From Fedora Project Wiki

(Provide link to KDC quickstart)
No edit summary
Line 3: Line 3:


|actions=
|actions=
# First, configure the KDC server. For more details, consult [[Kerberos_KDC_Quickstart_Guide]].
# First, configure the KDC server. You can use the pre-configured one for the event. If you want to setup your own KDC server, please consult [[Kerberos_KDC_Quickstart_Guide]].
# Next, configure the NFS client.  If you have not already done so, install {{package|krb5-libs}} first.
# Next, configure the NFS client.  If you have not already done so, install {{package|krb5-libs}} first.
#: <pre>
#: <pre>
Line 10: Line 10:
#: <pre>
#: <pre>
#: service ntpd restart</pre>
#: service ntpd restart</pre>
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
# Backup the original krb5.conf, and use the the following krb5.conf for the pre-configured KDC server or adjust to use your own.
# Now, use {{command|kadmin}} to create the server principal.
#: <pre>
#: <pre>
#: kadmin
#: [logging]
#:  default = FILE:/var/log/krb5libs.log
#:  kdc = FILE:/var/log/krb5kdc.log
#:  admin_server = FILE:/var/log/kadmind.log
#:
#: [libdefaults]
#:  default_realm = FEDORAPROJECT.ORG
#:  dns_lookup_realm = false
#:  dns_lookup_kdc = false
#:  ticket_lifetime = 24h
#:  renew_lifetime = 7d
#:  forwardable = yes
#:
#: [realms]
#:  FEDORAPROJECT.ORG = {
#:  kdc = kerberos1.fedoraproject.org:88
#:  admin_server = kerberos1.fedoraproject.org:749
#:  }
#:
#: [domain_realm]
#:  .fedoraproject.org = FEDORAPROJECT.ORG
#:  fedoraproject.org = FEDORAPROJECT.ORG
#: </pre>
# Now, use {{command|kadmin}} to create the server principal - password is "testday" for the pre-configured KDC server.
#: <pre>
#: kadmin root/admin
#: kadmin: addprinc -randkey nfs/<NFS client hostname>
#: kadmin: addprinc -randkey nfs/<NFS client hostname>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
Line 45: Line 69:
#: <pre>
#: <pre>
#: service ntpd restart</pre>
#: service ntpd restart</pre>
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
# Backup the original krb5.conf, and use the same krb5.conf as the above.
# Now, use {{command|kadmin}} to create the server principal.
# Now, use {{command|kadmin}} to create the server principal - password is "testday" for the pre-configured KDC server.
#: <pre>
#: <pre>
#: kadmin
#: kadmin
Line 79: Line 103:
#: make
#: make
#: ./runcthon --mkdirs /mnt/
#: ./runcthon --mkdirs /mnt/
#: ./runcthon --server <NFS server IP> --serverdir /nfs</pre>
#: ./runcthon --server <NFS server IP> --serverdir /nfs --onlyv4 --krb5only</pre>


|results=
|results=

Revision as of 16:11, 3 February 2010

Description

This test case is to validates a secure NFSv4 root setup by running the connectathon test suite. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.


How to test

  1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to setup your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
  2. Next, configure the NFS client. If you have not already done so, install krb5-libs first. 
    

    yum -y install krb5-libs 
    3. 

  3. Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.

    

    service ntpd restart
    4. 

  4. Backup the original krb5.conf, and use the the following krb5.conf for the pre-configured KDC server or adjust to use your own.

    

    [logging]
    

    default = FILE:/var/log/krb5libs.log
    

    kdc = FILE:/var/log/krb5kdc.log
    

    admin_server = FILE:/var/log/kadmind.log
    

    

    [libdefaults]
    

    default_realm = FEDORAPROJECT.ORG
    

    dns_lookup_realm = false
    

    dns_lookup_kdc = false
    

    ticket_lifetime = 24h
    

    renew_lifetime = 7d
    

    forwardable = yes
    

    

    [realms]
    

    FEDORAPROJECT.ORG = {
    

    kdc = kerberos1.fedoraproject.org:88
    

    admin_server = kerberos1.fedoraproject.org:749
    

    }
    

    

    [domain_realm]
    

    .fedoraproject.org = FEDORAPROJECT.ORG
    

    fedoraproject.org = FEDORAPROJECT.ORG
    

    5. 

  5. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.

    

    kadmin root/admin
    

    kadmin: addprinc -randkey nfs/<NFS client hostname>
    

    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
    

    kadmin: quit
    

    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    

    cp /tmp/keytab /etc/krb5.keytab
    6. 

  6. Change /etc/sysconfig/nfs to uncomment or add the following line.

    

    SECURE_NFS="yes"
    7. 

  7. Now, restart rpcsvcgssd service.

    

    service rpcsvcgssd restart
    8. 

  8. If the above failed, check the file /var/log/messages for the presence of a failure similar to the following.

    

    ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
    

    code may provide more information - Key table entry not found
    

    unable to obtain root (machine) credentials
    

    do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
    9. 

  9. If you find a similar failure in /var/log/messages, it is likely due to incorrect reserve DNS lookup to a loopback address.  Look at /etc/hosts, if it has something like this,

    

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
    

    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
    

    Remove the above <NFS client FQDN> from the line, and restart the daemon again.


Then, configure the NFS server to find the KDC server.



  1. If you have not already done so, install krb5-libs first.

    

    yum -y install krb5-libs 
    2. 

  2. Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.

    

    service ntpd restart
    3. 

  3. Backup the original krb5.conf, and use the same krb5.conf as the above.
    4. 

  4. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.

    

    kadmin
    

    kadmin: addprinc -randkey nfs/<NFS server hostname>
    

    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
    

    kadmin: quit
    

    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    

    cp /tmp/keytab /etc/krb5.keytab
    5. 

  5. Change /etc/sysconfig/nfs to uncomment or add the following line.

    

    SECURE_NFS="yes"
    6. 

  6. Next, create an NFS export and restart NFS daemon.

    

    cp /etc/exports /etc/exports.orig
    

    echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
    

    mkdir /nfs
    

    service nfs restart
    7. 

  7. Create test tree structure on the server.

    

    git clone git://fedorapeople.org/~steved/cthon04
    

    cd cthon04
    

    ./runcthon --mkdirs /nfs


Finally, start the test from the client.



  1. Download the connectathon testsuite from client.

    

    git clone git://fedorapeople.org/~steved/cthon04
    2. 

  2. Run the connectathon testsuite from the client.

    

    cd cthon04
    

    make
    

    ./runcthon --mkdirs /mnt/
    

    ./runcthon --server <NFS server IP> --serverdir /nfs --onlyv4 --krb5only


Expected Results


  1. Step #1 completes without error.
    2. 

  2. The testsuite finishes without error; no nfs*.error files in /tmp.
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_nfs_connectathon_secure&oldid=150274"