Description

This test case is to validates a secure NFSv4 root setup by running a generic filesystem test suite. This test requires at least 3 systems. The first one is a Key Distribution Server (KDC) server which you can use the pre-configured one during the event, the second one is a NFS server, and the third one is a NFS client. Note, this test can take a while.

How to test

1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to setup your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
2. Next, configure the NFS client. If you have not already done so, install krb5-libs first.

   yum -y install krb5-libs

3. Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.

   service ntpd restart

4. Backup the original krb5.conf, and use the the following krb5.conf for the pre-configured KDC server or adjust to use your own.

   [logging]

   default = FILE:/var/log/krb5libs.log

   kdc = FILE:/var/log/krb5kdc.log

   admin_server = FILE:/var/log/kadmind.log

   [libdefaults]

   default_realm = FEDORAPROJECT.ORG

   dns_lookup_realm = false

   dns_lookup_kdc = false

   ticket_lifetime = 24h

   renew_lifetime = 7d

   forwardable = yes

   [realms]

   FEDORAPROJECT.ORG = {

   kdc = kerberos1.fedoraproject.org:88

   admin_server = kerberos1.fedoraproject.org:749

   }

   [domain_realm]

   .fedoraproject.org = FEDORAPROJECT.ORG

   fedoraproject.org = FEDORAPROJECT.ORG

5. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.

   kadmin root/admin

6. If it returned a similar error like this, it is likely you will need to fix your system time to be actual.

   kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

7. Continue...

   kadmin: addprinc -randkey nfs/<NFS client hostname>

   kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>

   kadmin: quit

   cp /etc/krb5.keytab /etc/krb5.keytab.orig

   cp /tmp/keytab /etc/krb5.keytab

8. Change /etc/sysconfig/nfs to uncomment or add the following line.

   SECURE_NFS="yes"

9. Now, restart rpcgssd service.

   service rpcgssd restart

10. If the above failed, check the file /var/log/messages for the presence of a failure similar to the following.

    ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor

    code may provide more information - Key table entry not found

    unable to obtain root (machine) credentials

    do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?

11. If you find a similar failure in /var/log/messages, it is likely due to incorrect reserve DNS lookup to a loopback address. Look at /etc/hosts, if it has something like this,

    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>

    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>

    Remove the above <NFS client FQDN> from the line, and restart the daemon again.

Then, configure the NFS server to find the KDC server.

1. If you have not already done so, install krb5-libs first.

   yum -y install krb5-libs

2. Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.

   service ntpd restart

3. Backup the original krb5.conf, and use the same krb5.conf as the above.
4. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.

   kadmin root/admin

   kadmin: addprinc -randkey nfs/<NFS server hostname>

   kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>

   kadmin: quit

   cp /etc/krb5.keytab /etc/krb5.keytab.orig

   cp /tmp/keytab /etc/krb5.keytab

5. Change /etc/sysconfig/nfs to uncomment or add the following line.

   SECURE_NFS="yes"

6. Next, create an NFS export and restart NFS daemon.

   cp /etc/exports /etc/exports.orig

   echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports

   mkdir /nfs

   chmod 777 /nfs

   service rpcsvcgssd restart

   service nfs restart

7. Make sure the server's firewall allow kerberos communication, or turn of the firewall temporarily.

   iptables -F

Finally, start the test from the client.

1. Mount the NFS directory to /tmp on the client, since tests will manipulate files in that directory.

   mount -t nfs4 -o sec=krb5 <server IP>:/nfs /tmp

2. Download LTP testsuite from the client.

   wget -c 'http://sourceforge.net/projects/ltp/files/LTP%20Source/OLD-ltp-20090731/ltp-full-20090731.tgz/download'

3. Install dependencies to compile LTP.

   yum -y install procmail flex bison kernel-devel

4. From the client system, setup the LTP filesystems tests.

   tar zxvf ltp-full-20090731.tgz

   cd ltp-full-20090731

5. Comment out this line in the file runtest/fs.

   proc01 proc01

6. Run the testsuite from the client.

   ./configure

   make

   make install

   ./runltp -p -d /tmp -l /tmp/ltp.log -o /tmp/ltp.run.log -f fs

7. Save the output from the tests to TESTOUT.log, copy /var/log/messages from both the server and client, and then tar and compress them together with /tmp/ltp.log and /tmp.ltp.run.log to upload it to the wiki. Please include a link to the uploaded file in your test day results.

   mkdir log

   scp root@<server hostname>:/var/log/messages messages.server

   cp TESTOUT.log messages.server /var/log/messages /tmp/ltp*.log log/

   tar czvf /tmp/nfs_generic_secure-results.tgz-<fedora user name> log/

8. Cleanup.

   umount /tmp

Expected Results

1. Step #1 completes without error.
2. Step #2 completes without error.
3. Step #3 completes without error.
4. Step #4 completes without error.
5. Step #5 completes without error.
6. The testsuite finishes without error; no nfs*.error files in /tmp.
7. Step #7 completes without error.
8. Step #8 completes without error.