From Fedora Project Wiki
Description
This test case is to validates a secure NFSv4 root setup by running the connectathon test suite. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
How to test
- First, configure the KDC server. For more details, consult Kerberos_KDC_Quickstart_Guide.
- Next, configure the NFS client. If you have not already done so, install
krb5-libs
first.- yum -y install krb5-libs
- Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.
- service ntpd restart
- Backup the original krb5.conf, and use the same krb5.conf as the as above.
- Now, use
kadmin
to create the server principal.- kadmin
- kadmin: addprinc -randkey nfs/<NFS client hostname>
- kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
- kadmin: quit
- cp /etc/krb5.keytab /etc/krb5.keytab.orig
- cp /tmp/keytab /etc/krb5.keytab
- Change
/etc/sysconfig/nfs
to uncomment or add the following line.- SECURE_NFS="yes"
- Now, restart rpcsvcgssd service.
- service rpcsvcgssd restart
- If the above failed, check the file
/var/log/messages
for the presence of a failure similar to the following.- ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
- code may provide more information - Key table entry not found
- unable to obtain root (machine) credentials
- do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
- If you find a similar failure in
/var/log/messages
, it is likely due to incorrect reserve DNS lookup to a loopback address. Look at/etc/hosts
, if it has something like this,- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
- Remove the above <NFS client FQDN> from the line, and restart the daemon again.
Then, configure the NFS server to find the KDC server.
- If you have not already done so, install
krb5-libs
first.- yum -y install krb5-libs
- Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
- service ntpd restart
- Backup the original krb5.conf, and use the same krb5.conf as the as above.
- Now, use
kadmin
to create the server principal.- kadmin
- kadmin: addprinc -randkey nfs/<NFS server hostname>
- kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
- kadmin: quit
- cp /etc/krb5.keytab /etc/krb5.keytab.orig
- cp /tmp/keytab /etc/krb5.keytab
- Change /etc/sysconfig/nfs to uncomment or add the following line.
- SECURE_NFS="yes"
- Next, create an NFS export and restart NFS daemon.
- cp /etc/exports /etc/exports.orig
- echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
- mkdir /nfs
- service nfs restart
- Create test tree structure on the server.
- git clone git://fedorapeople.org/~steved/cthon04
- cd cthon04
- ./runcthon --mkdirs /nfs
Finally, start the test from the client.
- Download the connectathon testsuite from client.
- git clone git://fedorapeople.org/~steved/cthon04
- Run the connectathon testsuite from the client.
- cd cthon04
- make
- ./runcthon --mkdirs /mnt/
- ./runcthon --server <NFS server IP> --serverdir /nfs
Expected Results
- Step #1 completes without error.
- The testsuite finishes without error; no nfs*.error files in /tmp.