#63 Test KRB5 authenticated NFS in FreeIPA tests
Opened 6 years ago by adamwill. Modified 6 years ago

@simo has asked if we could extend openQA's FreeIPA tests to cover krb5-authenticated NFS. This is a mechanism by which you can set up an NFS share within a domain and have the domain controller authorize access to it.

I think we ought to be able to do this reasonably easily by extending the domain controller role test to configure one or more such shares, and then extending one or more of the client tests to check the access control (make sure a user / machine which should be able to access the storage actually can, make sure one which shouldn't be able to can't, and so on). Alternatively, adding an extra client test specifically for this might be useful/necessary; we'll have to try it and see.

@simo says @rharwood should be able to help us with this effort, including monitoring the results and updating the tests in future. @pschindl, @sumantrom, if either of you is interested in working on this, please feel free. I will try and get around to it in future if I can, but I have quite a few other things at higher priority ATM.


One request @simo had is that he would like us to test scenarios involving gssproxy.

For reference, right now I have setup scripts at github/frozencemetery/nfs-vagrant. Testing normal mounting is, as root on nfs-client, `service rpc-gssd start && mount -v nfs-server.mivehind.net:/home /mnt/nfs/home -o vers=4.2`; testing autofs is something like `service autofs start && su - robbie` then `echo password | kinit && cd /mnt/home/nfs/robbie`.

Note on this: I actually have some time right now, but can't practically move forward with this until FreeIPA in Rawhide is actually working. It is not right now because of https://bugzilla.redhat.com/show_bug.cgi?id=1496562 . Until a newer version of FreeIPA is sent to Rawhide to fix that (or some other fix is done), we can't really work on additional FreeIPA-related tests. Thanks!

Metadata Update from @adamwill:
- Issue tagged with: freeipa, newtest

6 years ago
