From Fedora Project Wiki

No edit summary
(fixed <pre> tags)
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{QA/Test_Case
{{QA/Test_Case
|description=This test case is to validates a secure NFSv4 root setup by running the connectathon test suite.
|description=This test case is to validates a secure NFSv4 root setup by running the connectathon test suite. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.


|actions=
|actions=
# This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.


First, configure the KDC server.
<ol>
<li> First, configure the KDC '''server'''. You can use the pre-configured one for the event. If you want to setup your own KDC server, please consult [[Kerberos_KDC_Quickstart_Guide]].
</li>
<li> Next, configure the NFS '''client'''.  If you have not already done so, install {{package|krb5-libs}} and {{package|ntp}} first.
<pre>
yum install krb5-libs krb5-workstation ntp</pre>
</li>
<li> Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.
<pre>
service ntpd restart</pre>
</li>
<li> Backup the original krb5.conf, and use the the following krb5.conf for the pre-configured KDC server or adjust to use your own.
<pre>
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


# Install the {{package|krb5-libs}}, {{package|krb5-server}}, and {{package|krb5-workstation}} if have not done so.
[libdefaults]
#: <pre>
  default_realm = FEDORAPROJECT.ORG
#: yum -y install krb5-libs krb5-server krb5-workstation </pre>
  dns_lookup_realm = false
# Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain .redhat.com.
  dns_lookup_kdc = false
#: <pre>
  ticket_lifetime = 24h
#: [logging]
  renew_lifetime = 7d
#:  default = FILE:/var/log/krb5libs.log
  forwardable = yes
#:  kdc = FILE:/var/log/krb5kdc.log
#:  admin_server = FILE:/var/log/kadmind.log
#:
#: [libdefaults]
#: default_realm = REDHAT.COM
#: dns_lookup_realm = false
#: dns_lookup_kdc = false
#: ticket_lifetime = 24h
#: renew_lifetime = 7d
#: forwardable = yes
#:
#: [realms]
#:  REDHAT.COM = {
#:  kdc = <KDC server hostname>:88
#:  admin_server = <KDC server hostname>:749
#:  }
#:
#: [domain_realm]
#:  .redhat.com = REDHAT.COM
#:  redhat.com = REDHAT.COM</pre>
# Create the database using the kdb5_util utility from a shell prompt:
#: <pre>
#: /usr/kerberos/sbin/kdb5_util create -s</pre>
# Configure the KDC server to sync time using NTP to sync the clock for later kerberos communications.
#: <pre>
#: service ntpd restart</pre>
# Edit the /var/kerberos/krb5kdc/kadm5.acl file to have only this line.
#: <pre>
#: */admin *</pre>
# Type the following kadmin.local command at the KDC terminal to create the first principal:
#: <pre>
#: /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"</pre>
# Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.
#: <pre>
#: iptables -F
#: ip6tables -F</pre>
# Start Kerberos using the following commands:
#: <pre>
#: /sbin/service krb5kdc start
#: /sbin/service kadmin start</pre>


Next, configure the NFS client.
[realms]
FEDORAPROJECT.ORG = {
  kdc = kerberos1.fedoraproject.org:88
  admin_server = kerberos1.fedoraproject.org:749
}


# If you have not already done so, install {{package|krb5-libs}} first.
[domain_realm]
#: <pre>
.fedoraproject.org = FEDORAPROJECT.ORG
#: yum -y install krb5-libs </pre>
fedoraproject.org = FEDORAPROJECT.ORG
# Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.
</pre>
#: <pre>
</li>
#: service ntpd restart</pre>
<li> Now, use {{command|kadmin}} to create the server principal - password is "testday" for the pre-configured KDC server.
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
<pre>
# Now, use {{command|kadmin}} to create the server principal.
kadmin root/admin</pre>
#: <pre>
</li>
#: kadmin
<li> If it returned a similar error like this, it is likely you will need to fix your system time to be actual.
#: kadmin: addprinc -randkey nfs/<NFS client hostname>
<pre>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface</pre>
#: kadmin: quit
</li>
#: cp /etc/krb5.keytab /etc/krb5.keytab.orig
<li> Continue...
#: cp /tmp/keytab /etc/krb5.keytab</pre>
<pre>
# Start rpcsvcgssd service.
kadmin: addprinc -randkey nfs/<NFS client hostname>
#: <pre>
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
#: service rpcsvcgssd restart</pre>
kadmin: quit
#: If the above failed, and you sense something like this in /var/log/messages.
cp /etc/krb5.keytab /etc/krb5.keytab.orig
#: <pre>
cp /tmp/keytab /etc/krb5.keytab</pre>
#: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - Key table entry not found
</li>
#: unable to obtain root (machine) credentials
<li> Change {{filename|/etc/sysconfig/nfs}} to uncomment or add the following line.
#: do you have a keytab entry for nfs/<your.host>@<YOUR.REALM> in /etc/krb5.keytab?</pre>
<pre>
#: It is likely due to incorrect reserve DNS lookup to a loopback address. Look at /etc/hosts, if it has something like this,
SECURE_NFS="yes"</pre>
#: <pre>
</li>
#: 127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
<li> Now, restart rpcgssd service.
#: ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN></pre>
<pre>
#: Remove the above <NFS client FQDN> from the line, and restart the daemon again.
service rpcgssd restart</pre>
</li>
<li> If the above failed, check the file {{filename|/var/log/messages}} for the presence of a failure similar to the following.
<pre>
ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
  code may provide more information - Key table entry not found  
unable to obtain root (machine) credentials
do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?</pre>
</li>
<li> If you find a similar failure in {{filename|/var/log/messages}}, it is likely due to incorrect reserve DNS lookup to a loopback address. Look at {{filename|/etc/hosts}}, if it has something like this,
<pre>
127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
::1        localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
</pre>


Remove the above <NFS client FQDN> from the line, and restart the daemon again.
Then, configure the NFS server to find the KDC server.
Then, configure the NFS server to find the KDC server.


# If you have not already done so, install {{package|krb5-libs}} first.
</li>
#: <pre>
<li> If you have not already done so, install {{package|krb5-libs}} first.
#: yum -y install krb5-libs </pre>
<pre>
# Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
yum -y install krb5-libs </pre>
#: <pre>
</li>
#: service ntpd restart</pre>
<li> Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
# Backup the original krb5.conf, and use the same krb5.conf as the as above.
<pre>
# Now, use {{command|kadmin}} to create the server principal.
service ntpd restart</pre>
#: <pre>
</li>
#: kadmin
<li> Backup the original krb5.conf, and use the same krb5.conf as the above.
#: kadmin: addprinc -randkey nfs/<NFS server hostname>
</li>
#: kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
<li> Now, use {{command|kadmin}} to create the server principal - password is "testday" for the pre-configured KDC server.
#: kadmin: quit
<pre>
#: cp /etc/krb5.keytab /etc/krb5.keytab.orig
kadmin root/admin
#: cp /tmp/keytab /etc/krb5.keytab</pre>
kadmin: addprinc -randkey nfs/<NFS server hostname>
# Next, create an NFS export and restart NFS daemon.
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
#: <pre>
kadmin: quit
#: cp /etc/exports /etc/exports.orig
cp /etc/krb5.keytab /etc/krb5.keytab.orig
#: echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
cp /tmp/keytab /etc/krb5.keytab</pre>
#: mkdir /nfs
</li>
#: service nfs restart</pre>
<li> Change /etc/sysconfig/nfs to uncomment or add the following line.
# Create test tree structure on the server.
<pre>
#: <pre>
SECURE_NFS="yes"</pre>
#: git clone git://fedorapeople.org/~steved/cthon04
</li>
#: cd cthon04
<li> Next, create an NFS export and restart NFS daemon.
#: ./runcthon --mkdirs /nfs</pre>
<pre>
cp /etc/exports /etc/exports.orig
echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
mkdir /nfs
service rpcsvcgssd restart
service nfs restart</pre>
</li>
<li> Create test tree structure on the server.
<pre>
git clone git://fedorapeople.org/~steved/cthon04
cd cthon04
./runcthon --mkdirs /nfs
chmod 777 -R /nfs</pre>
</li>
<li> Make sure the server's firewall allow kerberos communication, or turn of the firewall temporarily.
<pre>iptables -F</pre>


Finally, start the test from the client.
Finally, start the test from the client.


# Download the connectathon testsuite from client.
</li>
#: <pre>
<li> Setup the connectathon testsuite from client by root.
#: git clone git://fedorapeople.org/~steved/cthon04</pre>
<pre>
# Run the connectathon testsuite from the client.
git clone git://fedorapeople.org/~steved/cthon04
#: <pre>
cd cthon04
#: cd cthon04
make
#: make
mkdir /mnt
#: ./runcthon --mkdirs /mnt/
chmod 777 /mnt</pre>
#: ./runcthon --server <NFS server IP> --serverdir /nfs</pre>
</li>
<li> Run the testsuite by root.
<pre>
./runcthon --server <NFS server IP> --serverdir /nfs --onlyv4 --onlykrb5</pre>
</li>
<li> Save the output from the tests to TESTOUT.log, copy {{filename|/var/log/messages}} from both the server and client, and then tar and compress them together with {{filename|/tmp/nfs*.error}} if any to [[Special:Upload|upload it]] to the wiki. Please include a link to the uploaded file in your test day results.
<pre>
mkdir log
scp root@<server hostname>:/var/log/messages messages.server
cp TESTOUT.log messages.server /var/log/messages /tmp/nfs*.error log/
tar czvf /tmp/nfs_connectathon-results-<fedora user name>.tgz log/</pre>
</li>
</ol>


|results=
|results=
# Step #1 completes without error.
# Step #1 completes without error.
# The testsuite finishes without error; no nfs*.error files in /tmp.
# The testsuite finishes without error; no nfs*.error files in /tmp.
# Step #3 completes without error.
}}
}}


[[Category:NFS_Test_Cases]]
[[Category:NFS_Test_Cases]]
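Review bot: the server-side install in the new revision (`yum -y install krb5-libs`, replacing the old `#: yum -y install krb5-libs </pre>` step) leaves out the package that ships `kadmin`, which the server's principal-creation step then runs (`kadmin root/admin`), and it also omits `ntp` although the next step restarts `ntpd`; the client step already installs `krb5-libs krb5-workstation ntp`, so the server step should install the same set, e.g. `yum -y install krb5-libs krb5-workstation ntp`, or those later commands fail on a fresh system.

Review bot: `ktadd -e des-cbc-crc:normal` on both the client and server principal lines pins the keytab to single-DES, which current Kerberos libraries refuse to use unless `allow_weak_crypto = true` is set in krb5.conf; if the rpcsec_gss implementation under test required DES at the time, the step should say so, otherwise drop the `-e` option so the KDC's default enctypes are used.

Review bot: the firewall step says to allow Kerberos traffic or disable the firewall temporarily, but the only command shown is `iptables -F` (plus `ip6tables -F` in the old revision), which flushes every rule, and no later step restores them; either give the narrower rules (Kerberos on 88/tcp and 88/udp towards the KDC, NFS on 2049/tcp towards the server) or add a closing step that reloads the firewall. `chmod 777 -R /nfs` in the test-tree step deserves the same "test-only" remark.

Review bot: the `|results=` block keeps "Step #1 completes without error" and "Step #3 completes without error" from the old three-part layout, but the rewritten `|actions=` list now has 22 numbered steps, so the numbers no longer point at the steps they were written for; restate the expected results against the new list (the KDC configuration step and the `runcthon` step) or by name.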

Latest revision as of 17:45, 1 June 2011

Description

This test case validates a secure NFSv4 root setup by running the connectathon test suite. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Center (KDC) server, the second one is an NFS server, and the third one is an NFS client.


How to test

  1. First, configure the KDC server. You can use the pre-configured one for the event. If you want to set up your own KDC server, please consult Kerberos_KDC_Quickstart_Guide.
  2. Next, configure the NFS client. If you have not already done so, install krb5-libs and ntp first.
     yum install krb5-libs krb5-workstation ntp
  3. Configure the NFS client to sync time using NTP to sync the clock for later kerberos communications.
     service ntpd restart
  4. Back up the original krb5.conf, and use the following krb5.conf for the pre-configured KDC server, or adjust it to use your own.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = FEDORAPROJECT.ORG
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = yes
    
    [realms]
     FEDORAPROJECT.ORG = {
      kdc = kerberos1.fedoraproject.org:88
      admin_server = kerberos1.fedoraproject.org:749
     }
    
    [domain_realm]
     .fedoraproject.org = FEDORAPROJECT.ORG
     fedoraproject.org = FEDORAPROJECT.ORG
     
  5. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.
     kadmin root/admin
  6. If it returns an error like the following, your system clock is most likely out of sync and needs to be corrected.
     kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
  7. Continue...
     kadmin: addprinc -randkey nfs/<NFS client hostname>
     kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS client hostname>
     kadmin: quit
     cp /etc/krb5.keytab /etc/krb5.keytab.orig
     cp /tmp/keytab /etc/krb5.keytab
  8. Change /etc/sysconfig/nfs to uncomment or add the following line.
     SECURE_NFS="yes"
  9. Now, restart rpcgssd service.
     service rpcgssd restart
  10. If the above failed, check the file /var/log/messages for the presence of a failure similar to the following.
     ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor
       code may provide more information - Key table entry not found 
     unable to obtain root (machine) credentials
     do you have a keytab entry for nfs/your.host@YOUR.REALM in /etc/krb5.keytab?
  11. If you find a similar failure in /var/log/messages, it is likely due to an incorrect reverse DNS lookup resolving to a loopback address. Look at /etc/hosts; if it has something like this,
     127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 <NFS client FQDN>
     ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 <NFS client FQDN>
    

    Remove the above <NFS client FQDN> from the line, and restart the daemon again. Then, configure the NFS server to find the KDC server.

  12. If you have not already done so, install krb5-libs first.
     yum -y install krb5-libs 
  13. Configure the NFS server to sync time using NTP to sync the clock for later kerberos communications.
     service ntpd restart
  14. Back up the original krb5.conf, and use the same krb5.conf as above.
  15. Now, use kadmin to create the server principal - password is "testday" for the pre-configured KDC server.
     kadmin root/admin
     kadmin: addprinc -randkey nfs/<NFS server hostname>
     kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/<NFS server hostname>
     kadmin: quit
     cp /etc/krb5.keytab /etc/krb5.keytab.orig
     cp /tmp/keytab /etc/krb5.keytab
  16. Change /etc/sysconfig/nfs to uncomment or add the following line.
     SECURE_NFS="yes"
  17. Next, create an NFS export and restart NFS daemon.
     cp /etc/exports /etc/exports.orig
     echo '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' >/etc/exports
     mkdir /nfs
     service rpcsvcgssd restart
     service nfs restart
  18. Create test tree structure on the server.
     git clone git://fedorapeople.org/~steved/cthon04
     cd cthon04
     ./runcthon --mkdirs /nfs
     chmod 777 -R /nfs
  19. Make sure the server's firewall allows Kerberos communication, or turn off the firewall temporarily.
    iptables -F

    Finally, start the test from the client.

  20. Set up the connectathon testsuite on the client as root.
     git clone git://fedorapeople.org/~steved/cthon04
     cd cthon04
     make
     mkdir /mnt
     chmod 777 /mnt
  21. Run the testsuite as root.
     ./runcthon --server <NFS server IP> --serverdir /nfs --onlyv4 --onlykrb5
  22. Save the output from the tests to TESTOUT.log, copy /var/log/messages from both the server and client, and then tar and compress them together with /tmp/nfs*.error if any to upload it to the wiki. Please include a link to the uploaded file in your test day results.
     mkdir log
     scp root@<server hostname>:/var/log/messages messages.server
     cp TESTOUT.log messages.server /var/log/messages /tmp/nfs*.error log/
     tar czvf /tmp/nfs_connectathon-results-<fedora user name>.tgz log/
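The following pre-flight script is an added example; it is not part of the Fedora test case or of the cthon04 suite. It turns the failure mode of step 11 (the client FQDN sitting on a loopback line in /etc/hosts, which makes rpc.gssd look for the wrong principal), the SECURE_NFS setting of steps 8 and 16, the sec= flavours of the export from step 17, and the enctype requested by ktadd in steps 7 and 15 into checks that can be run before the daemons are restarted. The hostnames client.example.test and server.example.test, the realm EXAMPLE.TEST and the file contents it writes are constructed samples; on a real machine pass /etc/hosts, /etc/sysconfig/nfs, /etc/exports and a saved `klist -ke` listing to the same functions.

```shell
#!/bin/sh
# Added pre-flight checks for the secure-NFS client/server steps above.
# Not part of the Fedora test case. Every check takes a file path, so it can
# run against the real files or against the constructed copies built below.

# 0 if FQDN ($2) appears on a 127.0.0.1 or ::1 line of hosts file $1: the
# /etc/hosts mistake from step 11 that breaks rpc.gssd's reverse lookup.
fqdn_on_loopback() {
    sed 's/#.*//' "$1" | awk -v f="$2" '
        ($1 == "127.0.0.1" || $1 == "::1") { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if SECURE_NFS="yes" is present and not commented out in a sysconfig copy.
secure_nfs_enabled() {
    grep -Eq '^[[:space:]]*SECURE_NFS="?yes"?[[:space:]]*$' "$1"
}

# Print the colon-separated sec= list for export path $2 in exports file $1,
# e.g. sys:krb5:krb5i:krb5p; prints nothing when the export has no sec= option.
export_sec_flavors() {
    awk -v p="$2" '$1 == p && match($0, /sec=[^,)]*/) { print substr($0, RSTART + 4, RLENGTH - 4) }' "$1"
}

# 0 if the export for path $2 offers flavour $3 (sys, krb5, krb5i or krb5p).
export_offers() {
    export_sec_flavors "$1" "$2" | tr ':' '\n' | grep -qx "$3"
}

# 0 if a saved `klist -ke` listing ($1) contains single-DES keys. The
# ktadd -e des-cbc-crc:normal line in the steps above creates exactly such
# keys, which current Kerberos rejects unless allow_weak_crypto is enabled.
has_des_keys() {
    grep -Eq '\(des-cbc-(crc|md5)\)' "$1"
}

# Write constructed sample files into directory $1: the bad /etc/hosts shape
# from step 11, a sysconfig file, the export line from step 17, and a
# klist -ke listing with a DES key. Hostnames and realm are made up.
make_samples() {
    d=$1
    printf '%s\n' \
      '127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4 client.example.test' \
      '::1        localhost localhost.localdomain localhost6 localhost6.localdomain6' \
      '192.0.2.10 server.example.test' > "$d/hosts"
    printf '%s\n' '# SECURE_NFS="yes"' 'SECURE_NFS="yes"' > "$d/sysconfig-nfs"
    printf '%s\n' '/nfs *(sec=sys:krb5:krb5i:krb5p,rw)' '/plain *(rw)' > "$d/exports"
    printf '%s\n' 'Keytab name: FILE:/etc/krb5.keytab' 'KVNO Principal' \
      '   2 nfs/client.example.test@EXAMPLE.TEST (des-cbc-crc)' > "$d/klist"
}

# Run every check against the files in directory $1 and print what would
# need fixing before rpcgssd / rpcsvcgssd are restarted.
run_checks() {
    d=$1
    if fqdn_on_loopback "$d/hosts" client.example.test; then
        echo "WARN: client FQDN is on a loopback line in $d/hosts; remove it (step 11)"
    fi
    secure_nfs_enabled "$d/sysconfig-nfs" || echo "WARN: SECURE_NFS is not enabled (steps 8/16)"
    export_offers "$d/exports" /nfs krb5p || echo "WARN: /nfs does not offer krb5p (step 17)"
    has_des_keys "$d/klist" && echo "WARN: keytab holds single-DES keys; weak and disabled by default"
    return 0
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
run_checks "$tmp"
rm -rf "$tmp"
```

On the sample data the script reports the loopback mapping and the DES key and is silent about SECURE_NFS and the krb5p flavour; with the client FQDN removed from the 127.0.0.1 line the first warning disappears, which is the fix step 11 asks for.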

Expected Results

  1. Step #1 completes without error.
  2. The testsuite finishes without error; no nfs*.error files in /tmp.
  3. Step #3 completes without error.