LPIC-3 300: Mixed Environment — Deep Dive Study Guide
The LPIC-3 300: Mixed Environment exam validates the ability to integrate Linux systems into heterogeneous networks with Unix, Windows, and directory services. This guide covers each exam objective with configuration examples, commands, and troubleshooting approaches.
Samba Architecture and Components
Samba provides file and print services to SMB/CIFS clients using four core daemons:
| Daemon | Purpose |
|---|---|
| smbd | SMB/CIFS file and print service (TCP 139, 445) |
| nmbd | NetBIOS name service and browsing (UDP 137, 138) |
| winbindd | Authentication and identity resolution from AD or LDAP |
| samba-ad-dc | Active Directory Domain Controller service |
smb.conf Structure
The main Samba configuration file is /etc/samba/smb.conf with two main sections:
[global]
workgroup = MYDOMAIN
server string = File Server %v
netbios name = FILESRV
security = user
map to guest = Bad User
log file = /var/log/samba/%m.log
max log size = 50
[shared]
comment = Shared Documents
path = /srv/samba/shared
browseable = yes
read only = no
guest ok = no
valid users = @staff
create mask = 0664
directory mask = 0775
Samba Security Modes
| Mode | Description |
|---|---|
| user | Users authenticate with local Samba user accounts (smbpasswd) |
| domain | Samba authenticates against a legacy Windows NT domain PDC |
| ads | Samba joins an Active Directory domain using Kerberos |
| share | No authentication (deprecated, use map to guest instead) |
Joining Active Directory
# Install packages
apt-get install samba smbclient winbind libnss-winbind libpam-winbind
# Configure /etc/samba/smb.conf
[global]
security = ads
realm = AD.CORP.EXAMPLE.COM
workgroup = AD
netbios name = LINUXSRV
# Join the domain
net ads join -U Administrator
# Verify
net ads testjoin
wbinfo -u # List domain users
wbinfo -g # List domain groups
LDAP with OpenLDAP
OpenLDAP provides a centralized directory service for user authentication, address books, and configuration data.
slapd Configuration
Modern OpenLDAP uses the config backend (cn=config) for online configuration:
# Install
apt-get install slapd ldap-utils
# After initial configuration, view the config
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
LDAP Database Backends
| Backend | Description |
|---|---|
| mdb | Memory-Mapped DB — recommended, high performance, no size limit |
| bdb | Berkeley DB — deprecated, not recommended for new deployments |
| hdb | Hierarchical BD — deprecated variant with entry-level subtree renaming |
| ldif | Store entries as LDIF files — for testing only |
LDIF Entry Example
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}encryptedhash
shadowLastChange: 19000
LDAP Search Filters
| Operator | Meaning | Example |
|---|---|---|
= | Equality | (uid=jdoe) |
>= | Greater or equal | (uidNumber>=1000) |
<= | Less or equal | (uidNumber<=2000) |
=* | Present | (mail=*) |
~= | Approximate | (sn~=John) |
& | AND | (&(objectClass=posixAccount)(uidNumber>=1000)) |
| | OR | (|(objectClass=posixAccount)(objectClass=shadowAccount)) |
! | NOT | (!(uid=root)) |
LDAP Access Control
ACLs in slapd.conf (or via olcAccess in cn=config):
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by * none
olcAccess: to *
by self write
by users read
by * none
Kerberos
krb5.conf Structure
[libdefaults]
default_realm = AD.CORP.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
AD.CORP.EXAMPLE.COM = {
kdc = dc01.ad.corp.example.com
kdc = dc02.ad.corp.example.com
admin_server = dc01.ad.corp.example.com
}
[domain_realm]
.ad.corp.example.com = AD.CORP.EXAMPLE.COM
ad.corp.example.com = AD.CORP.EXAMPLE.COM
Key Commands
# Obtain a ticket
kinit administrator@AD.CORP.EXAMPLE.COM
# List cached tickets
klist
# Destroy tickets
kdestroy
# Create a keytab for a service
ktutil
ktutil: addent -password -p HTTP/srv01.ad.corp.example.com@AD.CORP.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
ktutil: wkt /etc/httpd.keytab
ktutil: quit
# Verify keytab
klist -kte /etc/httpd.keytab
Kerberized Services Configuration
For a web server using Kerberos authentication:
<Location /secure>
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms AD.CORP.EXAMPLE.COM
KrbServicePrincipal HTTP/srv01.ad.corp.example.com
Krb5KeyTab /etc/httpd.keytab
KrbMethodNegotiate On
Require valid-user
</Location>
Winbind Integration
Winbind resolves Windows user and group identities on Linux systems by querying AD via LDAP and Kerberos.
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind
Winbind Configuration in smb.conf
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD : backend = rid
idmap config AD : range = 10000-999999
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = no
winbind enum groups = no
template shell = /bin/bash
template homedir = /home/%U
NFSv4 in Mixed Environments
NFSv4 provides Kerberos-based authentication for cross-platform file sharing:
# Server side (/etc/exports)
/srv/nfs4 gss/krb5p(rw,sec=krb5p)
# Enable NFSv4 with Kerberos
nfsconf --set nfsd rdma no
nfsconf --set nfsd vers4.2 y
nfsconf --set nfsd vers4.0 y
nfsconf --set gssd use-gss-proxy y
# Client mount
mount -t nfs4 -o sec=krb5p server.example.com:/srv/nfs4 /mnt/nfs
PAM Configuration for Network Authentication
For PAM to use LDAP or Winbind authentication, the pam_ldap or pam_winbind module is configured:
# /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_winbind.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
Troubleshooting
Samba Debugging
# Test configuration
testparm
# Check SMB connectivity
smbclient -L //localhost -U%
# Query domain controllers
net ads info
# Test authentication
ntlm_auth --username=jdoe --domain=AD
LDAP Troubleshooting
# Check slapd status
slaptest -v
# Query with debugging
ldapsearch -d 1 -x -H ldap://localhost -b dc=example,dc=com
# Check ACLs
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
Kerberos Troubleshooting
# Verbose authentication
KRB5_TRACE=/dev/stderr kinit user@REALM
# Check time synchronization (critical for Kerberos)
chronyc sources
# Test DNS SRV records
dig -t SRV _kerberos._tcp.ad.corp.example.com
dig -t SRV _ldap._tcp.ad.corp.example.com
Test Your Knowledge with Practice Exams
Ready to put this knowledge to the test? Our LPI practice portal includes 200+ realistic questions covering LPIC-1, LPIC-2, LPIC-3, and DevOps Tools Engineer certifications. Study mode, timed exams, domain breakdowns, and weak-area analysis included.
Related Articles
- LPIC-3 Certification Guide — "LPIC-3 Certification Guide"
- LPIC-3 303: Security — Deep Dive Study Guide — "LPIC-3 303 Security Deep Dive"
- LPIC-3 304: Virtualization & HA — Deep Dive Study Guide — "LPIC-3 304 Virtualization & HA Deep Dive"
- Is LPIC Worth It in 2026? — Salary impact, employer demand, and certification ROI
- LPIC vs RHCSA vs CompTIA Linux+ — Which certification path is right for you?
- Browse All LPI Resources — Full library of study guides, deep dives, and practice questions