday"?  WTF?  ;->

Samba _already_ offers a _complete_ NT SAM (Systems Accounts Manager)
store and protocol replacement.  It has since version 2.2, and it's
even more capable in 3.0.

Regarding integration of network authentication, directory, naming
and related scheme, Linux capability *PRE-DATES* Windows ADS'
introduction (early 1999).  In fact, back then, we replaced the NT
GINA (Graphical Login/Authentication) with whatever we needed. 
Novell did the same thing.

Understand all Samba 2.0, 2.2 and, even more so, 3.0 does is offer
the capability to "emulate" what the client expects on the server.
So we don't have to replace the GINA.

Now if you want Linux to be a "native Windows ADS" that can support
MS Exchange, SQL Server, etc... "out-of-the-box," that's a pipe
dream.  It's a massively moving target.  With each new product,
you've got more proprietary schema and protocols to reverse engineer.

Heck, you can't even mix'n match 2000, 2003 and forthcoming "Longhorn
Server" stuff!  That's why Microsoft recommends you have _all_ XP
clients for Windows Server 2003, and _no_ 2000 clients.  It's why
Vista ("Longhorn Client") is being introduced 1 year before "Longhorn
Server."  XP is going to be undercut for corporations.

Understand what ADS is.  It's the legacy SAM plus LDAP with
proprietary schema built around DNS and Kerberos for authentication. 
It's a sprawling mess of time-limited capabilities, with things that
"just get broken" on a regular basis.

My personal favorite is the Windows XP Pro patch that broke the
authentication handshake.  If you had a Windows Server 2003 you could
login.  If you had a Samba server, you could not.  Why?  Because
Windows Server 2003 wasn't enforcing the handshake, and blindly let
the XP client by-pass a credential exchange.  Samba, properly, told
the Windows XP Pro client to screw off, you did authenticate

Samba broken?  Or a solution that doesn't actually enforce its own
security?  ;->

*REAL* enterprises run a _peer_ LDAP tree to ADS.  Why?  Because most
of those LDAP trees were _already_ in place _before_ ADS.

As far as the nonsense that LDAP is not applicable to web/Internet
services?  Companies I've consulted at (and yes, doing Linux ;-) --
Boeing, Disney, State Farm and many -- would _not_ consider you if
you didn't have exposure to Netscape Directory Server (now Fedora/Red
Hat Directory Server) or Netegrity LDAP (not just eDirectory/NDS or

I mean, how do you think these _major_ Internet presences tie into
their customer data?

> In other words, if I estimate the target market for LPIC-3
> correctly, Bryan is 100% on the money

You don't have to estimate.  ;->

Bryan J. Smith   Professional, Technical Annoyance
b.j.smith at ieee.org    http://thebs413.blogspot.com
     Fission Power:  An Inconvenient Solution
