From Fedora Project Wiki

No edit summary
No edit summary
Line 4: Line 4:
|actions=
|actions=
# This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
# This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
# First, configure the KDC server.
 
First, configure the KDC server.
 
# Install the {{package|krb5-libs}}, {{package|krb5-server}}, and {{package|krb5-workstation}} if have not done so.
# Install the {{package|krb5-libs}}, {{package|krb5-server}}, and {{package|krb5-workstation}} if have not done so.
#: <pre>
#: <pre>
Line 52: Line 54:
#: /sbin/service krb5kdc start
#: /sbin/service krb5kdc start
#: /sbin/service kadmin start</pre>
#: /sbin/service kadmin start</pre>
# Next, configure the NFS server to find the KDC server.
 
# If you have not already done so, install {{package|krb5-libs}} first.
Next, configure the NFS client.
#: <pre>
 
#: yum -y install krb5-libs </pre>
# Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
#: <pre>
#: service ntpd restart</pre>
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
# Now, use {{command|kadmin}} to create the server principal.
#: <pre>
#: kadmin
#: kadmin: addprinc -randkey nfs/<NFS server hostname>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
#: kadmin: quit
#: cp /etc/krb5.keytab /etc/krb5.keytab.orig
#: cp /tmp/keytab /etc/krb5.keytab</pre>
# Next, create an NFS export and restart NFS daemon.
#: <pre>
#: cp /etc/exports /etc/exports.orig
#: echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
#: mkdir /nfs
#: service nfs restart</pre>
# Finally, configure the NFS client.
# If you have not already done so, install {{package|krb5-libs}} first.
# If you have not already done so, install {{package|krb5-libs}} first.
#: <pre>
#: <pre>
Line 103: Line 85:
#: ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN></pre>
#: ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN></pre>
#: Remove the above <NFS client FQDN> from the line, and restart the daemon again.
#: Remove the above <NFS client FQDN> from the line, and restart the daemon again.
Then, configure the NFS server to find the KDC server.
# If you have not already done so, install {{package|krb5-libs}} first.
#: <pre>
#: yum -y install krb5-libs </pre>
# Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
#: <pre>
#: service ntpd restart</pre>
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
# Now, use {{command|kadmin}} to create the server principal.
#: <pre>
#: kadmin
#: kadmin: addprinc -randkey nfs/<NFS server hostname>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
#: kadmin: quit
#: cp /etc/krb5.keytab /etc/krb5.keytab.orig
#: cp /tmp/keytab /etc/krb5.keytab</pre>
# Next, create an NFS export and restart NFS daemon.
#: <pre>
#: cp /etc/exports /etc/exports.orig
#: echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
#: mkdir /nfs
#: service nfs restart</pre>
# Create test tree structure on the server.
#: <pre>
#: git clone git://fedorapeople.org/~steved/cthon04
#: cd cthon04
#: ./runcthon --mkdirs /nfs</pre>
Finally, start the test from the client.
# Download the connectathon testsuite from client.
# Download the connectathon testsuite from client.
#: <pre>
#: <pre>

Revision as of 09:26, 2 February 2010

Description

This test case is to validates a secure NFSv4 root setup by running the connectathon test suite.


How to test

  1. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.

First, configure the KDC server.

  1. Install the krb5-libs, krb5-server, and krb5-workstation if have not done so. 
    

    yum -y install krb5-libs krb5-server krb5-workstation 
    2. 

  2. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain .redhat.com.

    

    [logging]
    

    default = FILE:/var/log/krb5libs.log
    

    kdc = FILE:/var/log/krb5kdc.log
    

    admin_server = FILE:/var/log/kadmind.log
    

    

    [libdefaults]
    

    default_realm = REDHAT.COM
    

    dns_lookup_realm = false
    

    dns_lookup_kdc = false
    

    ticket_lifetime = 24h
    

    renew_lifetime = 7d
    

    forwardable = yes
    

    

    [realms]
    

    REDHAT.COM = {
    

    kdc = <KDC server hostname>:88
    

    admin_server = <KDC server hostname>:749
    

    }
    

    

    [domain_realm]
    

    .redhat.com = REDHAT.COM
    

    redhat.com = REDHAT.COM
    3. 

  3. Create the database using the kdb5_util utility from a shell prompt:

    

    /usr/kerberos/sbin/kdb5_util create -s
    4. 

  4. Configure the KDC server to sync time using NTP to sync the clock for later kerberos communications.

    

    service ntpd restart
    5. 

  5. Edit the /var/kerberos/krb5kdc/kadm5.acl file to have only this line.

    

    */admin *
    6. 

  6. Type the following kadmin.local command at the KDC terminal to create the first principal:

    

    /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"
    7. 

  7. Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.

    

    iptables -F
    

    ip6tables -F
    8. 

  8. Start Kerberos using the following commands:

    

    /sbin/service krb5kdc start
    

    /sbin/service kadmin start


Next, configure the NFS client.



  1. If you have not already done so, install krb5-libs first.

    

    yum -y install krb5-libs 
    2. 

  2. Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.

    

    service ntpd restart
    3. 

  3. Backup the original krb5.conf, and use the same krb5.conf as the as above.
    4. 

  4. Now, use kadmin to create the server principal.

    

    kadmin
    

    kadmin: addprinc -randkey nfs/<NFS client hostname>
    

    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
    

    kadmin: quit
    

    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    

    cp /tmp/keytab /etc/krb5.keytab
    5. 

  5. Start rpcsvcgssd service.

    

    service rpcsvcgssd restart
    

    If the above failed, and you sense something like this in /var/log/messages.
    


#: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table entry not found
#: unable to obtain root (machine) credentials
#: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?

  1. It is likely due to incorrect reserve DNS lookup to a loopback address. Look at /etc/hosts, if it has something like this,
    


#: 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
#: ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>

  1. Remove the above <NFS client FQDN> from the line, and restart the daemon again.


Then, configure the NFS server to find the KDC server.



  1. If you have not already done so, install krb5-libs first.

    

    yum -y install krb5-libs 
    2. 

  2. Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.

    

    service ntpd restart
    3. 

  3. Backup the original krb5.conf, and use the same krb5.conf as the as above.
    4. 

  4. Now, use kadmin to create the server principal.

    

    kadmin
    

    kadmin: addprinc -randkey nfs/<NFS server hostname>
    

    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
    

    kadmin: quit
    

    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    

    cp /tmp/keytab /etc/krb5.keytab
    5. 

  5. Next, create an NFS export and restart NFS daemon.

    

    cp /etc/exports /etc/exports.orig
    

    echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
    

    mkdir /nfs
    

    service nfs restart
    6. 

  6. Create test tree structure on the server.

    

    git clone git://fedorapeople.org/~steved/cthon04
    

    cd cthon04
    

    ./runcthon --mkdirs /nfs


Finally, start the test from the client.



  1. Download the connectathon testsuite from client.

    

    git clone git://fedorapeople.org/~steved/cthon04
    2. 

  2. Run the connectathon testsuite from the client.

    

    cd cthon04
    

    make
    

    ./runcthon --mkdirs /mnt/
    

    ./runcthon --server <NFS server IP> --serverdir /nfs


Expected Results


  1. Step #1 completes without error.
    2. 

  2. The testsuite finishes without error; no nfs*.error files in /tmp.
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_nfs_connectathon_secure&oldid=149628"