#1953 KDC Server of Secure NFS Testing during NFSv4 Test Day
Closed: Fixed None Opened 11 years ago by caiqian.

= Project Sponsor =

Project Team (FAS Names):
Infrastructure Sponsor:

= Project Info =

Project Name: NFSv4 Test Day, 4 Feb. (next Thursday)
Target Audience: Fedora users/NFS community
Expiration/Delivery Date (required): 2010-02-04 (Test Day date)
Description/Summary: A KDC server with a few accounts so that users can use it to configure their own NFS server and client to use Kerberos authentication for the secure NFS test cases.
Project plan (Detailed): One of the NFSv4 test day's focuses is secure NFS, which requires a KDC server, an NFS server, and an NFS client. They all need to have credentials—principals, in Kerberos terminology—stored in the Kerberos database. Enabling Kerberos authentication in any service usually boils down to four steps:

  1. Creating a Kerberos principal
  2. Storing the Kerberos principal on the server system so that it can access it
  3. Modifying the server’s configuration so that it accepts Kerberos-based authentication
  4. Configuring the client so that it tries Kerberos authentication

To make sure Kerberos likes your network, it's a good idea to install ntpd, which will fix the timing issues. As for name resolution issues, try ping localhost; if that returns something like

64 bytes from host.example.com ( icmp_seq=1...

while running hostname --fqdn returns host.example.com, you’re all set. If not, fiddle with /etc/hosts until it does. You should also try to ping your hosts from different machines, and the result should be similar.

With that out of the way, you should now install the server-side Kerberos software on the machine that will serve as the Kerberos server. With that done, run kdb5_util create -s, which will ask you a few questions and then create your Kerberos realm. Next you should create an ACL file for the kdc, which will tell the latter who can create and/or manage Kerberos principals. An easy (and yet safe enough for most cases) ACL file would look like this:

*/admin *

You will need to store that file as /etc/krb5kdc/kadm5.acl. Now it’s time to start the kdc ( /usr/sbin/krb5kdc ) and the admin server ( /usr/sbin/kadmind ). Next, run /usr/sbin/kadmin.local to create the initial principals:

addprinc root/admin@REALM
addprinc wouter@REALM

Both will ask you to enter a password; it’ll be easiest for you to remember if you just use your own password for that. Obviously, you should also replace REALM by the realm name you’ve created.

By now, you have a fully operational Kerberos realm. You can play a bit with kinit, klist and kdestroy (read their manpages). Next will be to set up the different servers so that they support Kerberos authentication, followed by the clients; and to finish it all properly, we should also configure PAM to authenticate against the Kerberos server rather than /etc/passwd.
Goals: Having a centralized server with some pre-populated data to test against; it would probably lower the barrier for people who would otherwise have to set up their own server + data.
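As an added example, not part of this ticket or the tutorial it quotes: a small POSIX shell helper that generates the kadmin.local commands for the principals a secure-NFS test setup needs (admin, a user, and one service principal per NFS host) and checks that the kadm5.acl line is the admin-only form shown above. The realm, user and host names are placeholders; nfs/<fqdn> is the conventional service-principal name the Linux NFS Kerberos code expects.

```shell
#!/bin/sh
# Added example, not from the ticket. Emits kadmin.local commands for a secure-NFS
# test realm so they can be reviewed before being piped into kadmin.local.
# Placeholders: REALM, user and host names are whatever the caller passes.

# gen_kadmin_cmds REALM USER NFS_HOST...
# Service principals get a random key and are exported to a per-host keytab
# (path under /tmp is a constructed placeholder), because the NFS daemons read
# a keytab rather than prompting for a password like the user principals do.
gen_kadmin_cmds() {
    realm=$1; user=$2; shift 2
    printf 'addprinc root/admin@%s\n' "$realm"
    printf 'addprinc %s@%s\n' "$user" "$realm"
    for host in "$@"; do
        printf 'addprinc -randkey nfs/%s@%s\n' "$host" "$realm"
        printf 'ktadd -k /tmp/krb5.keytab.%s nfs/%s@%s\n' "$host" "$host" "$realm"
    done
}

# acl_is_admin_only LINE
# Returns 0 only for the '*/admin *' rule from the ticket, which grants full
# rights to principals with an /admin instance. A bare '* *' would grant every
# principal (including nfs/ service principals) full control of the realm.
acl_is_admin_only() {
    case "$1" in
        '*/admin *') return 0 ;;
        *)           return 1 ;;
    esac
}

# Typical use: review, then feed to kadmin.local on the KDC.
#   gen_kadmin_cmds EXAMPLE.COM wouter nfs-server.example.com nfs-client.example.com
#   gen_kadmin_cmds ... | /usr/sbin/kadmin.local
```

Copy each generated keytab to the host named in it (as /etc/krb5.keytab) rather than leaving it on the KDC.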

If this can be kept from the start of the test day for the next 2 weeks, it would be helpful for late participants.

It looks like the test day is over now - can the test machine be removed now?

Replying to [comment:3 ricky]:

> It looks like the test day is over now - can the test machine be removed now?

Yes, thank you!

Removed. Thank you for shopping with Fedora Infrastructure :) Hope the test day went ok.
