LinuxBuff EX362 Sample / Practice Exam


This is my opinion – based on the publicly listed Exam Objectives. I have not taken the exam, I have created it to test myself, Don’t rely on it. It is very likely to be completely wide off the mark. Use at your own risk.

I have put some timings which is how long I think the tasks should take, once again these are a guide only.


  • You will need 4 servers, for the sake of simplicity called idm, replica, client, and utility. But these can be any server you have.
  • You will also need a Linux Desktop which runs Firefox
  • The domain name will be
  • I have added some sample timings for the completion of the task
  • You will also need the FreeOTP app – I am using Android
  • Certain tasks deliberately do not have 100% detail, where there is detail missing you can use your own judgement AS LONG AS the objective is achieved
  • You will also need an Active Directory Server (not too difficult to setup) with the domain

1. Install IdM in a scalable environment (30 mins)

  • On – install IdM with the following options:
    • Password: Linuxbuff123.
    • Setup DNS (with no forwarders, and auto reverse zone)
    • Make home directory
  • Configure the DNS server to automatically create PTR records
  • Change the default shell to /bin/bash
  • On – install IdM as a replica with the following options:
    • Setup DNS (with no forwarders)
    • Setup CA
    • Make home directory

2. Create Users/Groups/Policies (25 mins)

  • Create the following Groups and their settings
    • Name: ops Description: “Ops Group”
    • Name: devs Description: “Devs Group”
  • Create the following users and their settings
    • Type: Staged Name: ops1 Group: n/a Password: linuxbuff
    • Type: Active Name: ops3 Group: ops Password: linuxbuff
    • Type: Active Name: ops2 Group: ops Password: linuxbuff
    • Type: Active Name: dev1 Group: devs Password: linuxbuff
    • Type: Active Name: enroller Group: n/a Password: linuxbuff
  • Create an automember group called devops – and add anyone with name matching either ops* or dev* to it
  • Create a role called Enroller and add the Host Enrollment and Host Administrators Privilege, assign this role to the enroller user
  • Update the Global Password policy to have a max retry count of 7, and turn off mininum life 
  • Create a New Password Policy for group DevOps which a minimum length of 9 characters
  • Ensure members of DevOps are bound to the minimum password length of 9 characters by updating the password of the dev1 user
  • Set the enroller user’s password to a 8 character password
  • Set the ops2 user’s password to a 9 character password

3. Configure IdM Clients (30 mins)

  • On, install and configure the IdM client – using the user enroller to enrol the server, ensure that it points to and enable mkhomedir
  • From replica – obtain a Kerberos ticket for user dev1 – and then ssh across to – passwordless authentication should occur and the home directory should be /home/dev1
  • On, install and configure the IdM client – using the user enroller to enrol the server, ensure that it points to and enable mkhomedir
  • On, Manually configure enrollment without using ipa-client-install utility – with the following options:
    • Install krb5-workstation and pam_krb5 and sssd packages
    • Add DNS records for
    • Update PAM to use Kerberos Authentication
    • Configure LDAP for User Information using TLS (copy the /etc/ipa/ca.crt to the relevant place on
    • Configure server to automatically create home directories
    • From – ssh across as admin (entering password) – the home directory of /home/admin should be automatically created

4. Automated Home Directory (25 mins)

  • Configure to act as a NFS server with the following attributes:
    • The NFS service should run using a kerberos service principal nfs/ and be stored in /etc/krb5.keytab
    • The NFS service should be auto-start with the server at boot time
    • Create and export /export/home using security krb5 krb5i and krb5p options
  • Configure to act as a NFS client
  • On do the following:
    • Create a user called nfsuser1 and password linuxbuff
    • Pre-Create it’s home directory in /export/home/nfsuser1
  • Test on (ensure there are no kerberos tickets) for nfsuser1 and then ssh across to – the user should login WITH a password and it’s home directory should be auto-mounted from

5. REST API (10 mins)

  • Modify the API script found here so that it shows all details about the ops group

6. Kerberised Services (n/a)

  • No additional tasks – covered by:
    • NFS task in Section 4
    • vsftpd task in Section 9
    • httpd task in Section 12

7. AD Trust Relationship (30 mins)

  • Configure IDM to have a trust relationship with the following attributes:
    • DNS records present on AD for NS and A records
    • A forward DNS for
    • It should be possible to run the command and login
      • ssh
  • Configure with an AD direct connection with the following attributes:
    • realmd
    • Configure AD users to be able to login using shortname
    • Configure AD users to have a home directory of /home/<username>
    • Test using ssh aduser01@generic and associated password
  • Configure an ID View for user – with the following attributes:
    • ID View called idview1
    • On
    • Create a local group called viewusers with id 4321
    • Configure a home directory of /adhome/aduser02-idview – change ownership to 4321
    • ID View called idview1
    • Test by doing the following command:
      • ssh
      • the above should login and report the home directory is /adhome/aduser02-idview and id reports a uid of 4321

8. Configure Policies (25 mins)

  • Vault/KRA
    • On – As user ops2 a standard vault called vault1 and add /etc/redhat-release to that vault.
    • On – extract from the vault to /tmp/vault1
  • Create a HBAC service that meets the following criteria
    • A HBAC rule called allow_idm_test which contains service sshd in a group called ssh-test
    • The user ops2 is able to run this against The ops2 user should not be permitted to log onto using ssh
      • this should be tested but the allow_all rule must be enabled at the end of the test
  • Create Self Service to meet the following criteria
    • Self-service name is called UserCanChangeEmail
    • The Self Service rule allows a non-admin user to change their own email address when logging into the IDM GUI
  • Configure the group devs to be able to manage the user records of users in the ops group so that they can update email address.
    • Test by confirming that dev1 can edit the email address of the ops2 user
  • Enable OTP Authentication for the user ops3 and then add an OTP token (this will require the app FreeOTP).
    • Test this by logging onto the GUI with the password+OTP token

9. Certificate Authority (40 mins)

  • On
  • Create a NSS Certificate Database in ~/dev1
  • Create a CSR (CN=dev1,O=BLUE.EXAMPLE.NET) and submit this to CA using (profile IECUSerRoles)
  • Download Certificate and save to NSS Certificate Database (using nickname dev1 -t of P,,)
  • Make another CSR using the nickname (from NSS Certificate Database)
  • Download and Add certificate to NSS Certificate Database
  • Revoke the original certificate using reason Unspecified
  • Download the updated certificated and Add certificate to NSS Certificate Database
  • Configure IdM for Certificate Based Authentication (Smart Card) and then configure Firefox to use the Certificate created above to SSO using Certificate log into the GUI at
  • Install and configure vsftpd on and configure this to use Certificates provided by IdM (note store the certificates in /etc/vsftpd/certs)
    • Confirm that it is possible to use ftp from a remote host (i.e. configure firewalls etc)

10. Backup and Restore IdM (15 mins)

  • On
    • Backup IdM
    • Restore IdM
  • Re initialise the sync between idm and replica to ensure that users created on replica are seen from the idm server

11. Integrate IdM (25 mins)

  • Integrate Tower with IdM
  • Integrate Satellite with IdM

12. SSO (25 mins)

  • Configure httpd service on to use Kerberos for SSO and meets the following criteria
    • The keytab is held in file /etc/httpd/http.keytab
    • Create a a file /var/www/html/secret/index.html with the text linuxbuff
    • The users ops2 and dev1 are able to log into but not admin
    • Test using Firefox on a workstation – take whatever steps are needed on the workstation to permit Firefox to work with Kerberos tickets

I hope you enjoyed it – please let me know if you found it useful either in the comments below or using my twitter handler @linuxbuff

One thought on “LinuxBuff EX362 Sample / Practice Exam

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s