From Fedora Project Wiki

Line 28: Line 28:
 
#:  admin_server = <KDC server hostname>:749
 
#:  admin_server = <KDC server hostname>:749
 
#:  }
 
#:  }
#
+
#:
 
#: [domain_realm]
 
#: [domain_realm]
 
#:  .redhat.com = REDHAT.COM
 
#:  .redhat.com = REDHAT.COM

Revision as of 17:15, 1 February 2010

Description

This test case is to validates a secure NFSv4 root setup by running the connectathon test suite.


How to test

  1. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
  2. First, configure the KDC server.
  3. Install the Package-x-generic-16.pngkrb5-libs, Package-x-generic-16.pngkrb5-server, and Package-x-generic-16.pngkrb5-workstation if have not done so.
    yum -y install krb5-libs krb5-server krb5-workstation
  4. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain .redhat.com.
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = REDHAT.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
    [realms]
    REDHAT.COM = {
    kdc = <KDC server hostname>:88
    admin_server = <KDC server hostname>:749
    }
    [domain_realm]
    .redhat.com = REDHAT.COM
    redhat.com = REDHAT.COM
  5. Create the database using the kdb5_util utility from a shell prompt:
    /usr/kerberos/sbin/kdb5_util create -s
  6. You can run both NFS server and client on the same system or use different systems. Configure the server to sync time using NTP to sync the clock for later kerberos communications.
    service ntp restart
  7. If you have not already done so, install Package-x-generic-16.pngkrb5-libs
    yum -y install krb5-libs
  8. Next, configure the NFS server to find the KDC server.
    cp /etc/krb5.conf /etc/krb5.conf.orig
    cat <<EOF >/etc/krb5.conf
    [libdefaults]
    default_realm = GREP.BE
    kdc_timesync = 1
    forwardable = true
    proxiable = true
    [realms]
    GREP.BE = {
    kdc = kdc.grep.be
    kdc = kdc-1.grep.be
    admin_server = kdc.grep.be
    }
    [login]
    krb4_convert = false
    krb4_get_tickets = false
    EOF
  9. Now, use kadmin to create the server principal.
    kadmin
  10. Next, create an NFS export and restart NFS
    cp /etc/exports /etc/exports.orig
    echo '/nfs gss/krb5i(sync,subtree_check,rw)' > /etc/exports
    mkdir /nfs
    service nfs restart
  11. Download the connectathon testsuite
    git clone git://fedorapeople.org/~steved/cthon04
  12. Run the connectathon testsuite from the client.
    cd cthon04
    make
    ./runcthon --server <server IP> --serverdir /nfs

Expected Results

  1. Step #1 completes without error.
  2. The testsuite finishes without error; no nfs*.error files in /tmp.