2 # vim:expandtab:shiftwidth=4:softtabstop=4:tabstop=4:
5 # setup_kerberos.sh - set up the Kerberos environment on a Lustre cluster
8 # * Only one KDC involved, no slave KDC.
9 # * Only one Kerberos realm involved, no multiple Kerberos realms.
11 ###############################################################################
16 Usage: $(basename $0) <KDC_distro> <KDC_node> <MGS_node> <MDS_node>[:MDS_node:...]
17 <OSS_node>[:OSS_node:...] <CLIENT_node>[:CLIENT_node:...]
19 This script is used to setup the Kerberos environment on Lustre cluster.
21 KDC_distro distribution on the KDC node (rhel5 or sles10)
22 KDC_node KDC node name
23 MGS_node Lustre MGS node name
24 MDS_node Lustre MDS node name
25 OSS_node Lustre OSS node name
26 CLIENT_node Lustre client node name
28 e.g.: $(basename $0) rhel5 scsi2 scsi2 sata2 sata3 client5
29 e.g.: $(basename $0) sles10 scsi2 scsi2 scsi2 sata3:sata5 client2:client3
30 e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 scsi2
33 1) The script will destroy all the old Kerberos settings by default. If you
34 want to reserve the original krb5.conf and KDC configuration, please set
37 2) The script will create principals for some runas users and add them into
38 the Kerberos database by default. The UIDs of the runas users specified in
39 "LOCAL_UIDS" variable need exist on KDC, MDS and Client nodes. If you do not
40 need runas users, please set "CFG_RUNAS=false".
42 3) The script will create idmap.conf and perm.conf under /etc/lustre dir on
43 MDS node for remote ACL by default. If you do not need remote ACL, please
44 set "CFG_IDMAP=false".
49 # ************************ Parameters and Variables ************************ #
57 # translate to lower case letters
58 MY_KDC_DISTRO=$(echo $MY_KDC_DISTRO | tr '[A-Z]' '[a-z]')
60 if [ -z "$MY_KDC_DISTRO" -o -z "$MY_KDCNODE" -o -z "$MY_MDSNODES" -o \
61 -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" -o -z "$MY_MGSNODE" ]; then
66 LUSTRE=${LUSTRE:-$(cd $(dirname $0)/..; echo $PWD)}
67 . $LUSTRE/tests/test-framework.sh
69 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
72 ACCEPTOR_PORT=${ACCEPTOR_PORT:-988}
74 # check and configure runas users
75 CFG_RUNAS=${CFG_RUNAS:-true}
76 # uids for local and remote users
77 LOCAL_UIDS=${LOCAL_UIDS:-"500 501"}
78 REMOTE_UIDS=${REMOTE_UIDS:-"500 501"} # for remote ACL testing
80 # remove the original Kerberos and KDC settings
81 RESET_KDC=${RESET_KDC:-true}
83 # generate unique keytab for each client node
84 SPLIT_KEYTAB=${SPLIT_KEYTAB:-true}
86 # encryption types for generating keytab
87 MDS_ENCTYPE=${MDS_ENCTYPE:-"aes128-cts"}
88 MGS_ENCTYPE=${MGS_ENCTYPE:-"$MDS_ENCTYPE"}
89 OSS_ENCTYPE=${OSS_ENCTYPE:-"aes128-cts"}
90 CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"aes128-cts"}
92 # configuration file for Kerberos
93 KRB5_CONF=${KRB5_CONF:-"/etc/krb5.conf"}
94 KRB5_KEYTAB=${KRB5_KEYTAB:-"/etc/krb5.keytab"}
95 KRB5_TICKET_LIFETIME=${KRB5_TICKET_LIFETIME:-"24h"}
97 # configuration files for libgssapi and keyutils
98 GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"}
99 REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"}
101 # create configuration files for remote ACL testing
102 CFG_IDMAP=${CFG_IDMAP:-true}
103 LUSTRE_CONF_DIR=${LUSTRE_CONF_DIR:-"/etc/lustre"}
104 IDMAP_CONF=$LUSTRE_CONF_DIR/idmap.conf
105 PERM_CONF=$LUSTRE_CONF_DIR/perm.conf
107 # krb5 realm & domain
108 KRB5_REALM=${KRB5_REALM:-"CO.CFS"}
109 KRB5_DOMAIN=$(echo $KRB5_REALM | tr '[A-Z]' '[a-z]')
111 MY_MDSNODES=${MY_MDSNODES//:/ }
112 MY_OSSNODES=${MY_OSSNODES//:/ }
113 MY_CLIENTNODES=${MY_CLIENTNODES//:/ }
115 # set vars according to the KDC distribution
116 KRB5PKG_SVR="krb5-server"
117 KRB5PKG_DEV="krb5-devel"
118 case $MY_KDC_DISTRO in
120 KRB5PKG_CLI="krb5-workstation"
121 KRB5PKG_LIB="krb5-libs"
122 KDC_CONF_DIR="/var/kerberos/krb5kdc"
125 KRB5PKG_CLI="krb5-client"
127 KDC_CONF_DIR="/var/lib/kerberos/krb5kdc"
130 echo "Unsupported KDC distro: $MY_KDC_DISTRO!"
133 KDC_CONF="$KDC_CONF_DIR/kdc.conf"
134 KDC_ACL="$KDC_CONF_DIR/kadm5.acl"
136 # ******************************** Functions ******************************** #
142 if [ -z "$name" -o -z "$list" ]; then
147 if [[ " $list " == *\ $name\ * ]]; then
159 local nodename=${node%.$KRB5_DOMAIN}
160 do_node $node "PATH=\$PATH:/usr/kerberos/sbin:/usr/kerberos/bin:\
161 /usr/lib/mit/sbin:/usr/lib/mit/bin $@" | sed "s/^${nodename}: //"
162 return ${PIPESTATUS[0]}
167 output=$(my_do_node "$@" 2>&1)
168 return ${PIPESTATUS[0]}
172 my_do_node $MY_KDCNODE "$@"
173 return ${PIPESTATUS[0]}
177 do_node_mute $MY_KDCNODE "$@"
178 return ${PIPESTATUS[0]}
182 # convert a space-delimited node name list to a canonical name list
185 local nodename_list="$@"
191 for name in $nodename_list; do
192 fqdn=$(do_kdc "gethostip -n $name 2>&1")
194 if [ $rc -ne 0 ]; then
195 echo "Can not get the FQDN of node $name: $fqdn"
198 [ -z "$fqdn_list" ] && fqdn_list="$fqdn" \
199 || fqdn_list="$fqdn_list $fqdn"
208 # convert the MDS/OSS node names to their canonical (FQDN) form, as
209 # required by Kerberos. The KDC and client names are converted too so
210 # that node name comparisons are straightforward
216 MY_KDCNODE=$(get_fqdn $MY_KDCNODE)
218 if [ $rc -ne 0 ]; then
224 MY_MGSNODE=$(get_fqdn $MY_MGSNODE)
226 if [ $rc -ne 0 ]; then
232 MY_MDSNODES=$(get_fqdn $MY_MDSNODES)
234 if [ $rc -ne 0 ]; then
240 MY_OSSNODES=$(get_fqdn $MY_OSSNODES)
242 if [ $rc -ne 0 ]; then
248 MY_CLIENTNODES=$(get_fqdn $MY_CLIENTNODES)
250 if [ $rc -ne 0 ]; then
259 # verify remote shell works on all nodes
265 echo "+++ Checking remote shell"
267 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
269 is_part_of $node $checked && continue
271 echo -n "Checking remote shell on $node..."
272 do_node_mute $node true || return ${PIPESTATUS[0]}
275 checked="$checked $node"
280 # verify the entropy (random numbers) available on the KDC node, which is
281 # used by kdb5_util to create the Kerberos database. If it is below the
282 # limit, /dev/random on the KDC is replaced with a device node for
283 # /dev/urandom (the original is kept as /dev/random.bak)
287 echo "+++ Checking the entropy on the KDC"
289 echo -n "Checking $MY_KDCNODE..."
290 avail=$(do_kdc "sysctl -n kernel.random.entropy_avail")
291 local rc=${PIPESTATUS[0]}
292 if [ $rc -eq 0 ]; then
293 if [ $avail -lt $limit ]; then
294 echo -e "\nWarning: The entropy on the KDC node is only $avail, \
295 which is not enough for kdb5_util to create Kerberos database! \
296 Let's use /dev/urandom!"
297 do_kdc "rm -f /dev/random.bak && mv /dev/random{,.bak} && \
298 mknod /dev/random c 1 9"
299 return ${PIPESTATUS[0]}
302 echo "Can not get the entropy on the KDC node!"
309 # verify runas users and groups
317 echo "+++ Checking users and groups"
319 for node in $MY_KDCNODE $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do
320 is_part_of $node $checked && continue
322 for id in $LOCAL_UIDS; do
323 echo -n "Checking uid/gid $id/$id on $node..."
324 user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1)
325 if [ -z "$user" ]; then
326 echo -e "\nPlease set LOCAL_UIDS and REMOTE_UIDS to some users \
327 which exist on KDC, MDS and client or add user/group $id/$id on these nodes."
332 checked="$checked $node"
341 echo -n "Checking $dev mount on $node..."
342 if do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
347 if ! do_node_mute $node "grep -q ^$dev /etc/fstab"; then
348 my_do_node $node "echo '$dev $dir $dev defaults 0 0' >> /etc/fstab" || \
349 return ${PIPESTATUS[0]}
351 my_do_node $node "mkdir -p $dir && mount $dir" || true
353 if ! do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
354 echo "Failed to mount fs $dev at $dir!"
361 # configure nfsd mount on MDS and OSS nodes
367 echo "+++ Configuring nfsd mount"
369 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES; do
370 is_part_of $node $checked && continue
371 cfg_mount $node nfsd /proc/fs/nfsd || return ${PIPESTATUS[0]}
372 checked="$checked $node"
380 my_do_node $node "rpm -q $pkg 2>&1" | tail -n1
381 return ${PIPESTATUS[0]}
388 my_do_node $node cat /etc/SuSE-release 2>/dev/null | \
389 grep -q 'Enterprise Server 10'
390 if [ ${PIPESTATUS[1]} -eq 0 ]; then
392 cli) echo "krb5-client";;
397 cli) echo "krb5-workstation";;
398 lib) echo "krb5-libs";;
407 echo "+++ Checking KDC installation"
409 echo -n "Checking $MY_KDCNODE..."
410 pkg=$(get_pkgname $MY_KDCNODE $KRB5PKG_SVR)
412 if [ $rc -ne 0 ]; then
413 echo -e "\nCan not find $KRB5PKG_SVR package on $MY_KDCNODE: $pkg"
425 echo "+++ Checking Kerberos 5 installation"
426 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
427 is_part_of $node $checked && continue
429 echo -n "Checking $node..."
430 krb5pkg_cli=$(get_krb5pkgname $node cli)
432 pkg=$(get_pkgname $node $krb5pkg_cli)
434 if [ $rc -ne 0 ]; then
435 echo -e "\nCan not find $krb5pkg_cli package on $node: $pkg"
439 checked="$checked $node"
449 echo "+++ Checking libgssapi installation"
451 LIBGSSAPI=$(get_pkgname $MY_KDCNODE libgssapi)
453 if [ $rc -ne 0 ]; then
454 echo "Can not find libgssapi package on $MY_KDCNODE: $LIBGSSAPI"
458 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
459 is_part_of $node $checked && continue
461 echo -n "Checking $node..."
462 pkg=$(get_pkgname $node libgssapi)
464 if [ $rc -ne 0 ]; then
465 echo -e "\nCan not find libgssapi package on $node: $pkg"
469 checked="$checked $node"
474 # check and update the /etc/gssapi_mech.conf file on each node.
475 # Only the MIT Kerberos 5 GSS-API mechanism is supported.
485 echo "+++ Updating $GSSAPI_MECH_CONF"
487 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
489 is_part_of $node $checked && continue
491 krb5pkg_lib=$(get_krb5pkgname $node lib)
492 pkg=$(get_pkgname $node $krb5pkg_lib)
494 if [ $rc -ne 0 ]; then
495 echo -e "\nCan not find $krb5pkg_lib package on $node: $pkg"
499 krb5_lib=$(my_do_node $node "rpm -ql $pkg" | \
500 grep libgssapi_krb5.so | head -n1)
502 if ! do_node_mute $node \
503 "egrep -q \\\"^$krb5_lib|^$(basename $krb5_lib)\\\" $GSSAPI_MECH_CONF"; then
505 "echo '$krb5_lib mechglue_internal_krb5_init' >> $GSSAPI_MECH_CONF"
507 checked="$checked $node"
513 # check and update the /etc/request-key.conf file on each MDS and client node
520 echo "+++ Updating $REQUEST_KEY_CONF"
522 for node in $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do
523 is_part_of $node $checked && continue
524 lgss_keyring=$(my_do_node $node "which lgss_keyring") || \
525 return ${PIPESTATUS[0]}
527 if ! do_node_mute $node \
528 "grep -q \\\"^create.*$lgss_keyring\\\" $REQUEST_KEY_CONF"; then
530 "echo 'create lgssc * * $lgss_keyring %o %k %t %d %c %u %g %T %P %S' \
531 >> $REQUEST_KEY_CONF"
533 checked="$checked $node"
542 echo -n "Creating service principal lustre_$type/$fqdn@$KRB5_REALM..."
543 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
544 addprinc -randkey lustre_$type/$fqdn@$KRB5_REALM
546 local rc=${PIPESTATUS[0]}
547 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
552 add_svc_princ_root() {
553 echo -n "Creating service principal lustre_root@$KRB5_REALM..."
554 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
555 addprinc -randkey lustre_root@$KRB5_REALM
557 local rc=${PIPESTATUS[0]}
558 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
566 echo -n "Creating user principal $user@$KRB5_REALM..."
567 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
568 addprinc -pw $user $user@$KRB5_REALM
570 local rc=${PIPESTATUS[0]}
571 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
576 add_test_princ_id() {
580 user=$(do_kdc getent passwd $id | cut -d: -f1)
581 if [ -z "$user" ]; then
582 echo "Can not find the user with uid $id on the KDC!"
586 add_user_princ $user || return ${PIPESTATUS[0]}
590 # create principals for the client, MDS, OSS, runas users and add them to
591 # the Kerberos database
596 add_svc_princ $MY_MGSNODE mgs || return ${PIPESTATUS[0]}
598 for node in $MY_MDSNODES; do
599 add_svc_princ $node mds || return ${PIPESTATUS[0]}
602 for node in $MY_OSSNODES; do
603 add_svc_princ $node oss || return ${PIPESTATUS[0]}
606 for node in $MY_CLIENTNODES; do
607 if $SPLIT_KEYTAB; then
608 add_svc_princ $node root || return ${PIPESTATUS[0]}
610 add_svc_princ_root || return ${PIPESTATUS[0]}
614 if ! $SPLIT_KEYTAB; then
615 add_user_princ lustre_root || return ${PIPESTATUS[0]}
617 add_user_princ bin || return ${PIPESTATUS[0]}
618 add_user_princ daemon || return ${PIPESTATUS[0]}
619 add_user_princ games || return ${PIPESTATUS[0]}
622 for uid in $LOCAL_UIDS; do
623 add_test_princ_id $uid || return ${PIPESTATUS[0]}
629 # create and install the KDC configuration file kdc.conf on the KDC; this
630 # destroys the old KDC settings, and the new database is created with the
631 # master password hard-coded in the kdb5_util command below
633 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
634 local tmpcfg=$tmpdir/kdc.conf
635 local tmpacl=$tmpdir/kadm5.acl
637 echo "+++ Configuring KDC on $MY_KDCNODE"
638 echo "Warning: old KDC setting on $MY_KDCNODE will be destroied!!!"
640 echo -n "Checking the existence of KDC config dir..."
641 do_kdc_mute "[ -d $KDC_CONF_DIR ]"
642 if [ ${PIPESTATUS[0]} -ne 0 ]; then
643 echo -e "\nUnrecognized krb5 distribution!"
650 do_kdc_mute "/etc/init.d/krb5kdc stop < /dev/null" || true
652 echo -n "Removing old KDC configurations..."
653 do_kdc_mute "rm -f $KDC_CONF_DIR/*"
656 # create kdc.conf locally
658 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
665 master_key_type = aes128-cts
666 supported_enctypes = des3-hmac-sha1:normal aes128-cts:normal aes256-cts:normal des-cbc-md5:normal
670 # install kdc.conf remotely
671 echo -n "Installing kdc.conf on $MY_KDCNODE..."
672 $SCP $tmpcfg root@$MY_KDCNODE:$KDC_CONF || return ${PIPESTATUS[0]}
675 # initialize KDC database
676 echo -n "Creating Kerberos database on $MY_KDCNODE..."
677 do_kdc_mute "kdb5_util create -r $KRB5_REALM -s -P 111111"
678 local rc=${PIPESTATUS[0]}
679 if [ $rc -ne 0 ]; then
686 # create ACL file locally & install remotely
688 */admin@$KRB5_REALM *
691 echo -n "Installing kadm5.acl on $MY_KDCNODE..."
692 $SCP $tmpacl root@$MY_KDCNODE:$KDC_ACL || return ${PIPESTATUS[0]}
694 rm -rf $tmpdir || true
697 do_kdc "/etc/init.d/krb5kdc restart < /dev/null" || return ${PIPESTATUS[0]}
701 # create and install the Kerberos configuration file krb5.conf on the KDC,
702 # client, MDS and OSS
705 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
706 local tmpcfg="$tmpdir/krb5.conf"
709 echo "+++ Installing krb5.conf on all nodes"
711 # create krb5.conf locally
713 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
716 default_realm = $KRB5_REALM
717 dns_lookup_realm = false
718 dns_lookup_kdc = false
719 ticket_lifetime = $KRB5_TICKET_LIFETIME
725 admin_server = $MY_KDCNODE:749
726 default_domain = $KRB5_DOMAIN
730 .$KRB5_DOMAIN = $KRB5_REALM
731 $KRB5_DOMAIN = $KRB5_REALM
744 # install krb5.conf remotely
745 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
747 is_part_of $node $checked && continue
749 echo -n "Installing krb5.conf on $node..."
750 $SCP $tmpcfg root@$node:$KRB5_CONF || return ${PIPESTATUS[0]}
753 checked="$checked $node"
755 rm -rf $tmpdir || true
763 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
764 ktadd -k $tab -e $enctype:normal $princ@$KRB5_REALM
774 add_keytab $tab lustre_$type/$fqdn $enctype
781 add_keytab $tab lustre_root $enctype
788 $SCP $tab root@$node:$tab || return ${PIPESTATUS[0]}
789 do_node_mute $node "ktutil <<EOF
792 EOF" || return ${PIPESTATUS[0]}
796 # create and install the keytab file krb5.keytab on the client, MDS and OSS
799 local tmptab="$TMP/keytab.tmp"
802 echo "+++ Generating keytabs"
805 echo -n "Deleting old keytabs on all nodes..."
806 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
807 do_node_mute $node "rm -f $KRB5_KEYTAB $TMP/krb5cc*"
811 # install for MDS nodes
812 for node in $MY_MDSNODES; do
813 echo -n "Preparing for MDS $node..."
814 do_kdc_mute "rm -f $tmptab"
815 add_keytab_svc $tmptab $node mds $MDS_ENCTYPE || return ${PIPESTATUS[0]}
817 if is_part_of $node $MY_MGSNODE; then
818 echo -n "also be an MGS..."
819 add_keytab_svc $tmptab $node mgs $MGS_ENCTYPE || \
820 return ${PIPESTATUS[0]}
823 if is_part_of $node $MY_OSSNODES; then
824 echo -n "also be an OSS..."
825 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
826 return ${PIPESTATUS[0]}
830 echo -n "Installing krb5.keytab on $node..."
831 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
832 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
837 # install for MGS node
838 echo -n "Preparing for MGS $MY_MGSNODE..."
839 if ! is_part_of $MY_MGSNODE $MY_MDSNODES; then
840 do_kdc_mute "rm -f $tmptab"
841 add_keytab_svc $tmptab $MY_MGSNODE mgs $MGS_ENCTYPE || \
842 return ${PIPESTATUS[0]}
844 if is_part_of $MY_MGSNODE $MY_OSSNODES; then
845 echo -n "also be an OSS..."
846 add_keytab_svc $tmptab $MY_MGSNODE oss $OSS_ENCTYPE || \
847 return ${PIPESTATUS[0]}
851 echo -n "Installing krb5.keytab on $MY_MGSNODE..."
852 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
853 $SCP $tmptab root@$MY_MGSNODE:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
857 echo "also be an MDS, already done, skip"
860 # install for OSS nodes
861 for node in $MY_OSSNODES; do
862 echo -n "Preparing for OSS $node..."
863 if is_part_of $node $MY_MDSNODES; then
864 echo "also be an MDS, already done, skip"
865 elif is_part_of $node $MY_MGSNODE; then
866 echo "also be an MGS, already done, skip"
868 do_kdc_mute "rm -f $tmptab"
869 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
870 return ${PIPESTATUS[0]}
873 echo -n "Installing krb5.keytab on $node..."
874 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
875 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
881 # install for client nodes
882 do_kdc_mute "rm -f $tmptab"
883 if ! $SPLIT_KEYTAB; then
884 echo -n "Preparing for client..."
885 add_keytab_root $tmptab $CLIENT_ENCTYPE || return ${PIPESTATUS[0]}
886 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
889 for node in $MY_CLIENTNODES; do
890 echo -n "Preparing for client $node..."
891 # don't generate keytabs if it's also an MDS
892 if is_part_of $node $MY_MDSNODES; then
893 echo "also be an MDS, already done, skip"
897 add_keytab_svc $tmptab $node root $CLIENT_ENCTYPE || \
898 return ${PIPESTATUS[0]}
899 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
903 for node in $MY_CLIENTNODES; do
904 echo -n "Installing krb5.keytab on client $node..."
906 # don't install if it's also an MDS
907 if is_part_of $node $MY_MDSNODES; then
908 echo "also be an MDS, already done, skip"
912 # merge keytab if it's also an MGS
913 if is_part_of $node $MY_MGSNODE; then
914 echo -n "also be an MGS, merging keytab..."
915 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
920 # merge keytab if it's also an OSS
921 if is_part_of $node $MY_OSSNODES; then
922 echo -n "also be an OSS, merging keytab..."
923 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
928 # simply install otherwise
929 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
932 rm -f $tmptab || true
935 check_acceptor_port() {
939 if [ -z "$port" ]; then
940 echo "Missing acceptor port!"
946 while [ $WAIT -lt $MAX_WAIT ]; do
948 my_do_node $node "netstat -tpan" | grep -q ":$port .*TIME_WAIT"
949 if [ ${PIPESTATUS[1]} -ne 0 ]; then
955 echo "LNET acceptor port $port is in use on node $node!"
966 # get the fqdn of the local host
967 local_fqdn=$(get_fqdn $HOSTNAME)
969 if [ $rc -ne 0 ]; then
974 for node in $MY_CLIENTNODES; do
975 my_do_node $node lsmod | grep -q lnet || \
976 my_do_node $node "modprobe lnet" || {
977 if [ "$node" = "$local_fqdn" ]; then
978 lsmod | grep -q lnet || load_modules
980 echo "Failed to load lnet module on node $node!"
985 check_acceptor_port $node $ACCEPTOR_PORT || return ${PIPESTATUS[0]}
987 nid=$(set +x; my_do_node $node \
988 "$LCTL net up 1>/dev/null && $LCTL list_nids" 2>&1 | head -n1
989 exit ${PIPESTATUS[0]})
991 if [ $rc -ne 0 ]; then
992 echo "Failed to get the nid for node $node: $nid"
995 [ -z "$client_nids" ] && client_nids="$nid" \
996 || client_nids="$client_nids $nid"
998 my_do_node $node "$LCTL net down 1>/dev/null" || true
1006 # create and install idmap.conf on the MDS
1009 local tmpcfg="$TMP/idmap.conf"
1013 local client_nids client_nid
1016 echo "+++ Installing idmap.conf on MDS"
1017 echo "Getting Client NID..."
1018 client_nids=$(get_client_nids)
1020 if [ $rc -ne 0 ]; then
1026 if $SPLIT_KEYTAB; then
1027 for fqdn in $MY_CLIENTNODES; do
1028 echo "lustre_root/$fqdn@$KRB5_REALM * 0" >> $tmpcfg
1031 echo "lustre_root@$KRB5_REALM * 0" >> $tmpcfg
1033 cat <<EOF >> $tmpcfg
1035 daemon@$KRB5_REALM * 2
1036 games@$KRB5_REALM * 12
1039 for node in $MY_MDSNODES; do
1040 for uid in $LOCAL_UIDS; do
1041 user=$(my_do_node $node getent passwd $uid | cut -d: -f1)
1042 for client_nid in $client_nids; do
1043 echo "$user@$KRB5_REALM $client_nid $uid" >> $tmpcfg
1048 for node in $MY_MDSNODES; do
1049 my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
1050 $SCP $tmpcfg root@$node:$IDMAP_CONF || return ${PIPESTATUS[0]}
1057 # create and install perm.conf on the MDS for remote ACL testing
1060 local tmpcfg="$TMP/perm.conf"
1063 echo "+++ Installing perm.conf on MDS"
1066 for node in $MY_MDSNODES; do
1067 my_do_node $node "mkdir -p $LUSTRE_CONF_DIR" || return ${PIPESTATUS[0]}
1069 for uid in $LOCAL_UIDS $REMOTE_UIDS; do
1070 if ! grep -q " $uid " $tmpcfg 2>/dev/null; then
1071 echo "* $uid rmtacl" >> $tmpcfg
1075 echo "* 0 setgid" >> $tmpcfg
1077 $SCP $tmpcfg root@$node:$PERM_CONF || return ${PIPESTATUS[0]}
1083 # ******************************** Main Flow ******************************** #
1084 normalize_names || exit ${PIPESTATUS[0]}
1085 check_rsh || exit ${PIPESTATUS[0]}
1086 check_entropy || exit ${PIPESTATUS[0]}
1089 check_users || exit ${PIPESTATUS[0]}
1090 elif $CFG_IDMAP; then
1091 echo "Remote ACL operations need local and remote users!"
1095 check_kdc || exit ${PIPESTATUS[0]}
1096 check_krb5 || exit ${PIPESTATUS[0]}
1097 check_libgssapi || exit ${PIPESTATUS[0]}
1099 echo "===================================================================="
1100 echo " Configure Kerberos testing environment for Lustre"
1101 echo " KDC: $MY_KDCNODE"
1102 echo " realm: $KRB5_REALM, domain: $KRB5_DOMAIN"
1103 echo " Using gssapi package: $LIBGSSAPI"
1107 for i in $MY_OSSNODES; do echo " $i"; done
1109 for i in $MY_MDSNODES; do echo " $i"; done
1110 echo " CLIENT nodes:"
1111 for i in $MY_CLIENTNODES; do echo " $i"; done
1112 echo "===================================================================="
1114 cfg_nfs_mount || exit ${PIPESTATUS[0]}
1115 cfg_libgssapi || exit ${PIPESTATUS[0]}
1116 cfg_keyutils || exit ${PIPESTATUS[0]}
1119 cfg_krb5_conf || exit ${PIPESTATUS[0]}
1120 cfg_kdc || exit ${PIPESTATUS[0]}
1123 cfg_kdc_princs || exit ${PIPESTATUS[0]}
1124 cfg_keytab || exit ${PIPESTATUS[0]}
1127 cfg_idmap_conf || exit ${PIPESTATUS[0]}
1128 cfg_perm_conf || exit ${PIPESTATUS[0]}
1131 echo "Complete successfully!"