2 # -*- mode: Bash; tab-width: 4; indent-tabs-mode: t; -*-
3 # vim:shiftwidth=4:softtabstop=4:tabstop=4:
6 # setup_kerberos.sh - setup the Kerberos environment on Lustre cluster
9 # * Only one KDC involved, no slave KDC.
10 # * Only one Kerberos realm involved, no multiple Kerberos realms.
12 ###############################################################################
17 Usage: $(basename $0) <KDC_distro> <KDC_node> <MGS_node> <MDS_node>[:MDS_node:...]
18 <OSS_node>[:OSS_node:...] <CLIENT_node>[:CLIENT_node:...]
20 This script is used to setup the Kerberos environment on Lustre cluster.
22 KDC_distro distribution on the KDC node (rhel5 or sles10)
23 KDC_node KDC node name
24 MGS_node Lustre MGS node name
25 MDS_node Lustre MDS node name
26 OSS_node Lustre OSS node name
27 CLIENT_node Lustre client node name
29 e.g.: $(basename $0) rhel5 scsi2 scsi2 sata2 sata3 client5
30 e.g.: $(basename $0) sles10 scsi2 scsi2 scsi2 sata3:sata5 client2:client3
31 e.g.: $(basename $0) rhel5 scsi2 scsi2 scsi2 scsi2 scsi2
34 1) The script will destroy all the old Kerberos settings by default. If you
35 want to reserve the original krb5.conf and KDC configuration, please set
38 2) The script will create principals for some runas users and add them into
39 the Kerberos database by default. The UIDs of the runas users specified in
40 "LOCAL_UIDS" variable need exist on KDC, MDS and Client nodes. If you do not
41 need runas users, please set "CFG_RUNAS=false".
46 # ************************ Parameters and Variables ************************ #
54 # translate to lower case letters
55 MY_KDC_DISTRO=$(echo $MY_KDC_DISTRO | tr '[A-Z]' '[a-z]')
57 if [ -z "$MY_KDC_DISTRO" -o -z "$MY_KDCNODE" -o -z "$MY_MDSNODES" -o \
58 -z "$MY_OSSNODES" -o -z "$MY_CLIENTNODES" -o -z "$MY_MGSNODE" ]; then
# Locate the Lustre tree (default: the parent of this script's directory) and
# source the test framework plus a site configuration file from it.
# Both files are sourced into this shell, so whatever they contain runs with
# the privileges of the user invoking the script. LUSTRE and CONFIG are taken
# from the environment when already set, which makes them part of the trust
# boundary of this script.
# NOTE(review): NAME is not assigned in the lines shown here; presumably it
# comes from test-framework.sh or the environment - confirm.
63 LUSTRE=${LUSTRE:-$(cd $(dirname $0)/..; echo $PWD)}
64 . $LUSTRE/tests/test-framework.sh
66 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
69 ACCEPTOR_PORT=${ACCEPTOR_PORT:-988}
71 # check and configure runas users
72 CFG_RUNAS=${CFG_RUNAS:-true}
73 # uids for local users
74 LOCAL_UIDS=${LOCAL_UIDS:-"500 501"}
76 # remove the original Kerberos and KDC settings
77 RESET_KDC=${RESET_KDC:-true}
79 # generate unique keytab for each client node
80 SPLIT_KEYTAB=${SPLIT_KEYTAB:-true}
82 # encryption types for generating keytab
83 MDS_ENCTYPE=${MDS_ENCTYPE:-"aes128-cts"}
84 MGS_ENCTYPE=${MGS_ENCTYPE:-"$MDS_ENCTYPE"}
85 OSS_ENCTYPE=${OSS_ENCTYPE:-"aes128-cts"}
86 CLIENT_ENCTYPE=${CLIENT_ENCTYPE:-"aes128-cts"}
88 # configuration file for Kerberos
89 KRB5_CONF=${KRB5_CONF:-"/etc/krb5.conf"}
90 KRB5_KEYTAB=${KRB5_KEYTAB:-"/etc/krb5.keytab"}
91 KRB5_TICKET_LIFETIME=${KRB5_TICKET_LIFETIME:-"24h"}
93 # configuration files for libgssapi and keyutils
94 GSSAPI_MECH_CONF=${GSSAPI_MECH_CONF:-"/etc/gssapi_mech.conf"}
95 REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-"/etc/request-key.conf"}
98 KRB5_REALM=${KRB5_REALM:-"CO.CFS"}
99 KRB5_DOMAIN=$(echo $KRB5_REALM | tr '[A-Z]' '[a-z]')
101 MY_MDSNODES=${MY_MDSNODES//:/ }
102 MY_OSSNODES=${MY_OSSNODES//:/ }
103 MY_CLIENTNODES=${MY_CLIENTNODES//:/ }
105 # set vars according to the KDC distribution
106 KRB5PKG_SVR="krb5-server"
107 KRB5PKG_DEV="krb5-devel"
108 case $MY_KDC_DISTRO in
110 KRB5PKG_CLI="krb5-workstation"
111 KRB5PKG_LIB="krb5-libs"
112 KDC_CONF_DIR="/var/kerberos/krb5kdc"
115 KRB5PKG_CLI="krb5-client"
117 KDC_CONF_DIR="/var/lib/kerberos/krb5kdc"
120 echo "Unsupported KDC distro: $MY_KDC_DISTRO!"
123 KDC_CONF="$KDC_CONF_DIR/kdc.conf"
124 KDC_ACL="$KDC_CONF_DIR/kadm5.acl"
126 # ******************************** Functions ******************************** #
132 if [ -z "$name" -o -z "$list" ]; then
137 if [[ " $list " == *\ $name\ * ]]; then
# Run a command on $node through do_node with the Kerberos tool directories
# appended to PATH, and strip a leading "<nodename>: " from each output line,
# where nodename is $node without its ".$KRB5_DOMAIN" suffix.
# The caller's arguments are flattened by $@ into the same double-quoted
# string as the PATH assignment, so they reach do_node as one command line.
# Callers in this file pass whole shell snippets ("a && b", redirections,
# here-documents) this way, i.e. the text is evaluated as shell on the target
# node. Every value a caller interpolates into that text (node names, realm,
# user names, paths taken from the environment) therefore has to be
# shell-safe; nothing here quotes or validates it.
# nodename is also interpolated into the sed pattern unescaped, so the dots
# of a host name act as regex wildcards there.
# The status returned is that of do_node, not of sed.
149 local nodename=${node%.$KRB5_DOMAIN}
150 do_node $node "PATH=\$PATH:/usr/kerberos/sbin:/usr/kerberos/bin:\
151 /usr/lib/mit/sbin:/usr/lib/mit/bin $@" | sed "s/^${nodename}: //"
152 return ${PIPESTATUS[0]}
157 output=$(my_do_node "$@" 2>&1)
158 return ${PIPESTATUS[0]}
162 my_do_node $MY_KDCNODE "$@"
163 return ${PIPESTATUS[0]}
167 do_node_mute $MY_KDCNODE "$@"
168 return ${PIPESTATUS[0]}
172 # convert a space-delimited node name list to a canonical name list
175 local nodename_list="$@"
181 for name in $nodename_list; do
182 fqdn=$(do_kdc "gethostip -n $name 2>&1")
184 if [ $rc -ne 0 ]; then
185 echo "Can not get the FQDN of node $name: $fqdn"
188 [ -z "$fqdn_list" ] && fqdn_list="$fqdn" \
189 || fqdn_list="$fqdn_list $fqdn"
198 # convert MDS/OSS nodes to their canonical names, as required by
199 # Kerberos. We also convert the KDC and client names in order to make
200 # node name comparison easier
206 MY_KDCNODE=$(get_fqdn $MY_KDCNODE)
208 if [ $rc -ne 0 ]; then
214 MY_MGSNODE=$(get_fqdn $MY_MGSNODE)
216 if [ $rc -ne 0 ]; then
222 MY_MDSNODES=$(get_fqdn $MY_MDSNODES)
224 if [ $rc -ne 0 ]; then
230 MY_OSSNODES=$(get_fqdn $MY_OSSNODES)
232 if [ $rc -ne 0 ]; then
238 MY_CLIENTNODES=$(get_fqdn $MY_CLIENTNODES)
240 if [ $rc -ne 0 ]; then
249 # verify remote shell works on all nodes
255 echo "+++ Checking remote shell"
257 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
259 is_part_of $node $checked && continue
261 echo -n "Checking remote shell on $node..."
262 do_node_mute $node true || return ${PIPESTATUS[0]}
265 checked="$checked $node"
270 # verify the entropy (random numbers) on the KDC node, which is
271 # used by kdb5_util to create Kerberos database
277 echo "+++ Checking the entropy on the KDC"
279 echo -n "Checking $MY_KDCNODE..."
280 avail=$(do_kdc "sysctl -n kernel.random.entropy_avail")
281 local rc=${PIPESTATUS[0]}
282 if [ $rc -eq 0 ]; then
283 if [ $avail -lt $limit ]; then
284 echo -e "\nWarning: The entropy on the KDC node is only $avail, \
285 which is not enough for kdb5_util to create Kerberos database! \
286 Let's use /dev/urandom!"
# Low-entropy fallback: on the KDC host the existing /dev/random is moved to
# /dev/random.bak and a new character device with major 1, minor 9 (the
# /dev/urandom device numbers on Linux) is created under the old name.
# This is a host-wide change, not one scoped to kdb5_util: every later reader
# of /dev/random on that machine gets the non-blocking source, and nothing in
# the lines shown here restores the original node. Any earlier
# /dev/random.bak is removed first, so a second run discards the original
# device node. Acceptable on a disposable test KDC; on a longer-lived host
# move /dev/random.bak back once the database has been created.
287 do_kdc "rm -f /dev/random.bak && mv /dev/random{,.bak} && \
288 mknod /dev/random c 1 9"
289 return ${PIPESTATUS[0]}
292 echo "Can not get the entropy on the KDC node!"
299 # verify runas users and groups
307 echo "+++ Checking users and groups"
309 for node in $MY_KDCNODE $MY_MGSNODE $MY_MDSNODES $MY_CLIENTNODES; do
310 is_part_of $node $checked && continue
312 for id in $LOCAL_UIDS; do
313 echo -n "Checking uid/gid $id/$id on $node..."
314 user=$(my_do_node $node getent passwd | grep :$id:$id: | cut -d: -f1)
315 if [ -z "$user" ]; then
316 echo -e "\nPlease set LOCAL_UIDS to some users \
317 which exist on KDC, MDS and client or add user/group $id/$id on these nodes."
322 checked="$checked $node"
331 echo -n "Checking $dev mount on $node..."
332 if do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
337 if ! do_node_mute $node "grep -q ^$dev /etc/fstab"; then
338 my_do_node $node "echo '$dev $dir $dev defaults 0 0' >> /etc/fstab" || \
339 return ${PIPESTATUS[0]}
341 my_do_node $node "mkdir -p $dir && mount $dir" || true
343 if ! do_node_mute $node "grep -q $dir' ' /proc/mounts"; then
344 echo "Failed to mount fs $dev at $dir!"
351 # configure nfsd mount on MDS and OSS nodes
357 echo "+++ Configuring nfsd mount"
359 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES; do
360 is_part_of $node $checked && continue
361 cfg_mount $node nfsd /proc/fs/nfsd || return ${PIPESTATUS[0]}
362 checked="$checked $node"
370 my_do_node $node "rpm -q $pkg 2>&1" | tail -n1
371 return ${PIPESTATUS[0]}
378 my_do_node $node cat /etc/SuSE-release 2>/dev/null | \
379 grep -q 'Enterprise Server 10'
380 if [ ${PIPESTATUS[1]} -eq 0 ]; then
382 cli) echo "krb5-client";;
387 cli) echo "krb5-workstation";;
388 lib) echo "krb5-libs";;
397 echo "+++ Checking KDC installation"
399 echo -n "Checking $MY_KDCNODE..."
400 pkg=$(get_pkgname $MY_KDCNODE $KRB5PKG_SVR)
402 if [ $rc -ne 0 ]; then
403 echo -e "\nCan not find $KRB5PKG_SVR package on $MY_KDCNODE: $pkg"
415 echo "+++ Checking Kerberos 5 installation"
416 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
417 is_part_of $node $checked && continue
419 echo -n "Checking $node..."
420 krb5pkg_cli=$(get_krb5pkgname $node cli)
422 pkg=$(get_pkgname $node $krb5pkg_cli)
424 if [ $rc -ne 0 ]; then
425 echo -e "\nCan not find $krb5pkg_cli package on $node: $pkg"
429 checked="$checked $node"
439 echo "+++ Checking libgssapi installation"
441 LIBGSSAPI=$(get_pkgname $MY_KDCNODE libgssapi)
443 if [ $rc -ne 0 ]; then
444 echo "Can not find libgssapi package on $MY_KDCNODE: $LIBGSSAPI"
448 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
449 is_part_of $node $checked && continue
451 echo -n "Checking $node..."
452 pkg=$(get_pkgname $node libgssapi)
454 if [ $rc -ne 0 ]; then
455 echo -e "\nCan not find libgssapi package on $node: $pkg"
459 checked="$checked $node"
464 # check and update the /etc/gssapi_mech.conf file on each node
465 # We only support MIT Kerberos 5 GSS-API mechanism.
475 echo "+++ Updating $GSSAPI_MECH_CONF"
477 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
479 is_part_of $node $checked && continue
481 krb5pkg_lib=$(get_krb5pkgname $node lib)
482 pkg=$(get_pkgname $node $krb5pkg_lib)
484 if [ $rc -ne 0 ]; then
485 echo -e "\nCan not find $krb5pkg_lib package on $node: $pkg"
489 krb5_lib=$(my_do_node $node "rpm -ql $pkg" | \
490 grep libgssapi_krb5.so | head -n1)
492 if ! do_node_mute $node \
493 "egrep -q \\\"^$krb5_lib|^$(basename $krb5_lib)\\\" $GSSAPI_MECH_CONF"; then
495 "echo '$krb5_lib mechglue_internal_krb5_init' >> $GSSAPI_MECH_CONF"
497 checked="$checked $node"
503 # check and update the /etc/request-key.conf file on each MDS and client node
510 echo "+++ Updating $REQUEST_KEY_CONF"
512 for node in $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
513 is_part_of $node $checked && continue
514 lgss_keyring=$(my_do_node $node "which lgss_keyring") || \
515 return ${PIPESTATUS[0]}
517 if ! do_node_mute $node \
518 "grep -q \\\"^create.*$lgss_keyring\\\" $REQUEST_KEY_CONF"; then
520 "echo 'create lgssc * * $lgss_keyring %o %k %t %d %c %u %g %T %P %S' \
521 >> $REQUEST_KEY_CONF"
523 checked="$checked $node"
532 echo -n "Creating service principal lustre_$type/$fqdn@$KRB5_REALM..."
533 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
534 addprinc -randkey lustre_$type/$fqdn@$KRB5_REALM
536 local rc=${PIPESTATUS[0]}
537 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
542 add_svc_princ_root() {
543 echo -n "Creating service principal lustre_root@$KRB5_REALM..."
544 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
545 addprinc -randkey lustre_root@$KRB5_REALM
547 local rc=${PIPESTATUS[0]}
548 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
# Create the user principal $user@$KRB5_REALM on the KDC via kadmin.local
# (presumably the body of add_user_princ; its header is not in the lines
# shown).
# The password given with -pw is the user name itself, so anyone who knows a
# principal name can authenticate as it. The callers visible in this file use
# it for lustre_root, bin, daemon, games and the LOCAL_UIDS users. That is
# only appropriate for a throw-away test realm; do not reuse this helper
# against a realm that protects real data.
# The password is also part of the command string handed to the KDC node, so
# it appears wherever that string is logged or traced.
556 echo -n "Creating user principal $user@$KRB5_REALM..."
557 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
558 addprinc -pw $user $user@$KRB5_REALM
560 local rc=${PIPESTATUS[0]}
561 [ $rc -ne 0 ] && echo "Failed!" || echo "OK!"
566 add_test_princ_id() {
570 user=$(do_kdc getent passwd $id | cut -d: -f1)
571 if [ -z "$user" ]; then
572 echo "Can not find the user with uid $id on the KDC!"
576 add_user_princ $user || return ${PIPESTATUS[0]}
580 # create principals for the client, MDS, OSS, runas users and add them to
581 # the Kerberos database
586 add_svc_princ $MY_MGSNODE mgs || return ${PIPESTATUS[0]}
588 for node in $MY_MDSNODES; do
589 add_svc_princ $node mds || return ${PIPESTATUS[0]}
592 for node in $MY_OSSNODES; do
593 add_svc_princ $node oss || return ${PIPESTATUS[0]}
596 for node in $MY_CLIENTNODES; do
597 if $SPLIT_KEYTAB; then
598 add_svc_princ $node root || return ${PIPESTATUS[0]}
600 add_svc_princ_root || return ${PIPESTATUS[0]}
604 if ! $SPLIT_KEYTAB; then
605 add_user_princ lustre_root || return ${PIPESTATUS[0]}
607 add_user_princ bin || return ${PIPESTATUS[0]}
608 add_user_princ daemon || return ${PIPESTATUS[0]}
609 add_user_princ games || return ${PIPESTATUS[0]}
612 for uid in $LOCAL_UIDS; do
613 add_test_princ_id $uid || return ${PIPESTATUS[0]}
619 # create and install the KDC configuration file kdc.conf on the KDC, which
620 # will destroy the old KDC setting
# Local staging paths for kdc.conf and kadm5.acl. Both files are later copied
# to the KDC as root with $SCP, so their integrity matters even though they
# hold no secrets.
# The directory name is fixed per UID and is created further down with
# `mkdir -p`, which also succeeds when the directory already exists. Where
# $TMP is a directory shared with other local users, the staging directory
# could therefore have been prepared by someone else beforehand.
# NOTE(review): a directory obtained from `mktemp -d` would close that gap.
623 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
624 local tmpcfg=$tmpdir/kdc.conf
625 local tmpacl=$tmpdir/kadm5.acl
627 echo "+++ Configuring KDC on $MY_KDCNODE"
628 echo "Warning: old KDC setting on $MY_KDCNODE will be destroied!!!"
630 echo -n "Checking the existence of KDC config dir..."
631 do_kdc_mute "[ -d $KDC_CONF_DIR ]"
632 if [ ${PIPESTATUS[0]} -ne 0 ]; then
633 echo -e "\nUnrecognized krb5 distribution!"
640 do_kdc_mute "/etc/init.d/krb5kdc stop < /dev/null" || true
# Delete every file directly under the KDC configuration directory on the KDC
# node (kdc.conf, kadm5.acl and whatever else is stored there). This is the
# destructive step the usage text warns about.
# $KDC_CONF_DIR is expanded locally and unquoted before the string is sent to
# the KDC, so the glob is only safe because the distro case statement above
# sets it to a fixed path; an empty value would turn this into `rm -f /*`.
642 echo -n "Removing old KDC configurations..."
643 do_kdc_mute "rm -f $KDC_CONF_DIR/*"
646 # create kdc.conf locally
# The template written below sets master_key_type to aes128-cts but still
# lists des-cbc-md5 and des3-hmac-sha1 among supported_enctypes. Single DES
# in particular is long broken; keep only the AES types unless a test
# specifically needs the legacy ones.
648 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
655 master_key_type = aes128-cts
656 supported_enctypes = des3-hmac-sha1:normal aes128-cts:normal aes256-cts:normal des-cbc-md5:normal
660 # install kdc.conf remotely
661 echo -n "Installing kdc.conf on $MY_KDCNODE..."
662 $SCP $tmpcfg root@$MY_KDCNODE:$KDC_CONF || return ${PIPESTATUS[0]}
665 # initialize KDC database
# The database master password is the fixed literal 111111. It is passed with
# -P inside the command string, so it also shows up in the process arguments
# on the KDC and in any trace of the remote command. -s additionally writes a
# stash file so the KDC can start without prompting for the password.
# This is test-rig behaviour: whoever obtains a copy of the database files can
# decrypt every principal key with that known password. A realm meant to
# protect anything needs a strong master key that is not supplied on the
# command line.
666 echo -n "Creating Kerberos database on $MY_KDCNODE..."
667 do_kdc_mute "kdb5_util create -r $KRB5_REALM -s -P 111111"
668 local rc=${PIPESTATUS[0]}
669 if [ $rc -ne 0 ]; then
676 # create ACL file locally & install remotely
678 */admin@$KRB5_REALM *
681 echo -n "Installing kadm5.acl on $MY_KDCNODE..."
682 $SCP $tmpacl root@$MY_KDCNODE:$KDC_ACL || return ${PIPESTATUS[0]}
684 rm -rf $tmpdir || true
687 do_kdc "/etc/init.d/krb5kdc restart < /dev/null" || return ${PIPESTATUS[0]}
691 # create and install the Kerberos configuration file krb5.conf on the KDC,
692 # client, MDS and OSS
695 local tmpdir="$TMP/krb5_cfg_tmp_$UID"
696 local tmpcfg="$tmpdir/krb5.conf"
699 echo "+++ Installing krb5.conf on all nodes"
701 # create krb5.conf locally
703 mkdir -p $tmpdir || return ${PIPESTATUS[0]}
706 default_realm = $KRB5_REALM
707 dns_lookup_realm = false
708 dns_lookup_kdc = false
709 ticket_lifetime = $KRB5_TICKET_LIFETIME
715 admin_server = $MY_KDCNODE:749
716 default_domain = $KRB5_DOMAIN
720 .$KRB5_DOMAIN = $KRB5_REALM
721 $KRB5_DOMAIN = $KRB5_REALM
734 # install krb5.conf remotely
735 for node in $MY_KDCNODE $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES
737 is_part_of $node $checked && continue
739 echo -n "Installing krb5.conf on $node..."
740 $SCP $tmpcfg root@$node:$KRB5_CONF || return ${PIPESTATUS[0]}
743 checked="$checked $node"
745 rm -rf $tmpdir || true
753 do_kdc_mute "kadmin.local -r $KRB5_REALM <<EOF
754 ktadd -k $tab -e $enctype:normal $princ@$KRB5_REALM
764 add_keytab $tab lustre_$type/$fqdn $enctype
771 add_keytab $tab lustre_root $enctype
# Copy the temporary keytab to the same path on the target node and feed
# ktutil a here-document there; the ktutil commands themselves are not in the
# lines shown. Either step failing aborts with that step's status.
# NOTE(review): nothing visible here removes the copy left at $tab on the
# target node. It holds long-term service keys, so confirm it is deleted, or
# delete it after the merge.
778 $SCP $tab root@$node:$tab || return ${PIPESTATUS[0]}
779 do_node_mute $node "ktutil <<EOF
782 EOF" || return ${PIPESTATUS[0]}
786 # create and install the keytab file krb5.keytab on the client, MDS and OSS
# tmptab is used under the same fixed name on the KDC (target of ktadd -k),
# on the local host (every keytab is copied here from the KDC before being
# pushed to its node) and, for merges, on the target node.
# A keytab contains the long-term keys of the service principals, so a
# predictable file name in $TMP is a weak spot wherever $TMP is shared with
# other local users. The local copy is removed only at the very end of this
# function; each earlier `|| return` leaves it behind.
# NOTE(review): prefer a mktemp-created file with owner-only permissions and
# cleanup on every exit path.
789 local tmptab="$TMP/keytab.tmp"
792 echo "+++ Generating keytabs"
795 echo -n "Deleting old keytabs on all nodes..."
796 for node in $MY_MGSNODE $MY_OSSNODES $MY_MDSNODES $MY_CLIENTNODES; do
797 do_node_mute $node "rm -f $KRB5_KEYTAB $TMP/krb5cc*"
801 # install for MDS nodes
802 for node in $MY_MDSNODES; do
803 echo -n "Preparing for MDS $node..."
804 do_kdc_mute "rm -f $tmptab"
805 add_keytab_svc $tmptab $node mds $MDS_ENCTYPE || return ${PIPESTATUS[0]}
807 if is_part_of $node $MY_MGSNODE; then
808 echo -n "also be an MGS..."
809 add_keytab_svc $tmptab $node mgs $MGS_ENCTYPE || \
810 return ${PIPESTATUS[0]}
813 if is_part_of $node $MY_OSSNODES; then
814 echo -n "also be an OSS..."
815 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
816 return ${PIPESTATUS[0]}
820 echo -n "Installing krb5.keytab on $node..."
821 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
822 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
827 # install for MGS node
828 echo -n "Preparing for MGS $MY_MGSNODE..."
829 if ! is_part_of $MY_MGSNODE $MY_MDSNODES; then
830 do_kdc_mute "rm -f $tmptab"
831 add_keytab_svc $tmptab $MY_MGSNODE mgs $MGS_ENCTYPE || \
832 return ${PIPESTATUS[0]}
834 if is_part_of $MY_MGSNODE $MY_OSSNODES; then
835 echo -n "also be an OSS..."
836 add_keytab_svc $tmptab $MY_MGSNODE oss $OSS_ENCTYPE || \
837 return ${PIPESTATUS[0]}
841 echo -n "Installing krb5.keytab on $MY_MGSNODE..."
842 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
843 $SCP $tmptab root@$MY_MGSNODE:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
847 echo "also be an MDS, already done, skip"
850 # install for OSS nodes
851 for node in $MY_OSSNODES; do
852 echo -n "Preparing for OSS $node..."
853 if is_part_of $node $MY_MDSNODES; then
854 echo "also be an MDS, already done, skip"
855 elif is_part_of $node $MY_MGSNODE; then
856 echo "also be an MGS, already done, skip"
858 do_kdc_mute "rm -f $tmptab"
859 add_keytab_svc $tmptab $node oss $OSS_ENCTYPE || \
860 return ${PIPESTATUS[0]}
863 echo -n "Installing krb5.keytab on $node..."
864 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
865 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
871 # install for client nodes
872 do_kdc_mute "rm -f $tmptab"
873 if ! $SPLIT_KEYTAB; then
874 echo -n "Preparing for client..."
875 add_keytab_root $tmptab $CLIENT_ENCTYPE || return ${PIPESTATUS[0]}
876 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
879 for node in $MY_CLIENTNODES; do
880 echo -n "Preparing for client $node..."
881 # don't generate keytabs if it's also an MDS
882 if is_part_of $node $MY_MDSNODES; then
883 echo "also be an MDS, already done, skip"
887 add_keytab_svc $tmptab $node root $CLIENT_ENCTYPE || \
888 return ${PIPESTATUS[0]}
889 $SCP root@$MY_KDCNODE:$tmptab $tmptab || return ${PIPESTATUS[0]}
893 for node in $MY_CLIENTNODES; do
894 echo -n "Installing krb5.keytab on client $node..."
896 # don't install if it's also an MDS
897 if is_part_of $node $MY_MDSNODES; then
898 echo "also be an MDS, already done, skip"
902 # merge keytab if it's also an MGS
903 if is_part_of $node $MY_MGSNODE; then
904 echo -n "also be an MGS, merging keytab..."
905 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
910 # merge keytab if it's also an OSS
911 if is_part_of $node $MY_OSSNODES; then
912 echo -n "also be an OSS, merging keytab..."
913 merge_keytab $tmptab $node || return ${PIPESTATUS[0]}
918 # simply install otherwise
919 $SCP $tmptab root@$node:$KRB5_KEYTAB || return ${PIPESTATUS[0]}
922 rm -f $tmptab || true
925 check_acceptor_port() {
929 if [ -z "$port" ]; then
930 echo "Missing acceptor port!"
936 while [ $WAIT -lt $MAX_WAIT ]; do
938 my_do_node $node "netstat -tpan" | grep -q ":$port .*TIME_WAIT"
939 if [ ${PIPESTATUS[1]} -ne 0 ]; then
945 echo "LNET acceptor port $port is in use on node $node!"
956 # get the fqdn of the local host
957 local_fqdn=$(get_fqdn $HOSTNAME)
959 if [ $rc -ne 0 ]; then
964 for node in $MY_CLIENTNODES; do
965 my_do_node $node lsmod | grep -q lnet || \
966 my_do_node $node "modprobe lnet" || {
967 if [ "$node" = "$local_fqdn" ]; then
968 lsmod | grep -q lnet || load_modules
970 echo "Failed to load lnet module on node $node!"
975 check_acceptor_port $node $ACCEPTOR_PORT || return ${PIPESTATUS[0]}
977 nid=$(set +x; my_do_node $node \
978 "$LCTL net up 1>/dev/null && $LCTL list_nids" 2>&1 | head -n1
979 exit ${PIPESTATUS[0]})
981 if [ $rc -ne 0 ]; then
982 echo "Failed to get the nid for node $node: $nid"
985 [ -z "$client_nids" ] && client_nids="$nid" \
986 || client_nids="$client_nids $nid"
988 my_do_node $node "$LCTL net down 1>/dev/null" || true
995 # ******************************** Main Flow ******************************** #
996 normalize_names || exit ${PIPESTATUS[0]}
997 check_rsh || exit ${PIPESTATUS[0]}
998 check_entropy || exit ${PIPESTATUS[0]}
1001 check_users || exit ${PIPESTATUS[0]}
1004 check_kdc || exit ${PIPESTATUS[0]}
1005 check_krb5 || exit ${PIPESTATUS[0]}
1006 check_libgssapi || exit ${PIPESTATUS[0]}
1008 echo "===================================================================="
1009 echo " Configure Kerberos testing environment for Lustre"
1010 echo " KDC: $MY_KDCNODE"
1011 echo " realm: $KRB5_REALM, domain: $KRB5_DOMAIN"
1012 echo " Using gssapi package: $LIBGSSAPI"
1016 for i in $MY_OSSNODES; do echo " $i"; done
1018 for i in $MY_MDSNODES; do echo " $i"; done
1019 echo " CLIENT nodes:"
1020 for i in $MY_CLIENTNODES; do echo " $i"; done
1021 echo "===================================================================="
1023 cfg_nfs_mount || exit ${PIPESTATUS[0]}
1024 cfg_libgssapi || exit ${PIPESTATUS[0]}
1025 cfg_keyutils || exit ${PIPESTATUS[0]}
1028 cfg_krb5_conf || exit ${PIPESTATUS[0]}
1029 cfg_kdc || exit ${PIPESTATUS[0]}
1032 cfg_kdc_princs || exit ${PIPESTATUS[0]}
1033 cfg_keytab || exit ${PIPESTATUS[0]}
1035 echo "Complete successfully!"