Latest revision as of 04:05, 5 February 2010
Description

This test case validates a secure NFSv4 root setup by running a generic filesystem test suite. It requires at least 3 systems: the first is a Key Distribution Center (KDC) server, for which you can use the pre-configured one during the event; the second is an NFS server; and the third is an NFS client. Note that this test can take a while.

How to test

1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to set up your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
2. Next, configure the NFS client. If you have not already done so, install krb5-libs first.
       yum -y install krb5-libs
3. Configure the NFS client to sync its clock using NTP, since the later Kerberos communications depend on it.
       service ntpd restart
4. Back up the original krb5.conf, and use the following krb5.conf for the pre-configured KDC server, or adjust it to use your own.
       [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

       [libdefaults]
        default_realm = FEDORAPROJECT.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes

       [realms]
        FEDORAPROJECT.ORG = {
         kdc = kerberos1.fedoraproject.org:88
         admin_server = kerberos1.fedoraproject.org:749
        }

       [domain_realm]
        .fedoraproject.org = FEDORAPROJECT.ORG
        fedoraproject.org = FEDORAPROJECT.ORG
5. Now, use kadmin to create the client's nfs service principal; the password is "testday" for the pre-configured KDC server.
       kadmin root/admin
6. If it returned an error similar to this, it is likely that you need to fix your system time so that it is accurate.
       kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
7. Continue in kadmin, then install the resulting keytab.
       kadmin: addprinc -randkey nfs/<NFS client hostname>
       kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
       kadmin: quit
       cp /etc/krb5.keytab /etc/krb5.keytab.orig
       cp /tmp/keytab /etc/krb5.keytab
8. Change /etc/sysconfig/nfs to uncomment or add the following line.
       SECURE_NFS="yes"
9. Now, restart the rpcgssd service.
       service rpcgssd restart
10. If the above failed, check the file /var/log/messages for a failure similar to the following.
       ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
       code may provide more information - Key table entry not found
       unable to obtain root (machine) credentials
       do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
11. If you find a similar failure in /var/log/messages, it is likely due to an incorrect reverse DNS lookup that resolves to a loopback address. Look at /etc/hosts; if it has something like this,
       127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
       ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
12. Remove the above <NFS client FQDN> from the line, and restart the daemon again.
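The three things the client steps above tell you to check before rpcgssd will start (system time, a keytab entry for the nfs/<FQDN> principal, and the client FQDN sitting on a loopback line in /etc/hosts) can be scripted as a preflight. The script below is an added example and is not part of this test case; the hostname, realm, keytab listing and hosts file it uses are constructed placeholders, and the only outside facts it relies on are the default `klist -k` output layout and the krb5 default clockskew of 300 seconds.

```shell
#!/bin/sh
# Added example, not part of the Fedora QA test case: preflight checks for the
# three client-side failures the steps above describe (clock skew, a missing
# keytab entry, the client FQDN on a loopback line in /etc/hosts). Inputs are
# passed as arguments so each check runs against real files or constructed
# samples; no Kerberos installation is needed to run the demo at the bottom.

# Kerberos rejects requests whose timestamp differs from the KDC clock by more
# than the libdefaults clockskew, 300 seconds by default. Returns 0 when the
# two epoch timestamps are within that window.
clock_skew_ok() {
    local_epoch=$1
    kdc_epoch=$2
    diff=$((local_epoch - kdc_epoch))
    if [ "$diff" -lt 0 ]; then
        diff=$((0 - diff))
    fi
    [ "$diff" -le 300 ]
}

# rpcgssd's "Key table entry not found" means /etc/krb5.keytab has no
# nfs/<FQDN>@REALM entry. Takes the text printed by `klist -k` (header lines,
# then one "KVNO Principal" line per entry) and the expected principal;
# returns 0 when the principal is listed.
keytab_has_principal() {
    klist_output=$1
    principal=$2
    printf '%s\n' "$klist_output" | awk -v p="$principal" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints the lines of an /etc/hosts file that list the client FQDN on
# 127.0.0.1 or ::1. The steps above attribute the gss_acquire_cred failure to
# the client's name resolving to a loopback address.
loopback_fqdn_lines() {
    hosts_file=$1
    fqdn=$2
    awk -v h="$fqdn" '
        $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == h) { print; break }
        }' "$hosts_file"
}

# Prints the hosts file with the FQDN dropped from loopback lines only; all
# other lines pass through unchanged. Redirect to a new file and review it
# before replacing /etc/hosts.
strip_fqdn_from_loopback() {
    hosts_file=$1
    fqdn=$2
    awk -v h="$fqdn" '
        $1 == "127.0.0.1" || $1 == "::1" {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != h) out = out " " $i
            print out
            next
        }
        { print }' "$hosts_file"
}

# Constructed sample inputs; the hostname and realm are placeholders.
SAMPLE_FQDN=client.example.org
SAMPLE_PRINCIPAL="nfs/$SAMPLE_FQDN@FEDORAPROJECT.ORG"
SAMPLE_KLIST="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 $SAMPLE_PRINCIPAL"
SAMPLE_HOSTS=$(mktemp)
cat >"$SAMPLE_HOSTS" <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 $SAMPLE_FQDN
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 $SAMPLE_FQDN
192.0.2.10 $SAMPLE_FQDN client
EOF

# Demo against the samples. On a real client the same calls would be:
#   clock_skew_ok "$(date +%s)" "$(ssh root@<KDC hostname> date +%s)"
#   keytab_has_principal "$(klist -k /etc/krb5.keytab)" "nfs/$(hostname -f)@FEDORAPROJECT.ORG"
#   loopback_fqdn_lines /etc/hosts "$(hostname -f)"
now=$(date +%s)
clock_skew_ok "$now" "$((now + 120))" && echo "clock: within the 300 s skew window"
keytab_has_principal "$SAMPLE_KLIST" "$SAMPLE_PRINCIPAL" && echo "keytab: $SAMPLE_PRINCIPAL present"
echo "loopback lines carrying $SAMPLE_FQDN:"
loopback_fqdn_lines "$SAMPLE_HOSTS" "$SAMPLE_FQDN"
echo "hosts file with the FQDN removed from loopback lines:"
strip_fqdn_from_loopback "$SAMPLE_HOSTS" "$SAMPLE_FQDN"
```

Running the three checks in this order mirrors the troubleshooting order of the steps: a clock that is off fails at kadmin, a missing keytab entry fails at rpcgssd, and a loopback entry for the FQDN produces the "Key table entry not found" message even though the keytab is correct.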
Then, configure the NFS server to find the KDC server.

1. If you have not already done so, install krb5-libs first.
       yum -y install krb5-libs
2. Configure the NFS server to sync its clock using NTP, since the later Kerberos communications depend on it.
       service ntpd restart
3. Back up the original krb5.conf, and use the same krb5.conf as above.
4. Now, use kadmin to create the server's nfs service principal; the password is "testday" for the pre-configured KDC server.
       kadmin root/admin
       kadmin: addprinc -randkey nfs/<NFS server hostname>
       kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
       kadmin: quit
       cp /etc/krb5.keytab /etc/krb5.keytab.orig
       cp /tmp/keytab /etc/krb5.keytab
5. Change /etc/sysconfig/nfs to uncomment or add the following line.
       SECURE_NFS="yes"
6. Next, create an NFS export and restart the NFS daemon.
       cp /etc/exports /etc/exports.orig
       echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
       mkdir /nfs
       chmod 777 /nfs
       service rpcsvcgssd restart
       service nfs restart
7. Make sure the server's firewall allows Kerberos communication, or turn off the firewall temporarily.
       iptables -F
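The export line in step 6 lists four security flavors, and which of them the server accepts is what decides whether a client can still mount without Kerberos at all. The script below is an added example, not part of this test case or of nfs-utils: it parses /etc/exports lines of that form (generalised to several client specs per line), reports the flavors each client spec gets, flags any export that still admits sys, and prints a hardened copy with sys dropped. Turning a sys-only list into krb5p and adding sec=krb5p where no sec= option exists are choices made for this example; the sample exports file is constructed.

```shell
#!/bin/sh
# Added example, not part of the Fedora QA test case or of nfs-utils: reads
# /etc/exports lines like the one in step 6 and reports which RPC security
# flavors each client spec may use. "sys" is AUTH_SYS, where the client simply
# asserts its uid/gid; krb5 authenticates, krb5i adds integrity, krb5p adds
# privacy. Without a sec= option, exportfs defaults to sys.

# Prints "<path> <clients> <flavor...>" once per client spec on each
# non-comment line. Handles several "clients(options)" specs per line.
export_sec_flavors() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                spec = $i
                clients = spec
                sub(/\(.*$/, "", clients)          # host spec before "("
                flavors = "sys"                     # default when sec= is absent
                if (match(spec, /sec=[^,)]*/)) {
                    flavors = substr(spec, RSTART + 4, RLENGTH - 4)
                    gsub(/:/, " ", flavors)
                }
                print $1, clients, flavors
            }
        }' "$1"
}

# Returns 0 when any client spec in the file still accepts sys, meaning a
# mount without Kerberos credentials remains possible on that export.
exports_allow_sys() {
    export_sec_flavors "$1" | awk '
        { for (i = 3; i <= NF; i++) if ($i == "sys") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints a hardened copy: sys is dropped from every sec= list, a list that
# held only sys becomes krb5p, and a spec with no sec= option gets
# sec=krb5p (choices made for this example). Comments pass through.
harden_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            out = $1
            for (i = 2; i <= NF; i++) {
                spec = $i
                if (match(spec, /sec=[^,)]*/)) {
                    n = split(substr(spec, RSTART + 4, RLENGTH - 4), f, ":")
                    kept = ""
                    for (j = 1; j <= n; j++)
                        if (f[j] != "sys") kept = (kept == "" ? f[j] : kept ":" f[j])
                    if (kept == "") kept = "krb5p"
                    spec = substr(spec, 1, RSTART - 1) "sec=" kept substr(spec, RSTART + RLENGTH)
                } else if (spec ~ /\(/) {
                    sub(/\(/, "(sec=krb5p,", spec)
                } else {
                    spec = spec "(sec=krb5p)"
                }
                out = out " " spec
            }
            print out
        }' "$1"
}

# Constructed sample: the test-day export plus two variants.
SAMPLE_EXPORTS=$(mktemp)
cat >"$SAMPLE_EXPORTS" <<'EOF'
# constructed sample exports file
/nfs *(sec=sys:krb5:krb5i:krb5p,rw)
/srv/data 192.0.2.0/24(sec=krb5p,rw,sync) backup.example.org(sec=krb5i,ro)
/legacy *(rw)
EOF

echo "flavors per export and client spec:"
export_sec_flavors "$SAMPLE_EXPORTS"
if exports_allow_sys "$SAMPLE_EXPORTS"; then
    echo "at least one export still admits sys"
fi
echo "hardened copy (review, then install as /etc/exports and run exportfs -ra):"
harden_exports "$SAMPLE_EXPORTS"
```

Keeping sec=sys on the test-day export is deliberate, so that both the Kerberos and the plain path can be exercised from the same export; the hardened copy is what a server would ship once the sec=krb5 mount in the final section has been verified to work.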
Finally, start the test from the client.

1. Mount the NFS directory on /tmp on the client, since the tests will manipulate files in that directory.
       mount -t nfs4 -o sec=krb5 <server IP>:/nfs /tmp
2. Download the LTP testsuite from the client.
       wget -c 'http://sourceforge.net/projects/ltp/files/LTP%20Source/OLD-ltp-20090731/ltp-full-20090731.tgz/download'
3. Install the dependencies needed to compile LTP.
       yum -y install procmail flex bison kernel-devel
4. From the client system, set up the LTP filesystem tests.
       tar zxvf ltp-full-20090731.tgz
       cd ltp-full-20090731
5. Comment out this line in the file runtest/fs.
       proc01 proc01
6. Run the testsuite from the client.
       ./configure
       make
       make install
       ./runltp -p -d /tmp -l /tmp/ltp.log -o /tmp/ltp.run.log -f fs
7. Save the output from the tests to TESTOUT.log, copy /var/log/messages from both the server and the client, and then tar and compress them together with /tmp/ltp.log and /tmp/ltp.run.log to upload to the wiki. Please include a link to the uploaded file in your test day results.
       mkdir log
       scp root@<server hostname>:/var/log/messages messages.server
       cp TESTOUT.log messages.server /var/log/messages /tmp/ltp*.log log/
       tar czvf /tmp/nfs_generic_secure-results.tgz-<fedora user name> log/
8. Cleanup.
       umount /tmp

Expected Results

1. Step #1 completes without error.
2. Step #2 completes without error.
3. Step #3 completes without error.
4. Step #4 completes without error.
5. Step #5 completes without error.
6. The testsuite finishes without error; no nfs*.error files in /tmp.
7. Step #7 completes without error.
8. Step #8 completes without error.