From Fedora Project Wiki
No edit summary |
No edit summary |
||
Line 28: | Line 28: | ||
#: admin_server = <KDC server hostname>:749 | #: admin_server = <KDC server hostname>:749 | ||
#: } | #: } | ||
# | #: | ||
#: [domain_realm] | #: [domain_realm] | ||
#: .redhat.com = REDHAT.COM | #: .redhat.com = REDHAT.COM |
Revision as of 17:15, 1 February 2010
Description
This test case is to validates a secure NFSv4 root setup by running the connectathon test suite.
How to test
- This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
- First, configure the KDC server.
- Install the
krb5-libs
,krb5-server
, andkrb5-workstation
if have not done so.- yum -y install krb5-libs krb5-server krb5-workstation
- Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain .redhat.com.
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
- [libdefaults]
- default_realm = REDHAT.COM
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = yes
- [realms]
- REDHAT.COM = {
- kdc = <KDC server hostname>:88
- admin_server = <KDC server hostname>:749
- }
- [domain_realm]
- .redhat.com = REDHAT.COM
- redhat.com = REDHAT.COM
- Create the database using the kdb5_util utility from a shell prompt:
- /usr/kerberos/sbin/kdb5_util create -s
- You can run both NFS server and client on the same system or use different systems. Configure the server to sync time using NTP to sync the clock for later kerberos communications.
- service ntp restart
- If you have not already done so, install
krb5-libs
- yum -y install krb5-libs
- Next, configure the NFS server to find the KDC server.
- cp /etc/krb5.conf /etc/krb5.conf.orig
- cat <<EOF >/etc/krb5.conf
- [libdefaults]
- default_realm = GREP.BE
- kdc_timesync = 1
- forwardable = true
- proxiable = true
- [realms]
- GREP.BE = {
- kdc = kdc.grep.be
- kdc = kdc-1.grep.be
- admin_server = kdc.grep.be
- }
- [login]
- krb4_convert = false
- krb4_get_tickets = false
- EOF
- Now, use
kadmin
to create the server principal.- kadmin
- Next, create an NFS export and restart NFS
- cp /etc/exports /etc/exports.orig
- echo '/nfs gss/krb5i(sync,subtree_check,rw)' > /etc/exports
- mkdir /nfs
- service nfs restart
- Download the connectathon testsuite
- git clone git://fedorapeople.org/~steved/cthon04
- Run the connectathon testsuite from the client.
- cd cthon04
- make
- ./runcthon --server <server IP> --serverdir /nfs
Expected Results
- Step #1 completes without error.
- The testsuite finishes without error; no nfs*.error files in /tmp.