From Fedora Project Wiki

Description

This test case is to validates a secure NFSv4 root setup by running a generic filesystem test suite. This test requires at least 3 systems. The first one is a Key Distribution Server (KDC) server which you can use the pre-configured one during the event, the second one is a NFS server, and the third one is a NFS client. Note, this test can take a while.


How to test

  1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to setup your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
  2. Next, configure the NFS client. If you have not already done so, install krb5-libs first.
    yum -y install krb5-libs
  3. Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.
    service ntpd restart
  4. Backup the original krb5.conf, and use the the following krb5.conf for the pre-configured KDC server or adjust to use your own.
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = FEDORAPROJECT.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
    [realms]
    FEDORAPROJECT.ORG = {
    kdc = kerberos1.fedoraproject.org:88
    admin_server = kerberos1.fedoraproject.org:749
    }
    [domain_realm]
    .fedoraproject.org = FEDORAPROJECT.ORG
    fedoraproject.org = FEDORAPROJECT.ORG
  5. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.
    kadmin root/admin
  6. If it returned a similar error like this, it is likely you will need to fix your system time to be actual.
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
  7. Continue...
    kadmin: addprinc -randkey nfs/<NFS client hostname>
    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
    kadmin: quit
    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    cp /tmp/keytab /etc/krb5.keytab
  8. Change /etc/sysconfig/nfs to uncomment or add the following line.
    SECURE_NFS="yes"
  9. Now, restart rpcgssd service.
    service rpcgssd restart
  10. If the above failed, check the file /var/log/messages for the presence of a failure similar to the following.
    ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
    code may provide more information - Key table entry not found
    unable to obtain root (machine) credentials
    do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
  11. If you find a similar failure in /var/log/messages, it is likely due to incorrect reserve DNS lookup to a loopback address. Look at /etc/hosts, if it has something like this,
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
    Remove the above <NFS client FQDN> from the line, and restart the daemon again.

Then, configure the NFS server to find the KDC server.

  1. If you have not already done so, install krb5-libs first.
    yum -y install krb5-libs
  2. Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
    service ntpd restart
  3. Backup the original krb5.conf, and use the same krb5.conf as the above.
  4. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.
    kadmin root/admin
    kadmin: addprinc -randkey nfs/<NFS server hostname>
    kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
    kadmin: quit
    cp /etc/krb5.keytab /etc/krb5.keytab.orig
    cp /tmp/keytab /etc/krb5.keytab
  5. Change /etc/sysconfig/nfs to uncomment or add the following line.
    SECURE_NFS="yes"
  6. Next, create an NFS export and restart NFS daemon.
    cp /etc/exports /etc/exports.orig
    echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
    mkdir /nfs
    chmod 777 /nfs
    service rpcsvcgssd restart
    service nfs restart
  7. Make sure the server's firewall allow kerberos communication, or turn of the firewall temporarily.
    iptables -F

Finally, start the test from the client.

  1. Mount the NFS directory to /tmp on the client, since tests will manipulate files in that directory.
    mount -t nfs4 -o sec=krb5 <server IP>:/nfs /tmp
  2. Download LTP testsuite from the client.
    wget -c 'http://sourceforge.net/projects/ltp/files/LTP%20Source/OLD-ltp-20090731/ltp-full-20090731.tgz/download'
  3. Install dependencies to compile LTP.
    yum -y install procmail flex bison kernel-devel
  4. From the client system, setup the LTP filesystems tests.
    tar zxvf ltp-full-20090731.tgz
    cd ltp-full-20090731
  5. Comment out this line in the file runtest/fs.
    proc01 proc01
  6. Run the testsuite from the client.
    ./configure
    make
    make install
    ./runltp -p -d /tmp -l /tmp/ltp.log -o /tmp/ltp.run.log -f fs
  7. Save the output from the tests to TESTOUT.log, copy /var/log/messages from both the server and client, and then tar and compress them together with /tmp/ltp.log and /tmp.ltp.run.log to upload it to the wiki. Please include a link to the uploaded file in your test day results.
    mkdir log
    scp root@<server hostname>:/var/log/messages messages.server
    cp TESTOUT.log messages.server /var/log/messages /tmp/ltp*.log log/
    tar czvf /tmp/nfs_generic_secure-results.tgz-<fedora user name> log/
  8. Cleanup.
    umount /tmp

Expected Results

  1. Step #1 completes without error.
  2. Step #2 completes without error.
  3. Step #3 completes without error.
  4. Step #4 completes without error.
  5. Step #5 completes without error.
  6. The testsuite finishes without error; no nfs*.error files in /tmp.
  7. Step #7 completes without error.
  8. Step #8 completes without error.