How I selected my Red Hat CoE Exams

So it would seem that my Red Hat journey will end soon: EX362 will be my fifth and last exam under the Red Hat Learning Subscription. I wanted to talk through how I chose my exams.

I wanted exams that were relevant to me, either in a field I was aiming to move into, or to enhance my knowledge in an area. I didn’t want to do exams that I didn’t feel were relevant to the UK job market.

Red Hat has really gone two ways: it’s either Ansible or OpenShift. Those are its two areas of focus. I attended a Red Hat conference 18 months ago and this message was loud and clear.

I had already been doing Ansible, but OpenShift was new to me, and this was my main area of focus. It picked itself: I wanted to learn OpenShift, and so EX280 was number 1 on my list.

The next one also picked itself. I wanted to be “THE Ansible guy” at work, so I wanted to absorb as much as possible, and so Ansible Best Practices or Advanced Ansible, EX447, went into the #2 position.

There wasn’t anything else that screamed “Pick me!” from the list, so I had a little creative license. Red Hat Security EX415 was very similar to my (very) old EX413 exam. It looked like fun, so it found its way onto my list at #3.

Next I wanted a toughie; I wasn’t interested in padding my record with “nothing” exams like EX318. I had identified EX342 Troubleshooting and EX442 Performance Tuning as the two toughest exams, EX442 being the tougher of the two. EX342 is tough because you are fixing things that could be broken in any number of ways – and in an exam situation without Google this could be tough.

I initially picked EX442 but it bored me senseless.

ex442-boring

So I started EX342, I knew this would provide me valuable skills. So this became #4.

And then I had one slot left, and my pick was … EX403 Satellite Server, but I had a problem in that they were rewriting the course from v6.2.1 to v6.6 and there wasn’t a clear timeframe as to when this would happen. So I went through the remaining exams and picked EX362 Identity Management.

Now EX362 may seem a strange pick, but EX342 had taught me a fair bit of LDAP + Kerberos and this forms the backbone of EX362. Also, at work this was a growth area, so EX362 took my final slot.

So my list became:

#1 EX280 OpenShift Administration

#2 EX447 Advanced Ansible Best Practices

#3 EX415 Linux Security

#4 EX342 Linux Troubleshooting

#5 EX362 Identity Management

Unfortunately, because of a rule change (or rather a loophole being closed), my journey ends there. Initially, if you didn’t fail any exams you could do additional exams using your retake allocation, but that has been stopped now. It’s a shame, as I would have liked to have done EX403 Satellite v6.6 and EX442 Performance Tuning.

Red Hat Cancelled my Exam

So with 20 hours before my scheduled exam in the UK, Red Hat cancelled all exams due to the Coronavirus.

Very frustrating obviously, but by the same token completely understandable. So now the personal challenge is to stay ready for when testing facilities reopen.

I don’t have long left of my RHLS, so I am in discussion with Red Hat about what happens next.

This Coronavirus has invaded normal life, let’s hope everything gets back to normal.

EX362 Objective 12 – Single Sign On

Next stop, a simple one once you have done it a couple of times – we are going to configure SSO for httpd

but first some housekeeping …

Hit like if you like this post and would like to see more like it, or follow to be kept informed of any new posts

Overview:

This is a relatively simple task but one point to remember is that sync sometimes breaks!

Let’s do this!

Install httpd server

yum install -y httpd mod_auth_kerb

 

Get an admin ticket

kinit admin

Add the HTTP service principal and pull its key down into a keytab

ipa service-add HTTP/utility.red.example.net
ipa-getkeytab -s idm.red.example.net -p HTTP/utility.red.example.net -k /etc/httpd/http.keytab
chown apache:apache /etc/httpd/http.keytab

Let’s create our top-secret area

mkdir /var/www/html/secret/
echo linuxbuff > /var/www/html/secret/index.html

Let’s create our config file

[root@utility ~]# rpm -ql mod_auth_kerb
/etc/httpd/conf.modules.d/10-auth_kerb.conf
/run/httpd/krbcache
/usr/lib/tmpfiles.d/httpd-krbcache.conf
/usr/lib64/httpd/modules/mod_auth_kerb.so
/usr/share/doc/mod_auth_kerb-5.4
/usr/share/doc/mod_auth_kerb-5.4/LICENSE
/usr/share/doc/mod_auth_kerb-5.4/LICENSE.ASL
/usr/share/doc/mod_auth_kerb-5.4/README
/usr/share/doc/mod_auth_kerb-5.4/example.conf


cp /usr/share/doc/mod_auth_kerb-5.4/example.conf /etc/httpd/conf.d/secret.conf

Let’s edit it as follows

<Location /secret>
AuthType Kerberos
AuthName RED.EXAMPLE.NET
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms RED.EXAMPLE.NET
Krb5KeyTab /etc/httpd/http.keytab
require user ops2@RED.EXAMPLE.NET dev1@RED.EXAMPLE.NET
</Location>

Start services

systemctl enable httpd --now
firewall-cmd --add-service=http --permanent
firewall-cmd --reload

Now using my workstation I do the following

yum install -y krb5-workstation
scp idm.red.example.net:/etc/krb5.conf /tmp/krb5.conf
export KRB5_CONFIG=/tmp/krb5.conf
kinit dev1
firefox

Enter about:config and update the item highlighted

ex362-12-1

Now let’s try to log in

firefox http://utility.red.example.net/secret/index.html

and boom!

ex362-12-2

All good! Another one down!
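As an added example (not code from the original post), here is a small Python helper that renders the same <Location> block from a list of allowed principals and audits the keytab the block points at. The realm, keytab path and principals are the post’s lab values and are assumptions for any other environment. `require user` is an allow-list, so an empty list or an unqualified principal is rejected instead of quietly producing a config that lets nobody, or the wrong people, in.

```python
"""Render the mod_auth_kerb <Location> block and audit its keytab.

Added example, not from the original post. Realm, keytab path and the
allow-list are the post's lab values (assumptions for other environments).
"""
import os
import pwd
import stat

REALM = "RED.EXAMPLE.NET"                  # assumption: lab realm from the post
KEYTAB = "/etc/httpd/http.keytab"          # assumption: path used by ipa-getkeytab above
ALLOWED = ["ops2@RED.EXAMPLE.NET", "dev1@RED.EXAMPLE.NET"]


def render_kerberos_location(path, realm, keytab, allowed_principals):
    """Return the <Location> block as a string.

    'require user' is a strict allow-list, so refuse an empty list or an
    unqualified name; KrbMethodK5Passwd Off stops the browser from falling
    back to sending the Kerberos password over HTTP Basic auth.
    """
    if not allowed_principals:
        raise ValueError("allow-list is empty: 'require user' needs at least one principal")
    for principal in allowed_principals:
        if "@" not in principal:
            raise ValueError(f"principal {principal!r} must be realm-qualified")
    lines = [
        f"<Location {path}>",
        "    AuthType Kerberos",
        f"    AuthName {realm}",
        "    KrbMethodNegotiate On",
        "    KrbMethodK5Passwd Off",
        f"    KrbAuthRealms {realm}",
        f"    Krb5KeyTab {keytab}",
        "    require user " + " ".join(allowed_principals),
        "</Location>",
    ]
    return "\n".join(lines) + "\n"


def audit_keytab(keytab, expected_owner="apache"):
    """Return a list of findings; an empty list means the keytab looks right.

    The keytab is the HTTP service's long-term key: anyone who can read it
    can impersonate the service, so it must be owned by the httpd user and
    closed to group and world.
    """
    findings = []
    try:
        st = os.stat(keytab)
    except FileNotFoundError:
        return [f"{keytab}: missing (run ipa-getkeytab)"]
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                        # uid with no passwd entry
        owner = str(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{keytab}: owned by {owner}, expected {expected_owner}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{keytab}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible, want 0600"
        )
    if st.st_size == 0:
        findings.append(f"{keytab}: empty file")
    return findings


if __name__ == "__main__":
    print(render_kerberos_location("/secret", REALM, KEYTAB, ALLOWED))
    for finding in audit_keytab(KEYTAB) or ["keytab OK"]:
        print(finding)
```

Run it on the utility host after the chown above: a clean audit plus the rendered block is what you want to see before enabling httpd; a group- or world-readable keytab is the one thing the post’s commands do not check for.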

 

EX362 Objective 9 – Certificate Authority

Next stop, another toughie – Certificates

Overview:

I am not a fan of this area – I admit to not fully understanding it myself – so here goes nothing

We are going to do the following:

  • Create an NSS Certificate Database
  • Create a Certificate (CSR + Cert)
  • Certificate Lifecycle work
  • Configure IdM for Certificate SSO
  • Install and Configure vsftpd SSO

Part 1 – Create an NSS Certificate Database

I never remember the syntax so I “cheat” – if you go into IdM and Certificates you can grab the command you need to run from there

Authentication –> Certificates –> Click Issue and you can see the commands in there

ex362-9-1

So let’s run those commands

Create the directory first, otherwise the command fails

mkdir ~/dev1

Now create the NSS Certificate Database

[root@idm ~]# certutil -N -d ~/dev1
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@idm ~]# ls ~/dev1/
cert8.db key3.db secmod.db

Part 2 – Create a Certificate (CSR + Cert)

Let’s create the CSR – you can do this two ways. I like to grab the output by redirecting it to a file, but this is not necessary; either way you will need to copy/paste it into the GUI

[root@idm ~]# certutil -R -d ~/dev1 -a -g 2048 -s 'CN=dev1,O=RED.EXAMPLE.NET'
Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:


Generating key. This may take a few moments...


Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: dev1
Email: (not specified)
Organization: RED.EXAMPLE.NET
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
(base64 CSR body omitted)
-----END NEW CERTIFICATE REQUEST-----

Now you need to copy and paste that CSR into the GUI (the blue part)

ex362-9-2

If we click Refresh we can see the new Cert

ex362-9-3

Now we need to download it and add it to the NSS Certificate Database. Make a note of that number 19, that’s the Certificate ID

kinit admin

[root@idm ~]# ipa cert-show 19 --certificate-out dev1.pem


[root@idm ~]# file dev1.pem
dev1.pem: PEM certificate

Now run man certutil to get the syntax for adding a certificate to the database

#  certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]

Let’s adjust that to our environment

[root@idm ~]# certutil -A -d ~/dev1 -n dev1 -t "P,," -i dev1.pem

List the private keys in the NSS database (certutil -K lists keys; each one is shown with the nickname of the certificate it belongs to)

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1

Part 3 – Certificate Lifecycle work

So now the task is to repeat the exercise to generate a new cert

So let’s generate a CSR (same command as last time)

Note if we were renewing we would use the -k flag and add the ID e.g. NSS Certificate DB:dev1

[root@idm ~]# certutil -R -d ~/dev1 -a -g 2048 -s 'CN=dev1,O=RED.EXAMPLE.NET'

Once again – copy and paste into the GUI and now we have number 20

ex362-9-4

The user dev1 has 2 certificates – let’s revoke the original (#19) – navigate to the user and see that there are 2 certificates

ex362-9-5

Click Actions –> Revoke –> Revoke

Now we need to download the new cert and add it to the database

[root@idm ~]# ipa cert-show 20 --certificate-out dev1.pem

[root@idm ~]# certutil -A -d ~/dev1 -n dev1 -t "P,," -i dev1.pem

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1
< 1> rsa f0c153878541cf98b7ad3290892372b28e2b3edf NSS Certificate DB:dev1

Part 4 – Configure IdM for Certificate SSO

This also uses the same smart.sh script we created in Objective 8 (the ipa-advise config-server-for-smart-card-auth output)

Then we need to export the certificate and its private key as a PKCS#12 (.p12) file

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1
< 1> rsa f0c153878541cf98b7ad3290892372b28e2b3edf NSS Certificate DB:dev1
[root@idm ~]# man pk12util
[root@idm ~]# pk12util -d ~/dev1 -o dev1.p12 -n dev1
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

Move that file to the same machine running Firefox

Import CA

Let’s open Firefox and configure it

Click the Configured button and go through the Wizard to add the CA certificate

Import Cert

Follow the images below to import into Firefox and use

Part 5 – Install and Configure vsftpd SSO

This is another toughie – we are going to need semanage so let’s install that along with vsftpd

yum install -y policycoreutils-python vsftpd

Let’s create the directory for the certificates and update the SELinux context

mkdir /etc/vsftpd/certs
semanage fcontext -a -t cert_t "/etc/vsftpd/certs(/.*)?"
restorecon -Rv /etc/vsftpd/

Let’s create the service principal

kinit admin
ipa service-add ftp/utility.red.example.net

Let’s get some certificates

ipa-getcert request -f /etc/vsftpd/certs/cert.pem -k /etc/vsftpd/certs/cert.key -K ftp/utility.red.example.net -D utility.red.example.net
New signing request "20200311082308" added.
# ls /etc/vsftpd/certs/
cert.key  cert.pem

Now we have to configure vsftpd – add the following lines to /etc/vsftpd/vsftpd.conf (use man vsftpd.conf to get the syntax in an exam)

ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/cert.pem 
rsa_private_key_file=/etc/vsftpd/certs/cert.key
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10000

Note that 10000 is just a port I picked so that it’s easy to open the firewall for FTP’s data port, which is normally dynamically assigned

Let’s configure firewall and services

firewall-cmd --add-service=ftp --permanent
firewall-cmd --add-port=10000/tcp --permanent
firewall-cmd --reload
systemctl enable vsftpd --now

Let’s create a local user to use

useradd --home=/export/home/localuser -m localuser
echo linuxbuff | passwd --stdin localuser

Let’s test from another server using lftp

[root@client ~]# lftp -e debug utility.red.example.net
lftp utility.red.example.net:~> user localuser
Password: 
lftp localuser@utility.red.example.net:~> ls
---- Connecting to utility.red.example.net (192.168.122.74) port 21
<--- 220 (vsFTPd 3.0.2)
---> FEAT
<--- 211-Features:
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate: O=RED.EXAMPLE.NET,CN=utility.red.example.net
 Issued by: O=RED.EXAMPLE.NET,CN=Certificate Authority
  Trusted
<--- 200 Always in UTF8 mode.
---> USER localuser
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.       
---> PWD
<--- 257 "/export/home/localuser"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (192,168,122,74,39,16).
---- Connecting data socket to (192.168.122.74) port 10000
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: O=RED.EXAMPLE.NET,CN=utility.red.example.net
 Issued by: O=RED.EXAMPLE.NET,CN=Certificate Authority
  Trusted
---- Got EOF on data connection
---- Closing data socket
<--- 226 Directory send OK.

There we have it, I have seen a lot of guides that don’t properly set up the firewall or test it fully.
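Since the point of the lftp run is to prove that both the control and the data channel were protected and that the data connection really used the firewalled port, here is an added Python check (not from the original post) that reads an lftp debug transcript and reports exactly the things a guide that skips those steps would hide: credentials sent before AUTH TLS, a data command issued without PROT P, or a PASV port outside the range the firewall allows. The sample transcript is constructed from the session above, and the default PASV range of a single port 10000 is the post’s choice.

```python
"""Audit an lftp debug transcript for a TLS-protected vsftpd session.

Added example, not from the original post. SAMPLE is constructed from the
session shown above; the PASV range defaults to the single port 10000 the
post opened in the firewall (assumption for other setups).
"""
import re

PASV_RE = re.compile(r"<--- 227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_COMMANDS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

SAMPLE = """\
---- Connecting to utility.red.example.net (192.168.122.74) port 21
<--- 220 (vsFTPd 3.0.2)
---> FEAT
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER localuser
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (192,168,122,74,39,16).
---> LIST
<--- 150 Here comes the directory listing.
<--- 226 Directory send OK.
"""


def pasv_endpoint(reply):
    """Decode a 227 reply into (ip, port); the last two numbers are the port, high byte first."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


def audit_session(transcript, pasv_range=(10000, 10000)):
    """Return a list of findings; an empty list means the session was protected end to end."""
    findings = []
    tls_up = prot_private = False
    creds_in_clear = data_seen = False
    for line in transcript.splitlines():
        if line.startswith("---> "):                       # client -> server
            cmd = line[5:].split(" ", 1)[0].upper()
            if cmd in ("USER", "PASS") and not tls_up:
                creds_in_clear = True
            if cmd in DATA_COMMANDS:
                data_seen = True
                if not prot_private:
                    findings.append(f"{cmd} issued without PROT P: data channel is in the clear")
        elif line.startswith("<--- "):                     # server -> client
            code = line[5:8]
            if code == "234":
                tls_up = True
            elif code == "200" and "PROT now Private" in line:
                prot_private = True
            elif code == "227":
                endpoint = pasv_endpoint(line)
                if endpoint is None:
                    findings.append("unparseable 227 reply: " + line)
                else:
                    low, high = pasv_range
                    if not low <= endpoint[1] <= high:
                        findings.append(
                            f"PASV port {endpoint[1]} outside {low}-{high}: the firewall will block the data connection"
                        )
    if creds_in_clear:
        findings.append("USER/PASS sent before AUTH TLS completed: password crossed the wire in clear text")
    if not tls_up:
        findings.append("no 234 reply: control channel was never upgraded to TLS")
    if not data_seen:
        findings.append("no data transfer observed: the test never exercised the PASV port")
    return findings


if __name__ == "__main__":
    print(audit_session(SAMPLE) or ["session OK"])
```

Feed it a saved `lftp -e debug` transcript (or pipe one in) after changing pasv_min_port/pasv_max_port; if you widen the passive range in vsftpd.conf, pass the same range as pasv_range so the firewall rule and the audit stay in step.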

 

 

 

 

EX362 Objective 7 – Integrate IdM with Active Directory

Next stop, a biggie: AD integration

Overview:

This is a relatively simple task (if they give you a starter script). Otherwise it becomes more of a pain.

We are going to do the following:

  • Configure an Active Directory Trust
  • Configure a Direct AD connection (without IdM)
  • Configure ID View

Part 1 – AD Trust

This requires software and firewall rules – but we already set those up when we installed IdM

So the rough sequence is:

  • Install IdM to AD Trust Software (already done)
  • Configure Firewall (already done)
  • Add DNS records
  • Add AD Trust

DNS

DNS Records are set on AD and a forwarder is added to IdM – essentially everything should be able to resolve everything

First let’s disable DNSSEC – on both idm and replica

sed 's/dnssec-validation yes/dnssec-validation no/' /etc/named.conf -i
systemctl restart named-pkcs11.service

Now let’s add records to Windows

ex362-7-1

Once done – add a DNS forwarder using the IdM GUI

ex362-7-2

Once done – test using dig

dig @192.168.122.30 idm.red.example.net
dig -t SRV @192.168.122.30 _ldap._tcp.red.example.net
dig -t SRV @192.168.122.30 _ldap._tcp.example.net

Now let’s install the software before setting up the trust – run on both servers (just in case). Note: say yes to everything.

[root@idm ~]# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [RED]: REDEXAMPLE


WARNING: 12 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
[1/25]: validate server hostname
[2/25]: stopping smbd
[3/25]: creating samba domain object
[4/25]: creating samba config registry
[5/25]: writing samba config file
[6/25]: adding cifs Kerberos principal
[7/25]: adding cifs and host Kerberos principals to the adtrust agents group
[8/25]: check for cifs services defined on other replicas
[9/25]: adding cifs principal to S4U2Proxy targets
[10/25]: adding admin(group) SIDs
[11/25]: adding RID bases
[12/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[13/25]: activating CLDAP plugin
[14/25]: activating sidgen task
[15/25]: map BUILTIN\Guests to nobody group
[16/25]: configuring smbd to start on boot
[17/25]: adding special DNS service records
[18/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/25]: adding fallback group
[21/25]: adding Default Trust View
[22/25]: setting SELinux booleans
[23/25]: starting CIFS services
[24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
[25/25]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

Add AD Trust

IPA Server –> Trusts and click Add – set the options as per below and hopefully it should add a trust

ex362-7-3

Once done – we will test using the command line

[root@idm ~]# getent passwd aduser01@example.net
aduser01@EXAMPLE.NET:*:211201105:211201105:aduser01:/home/EXAMPLE.NET/aduser01:

[root@idm ~]# ssh aduser01@example.net@replica
Password:
Creating home directory for aduser01@example.net.
-sh-4.2$ id
uid=211201105(aduser01@EXAMPLE.NET) gid=211201105(aduser01@EXAMPLE.NET) groups=211201105(aduser01@EXAMPLE.NET),211200513(domain users@EXAMPLE.NET) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$

That’s it – we have an AD trust set up.

Note that we are testing by logging onto replica and not client, because client has automounted home directories and we don’t want to clash with other objectives

Part 2 – AD Direct

This is where a single server joins a Windows domain directly, without going through IdM

On the generic server – Install realmd software (we will work out other elements later)

yum -y install realmd

Update DNS to point to Windows AD

nmcli con mod System\ eth0 ipv4.dns 192.168.122.30
nmcli con up System\ eth0

Test DNS records

dig -t SRV _ldap._tcp.red.example.net
dig -t SRV _ldap._tcp.example.net

Run a discover command (which has the bonus of giving us a required software list)

[root@generic ~]# realm discover -v example.net
* Resolving: _ldap._tcp.example.net
* Performing LDAP DSE lookup on: 192.168.122.30
* Successfully discovered: EXAMPLE.NET
EXAMPLE.NET
type: kerberos
realm-name: EXAMPLE.NET
domain-name: example.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
example.net
type: kerberos
realm-name: EXAMPLE.NET
domain-name: example.net
configured: no

See all those required-package lines? We need all of those, so let’s install them

yum install -y sssd oddjob oddjob-mkhomedir adcli samba-common-tools

 

Now we are ready to join the domain

realm join -v example.net

This will prompt for the AD Administrator password

We can now test it

getent passwd aduser01@example.net

So far so good, but the task also says to let the user log in without the domain suffix and to put their home directory under /home, so let’s update /etc/sssd/sssd.conf

use_fully_qualified_names = False
fallback_homedir = /home/%u

Let’s restart sssd and clear its cache

systemctl stop sssd
sss_cache -E
systemctl start sssd

Now the final test

[root@generic ~]# ssh aduser01@generic
aduser01@generic's password:
Last login: Thu Mar 5 22:07:42 2020 from replica.red.example.net
[aduser01@generic ~]$ pwd
/home/aduser01

A direct realmd connection is often used alongside Samba – which we are not doing here, but worth bearing in mind.

Part 3 – ID Views

An ID View is a mechanism to override user attributes (UID, GID, home directory and so on) in the same way we did in sssd.conf in the AD Direct task, but defined centrally in IdM and applied to the hosts you assign the view to rather than edited on each client.

So let’s create the framework of what we want the user to inherit – a local group and a home directory

mkdir -p /adhome/aduser02-idview
groupadd -g 4321 adusers

chown 4321:4321 /adhome #just in case

Now we need to go into the GUI

Identity –> ID Views Click Add – enter a name and then Add and Edit

Click Hosts and add client

Click Users –> Add and enter information as follows

ex362-7-4

Let’s restart sssd and clear its cache

systemctl stop sssd
sss_cache -E
systemctl start sssd

Finally, SELinux is going to throw a wobbly unless we set the context of the new home directory properly

[root@client ~]# semanage fcontext -a -t home_root_t "/adhome(/.*)?"
[root@client ~]# restorecon -Rv /adhome

Time to try it

[root@client ~]# ssh aduser02@example.net@client.red.example.net
Password:
Last login: Tue Mar 10 09:17:18 2020 from replica.red.example.net
-sh-4.2$ id
uid=4321(aduser02@EXAMPLE.NET) gid=4321(adusers) groups=4321(adusers),211200513(domain users@EXAMPLE.NET) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ pwd
/adhome/aduser02-view
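As an added example, not from the original post, this Python snippet parses the `id` output from the two test logins above (the trust lookup on replica and the ID view on client, embedded as constructed samples) and checks uid, primary group, AD group membership and SELinux type against what you expect. That lets you tell a stale SSSD cache or an unapplied override apart from a broken trust. The expected AD group and SELinux type default to the lab values and are assumptions elsewhere.

```python
"""Check how an AD user resolves on an IdM client: trust default vs. ID view override.

Added example, not from the original post. The two samples are constructed
from the 'id' output of the test logins above; expected names default to the
post's lab values (assumptions elsewhere).
"""
import re

TRUST_ID = (
    "uid=211201105(aduser01@EXAMPLE.NET) gid=211201105(aduser01@EXAMPLE.NET) "
    "groups=211201105(aduser01@EXAMPLE.NET),211200513(domain users@EXAMPLE.NET) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)
IDVIEW_ID = (
    "uid=4321(aduser02@EXAMPLE.NET) gid=4321(adusers) "
    "groups=4321(adusers),211200513(domain users@EXAMPLE.NET) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)

ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")
FIELDS = ("uid", "gid", "groups", "context")


def parse_id(output):
    """Parse one line of 'id' output into a dict.

    AD group names can contain spaces ('domain users@EXAMPLE.NET'), so the
    line is split on the key= markers rather than on whitespace.
    """
    raw = {}
    for key in FIELDS:
        m = re.search(rf"(?:^|\s){key}=(.*?)(?=\s(?:uid|gid|groups|context)=|$)", output)
        if m:
            raw[key] = m.group(1)
    parsed = {}
    for key in ("uid", "gid"):
        m = ENTRY_RE.fullmatch(raw.get(key, ""))
        if not m:
            raise ValueError(f"cannot parse {key} in {output!r}")
        parsed[key] = int(m.group(1))
        parsed[key + "_name"] = m.group(2)
    parsed["groups"] = {int(n): name for n, name in ENTRY_RE.findall(raw.get("groups", ""))}
    parsed["context"] = raw.get("context", "")
    return parsed


def check_identity(output, expected_uid, expected_gid, expected_gid_name,
                   expected_ad_group="domain users@EXAMPLE.NET",
                   expected_selinux_type="unconfined_t"):
    """Return findings (emp­ty means the mapping is what the trust or ID view intends)."""
    ident = parse_id(output)
    findings = []
    if ident["uid"] != expected_uid:
        findings.append(
            f"uid {ident['uid']} != {expected_uid}: override not applied or SSSD cache stale (sss_cache -E)"
        )
    if (ident["gid"], ident["gid_name"]) != (expected_gid, expected_gid_name):
        findings.append(
            f"primary group {ident['gid']}({ident['gid_name']}) != {expected_gid}({expected_gid_name})"
        )
    if expected_ad_group not in ident["groups"].values():
        findings.append(f"AD group {expected_ad_group!r} missing: trust lookup did not return it")
    if f":{expected_selinux_type}:" not in ident["context"]:
        findings.append(f"SELinux type is not {expected_selinux_type}: {ident['context']}")
    return findings


if __name__ == "__main__":
    print("trust:  ", check_identity(TRUST_ID, 211201105, 211201105, "aduser01@EXAMPLE.NET") or "OK")
    print("id view:", check_identity(IDVIEW_ID, 4321, 4321, "adusers") or "OK")
```

The uid 211201105 on the trust side is derived from the AD SID through the ID range ipa-adtrust-install created, which is why it looks nothing like the 4321 the view assigns; if the view is applied to the host but `id` still shows the SID-derived value, the finding points you at the cache flush the post performs.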

 

 

All good! Another one down!

 

EX362 Objective 10 – Backup and Restore IdM

Next stop, a biggie: Backup and Restore

Overview:

This is a relatively simple task but one point to remember is that sync sometimes breaks!

We are going to do the following:

  • Backup IdM
  • Restore IdM
  • Re-initialise sync

Part 1 – Backup IdM

[root@replica ~]# ipa-backup
Preparing backup on replica.red.example.net
Stopping IPA services
Backing up ipaca in RED-EXAMPLE-NET to LDIF
Backing up userRoot in RED-EXAMPLE-NET to LDIF
Backing up RED-EXAMPLE-NET
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20
The ipa-backup command was successful

The command takes approx 1 minute
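Added example, not from the original post: a Python check that finds the newest backup under /var/lib/ipa/backup using the ipa-full-YYYY-MM-DD-HH-MM-SS naming shown above (ipa-data-… for data-only backups is an assumption) and flags a missing or stale backup, so a backup you take once for the exam does not silently become the only one you have in production. The directory names in the test are constructed.

```python
"""Locate the newest ipa-backup directory and flag a stale or missing backup.

Added example, not from the original post. Assumes the naming shown above,
ipa-full-YYYY-MM-DD-HH-MM-SS under /var/lib/ipa/backup (and ipa-data-... for
the --data variant, an assumption).
"""
import os
import re
from datetime import datetime, timedelta

BACKUP_DIR = "/var/lib/ipa/backup"
NAME_RE = re.compile(r"^ipa-(full|data)-(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})$")


def parse_backup_name(name):
    """Return (kind, timestamp) for a backup directory name, or None if it is not one."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(2), "%Y-%m-%d-%H-%M-%S")
    except ValueError:                      # well-formed but impossible date
        return None
    return m.group(1), when


def newest_backup(names, kind="full"):
    """Return (name, timestamp) of the most recent backup of the given kind, or None."""
    best = None
    for name in names:
        parsed = parse_backup_name(name)
        if parsed and parsed[0] == kind and (best is None or parsed[1] > best[1]):
            best = (name, parsed[1])
    return best


def backup_status(names, now, max_age=timedelta(days=1), kind="full"):
    """Return (ok, message), judged against 'now' so the check is reproducible."""
    newest = newest_backup(names, kind)
    if newest is None:
        return False, f"no {kind} backup found"
    age = now - newest[1]
    if age > max_age:
        return False, f"newest {kind} backup {newest[0]} is {age} old (limit {max_age})"
    return True, f"newest {kind} backup {newest[0]} is {age} old"


def check_backup_dir(path=BACKUP_DIR, **kwargs):
    """Run the check against the real directory; a missing directory counts as no backups."""
    names = os.listdir(path) if os.path.isdir(path) else []
    return backup_status(names, datetime.now(), **kwargs)


if __name__ == "__main__":
    ok, message = check_backup_dir()
    print(("OK: " if ok else "WARN: ") + message)
```

Drop it into cron or a monitoring check on each master; ipa-backup stops IPA services while it runs, so a scheduled backup belongs on the replica you can afford to pause.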

 

Part 2 – Restore IdM

[root@replica ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20
Directory Manager (existing master) password:

Preparing restore from /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20 on replica.red.example.net
Performing FULL restore from FULL backup
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Disabling replication agreement on idm.red.example.net to replica.red.example.net
Disabling CA replication agreement on idm.red.example.net to replica.red.example.net
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in RED-EXAMPLE-NET
Restoring from ipaca in RED-EXAMPLE-NET
Restarting GSS-proxy
Starting IPA services
Restarting SSSD
Restarting oddjobd
Restoring umask to 18
The ipa-restore command was successful

The command takes approx 3 minutes

Part 3 – Re-initialise sync

[root@replica ~]# ipa-replica-manage re-initialize
re-initialize requires the option --from <host name>
[root@replica ~]# ipa-replica-manage re-initialize --from idm.red.example.net
Update in progress, 3 seconds elapsed
Update succeeded

Let’s create a user and ensure it appears in the GUI

[root@replica ~]# ipa user-add --first test --last user backuptest1
------------------------
Added user "backuptest1"
------------------------
User login: backuptest1
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/backuptest1
GECOS: test user
Login shell: /bin/bash
Principal name: backuptest1@RED.EXAMPLE.NET
Principal alias: backuptest1@RED.EXAMPLE.NET
Email address: backuptest1@red.example.net
UID: 677900502
GID: 677900502
Password: False
Member of groups: ipausers
Kerberos keys available: False

ex362-10-1

All good! Another one down!

EX362 Objective 8 – Configure Policies

Next stop, Policies

Overview:

Policies are a wide-ranging area

We are going to do the following:

  • Create a vault, add a file to it on one server and extract that file on another server
  • Create a HBAC service
  • Update Self Service
  • Configure Delegation
  • Configure OTP

Part 1 – KRA/VAULT

Firstly we need to run this installer (I run it on both idm and replica in turn)

ipa-kra-install

The installer will ask for the Directory Manager password and install the necessary bits; it takes approx 10 minutes

Then we create a vault and add a file to it

[root@idm ~]# kinit ops2
Password for ops2@RED.EXAMPLE.NET:
[root@idm ~]# ipa vault-add --type standard vault1
--------------------
Added vault "vault1"
--------------------
Vault name: vault1
Type: standard
Owner users: ops2
Vault user: ops2
[root@idm ~]# ipa vault-archive --in /etc/redhat-release vault1
---------------------------------
Archived data into vault "vault1"
---------------------------------

We can verify this using the GUI

ex362-8-1

Now the second element: we are going to retrieve this file on another server

[root@client ~]# ls /tmp/client1
ls: cannot access /tmp/client1: No such file or directory
[root@client ~]# kinit ops2
Password for ops2@RED.EXAMPLE.NET:
[root@client ~]# ipa vault-retrieve --out /tmp/client1 vault1
----------------------------------
Retrieved data from vault "vault1"
----------------------------------
[root@client ~]# cat /tmp/client1
CentOS Linux release 7.7.1908 (Core)

All done – moving on to the HBAC task

Part 2 – HBAC

Policy –> Host-Based Access Control –> HBAC Service Groups – click Add and configure it so it matches below screenshot

ex362-8-2

Then create the Rule by navigating to Policy –> Host-Based Access Control –> HBAC Rules – Click Add – choose the name as allow_idm_test and Add and Edit

Configure it so it matches below screenshot

ex362-8-3

Now we need to test it. The requirement here does not ask us to disable the ‘enable_all’ rule, which is the catch-all rule allowing all access; leaving it enabled effectively says “ignore all other rules”. The upside is that the GUI has a built-in testing mechanism

Policy –> Host-Based Access Control –> HBAC Test

Go through the wizard selecting the correct options and run test

ex362-8-4

Part 3 – Self Service

This is a mechanism to allow a user to edit parts of their own user details – the task is to allow users to update their email address – so let’s see what a user CAN edit when they login

ex362-8-5

If we login as the user into the IdM GUI – we can see the email address is fixed and there is no edit box.

Log back in as admin

Policy –> Host-Based Access Control –> Self Service Permissions and click Add and select the following options

ex362-8-6

Now log off and log back in as ops2 again and verify the field is now available

ex362-8-7

Part 4 – Delegations

Delegation is a mechanism that allows user x to edit the record of user y, but in a controlled, non-admin way

If we log in as dev1 we can see the user can view the record of ops2 but not change their email address

ex362-8-5

Log back into the GUI as admin

Policy –> Host-Based Access Control –> Delegations and click Add – and configure as below

ex362-8-8

Now we log in as dev1 and try to access the record of ops2

ex362-8-9

Easy peasy, next!

Part 5 – FreeOTP / Two Factor Authentication

In order to do 2FA you need to run a couple of commands on the server first

So let’s get a ticket

kinit admin

Then we generate and run the required script

ipa-advise config-server-for-smart-card-auth > smart.sh
chmod +x smart.sh
./smart.sh

If you don’t get the ticket first – it causes the script to fail

Once that’s done you can login as an Admin and tick the box for 2FA for any user (make sure you click Save)

ex362-8-10

Scroll back to the top and click Actions –> Add OTP Token (note it should be ops3 not ops2)

ex362-8-11

Leave all options as they are then presented and click Add – this will generate a code that you need to scan into your FreeOTP app

ex362-8-12

You can then log in using the user’s password followed immediately by the code, e.g.

securepassword6723568

Note that the above does seem to mess up kinit as per this bug
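To make the password + code login concrete, here is an added Python implementation (not from the original post) of the TOTP algorithm a FreeOTP token runs (RFC 6238: HMAC-SHA1, 30-second step, 6 digits, which is what the untouched token defaults above produce) together with the server-side split of the submitted string into static password and one-time code. The key is the RFC 6238 test vector, not a real token secret; the fixed 6-digit split and the ±1-step drift window are assumptions for illustration rather than IdM’s exact policy.

```python
"""RFC 6238 TOTP as a FreeOTP token computes it, plus the password+code split.

Added example, not from the original post. Defaults (SHA-1, 30 s, 6 digits)
match the token settings the post leaves untouched; the key below is the
RFC 6238 test vector, constructed for the demo, not a real token secret.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_KEY = b"12345678901234567890"       # RFC 6238 Appendix B test key (constructed)


def hotp(key, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6, algorithm=hashlib.sha1):
    """TOTP is HOTP with the counter set to the number of time steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits, algorithm)


def key_from_base32(secret):
    """FreeOTP QR codes carry the key as base32, usually without '=' padding."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


def split_password_and_otp(submitted, digits=6):
    """Assumption for the demo: the OTP is the fixed-length digit suffix of the password field."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        raise ValueError("no OTP suffix present")
    return submitted[:-digits], submitted[-digits:]


def verify_otp_login(submitted, stored_password, key, at, window=1, step=30, digits=6):
    """Check the static password, then accept the code for the current step or
    one step either side (clock drift). Comparisons are constant-time."""
    try:
        password, code = split_password_and_otp(submitted, digits)
    except ValueError:
        return False
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(key, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("current code for the test key:", totp(RFC_TEST_KEY))
```

The two halves are what matters operationally: the static password alone gets the user nowhere once the 2FA box is ticked, and a captured code is only good for the step it was minted in plus the drift window, which is why the post’s observation that kinit behaves differently afterwards is expected rather than a fault in the token.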

So a wide ranging topic but all good!

EX362 Objective 5 – REST API

Next stop, a bit of an odd-ball: the REST API

Overview:

This is a relatively simple task (if they give you a starter script). Otherwise it becomes more of a pain.

We are going to do the following:

  • Modify the API script so that it shows all details about the ops group

Part 1 – Environment Variables

So let’s grab the starter script from my GitHub

 

First we declare the variables:

export COOKIEJAR=/tmp/cookies
export ADMINPWD="LinuxBuff123."
export IDMSERVER="idm.blue.example.net"
export PAYLOAD='{"method":"group_find/1","params":[[""],{}],"id":0}'

Part 2 – Login Request

Next we need to perform a login request

echo "Logging into IdM"
curl -k \
-H "Referer:https://${IDMSERVER}/ipa" \
-H "Content-Type:application/x-www-form-urlencoded" \
-H "Accept:text/plain" \
-X POST \
-d "user=admin&password=${ADMINPWD}" \
-c $COOKIEJAR -b $COOKIEJAR \
https://${IDMSERVER}/ipa/session/login_password

If the above command has worked the cookiejar will be created – let’s take a look

# cat /tmp/cookies
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_idm.red.example.net FALSE /ipa TRUE 0 ipa_session MagBearerToken=z6hgcTXViRHfhInGBTjLCBHwMJANufgVu9A2bLTG2cggKlBwDZ8rFMe5qT%2b4cbL6oA0kcShyMGF398C5zFJZY9IaPdhpi2BQr42%2fY8fW8WD5eW2L6nbzCMGuL5m5fVZrIOJRS7XY%2br8f4i3ogJ6NY41MpKvg0AsMgxRJ5bk9BQI8asO7dn43UBJrZGa0GkRZ0fmkB2ZQFlfaKKfCz2gc8A%3d%3d

Part 3 – Identify Payload

So far so good. Once we have that, we subtly modify the command so that it no longer logs in but delivers a payload. My script template lists all groups

echo "List all the groups"
curl -k \
-H "Referer:https://${IDMSERVER}/ipa" \
-H "Content-Type:application/json" \
-H "Accept:text/json" \
-X POST \
-d "${PAYLOAD}" \
-c $COOKIEJAR -b $COOKIEJAR \
https://${IDMSERVER}/ipa/session/json

But the task is to change the script to get all info about the ops group, so to do that we have to run the command by hand and grab the payload. The command we want to replicate is

# kinit admin
# ipa group-show --all ops

So we have to run that command with the -vv option

# ipa -vv group-show --all ops

ex362-5-1

We can see the request parameters, and we need to scoop all of that up, as below:

{
    "id": 0,
    "method": "group_show/1",
    "params": [
        [
            "ops"
        ],
        {
            "all": true,
            "version": "2.231"
        }
    ]
}

Then we can collapse all of that onto a single line:

{ "id": 0, "method": "group_show/1", "params": [["ops"],{"all": true,"version": "2.231"}]}

and that’s our payload – let’s edit the script

export PAYLOAD='{ "id": 0, "method": "group_show/1", "params": [["ops"],{"all": true,"version": "2.231"}]}'

Let’s also make the output a little more readable – you can tack on | python -m json.tool or json_pp – on my system I have json_pp so I will update the curl to pipe it through that

ex362-5-2

Boom! Not too bad.

Bonus:

OK so two issues.

  1. How do you start the script if you don’t have an initial script?
  2. Where can you get more info on the API from?

#2 is easy – in the GUI you can click on API Browser as per the image below

ex362-5-3

But #1 is far more difficult. There is a way, but I don’t think it’s within the scope of the exam.

If you use Firefox you can open the developer tools (debug mode) by hitting F12 and then log in. You can then work out the headers and POST data needed to log in

Once you have done it a couple of times it isn’t so bad. But it’s way too web-devvy for the exam.
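
To tie Parts 1 to 3 and Bonus #1 together, here is an added example of a small helper library for the same JSON-RPC endpoint. It is not the exam starter script and not from the original post; it generalises the hard-coded PAYLOAD by building the request body for any method, positional argument and option, logs in with the session cookie, and checks the "error" field of the reply before pretty-printing. Assumptions: the admin password is exported in ADMINPWD (as in the post), the host is an enrolled client so the IdM CA certificate is at /etc/ipa/ca.crt (used instead of curl -k), API_VERSION is the "version" string copied from the ipa -vv output (2.231 above), and json_pp is installed.

```shell
#!/bin/sh
# Added example, not the exam starter script: helper functions for the IdM
# JSON-RPC endpoint shown above. Assumptions: ADMINPWD is exported, the IdM CA
# is in /etc/ipa/ca.crt (enrolled client), API_VERSION comes from `ipa -vv`.
set -eu

COOKIEJAR=${COOKIEJAR:-/tmp/cookies}
IDMSERVER=${IDMSERVER:-idm.blue.example.net}
API_VERSION=${API_VERSION:-2.231}

# ipa_payload METHOD [POSITIONAL ...] [-- key=value ...]
# Prints the JSON-RPC body for METHOD, mirroring what `ipa -vv` shows.
# "true"/"false" values become JSON booleans, everything else a JSON string;
# arguments must not contain double quotes or backslashes (no escaping here).
ipa_payload() {
    method=$1; shift
    args=""; opts=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        args="${args:+$args,}\"$1\""
        shift
    done
    [ $# -gt 0 ] && shift                     # drop the "--" separator
    while [ $# -gt 0 ]; do
        key=${1%%=*}; val=${1#*=}
        case $val in
            true|false) ;;
            *) val="\"$val\"" ;;
        esac
        opts="${opts:+$opts,}\"$key\":$val"
        shift
    done
    opts="${opts:+$opts,}\"version\":\"$API_VERSION\""
    printf '{"id":0,"method":"%s/1","params":[[%s],{%s}]}' "$method" "$args" "$opts"
}

# ipa_login USER : password login; the session cookie lands in COOKIEJAR.
# --data-urlencode keeps characters such as '&' in the password intact.
ipa_login() {
    : "${ADMINPWD:?export ADMINPWD first, never pass a password on the command line}"
    curl -sS --cacert /etc/ipa/ca.crt \
        -H "Referer: https://${IDMSERVER}/ipa" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Accept: text/plain" \
        -c "$COOKIEJAR" \
        --data-urlencode "user=$1" --data-urlencode "password=$ADMINPWD" \
        "https://${IDMSERVER}/ipa/session/login_password"
}

# ipa_call PAYLOAD : POST one JSON-RPC request using the saved session cookie.
ipa_call() {
    curl -sS --cacert /etc/ipa/ca.crt \
        -H "Referer: https://${IDMSERVER}/ipa" \
        -H "Content-Type: application/json" \
        -H "Accept: application/json" \
        -b "$COOKIEJAR" -c "$COOKIEJAR" \
        --data "$1" \
        "https://${IDMSERVER}/ipa/session/json"
}

# ipa_check RESPONSE : succeed only when the server answered "error": null;
# otherwise print the raw response to stderr so the message is not lost.
ipa_check() {
    case $1 in
        *'"error": null'*|*'"error":null'*) return 0 ;;
    esac
    printf 'IdM API call failed: %s\n' "$1" >&2
    return 1
}

# Run the objective end to end:  IPA_RUN=1 ADMINPWD='...' sh ipa-api.sh
if [ "${IPA_RUN:-0}" = 1 ]; then
    ipa_login admin >/dev/null
    resp=$(ipa_call "$(ipa_payload group_show ops -- all=true)")
    ipa_check "$resp"
    printf '%s\n' "$resp" | json_pp
fi
```

With the functions sourced, `ipa_payload group_show ops -- all=true` prints exactly the single-line payload derived above, and `ipa_payload group_find ""` reproduces the starter script's list-all-groups request (plus the version option). Nothing touches the network unless IPA_RUN=1 is set, so the file is safe to source just for the payload builder.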

EX362 Objective 4 – Automated Home Directory

Next stop, time to get serious – let’s configure some Automated Home Directories

Overview:

This is where things start getting tough, we are going to set up a Kerberos-aware NFS Server and configure NFS Clients to use Kerberos Authentication. This is an area where there is lots of variance in other guides. Use mine, it’s better.

We are going to do the following:

    1. Configure utility.blue.example.net to act as a NFS server with the following attributes:
      • The NFS service should run using the Kerberos service principal nfs/utility.blue.example.net, with its key stored in /etc/krb5.keytab
      • The NFS service should auto-start with the server at boot time
      • Create and export /export/home using the security options krb5, krb5i and krb5p
    2. Configure client.blue.example.net to act as a NFS client
    3. On utility.blue.example.net do the following:
      • Create a user called nfsuser1 with password linuxbuff
      • Pre-create its home directory in /export/home/nfsuser1
    4. Test on idm.blue.example.net (ensure there are no Kerberos tickets) for nfsuser1 and then ssh across to client.blue.example.net – the user should log in WITH a password and its home directory should be auto-mounted from utility.blue.example.net

Part 1 – Configure NFS Server

Get an admin ticket

kinit admin

Add the Service

ipa service-add nfs/utility.red.example.net

Pull the keytab into the standard location

ipa-getkeytab -s idm.red.example.net -p nfs/utility.red.example.net -k /etc/krb5.keytab

Install NFS software

yum install -y nfs-utils

Make the export home directory

mkdir -p /export/home
echo "/export/home *(rw,sec=krb5:krb5i:krb5p)" >> /etc/exports

Note that I am using krb5, krb5i and krb5p options only – so use Kerberos or don’t get in

Configure all services

ipa-client-automount -U
systemctl enable nfs-secure nfs-server rpcbind rpcidmapd --now
exportfs -rav
exportfs -sv
showmount -e utility.red.example.net

Add the following firewall services

firewall-cmd --add-service=nfs --add-service=nfs3 --add-service=rpc-bind --add-service=mountd --permanent
firewall-cmd --reload

My tip here is to enable more rather than less. It’s better to lose a few points for a slightly less secure service than to lose more points for an inaccessible system

Now we need to test from the client

[root@client ~]# showmount -e utility
Export list for utility:
/export/home *

Part 2 – Configure IdM

Network Services –> Automount –> Default and click Add – select options as below

ex362-4-1

Then click on auto.home and then Add – and enter details as below

ex362-4-2

Part 3 – Configure the client

ipa-client-automount -U
systemctl enable rpcidmapd --now
systemctl enable rpcgssd --now
systemctl enable nfs --now

Part 4 – Create the user and pre-create its home directory on the NFS server

ipa user-add --first first --last user --password nfsuser01
mkhomedir_helper nfsuser01
mv /home/nfsuser01 /export/home

Part 5 – Test

On the idm server – remove all tickets

kdestroy -A

Now let’s test logging in (and changing password as needed)

[root@idm ~]# ssh nfsuser01@client.red.example.net
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
[nfsuser01@client ~]$ id
uid=432800009(nfsuser01) gid=432800009(nfsuser01) groups=432800009(nfsuser01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[nfsuser01@client ~]$ pwd
/home/nfsuser01
[nfsuser01@client ~]$ df | grep nfs
utility.red.example.net:/export/home/nfsuser01 6486016 1736704 4749312 27% /home/nfsuser01

Verify it’s using Kerberos (look for sec=krb5)

[nfsuser01@client ~]$ mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
utility.red.example.net:/export/home/nfsuser01 on /home/nfsuser01 type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.122.73,local_lock=none,addr=192.168.122.74)

All done – we now have configured Automated Home Directories
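
The "look for sec=krb5" check in Part 5 is easy to eyeball once, but on a system with several NFS mounts it is worth scripting. The following is an added example, not from the original post: it parses `mount` output on a client and `/etc/exports` on a server and flags any NFS mount or export that does not use krb5, krb5i or krb5p (NFS falls back to AUTH_SYS when no sec= is given). The sample mount and exports lines are constructed for the demo; the krb5 mount line mirrors the one verified above, the second mount and second export are deliberately weak. On a real host run `mount | audit_nfs_mounts` and `audit_exports < /etc/exports`.

```shell
#!/bin/sh
# Added example (not from the original post): audit NFS mounts and exports for
# Kerberos security flavours. Sample lines below are constructed for the demo.
set -eu

# nfs_sec_flavour MOUNT_LINE : print the sec= value from one `mount` line,
# or "sys" when no sec= option is present (AUTH_SYS is the NFS default).
nfs_sec_flavour() {
    opts=${1##*\(}; opts=${opts%\)}
    sec=sys
    oldifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in sec=*) sec=${opt#sec=} ;; esac
    done
    IFS=$oldifs
    printf '%s\n' "$sec"
}

# audit_nfs_mounts : read `mount` output on stdin, print OK/WEAK per NFS mount
# and return 1 if any mount is not using krb5, krb5i or krb5p.
audit_nfs_mounts() {
    rc=0
    while IFS= read -r line; do
        case $line in *" type nfs "*|*" type nfs4 "*) ;; *) continue ;; esac
        mp=${line#* on }; mp=${mp%% *}
        sec=$(nfs_sec_flavour "$line")
        case $sec in
            krb5|krb5i|krb5p) printf 'OK   %s sec=%s\n' "$mp" "$sec" ;;
            *)                printf 'WEAK %s sec=%s\n' "$mp" "$sec"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_exports : read /etc/exports on stdin, print OK/WEAK per export and
# return 1 if any export lacks sec= or lists a non-Kerberos flavour.
# Limitation: one client spec per line; only the last sec= list is inspected.
audit_exports() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        path=${line%% *}
        case $line in
            *sec=*) secs=${line##*sec=}; secs=${secs%%,*}; secs=${secs%%\)*} ;;
            *)      secs=sys ;;
        esac
        weak=0
        oldifs=$IFS; IFS=:
        for f in $secs; do
            case $f in krb5|krb5i|krb5p) ;; *) weak=1 ;; esac
        done
        IFS=$oldifs
        if [ "$weak" -eq 0 ]; then
            printf 'OK   %s sec=%s\n' "$path" "$secs"
        else
            printf 'WEAK %s sec=%s\n' "$path" "$secs"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: the krb5 mount mirrors the verified one above; the
# second NFS mount and the second export are deliberately weak.
MOUNT_SAMPLE='sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
utility.red.example.net:/export/home/nfsuser01 on /home/nfsuser01 type nfs4 (rw,relatime,vers=4.1,sec=krb5,clientaddr=192.168.122.73,addr=192.168.122.74)
utility.red.example.net:/export/scratch on /mnt/scratch type nfs (rw,relatime,vers=3,sec=sys,addr=192.168.122.74)'
EXPORTS_SAMPLE='# /etc/exports (constructed sample)
/export/home *(rw,sec=krb5:krb5i:krb5p)
/export/scratch *(rw,sec=sys:krb5)'

# Demo on the samples; on a real host: mount | audit_nfs_mounts
printf '%s\n' "$MOUNT_SAMPLE"   | audit_nfs_mounts || echo "at least one NFS mount is not Kerberos-secured"
printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports    || echo "at least one export still admits AUTH_SYS clients"
```

The exports check is the one that matters for the "use Kerberos or don't get in" intent above: an export whose sec= list contains sys, or has no sec= at all, still lets unauthenticated clients mount it, even if every client you tested happened to negotiate krb5.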