Revision as of 07:47, 2 February 2010
Description
This test case validates a secure NFSv4 root setup by running the connectathon test suite.
How to test
- This test requires at least three systems in the same domain: a Key Distribution Center (KDC) server, an NFS server, and an NFS client.
- First, configure the KDC server.
- Install the krb5-libs, krb5-server, and krb5-workstation packages if you have not already done so.
- yum -y install krb5-libs krb5-server krb5-workstation
- Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for the domain redhat.com:
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
- [libdefaults]
- default_realm = REDHAT.COM
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = yes
- [realms]
- REDHAT.COM = {
- kdc = <KDC server hostname>:88
- admin_server = <KDC server hostname>:749
- }
- [domain_realm]
- .redhat.com = REDHAT.COM
- redhat.com = REDHAT.COM
- Create the database using the kdb5_util utility from a shell prompt:
- /usr/kerberos/sbin/kdb5_util create -s
- Configure the KDC server to synchronize its clock with NTP, since the later Kerberos communication depends on the clocks agreeing.
- service ntpd restart
- Edit the /var/kerberos/krb5kdc/kadm5.acl file to have only this line.
- */admin *
- Type the following kadmin.local command at the KDC terminal to create the first principal:
- /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"
- Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.
- iptables -F
- ip6tables -F
- Start Kerberos using the following commands:
- /sbin/service krb5kdc start
- /sbin/service kadmin start
- Next, configure the NFS server to find the KDC server.
- If you have not already done so, install krb5-libs first.
- yum -y install krb5-libs
- Configure the NFS server to synchronize its clock with NTP, since the later Kerberos communication depends on the clocks agreeing.
- service ntpd restart
- Back up the original krb5.conf and use the same krb5.conf as on the KDC server above.
- Now, use kadmin to create the server principal.
- kadmin
- kadmin: addprinc -randkey nfs/<NFS server hostname>
- kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
- kadmin: quit
- cp /etc/krb5.keytab /etc/krb5.keytab.orig
- cp /tmp/keytab /etc/krb5.keytab
- Next, create an NFS export and restart NFS daemon.
- cp /etc/exports /etc/exports.orig
- echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
- mkdir /nfs
- service nfs restart
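The export line above offers sec=sys alongside the Kerberos flavours. An export that still lists sys can be mounted without Kerberos at all, so before calling a setup "secure" it is worth checking what each export actually offers. The following shell function is an added example and not part of the original test case: it parses an exports file, prints the security flavours each (path, client) pair offers, and flags entries that accept AUTH_SYS. exportfs treats a missing sec= option as sec=sys, so those are flagged too. The exports file built in the demo is constructed sample input.

```shell
#!/bin/sh
# Added example (not part of the original test case): list the security flavours
# each entry in an exports file offers and flag entries that still accept AUTH_SYS.
# Assumes the usual "host(opt,opt)" form with no space before the parenthesis.
# Prints one line per (path, client): "<path> <client> <sec flavours> <ALLOWS-SYS|no-sys>".
exports_sec_flavors() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {                  # each remaining field is client(options)
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {           # split "host(opt,opt)" into host and opts
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                sec = "sys"                              # exportfs default when sec= is absent
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                flag = (sec ~ /(^|:)sys(:|$)/) ? "ALLOWS-SYS" : "no-sys"
                print path, client, sec, flag
            }
        }
    ' "$1"
}

# --- demo on a constructed exports file ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/exports" <<'EOF'
# constructed sample: the test case's export, a Kerberos-only variant, and a default one
/nfs *(sec=sys:krb5:krb5i:krb5p,rw)
/secure *(sec=krb5p,rw)
/home 10.0.0.0/24(rw)
EOF
exports_sec_flavors "$demo_dir/exports"
rm -rf "$demo_dir"
```

Run it against the real file with `exports_sec_flavors /etc/exports`; any line ending in ALLOWS-SYS is reachable by a client that never talks to the KDC.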
- Finally, configure the NFS client.
- If you have not already done so, install krb5-libs first.
- yum -y install krb5-libs
- Configure the NFS client to synchronize its clock with NTP, since the later Kerberos communication depends on the clocks agreeing.
- service ntpd restart
- Back up the original krb5.conf and use the same krb5.conf as on the KDC server above.
- Now, use kadmin to create the principal for the NFS client.
- kadmin
- kadmin: addprinc -randkey nfs/<NFS client hostname>
- kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
- kadmin: quit
- cp /etc/krb5.keytab /etc/krb5.keytab.orig
- cp /tmp/keytab /etc/krb5.keytab
- Start the rpcsvcgssd service.
- service rpcsvcgssd restart
- If the above fails and you see something like this in /var/log/messages:
- ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table entry not found
- unable to obtain root (machine) credentials
- do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?
- It is likely due to an incorrect reverse DNS lookup resolving to a loopback address. Look at /etc/hosts; if it has something like this,
- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
- remove <NFS client FQDN> from those lines and restart the daemon.
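The error quoted above has two usual causes: the keytab really lacks the nfs/<host>@<REALM> entry, or the host's FQDN sits on a loopback line in /etc/hosts, so the name the daemon looks up does not match the keytab. The script below is an added example and not part of the original test case; it checks both conditions offline. It scans a hosts file for loopback lines that carry the FQDN and emits a corrected copy with the FQDN removed from those lines only, and it searches saved `klist -k` output for the expected principal. The host name, realm and file contents in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of the original test case): preflight checks for the two
# causes of the "Key table entry not found" failure on the NFS client.
#   1. /etc/hosts maps the client's FQDN onto a loopback address (127.x or ::1).
#   2. /etc/krb5.keytab lacks the nfs/<fqdn>@<REALM> entry.
# Host name, realm and file contents used in the demo are constructed.

# Print every loopback line in a hosts file that carries the given FQDN.
# Returns 1 if any were found, 0 if the file is clean.
check_hosts_loopback() {
    awk -v fqdn="$2" '
        /^[ \t]*#/ { next }                           # skip comment lines
        $1 ~ /^(127\.|::1)/ {                         # loopback address in the first column
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) { print "loopback entry carries " fqdn ": " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Emit the hosts file with the FQDN removed from loopback lines only; every other
# line, including the real address for the host, passes through unchanged.
strip_fqdn_from_loopback() {
    awk -v fqdn="$2" '
        $1 ~ /^(127\.|::1)/ {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != fqdn) out = out " " $i
            print out; next
        }
        { print }
    ' "$1"
}

# Given the output of "klist -k" saved to a file, report whether it lists the
# principal. klist -k prints "KVNO Principal" rows, so match on the second column.
keytab_has_principal() {
    awk -v princ="$2" '
        $1 ~ /^[0-9]+$/ && $2 == princ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# --- demo on constructed input ---
demo_dir=$(mktemp -d)
fqdn=client.example.com              # constructed sample host name
realm=EXAMPLE.COM                    # constructed sample realm

cat > "$demo_dir/hosts" <<EOF
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 $fqdn
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 $fqdn
10.0.0.5    $fqdn client
EOF

# Constructed stand-in for: klist -k > "$demo_dir/klist.out"
cat > "$demo_dir/klist.out" <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/$fqdn@$realm
EOF

if check_hosts_loopback "$demo_dir/hosts" "$fqdn"; then
    echo "hosts: ok"
else
    echo "hosts: FQDN is on a loopback line; corrected file would be:"
    strip_fqdn_from_loopback "$demo_dir/hosts" "$fqdn"
fi

if keytab_has_principal "$demo_dir/klist.out" "nfs/$fqdn@$realm"; then
    echo "keytab: nfs/$fqdn@$realm present"
else
    echo "keytab: nfs/$fqdn@$realm missing; run ktadd on the KDC and copy the keytab over"
fi
rm -rf "$demo_dir"
```

On a real client, run `check_hosts_loopback /etc/hosts "$(hostname -f)"` and save `klist -k` output to a file before calling `keytab_has_principal`; the corrected hosts file is printed rather than written so it can be reviewed before replacing /etc/hosts.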
- Download the connectathon testsuite on the client.
- git clone git://fedorapeople.org/~steved/cthon04
- Run the connectathon testsuite from the client.
- cd cthon04
- make
- ./runcthon --mkdirs /mnt/
- ./runcthon --server <NFS server IP> --serverdir /nfs
Expected Results
- Step #1 completes without error.
- The testsuite finishes without error; no nfs*.error files in /tmp.