Latest revision as of 17:45, 1 June 2011
Description
This test case validates a secure NFSv4 root setup by running the connectathon test suite. It requires at least 3 systems in the same domain: a Key Distribution Center (KDC) server, an NFS server, and an NFS client.
How to test
1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to set up your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
2. Next, configure the NFS client. If you have not already done so, install krb5-libs and ntp first.
<pre>
yum install krb5-libs krb5-workstation ntp
</pre>
3. Configure the NFS client to sync its clock using NTP, so that the later Kerberos exchanges succeed.
<pre>
service ntpd restart
</pre>
4. Back up the original krb5.conf, and use the following krb5.conf for the pre-configured KDC server, or adjust it to use your own.
<pre>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = FEDORAPROJECT.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
[realms]
 FEDORAPROJECT.ORG = {
  kdc = kerberos1.fedoraproject.org:88
  admin_server = kerberos1.fedoraproject.org:749
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
</pre>
5. Now, use kadmin to create the server principal. The password is "testday" for the pre-configured KDC server.
<pre>
kadmin root/admin
</pre>
6. If it returns an error like the following, you most likely need to correct your system time.
<pre>
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
</pre>
7. Continue:
<pre>
kadmin: addprinc -randkey nfs/<NFS client hostname>
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
kadmin: quit
cp /etc/krb5.keytab /etc/krb5.keytab.orig
cp /tmp/keytab /etc/krb5.keytab
</pre>
8. Edit /etc/sysconfig/nfs to uncomment or add the following line.
<pre>
SECURE_NFS="yes"
</pre>
9. Now, restart the rpcgssd service.
<pre>
service rpcgssd restart
</pre>
10. If the above failed, check /var/log/messages for a failure similar to the following.
<pre>
ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
code may provide more information - Key table entry not found
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
</pre>
11. If you find a failure like this in /var/log/messages, it is likely caused by a reverse DNS lookup that resolves to a loopback address. Look at /etc/hosts; if it contains something like this,
<pre>
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
</pre>
remove <NFS client FQDN> from the line and restart the daemon again. Then, configure the NFS server to find the KDC server.
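The client-side failure points in steps 4 to 11 (a wrong or missing KDC entry in krb5.conf, a clock that is too far from the KDC's, the client FQDN on a loopback line in /etc/hosts, and the single-DES keytab entry that step 7 creates) can all be checked before kadmin or rpc.gssd is run. The POSIX shell script below is an added example, not part of this test case or of the connectathon suite; the function names, the hostname nfsclient.example.org and the sample files it writes are constructed, and the "klist -ke" samples only reproduce the enctype description text that MIT klist prints. The 300 second skew limit is MIT krb5's default clockskew. des-cbc-crc is single DES, which MIT krb5 disables unless allow_weak_crypto is enabled, so the keytab check flags it to keep it out of anything beyond the test day setup.

```shell
#!/bin/sh
# Added example (not part of the wiki test case): client-side pre-flight checks
# for steps 4 to 11 above. All file paths and hostnames are parameters; the
# sample files written by make_samples are constructed, not real system files.

# Print the kdc entry for REALM from a krb5.conf FILE that uses the
# "REALM = { kdc = host:port ... }" block layout shown on the page.
# Usage: krb5_kdc_for_realm FILE REALM
krb5_kdc_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { section = $1; inrealm = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}"   { inrealm = 0 }
        inrealm && $1 == "kdc" { print $3; exit }
    ' "$1"
}

# Kerberos rejects messages whose timestamp is further from the KDC clock than
# the clockskew limit (300 seconds by default in MIT krb5); an out-of-sync clock
# is the usual cause of the kadmin "error while initializing kadmin interface"
# in step 6. Usage: clock_skew_ok LOCAL_EPOCH KDC_EPOCH [MAX_SECONDS]
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "${3:-300}" ]
}

# Return 0 (true) when hosts FILE has a 127.0.0.1 or ::1 line that also lists
# FQDN, the /etc/hosts mistake from step 11 that makes the client's own name
# resolve to a loopback address. Usage: hosts_loopback_has_fqdn FILE FQDN
hosts_loopback_has_fqdn() {
    awk -v fqdn="$2" '
        $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Return 0 (true) when a saved "klist -ke" listing in FILE shows an nfs/ entry
# with a DES enctype. Step 7 requests des-cbc-crc (single DES), which MIT krb5
# disables by default (allow_weak_crypto); flag it so it is not carried into a
# real deployment. Usage: keytab_has_des_nfs_key FILE
keytab_has_des_nfs_key() {
    grep -E '^ *[0-9]+ +nfs/' "$1" | grep -q 'DES cbc'
}

# Write constructed sample inputs into a scratch directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/krb5.conf" <<'EOF'
[logging]
 kdc = FILE:/var/log/krb5kdc.log
[realms]
 FEDORAPROJECT.ORG = {
  kdc = kerberos1.fedoraproject.org:88
  admin_server = kerberos1.fedoraproject.org:749
 }
EOF
    cat >"$dir/hosts.bad" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 nfsclient.example.org
::1       localhost localhost.localdomain localhost6
EOF
    cat >"$dir/hosts.good" <<'EOF'
127.0.0.1  localhost localhost.localdomain localhost4
192.0.2.10 nfsclient.example.org nfsclient
EOF
    cat >"$dir/klist.des" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfsclient.example.org@FEDORAPROJECT.ORG (DES cbc mode with CRC-32)
EOF
    cat >"$dir/klist.aes" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfsclient.example.org@FEDORAPROJECT.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
    echo "$dir"
}

# Stand-alone run over the constructed samples.
d=$(make_samples)
echo "KDC for FEDORAPROJECT.ORG: $(krb5_kdc_for_realm "$d/krb5.conf" FEDORAPROJECT.ORG)"
now=$(date +%s)
clock_skew_ok "$now" $(( now + 600 )) || echo "clock is more than 300 s off the KDC: fix NTP before kadmin"
hosts_loopback_has_fqdn "$d/hosts.bad" nfsclient.example.org && echo "hosts.bad: FQDN on a loopback line, remove it"
keytab_has_des_nfs_key "$d/klist.des" && echo "klist.des: nfs/ key uses DES, re-run ktadd with an AES enctype"
rm -rf "$d"
```

On a real client the same functions are pointed at /etc/krb5.conf, /etc/hosts and the output of klist -ke, and the KDC's time can be compared against the local clock with the NTP peer the client syncs to.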
12. If you have not already done so, install krb5-libs first.
<pre>
yum -y install krb5-libs
</pre>
13. Configure the NFS server to sync its clock using NTP, so that the later Kerberos exchanges succeed.
<pre>
service ntpd restart
</pre>
14. Back up the original krb5.conf, and use the same krb5.conf as above.
15. Now, use kadmin to create the server principal. The password is "testday" for the pre-configured KDC server.
<pre>
kadmin root/admin
kadmin: addprinc -randkey nfs/<NFS server hostname>
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
kadmin: quit
cp /etc/krb5.keytab /etc/krb5.keytab.orig
cp /tmp/keytab /etc/krb5.keytab
</pre>
16. Edit /etc/sysconfig/nfs to uncomment or add the following line.
<pre>
SECURE_NFS="yes"
</pre>
17. Next, create an NFS export and restart the NFS daemons.
<pre>
cp /etc/exports /etc/exports.orig
echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
mkdir /nfs
service rpcsvcgssd restart
service nfs restart
</pre>
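Steps 16 and 17 are the two server-side settings that decide whether the export is actually Kerberos-protected: SECURE_NFS must be uncommented and set to yes, and the sec= list in /etc/exports decides which flavours a client may use. The /nfs line above lists sys as well as the three krb5 flavours on purpose, so that the test day can exercise all of them; on an export that is meant to be protected, sys must be absent, because a client that mounts without an explicit sec= can otherwise still use AUTH_SYS (plain uid/gid). The POSIX shell script below is an added example, not part of this test case; the function names and the sample files are constructed, and the /secure and /plain export lines are made up to show the contrast with the page's /nfs line.

```shell
#!/bin/sh
# Added example (not part of the wiki test case): checks for the two server-side
# settings from steps 16 and 17. Paths are parameters; the sample files written
# by make_samples are constructed and include the page's /nfs export line.

# Print the value of KEY from a /etc/sysconfig-style FILE (last uncommented
# assignment wins, quotes stripped); prints nothing when KEY is absent.
# Usage: sysconfig_value FILE KEY
sysconfig_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/["'\'' \t]/, "", v); last = v }
        END { print last }
    ' "$1"
}

# Print the sec= flavours, space separated, of the export for PATH in exports
# FILE, e.g. "sys krb5 krb5i krb5p" for the page's line. Prints nothing when the
# path has no sec= option (exportfs then defaults to sys).
# Usage: export_sec_flavors FILE PATH
export_sec_flavors() {
    awk -v path="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == path {
            if (match($0, /sec=[^,)]+/)) {
                f = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/:/, " ", f)
                print f
            }
            exit
        }
    ' "$1"
}

# Return 0 (true) when the export for PATH lists at least one krb5* flavour and
# no sys. The test day export keeps sys so every flavour can be exercised; an
# export that is meant to be protected must not list it, because a client that
# mounts without sec= may then still use AUTH_SYS (plain uid/gid).
# Usage: export_requires_krb5 FILE PATH
export_requires_krb5() {
    has_krb5=1; has_sys=1
    for f in $(export_sec_flavors "$1" "$2"); do
        case $f in
            sys) has_sys=0 ;;
            krb5|krb5i|krb5p) has_krb5=0 ;;
        esac
    done
    [ "$has_sys" -eq 1 ] && [ "$has_krb5" -eq 0 ]
}

# Write constructed sample inputs into a scratch directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/exports" <<'EOF'
# /nfs as exported for the test day: all four flavours accepted
/nfs     *(sec=sys:krb5:krb5i:krb5p,rw)
# constructed production-style export: Kerberos with privacy protection only
/secure  *.example.org(sec=krb5p,rw)
# constructed export with no sec= option at all
/plain   *(rw)
EOF
    cat >"$dir/nfs.sysconfig" <<'EOF'
# Secure NFS is off unless SECURE_NFS is set to yes
#SECURE_NFS="no"
SECURE_NFS="yes"
EOF
    echo "$dir"
}

# Stand-alone run over the constructed samples.
d=$(make_samples)
echo "SECURE_NFS=$(sysconfig_value "$d/nfs.sysconfig" SECURE_NFS)"
for p in /nfs /secure /plain; do
    flavors=$(export_sec_flavors "$d/exports" "$p")
    if export_requires_krb5 "$d/exports" "$p"; then
        echo "$p: Kerberos only (${flavors})"
    else
        echo "$p: AUTH_SYS still accepted (${flavors:-sys})"
    fi
done
rm -rf "$d"
```

Run against the real files (/etc/sysconfig/nfs and /etc/exports), the script reports the page's /nfs export as still accepting AUTH_SYS, which is the intended state for the test day and the thing to change afterwards.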
18. Create the test tree structure on the server.
<pre>
git clone git://fedorapeople.org/~steved/cthon04
cd cthon04
./runcthon --mkdirs /nfs
chmod 777 -R /nfs
</pre>
19. Make sure the server's firewall allows Kerberos communication, or turn off the firewall temporarily.
<pre>
iptables -F
</pre>
Finally, start the test from the client.
20. Set up the connectathon test suite on the client as root.
<pre>
git clone git://fedorapeople.org/~steved/cthon04
cd cthon04
make
mkdir /mnt
chmod 777 /mnt
</pre>
21. Run the test suite as root.
<pre>
./runcthon --server <NFS server IP> --serverdir /nfs --onlyv4 --onlykrb5
</pre>
22. Save the output from the tests to TESTOUT.log, copy /var/log/messages from both the server and the client, then tar and compress them together with /tmp/nfs*.error (if any) and upload the archive to the wiki. Please include a link to the uploaded file in your test day results.
<pre>
mkdir log
scp root@<server hostname>:/var/log/messages messages.server
cp TESTOUT.log messages.server /var/log/messages /tmp/nfs*.error log/
tar czvf /tmp/nfs_connectathon-results-<fedora user name>.tgz log/
</pre>
Expected Results
- Step #1 completes without error.
- The testsuite finishes without error; no nfs*.error files in /tmp.
- Step #3 completes without error.