From Fedora Project Wiki

Revision as of 17:14, 1 February 2010 by Caiqian (talk | contribs)


This test case is to validates a secure NFSv4 root setup by running the connectathon test suite.

How to test

  1. This test requires at least 3 systems in the same domain. The first one is a Key Distribution Server (KDC) server, the second one is a NFS server, and the third one is a NFS client.
  2. First, configure the KDC server.
  3. Install the Package-x-generic-16.pngkrb5-libs, Package-x-generic-16.pngkrb5-server, and Package-x-generic-16.pngkrb5-workstation if have not done so.
    yum -y install krb5-libs krb5-server krb5-workstation
  4. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default_realm = REDHAT.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
    REDHAT.COM = {
    kdc = <KDC server hostname>:88
    admin_server = <KDC server hostname>:749
  5. [domain_realm] = REDHAT.COM = REDHAT.COM
  6. Create the database using the kdb5_util utility from a shell prompt:
    /usr/kerberos/sbin/kdb5_util create -s
  7. You can run both NFS server and client on the same system or use different systems. Configure the server to sync time using NTP to sync the clock for later kerberos communications.
    service ntp restart
  8. If you have not already done so, install Package-x-generic-16.pngkrb5-libs
    yum -y install krb5-libs
  9. Next, configure the NFS server to find the KDC server.
    cp /etc/krb5.conf /etc/krb5.conf.orig
    cat <<EOF >/etc/krb5.conf
    default_realm = GREP.BE
    kdc_timesync = 1
    forwardable = true
    proxiable = true
    GREP.BE = {
    kdc =
    kdc =
    admin_server =
    krb4_convert = false
    krb4_get_tickets = false
  10. Now, use kadmin to create the server principal.
  11. Next, create an NFS export and restart NFS
    cp /etc/exports /etc/exports.orig
    echo '/nfs gss/krb5i(sync,subtree_check,rw)' > /etc/exports
    mkdir /nfs
    service nfs restart
  12. Download the connectathon testsuite
    git clone git://
  13. Run the connectathon testsuite from the client.
    cd cthon04
    ./runcthon --server <server IP> --serverdir /nfs

Expected Results

  1. Step #1 completes without error.
  2. The testsuite finishes without error; no nfs*.error files in /tmp.