How I selected my Red Hat CoE Exams

So it would seem that my Red Hat journey will end soon: EX362 will be my fifth and last exam under the Red Hat Learning Subscription. I wanted to talk through how I chose my exams.

I wanted exams that were relevant to me, either in a field I was aiming to go, or to enhance my knowledge in an area. I didn’t want to do exams that I didn’t feel were relevant to the UK job market.

Red Hat has really gone two ways: it’s either Ansible or OpenShift. They are its two areas of focus. I attended a Red Hat conference 18 months ago and this message was loud and clear.

I had already been doing Ansible, but OpenShift was new to me, and this was my main area of focus. It picked itself, I wanted to learn OpenShift and so EX280 was number 1 in my list.

The next one also picked itself: I wanted to be “THE Ansible guy” at work, so I wanted to absorb as much as possible. So Ansible Best Practices, or Advanced Ansible EX447, went into #2 position.

There wasn’t anything else that screamed “Pick me!” from the list, so I had a little creative license. Red Hat Security EX415 was very similar to my (very) old EX413 exam I did. It looked like fun, so it found its way onto my list at #3.

Next I wanted a toughie, I wasn’t interested in padded records or nothing exams like EX318. I had identified EX342 Troubleshooting and EX442 Performance Tuning as the two toughest exams. EX442 being the tougher of the two. EX342 is tough because you are fixing things that could be broken in any number of ways – and in an exam situation without Google this could be tough.

I initially picked EX442 but it bored me senseless.


So I started EX342, I knew this would provide me valuable skills. So this became #4.

And then I had one slot left, and my pick was …. EX403 Satellite Server, but I had a problem in that they were rewriting the course from v6.2.1 to v6.6 and there wasn’t a clear timeframe as to when this would happen. So I went through the remaining exams and picked EX362 Identity Management.

Now EX362 may seem a strange pick, but EX342 had taught me a fair bit of LDAP + Kerberos and this forms the backbone of EX362. Also at work this was a growth area, so EX362 took my final slot.

So my list became:

#1 EX280 OpenShift Administration

#2 EX447 Advanced Ansible Best Practices

#3 EX415 Linux Security

#4 EX342 Linux Troubleshooting

#5 EX362 Identity Management


Unfortunately, because of a rule change (or rather a loophole being closed), my journey ends there. Initially, if you didn’t fail any exams you could do additional exams using your retake allocation, but that’s been stopped now. It’s a shame as I would have liked to have done EX403 Satellite v6.6 and EX442 Performance Tuning.


Red Hat Cancelled my Exam

So with 20 hours before my scheduled Exam in the UK, Red Hat cancelled all exams due to the Coronavirus.

Very frustrating obviously, but by the same token completely understandable. So now the personal challenge is to stay ready for when testing facilities reopen.

I don’t have long left of my RHLS, so I am in discussion with Red Hat about what happens next.

This Coronavirus has invaded normal life, let’s hope everything gets back to normal.

EX362 Objective 12 – Single Sign On

Next stop, a simple one once you have done it a couple of times – we are going to configure an SSO using httpd


but first some housekeeping …

Hit like if you like this post and would like to see more like it, or follow to be kept informed of any new posts



This is a relatively simple task but one point to remember is that sync sometimes breaks!


Let’s do this!

Install httpd server

yum install -y httpd mod_auth_kerb


Get an admin ticket

kinit admin

Add service and pull down into keytab

ipa service-add HTTP/
ipa-getkeytab -s -p HTTP/ -k /etc/httpd/http.keytab
chown apache:apache /etc/httpd/http.keytab

Let’s create our top-secret area

mkdir /var/www/html/secret/
echo linuxbuff > /var/www/html/secret/index.html


Let’s create our config file

[root@utility ~]# rpm -ql mod_auth_kerb

cp /usr/share/doc/mod_auth_kerb-5.4/example.conf /etc/httpd/conf.d/secret.conf


let’s edit it as follows

<Location /secret>
    AuthType Kerberos
    # AuthName is carried over from mod_auth_kerb's example.conf
    AuthName "Kerberos Login"
    # accept SPNEGO tickets only; never fall back to prompting for a Kerberos password
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Krb5KeyTab /etc/httpd/http.keytab
    require user ops2@RED.EXAMPLE.NET dev1@RED.EXAMPLE.NET
</Location>


Start services

systemctl enable httpd --now
firewall-cmd --add-service=http --permanent
firewall-cmd --reload


Now using my workstation I do the following

yum install -y krb5-workstation
scp /tmp/krb5.conf
export KRB5_CONFIG=/tmp/krb5.conf
kinit dev1

Enter about:config and update the item highlighted


Now let’s try and login


and boom!



All good! Another one down!


EX362 Objective 9 – Certificate Authority

Next stop, another toughie – Certificates





I am not a fan of this area – I admit to not fully understanding it myself – so here goes nothing


We are going to do the following:

  • Create a NSS Certificate Database
  • Create a Certificate (CSR + Cert)
  • Certificate Lifecycle work
  • Configure IdM for Certificate SSO
  • Install and Configure vsftpd SSO

Part 1 – Create a NSS Certificate Database

I never remember the syntax so I “cheat” – if you go into IdM and Certificates you can grab the command you need to run from there

Authentication –> Certificates –> Click Issue and you can see the commands in there


So let’s run those commands

Create the directory first, otherwise the command fails

mkdir ~/dev1

Now create the NSS Certificate Database

[root@idm ~]# certutil -N -d ~/dev1
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[root@idm ~]# ls ~/dev1/
cert8.db key3.db secmod.db


Part 2 – Create a Certificate (CSR + Cert)

Let’s create the CSR – now you can do this two ways. I like to grab the output by redirecting it to a file, but this is not necessary – either way you will need to copy/paste it into the GUI

[root@idm ~]# certutil -R -d ~/dev1 -a -g 2048 -s 'CN=dev1,O=RED.EXAMPLE.NET'
Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter

Continue typing until the progress meter is full:


Finished. Press enter to continue:

Generating key. This may take a few moments...

Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: dev1
Email: (not specified)
Organization: RED.EXAMPLE.NET
State: (not specified)
Country: (not specified)



Now you need to copy and paste that CSR into the GUI (the blue part)


If we click Refresh we can see the new Cert


Now we need to download it and add it to the NSS Certificate Database. Make a note of that number 19, that’s the Certificate ID

kinit admin

[root@idm ~]# ipa cert-show 19 --certificate-out dev1.pem

[root@idm ~]# file dev1.pem
dev1.pem: PEM certificate


Now man certutil and get the syntax to add a certificate to the database

#  certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]

let’s adjust that to our environment

[root@idm ~]# certutil -A -d ~/dev1 -n dev1 -t "P,," -i dev1.pem

List the keys (with their certificate nicknames) in the NSS Certificate Store

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1


Part 3 – Certificate Lifecycle work

So now the task is to repeat the exercise to generate a new cert

So let’s generate a CSR (same command as last time)

Note if we were renewing we would use the -k flag and add the ID e.g. NSS Certificate DB:dev1

[root@idm ~]# certutil -R -d ~/dev1 -a -g 2048 -s 'CN=dev1,O=RED.EXAMPLE.NET'

once again – copy and paste into the GUI and now we have number 20


The user dev1 has 2 certificates – let’s revoke the original (#19) – navigate to the user and see that there are 2 certificates


Click Actions –> Revoke –> Revoke


Now we need to download the new cert and add to database

[root@idm ~]# ipa cert-show 20 --certificate-out dev1.pem

[root@idm ~]# certutil -A -d ~/dev1 -n dev1 -t "P,," -i dev1.pem

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1
< 1> rsa f0c153878541cf98b7ad3290892372b28e2b3edf NSS Certificate DB:dev1



Part 4 – Configure IdM for Certificate SSO

This also uses the same script we created in Part 8


Then we need to convert the cert into a .p12 format

[root@idm ~]# certutil -K -d ~/dev1
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa d1ff24324a58a56f970a0fcb1333cbbb16b2dc30 NSS Certificate DB:dev1
< 1> rsa f0c153878541cf98b7ad3290892372b28e2b3edf NSS Certificate DB:dev1
[root@idm ~]# man pk12util
[root@idm ~]# pk12util -d ~/dev1 -o dev1.p12 -n dev1
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:

Move that file to the same machine running Firefox

Import CA

Let’s open Firefox and configure it

Click the Configured button and go through the Wizard to add the CA certificate


Import Cert

Follow the images below to import into Firefox and use


Part 5 – Install and Configure vsftpd SSO


This is another toughie – we are going to need semanage so let’s install that along with vsftpd

yum install -y policycoreutils-python vsftpd


Let’s create the directory for the certificates and update selinux

mkdir /etc/vsftpd/certs
semanage fcontext -a -t cert_t "/etc/vsftpd/certs(/.*)?"
restorecon -Rv /etc/vsftpd/


Let’s create the service principal

kinit admin
ipa service-add ftp/


Let’s get some certificates

ipa-getcert request -f /etc/vsftpd/certs/cert.pem -k /etc/vsftpd/certs/cert.key -K ftp/ -D
New signing request "20200311082308" added.
# ls /etc/vsftpd/certs/
cert.key  cert.pem


Now we have to configure vsftpd – add the following lines (note use man vsftpd.conf to get the syntax in an exam)



Note that 10000 is just a port I picked so it’s easy to open the firewall for FTP’s passive data port, which is normally dynamically assigned
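As an added example (my own, not the blog’s vsftpd.conf, which was an image in the post), here are the TLS lines for this setup using the certificate paths and the port 10000 from above, wrapped in shell functions so the fragment can be checked before it is appended. The option names are standard vsftpd.conf keys; the rules in the check function are my own.

```shell
#!/bin/bash
# Added example, not the blog's own config: vsftpd TLS settings for the IdM-issued
# ftp/ certificate, generated and sanity-checked before being appended.
set -u

VSFTPD_CONF=/etc/vsftpd/vsftpd.conf

# Print the TLS fragment. Args: cert path, key path, passive data port.
vsftpd_tls_conf() {
    local cert="${1:-/etc/vsftpd/certs/cert.pem}"
    local key="${2:-/etc/vsftpd/certs/cert.key}"
    local port="${3:-10000}"
    cat <<EOF
# --- TLS using the IdM-issued ftp/ service certificate ---
ssl_enable=YES
rsa_cert_file=${cert}
rsa_private_key_file=${key}
# no cleartext logins or data transfers for local users
force_local_logins_ssl=YES
force_local_data_ssl=YES
# TLS only, strong ciphers; lftp does not resume the TLS session on the data channel
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
# pin the passive data port so one firewall rule (10000/tcp) covers it
pasv_enable=YES
pasv_min_port=${port}
pasv_max_port=${port}
EOF
}

# Read the value of one key from vsftpd.conf-style text (last occurrence).
vsftpd_get() {
    local key="$1" text="$2"
    printf '%s\n' "$text" | sed -n "s/^${key}=//p" | tail -n 1
}

# Checks a defender wants before restarting the service: TLS must be on AND forced
# for data, the passive range must be a single pinned port, and if the key file
# exists it must not be readable by other users.
vsftpd_check_tls() {
    local text="$1" key
    [ "$(vsftpd_get ssl_enable "$text")" = "YES" ] || return 1
    [ "$(vsftpd_get force_local_data_ssl "$text")" = "YES" ] || return 1
    [ "$(vsftpd_get pasv_min_port "$text")" = "$(vsftpd_get pasv_max_port "$text")" ] || return 1
    key="$(vsftpd_get rsa_private_key_file "$text")"
    if [ -f "$key" ]; then
        [ "$(stat -c %a "$key")" = "600" ] || return 1
    fi
    return 0
}

# Append the fragment once (skipped if ssl_enable is already set) after checking it.
vsftpd_apply_tls() {
    local frag
    frag="$(vsftpd_tls_conf "$@")"
    grep -q '^ssl_enable=' "$VSFTPD_CONF" && return 0
    vsftpd_check_tls "$frag" || return 1
    printf '%s\n' "$frag" >> "$VSFTPD_CONF"
}
```

Run vsftpd_apply_tls as root and then restart vsftpd; the lftp session later in the post is the end-to-end check that AUTH TLS and PROT P are actually negotiated.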


Let’s configure firewall and services

firewall-cmd --add-service=ftp --permanent
firewall-cmd --add-port=10000/tcp --permanent
firewall-cmd --reload
systemctl enable vsftpd --now


Let’s create a local user to use

useradd --home=/export/home/localuser -m localuser
echo linuxbuff | passwd --stdin localuser




Let’s test from another server using lftp

[root@client ~]# lftp -e debug
lftp> user localuser
lftp> ls
---- Connecting to ( port 21
<--- 220 (vsFTPd 3.0.2)
---> FEAT
<--- 211-Features:
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
<--- 234 Proceed with negotiation.
Certificate: O=RED.EXAMPLE.NET,
 Issued by: O=RED.EXAMPLE.NET,CN=Certificate Authority
<--- 200 Always in UTF8 mode.
---> USER localuser
<--- 331 Please specify the password.
<--- 230 Login successful.       
---> PWD
<--- 257 "/export/home/localuser"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (192,168,122,74,39,16).
---- Connecting data socket to ( port 10000
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: O=RED.EXAMPLE.NET,
 Issued by: O=RED.EXAMPLE.NET,CN=Certificate Authority
---- Got EOF on data connection
---- Closing data socket
<--- 226 Directory send OK.


There we have it, I have seen a lot of guides that don’t properly set up the firewall or test it fully.





EX362 Objective 7 – Integrate IdM with Active Directory

Next stop, a biggie, AD integration





This is a relatively simple task (if they give you a starter script). Otherwise it becomes more of a pain.


We are going to do the following:

  • Configure an Active Directory Trust
  • Configure a Direct AD connection (without IdM)
  • Configure ID View


Part 1 – AD Trust

This requires software and firewall rules – but we already set that up when we installed IdM here

So the rough sequence is:

  • Install IdM to AD Trust Software (already done)
  • Configure Firewall (already done)
  • Add DNS records
  • Add AD Trust



DNS Records are set on AD and a forwarder is added to IdM – essentially everything should be able to resolve everything

First let’s disable DNSSEC – on both idm and replica

sed 's/dnssec-validation yes/dnssec-validation no/' /etc/named.conf -i
systemctl restart named-pkcs11.service


Now let’s add records to Windows


Once done – add a DNS forwarder using the IdM GUI


Once done – test using dig

dig @
dig -t SRV @
dig -t SRV @


Now let’s install the software before setting up the trust – run on both servers (just in case) – note: say yes to everything


[root@idm ~]# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [RED]: REDEXAMPLE

WARNING: 12 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
[1/25]: validate server hostname
[2/25]: stopping smbd
[3/25]: creating samba domain object
[4/25]: creating samba config registry
[5/25]: writing samba config file
[6/25]: adding cifs Kerberos principal
[7/25]: adding cifs and host Kerberos principals to the adtrust agents group
[8/25]: check for cifs services defined on other replicas
[9/25]: adding cifs principal to S4U2Proxy targets
[10/25]: adding admin(group) SIDs
[11/25]: adding RID bases
[12/25]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[13/25]: activating CLDAP plugin
[14/25]: activating sidgen task
[15/25]: map BUILTIN\Guests to nobody group
[16/25]: configuring smbd to start on boot
[17/25]: adding special DNS service records
[18/25]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/25]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/25]: adding fallback group
[21/25]: adding Default Trust View
[22/25]: setting SELinux booleans
[23/25]: starting CIFS services
[24/25]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
[25/25]: restarting smbd
Done configuring CIFS.

Setup complete

You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details




Add AD Trust

IPA Server –> Trusts and click Add – set the options as per below and hopefully it should add a trust


Once done – we will test using command line

[root@idm ~]# getent passwd

[root@idm ~]# ssh
Creating home directory for
-sh-4.2$ id
uid=211201105(aduser01@EXAMPLE.NET) gid=211201105(aduser01@EXAMPLE.NET) groups=211201105(aduser01@EXAMPLE.NET),211200513(domain users@EXAMPLE.NET) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


That’s it – we have an AD trust set up.

Note that we are testing by logging onto replica and not client because client has automounted home directories so we don’t want to clash with other objectives


Part 2 – AD Direct


This is where a single server joins a Windows domain directly

On the generic server – Install realmd software (we will work out other elements later)

yum -y install realmd


Update DNS to point to Windows AD

nmcli con mod System\ eth0 ipv4.dns
nmcli con up System\ eth0


Test DNS records

dig -t SRV
dig -t SRV


Run a discover command (which has the bonus of giving us a required software list)

[root@generic ~]# realm discover -v
* Resolving:
* Performing LDAP DSE lookup on:
* Successfully discovered: EXAMPLE.NET
type: kerberos
realm-name: EXAMPLE.NET
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
type: kerberos
realm-name: EXAMPLE.NET
configured: no


See all those required packages? We need all of those – so let’s install them

yum install -y sssd oddjob oddjob-mkhomedir adcli samba-common-tools


Now we are ready to join the domain

realm join -v

This will ask for an Administrator user


We can now test it

getent passwd


So far so good, but the task also says to update the system so it can login using software and update its home directory, so let’s update /etc/sssd/sssd.conf

use_fully_qualified_names = False
fallback_homedir = /home/%u

Let’s restart sssd and clear its cache

systemctl stop sssd
sss_cache -E
systemctl start sssd


Now the final test

[root@generic ~]# ssh aduser01@generic
aduser01@generic's password:
Last login: Thu Mar 5 22:07:42 2020 from
[aduser01@generic ~]$ pwd


A direct realmd connection is often used alongside samba – which we are not doing here but worth bearing in mind.


Part 3 – ID Views

ID View is a mechanism to override items, similar to what we did in the sssd.conf file in the AD Direct task, but doing so globally.

So let’s create the framework of what we want the user to inherit – so local group and directory

mkdir -p /adhome/aduser02-idview
groupadd -g 4321 adusers

chown 4321:4321 /adhome #just in case

Now we need to go into the GUI

Identity –> ID Views Click Add – enter a name and then Add and Edit

Click Hosts and add client

Click Users –> Add and enter information as follows


Let’s restart sssd and clear its cache

systemctl stop sssd
sss_cache -E
systemctl start sssd


Finally, SELinux is going to throw a wobbly unless we set the context of the new home directory properly

[root@client ~]# semanage fcontext -a -t home_root_t "/adhome(/.*)?"
[root@client ~]# restorecon -Rv /adhome


Time to try it

[root@client ~]# ssh
Last login: Tue Mar 10 09:17:18 2020 from
-sh-4.2$ id
uid=4321(aduser02@EXAMPLE.NET) gid=4321(adusers) groups=4321(adusers),211200513(domain users@EXAMPLE.NET) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ pwd



All good! Another one down!


EX362 Objective 10 – Backup and Restore IdM

Next stop, a biggie, Backup and Restore





This is a relatively simple task but one point to remember is that sync sometimes breaks!


We are going to do the following:

  • Backup IdM
  • Restore IdM
  • Re-initialise sync

Part 1 – Backup IdM

[root@replica ~]# ipa-backup
Preparing backup on
Stopping IPA services
Backing up ipaca in RED-EXAMPLE-NET to LDIF
Backing up userRoot in RED-EXAMPLE-NET to LDIF
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20
The ipa-backup command was successful

The command takes approx 1 minute


Part 2 – Restore IdM

[root@replica ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20
Directory Manager (existing master) password:

Preparing restore from /var/lib/ipa/backup/ipa-full-2020-03-10-11-19-20 on
Performing FULL restore from FULL backup
Temporary setting umask to 022
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Disabling replication agreement on to
Disabling CA replication agreement on to
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in RED-EXAMPLE-NET
Restoring from ipaca in RED-EXAMPLE-NET
Restarting GSS-proxy
Starting IPA services
Restarting SSSD
Restarting oddjobd
Restoring umask to 18
The ipa-restore command was successful


The command takes approx 3 minutes


Part 3 – Re-initialise sync

[root@replica ~]# ipa-replica-manage re-initialize
re-initialize requires the option --from <host name>
[root@replica ~]# ipa-replica-manage re-initialize --from
Update in progress, 3 seconds elapsed
Update succeeded

Let’s create a user and ensure it appears in the GUI

[root@replica ~]# ipa user-add --first test --last user backuptest1
Added user "backuptest1"
User login: backuptest1
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/backuptest1
GECOS: test user
Login shell: /bin/bash
Principal name: backuptest1@RED.EXAMPLE.NET
Principal alias: backuptest1@RED.EXAMPLE.NET
Email address:
UID: 677900502
GID: 677900502
Password: False
Member of groups: ipausers
Kerberos keys available: False



All good! Another one down!


EX362 Objective 8 – Configure Policies

Next stop, Policies





Policies is a wide ranging area


We are going to do the following:

  • Create a vault, add a file to it on one server and extract that file on another server
  • Create a HBAC service
  • Update Self Service
  • Configure Delegation
  • Configure OTP


Part 1 – KRA/VAULT

Firstly we need to run this script (I run it on both idm and replica in turn)


The script will ask for the password of the Directory Admin and install the necessary bits, it takes approx 10 minutes

Then we create a vault and add a file to it

[root@idm ~]# kinit ops2
Password for ops2@RED.EXAMPLE.NET:
[root@idm ~]# ipa vault-add --type standard vault1
Added vault "vault1"
Vault name: vault1
Type: standard
Owner users: ops2
Vault user: ops2
[root@idm ~]# ipa vault-archive --in /etc/redhat-release vault1
Archived data into vault "vault1"

We can verify this using the GUI



Now the second element, we are going to extract this file on another server

[root@client ~]# ls /tmp/client1
ls: cannot access /tmp/client1: No such file or directory
[root@client ~]# kinit ops2
Password for ops2@RED.EXAMPLE.NET:
[root@client ~]# ipa vault-retrieve --out /tmp/client1 vault1
Retrieved data from vault "vault1"
[root@client ~]# cat /tmp/client1
CentOS Linux release 7.7.1908 (Core)


All done – moving onto HBAC task



Policy –> Host-Based Access Control –> HBAC Service Groups – click Add and configure it so it matches below screenshot


Then create the Rule by navigating to Policy –> Host-Based Access Control –> HBAC Rules – Click Add – choose the name as allow_idm_test and Add and Edit

Configure it so it matches below screenshot


Now we need to test it – the requirement here shows that we don’t need to disable the ‘enable_all’ rule which is the catchall rule which allows all access. Without disabling this rule we are effectively saying “ignore all other rules”. The up-side is that the GUI has a built-in testing mechanism

Policy –> Host-Based Access Control –> HBAC Test

Go through the wizard selecting the correct options and run test



Part 3 – Self Service

This is a mechanism to allow a user to edit parts of their own user details – the task is to allow users to update their email address – so let’s see what a user CAN edit when they login


If we login as the user into the IdM GUI – we can see the email address is fixed and there is no edit box.

Log back in as admin

Policy –> Host-Based Access Control –> Self Service Permissions and click Add and select the following options


Now log off and log back in as ops2 again and verify the field is now available



Part 4 – Delegations

Delegations is a mechanism to allow user x to edit the record of user y, but in a controlled non-admin way

If we log in as dev1 we can see the user can view the record of ops2 but not change their email address


Log back into the GUI as admin

Policy –> Host-Based Access Control –> Delegations and click Add – and configure as below


Now we log in as dev1 and try to access the record of ops2


Easy peasy, next!


Part 5 – Free OTP / Two Factor Authentication


In order to do 2FA you need to run a couple of commands on the server first

So let’s get a ticket

kinit admin

Then we generate and run the required script

ipa-advise config-server-for-smart-card-auth >
chmod +x

If you don’t get the ticket first – it causes the script to fail

Once that’s done you can login as an Admin and tick the box for 2FA for any user (make sure you click Save)


Scroll back to the top and click Actions –> Add OTP Token (note it should be ops3 not ops2)


Leave all options as they are then presented and click Add – this will generate a code that you need to scan into your FreeOTP app



You can then login using the users password + the code e.g.



Note that the above does seem to mess up kinit as per this bug

So a wide ranging topic but all good!

EX362 Objective 5 – REST API

Next stop, a bit of an odd-ball: the API





This is a relatively simple task (if they give you a starter script). Otherwise it becomes more of a pain.


We are going to do the following:

  • Modify the API script found here so that it shows all details about the ops group


Part 1 – Environment Variables

So let’s grab the starter script from my github here


First we declare the variables:

export COOKIEJAR=/tmp/cookies
export ADMINPWD="LinuxBuff123."
export IDMSERVER=""
export PAYLOAD='{"method":"group_find/1","params":[[""],{}],"id":0}'


Part 2 – Login Request

Next we need to perform a login request

echo "Logging into IdM"
curl -k \
-H "Referer:https://${IDMSERVER}/ipa" \
-H "Content-Type:application/x-www-form-urlencoded" \
-H "Accept:text/plain" \
-d "user=admin&password=${ADMINPWD}" \

If the above command has worked the cookiejar will be created – let’s take a look

# cat /tmp/cookies
# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.
 FALSE /ipa TRUE 0 ipa_session MagBearerToken=z6hgcTXViRHfhInGBTjLCBHwMJANufgVu9A2bLTG2cggKlBwDZ8rFMe5qT%2b4cbL6oA0kcShyMGF398C5zFJZY9IaPdhpi2BQr42%2fY8fW8WD5eW2L6nbzCMGuL5m5fVZrIOJRS7XY%2br8f4i3ogJ6NY41MpKvg0AsMgxRJ5bk9BQI8asO7dn43UBJrZGa0GkRZ0fmkB2ZQFlfaKKfCz2gc8A%3d%3d



Part 3 – Identify Payload

So far so good. Once we have that, we subtly modify the command to not log in but to deliver a payload. My script template lists all groups

echo "List all the groups"
curl -k \
-H "Referer:https://${IDMSERVER}/ipa" \
-H "Content-Type:application/json" \
-H "Accept:text/json" \
-d "${PAYLOAD}" \


but the task is to change the script to get all info about the ops group – so in order to do that we have to run the command by hand and grab the payload. The command we want to replicate is

# kinit admin
# ipa group-show --all ops

So we have to run that command with the -vv option

#  ipa -vv group-show --all ops


We can see the request parameters and we need to scoop all that up, which is below:

{
    "id": 0,
    "method": "group_show/1",
    "params": [
        [
            "ops"
        ],
        {
            "all": true,
            "version": "2.231"
        }
    ]
}

Then we can convert all that onto a single line


{ "id": 0, "method": "group_show/1", "params": [["ops"],{"all": true,"version": "2.231"}]}

and that’s our payload – let’s edit the script

export PAYLOAD='{ "id": 0, "method": "group_show/1", "params": [["ops"],{"all": true,"version": "2.231"}]}'


Let’s also make the output a little more readable – you can tack on | python -m json.tool or json_pp – on my system I have json_pp so I will update the curl to pipe it through that
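An added example (my own code, not the blog’s starter script) that puts the two curl calls into shell functions, builds the group_show payload from a group name, and checks the reply for an error before piping it to json_pp. It assumes the standard IdM session endpoints /ipa/session/login_password and /ipa/session/json (which the post’s curl lines leave out) and a placeholder hostname.

```shell
#!/bin/bash
# Added example: the post's two curl calls as functions, plus a payload builder and a
# reply check. Assumptions (not from the post): the IdM session endpoints
# /ipa/session/login_password and /ipa/session/json, and a placeholder hostname.
set -u

COOKIEJAR="${COOKIEJAR:-/tmp/cookies}"
IDMSERVER="${IDMSERVER:-idm.red.example.net}"   # placeholder, set to your IdM server

# JSON-RPC body for "ipa group-show --all <group>", i.e. what the post recovers
# from "ipa -vv group-show --all ops". Second arg is the API version.
ipa_payload() {
    local group="$1" api="${2:-2.231}"
    printf '{"id": 0, "method": "group_show/1", "params": [["%s"], {"all": true, "version": "%s"}]}' \
        "$group" "$api"
}

# Password login: stores the ipa_session cookie in the jar (-c). ADMINPWD comes from
# the environment; a password on the command line is visible to other users via ps,
# so prefer -d @file with a root-only file holding "user=admin&password=...".
# -k skips CA verification as in the post; --cacert /etc/ipa/ca.crt is the better option.
ipa_login() {
    curl -sk \
        -H "Referer: https://${IDMSERVER}/ipa" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Accept: text/plain" \
        -c "$COOKIEJAR" \
        -d "user=admin&password=${ADMINPWD}" \
        "https://${IDMSERVER}/ipa/session/login_password"
}

# Send one JSON-RPC payload using the stored cookie (-b); prints the raw reply.
ipa_call() {
    curl -sk \
        -H "Referer: https://${IDMSERVER}/ipa" \
        -H "Content-Type: application/json" \
        -H "Accept: application/json" \
        -b "$COOKIEJAR" \
        -d "$1" \
        "https://${IDMSERVER}/ipa/session/json"
}

# True if the jar holds an ipa_session cookie, i.e. the login actually succeeded.
ipa_have_session() {
    [ -f "$COOKIEJAR" ] && grep -q 'ipa_session' "$COOKIEJAR"
}

# A command error comes back in the reply body's "error" member, so check that
# rather than curl's exit status. Returns 0 when "error" is null, otherwise prints
# the server's message and returns 1.
ipa_reply_ok() {
    local reply="$1"
    if printf '%s' "$reply" | grep -q '"error": *null'; then
        return 0
    fi
    printf '%s\n' "$reply" | sed -n 's/.*"message": *"\([^"]*\)".*/\1/p' >&2
    return 1
}

# Usage (not run here):
#   ipa_login; ipa_have_session && reply="$(ipa_call "$(ipa_payload ops)")"
#   ipa_reply_ok "$reply" && printf '%s\n' "$reply" | json_pp
```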



Boom! Not too bad



OK so two issues.

  1. How do you start the script if you don’t have an initial script?
  2. Where can you get more info on the API?


The #2 is easy – in the GUI you can click on API Browser as per the image below


But the #1 is far more difficult, now there is a way but I don’t think it’s within the scope of the exam.

If you use Firefox – you can enable debug mode by hitting F12 and then login. You can then work out the header and post information needed to login

Once you have done it a couple of times it isn’t so bad. But it’s way too web-devvy for the exam.

EX362 Objective 4 – Automated Home Directory

Next stop, time to get serious – let’s configure some Automated Home Directories





This is where things start getting tough, we are going to set up a Kerberos-aware NFS Server and configure NFS Clients to use Kerberos Authentication. This is an area where there is lots of variance in other guides. Use mine, it’s better.

We are going to do the following:

    1. Configure to act as an NFS server with the following attributes:
      • The NFS service should run using a Kerberos service principal nfs/ and be stored in /etc/krb5.keytab
      • The NFS service should auto-start with the server at boot time
      • Create and export /export/home using the security options krb5, krb5i and krb5p
    2. Configure to act as an NFS client
    3. On do the following:
      • Create a user called nfsuser1 with password linuxbuff
      • Pre-create its home directory in /export/home/nfsuser1
    4. Test on (ensure there are no Kerberos tickets) for nfsuser1 and then ssh across to – the user should login WITH a password and its home directory should be auto-mounted from


Part 1 – Configure NFS Server

Get an admin ticket

kinit admin


Add the Service

ipa service-add nfs/


Pull the keytab into the standard location

ipa-getkeytab -s -p nfs/ -k /etc/krb5.keytab 


Install NFS software

yum install -y nfs-utils


Make the export home directory

mkdir -p /export/home
echo "/export/home *(rw,sec=krb5:krb5i:krb5p)" >> /etc/exports

Note that I am using krb5, krb5i and krb5p options only – so use Kerberos or don’t get in


Configure all services

ipa-client-automount -U
systemctl enable nfs-secure nfs-server rpcbind rpcidmapd --now
exportfs -rav
exportfs -sv
showmount -e


Add the following firewall services

firewall-cmd --add-service=nfs --add-service=nfs3 --add-service=rpc-bind --add-service=mountd --permanent
firewall-cmd --reload

My tip here is to enable more rather than less. It’s better to lose a few points for a slightly less secure service than to lose more points for an inaccessible system


Now we need to test from client

[root@client ~]# showmount -e utility
Export list for utility:
/export/home *



Part 2 – Configure IdM


Network Services –> Automount –> Default and click Add – select options as below


Then  click on auto.home and then Add – and enter details as below




Part 3 – Configure the client

ipa-client-automount -U
systemctl enable rpcidmapd --now
systemctl enable rpcgssd --now
systemctl enable nfs --now


Part 4 – Create the user and pre-create their home directory on the NFS server

ipa user-add --first first --last user --password nfsuser01
mkhomedir_helper nfsuser01
mv /home/nfsuser01 /export/home


Part 5 – Test

On the idm server – remove all tickets

kdestroy -A

Now let’s test logging in (and changing password as needed)

[root@idm ~]# ssh
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
[nfsuser01@client ~]$ id
uid=432800009(nfsuser01) gid=432800009(nfsuser01) groups=432800009(nfsuser01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[nfsuser01@client ~]$ pwd
[nfsuser01@client ~]$ df | grep nfs
 6486016 1736704 4749312 27% /home/nfsuser01


Verify it’s using Kerberos (look for sec=krb5 )

[nfsuser01@client ~]$ mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
nfsd on /proc/fs/nfsd type nfsd (rw,relatime)
 on /home/nfsuser01 type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=,local_lock=none,addr=



All done – we now have configured Automated Home Directories