RFR - KDC for NFSv4 test day
by James Laska
Greetings,
Apologies, I just noticed that the RFR sent in by Cai for the upcoming
test day wasn't passed along to the list. Cai has been working to
document the setup instructions for running a local KDC to test against.
However, if available, a KDC hosted on a fedora test system would reduce
the start-up cost for testing. Is it too late to make progress on this
ticket?
Ticket filed at
https://fedorahosted.org/fedora-infrastructure/ticket/1953
== Project Sponsor ==
* '''Name''': Qian Cai
* '''Fedora Account Name''': caiqian
* '''Group''': Fedora QA Group
* '''Infrastructure Sponsor''':
== Secondary Contact info ==
* '''Name''': James Laska
* '''Fedora Account Name''': jlaska
* '''Group''': Fedora QA Admin Group
== Project Info ==
* Project Name: NFSv4 Test Day 4 Feb. this Thursday
* Target Audience: Fedora users/NFS community
* Expiration/Delivery Date (required):2010-02-04 (Test Day date)
* Description/Summary:
A KDC server with a few accounts so that users can use it to configure
their own NFS server and client to use kerberos authentication for
secure NFS test cases.
* Project plan (Detailed):
One of NFSv4 test day's focus is on secure NFS, which requires - a KDC
server, NFS server, and NFS client. They all need to have credentials—
principals, in Kerberos-terminology—stored in the Kerberos database.
Enabling Kerberos authentication in any service usually boils down to
four steps:
1. Creating a Kerberos principal
2. Storing the Kerberos principal on the server system so that it
can access it
3. Modifying the server’s configuration so that it accepts
Kerberos-based authentication
4. Configuring the client so that it tries Kerberos authentication
To make sure Kerberos likes your network, it’s a good idea to install
ntpd which will fix the timing issues. As for the name resolving issues,
try ping localhost ; if that returns things like
64 bytes from host.example.com (127.0.0.1): icmp_seq=1...
while running hostname --fqdn returns host.example.com, you’re all set.
If not, fiddle with /etc/hosts until it does. You should also try to
ping your hosts from different machines, and the result should be
similar.
With that out of the way, you should now install the server-side
Kerberos software on the machine that will serve as the Kerberos server.
With that done, run kdb5_util create -s, which will ask you a few
questions and then create your Kerberos realm. Next you should create an
ACL file for the kdc, which will tell the latter who can create and/or
manage Kerberos principals. An easy (and yet safe enough for most cases)
ACL file would look like this:
*/admin *
You will need to store that file as /etc/krb5kdc/kadm5.acl. Now it’s
time to start the kdc ( /usr/sbin/krb5kdc ) and the admin server
( /usr/sbin/kadmind ). Next, run /usr/sbin/kadmin.local to create the
initial principals:
# kadmin.local
addprinc root/admin@REALM
...
addprinc wouter@REALM
...
quit
#
Both will ask you to enter a password; it’ll be easiest for you to
remember if you just use your own password for that. Obviously, you
should also replace REALM by the realm name you’ve created.
By now, you have a fully operational Kerberos realm. You can play a bit
with kinit, klist and kdestroy (read their manpages). Next will be to
set up the different servers so that they support Kerberos
authentication, followed by the clients; and to finish it all properly,
we should also configure PAM to authenticate against the Kerberos server
rather than /etc/passwd.
Goals: Having a centralized server with some pre-populated data to test
against, so itwould probably lower the barriers for people having to
setup their own server + data
14 years, 2 months
RFC: SpamAssassin subject munging considered harmful :)
by Todd Zullinger
I noticed that a number of messages to the users list have been marked
with [Spam] in the subjects since the list migration. This appears to
be due to the Spamassassin settings on bastion. I think this subject
munging is undesirable and would like to see it stopped. Having
legitimate messages sent to list members tagged as [SPAM] serves no
good purpose. If I were a list member I might wonder why my message
was marked or why Fedora is forwarding on mail it thinks is spam.
At the same time, it's worth noting that if the SpamAssassin settings
are marking legitimate list mail as spam, they probably ought to be
tweaked a bit. If these messages had gone through bastion before
hitting Mailman and were to a list with a rule to reject or discard on
X-Spam-Flag (as I know several lists do, websites being one example),
the messages would have been improperly discarded.
This isn't to say I don't appreciate the job that SpamAssassin does
nor the hard work put in by Warren and others upstream. I just want
to ensure that SpamAssassin does not act too aggressively at marking
up the mail that comes through fedoraproject.org.
I've attached an example of a recent users list message which was
marked as spam improperly. The relevant SpamAssassin headers:
X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on
bastion2.fedora.phx.redhat.com
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.6 required=5.0 tests=BAYES_50,SPOOF_COM2COM,
SPOOF_COM2OTH autolearn=no version=3.3.0
X-Spam-Report: * 2.7 SPOOF_COM2OTH URI: URI contains ".com" in middle * 2.0
SPOOF_COM2COM URI: URI contains ".com" in middle and end * 0.8 BAYES_50
BODY: Bayes spam probability is 40 to 60% * [score: 0.5000]
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Life is like a sewer. What you get out of it depends on what you put
into it.
-- Tom Lehrer, quoting Henry
14 years, 2 months
Introduction
by portn0k
Hi, im Ethan, and this is my introduction. my hobbies consist of
programming (C/Perl), snowboarding, and doing security work on networks
I admin. FreeBSD is my favorite server OS. im trying to get my hands
on some cisco gear also to start learning what i need to to get some
certs. i'm a Computer Systems Security major at Colorado Technical
University, and enjoying every minute of my courses.
For quite some time i've wanted to be a part a large project, and the
fedora project seems like it'll do the trick. I cant wait to get
started doing anything i can do to help out.
thanks for reading this.
- Ethan
14 years, 2 months
Introduction
by Sebastian Heid
Hello everyone!
My name is Sebastian Heid and I'm from Regensburg, Germany.
I'm currently working as a sysadmin for a german isp. I have experience in clustering, virtualization and setting up web/mail/dns/other servers. I'm administering linux systems for about 9 years now. At work I am also developing php and shell scripts for various purposes.
I hope I can help you somehow and I hope that I will get an introduction in new technologies like cloudcomputing or anything like that.
Regards,
Sebastian Heid
14 years, 2 months
