| blob | 5684131f671b139f8c4638ac360927fa465c27e8 |
1 import ../make-test-python.nix ({ pkgs, lib, ... }:
3 with lib;
5 let
6 krb5 =
7 { enable = true;
8 domain_realm."nfs.test" = "NFS.TEST";
9 libdefaults.default_realm = "NFS.TEST";
10 realms."NFS.TEST" =
11 { admin_server = "server.nfs.test";
12 kdc = "server.nfs.test";
13 };
14 };
16 hosts =
17 ''
18 192.168.1.1 client.nfs.test
19 192.168.1.2 server.nfs.test
20 '';
22 users = {
23 users.alice = {
24 isNormalUser = true;
25 name = "alice";
26 uid = 1000;
27 };
28 };
30 in
32 {
33 name = "nfsv4-with-kerberos";
35 nodes = {
36 client = { lib, ... }:
37 { inherit krb5 users;
39 networking.extraHosts = hosts;
40 networking.domain = "nfs.test";
41 networking.hostName = "client";
43 virtualisation.fileSystems =
44 { "/data" = {
45 device = "server.nfs.test:/";
46 fsType = "nfs";
47 options = [ "nfsvers=4" "sec=krb5p" "noauto" ];
48 };
49 };
50 };
52 server = { lib, ...}:
53 { inherit krb5 users;
55 networking.extraHosts = hosts;
56 networking.domain = "nfs.test";
57 networking.hostName = "server";
59 networking.firewall.allowedTCPPorts = [
60 111 # rpc
61 2049 # nfs
62 88 # kerberos
63 749 # kerberos admin
64 ];
66 services.kerberos_server.enable = true;
67 services.kerberos_server.realms =
68 { "NFS.TEST".acl =
69 [ { access = "all"; principal = "admin/admin"; } ];
70 };
72 services.nfs.server.enable = true;
73 services.nfs.server.createMountPoints = true;
74 services.nfs.server.exports =
75 ''
76 /data *(rw,no_root_squash,fsid=0,sec=krb5p)
77 '';
78 };
79 };
81 testScript =
82 ''
83 server.succeed("mkdir -p /data/alice")
84 server.succeed("chown alice:users /data/alice")
86 # set up kerberos database
87 server.succeed(
88 "kdb5_util create -s -r NFS.TEST -P master_key",
89 "systemctl restart kadmind.service kdc.service",
90 )
91 server.wait_for_unit("kadmind.service")
92 server.wait_for_unit("kdc.service")
94 # create principals
95 server.succeed(
96 "kadmin.local add_principal -randkey nfs/server.nfs.test",
97 "kadmin.local add_principal -randkey nfs/client.nfs.test",
98 "kadmin.local add_principal -pw admin_pw admin/admin",
99 "kadmin.local add_principal -pw alice_pw alice",
100 )
102 # add principals to server keytab
103 server.succeed("kadmin.local ktadd nfs/server.nfs.test")
104 server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service")
105 server.wait_for_unit("rpc-gssd.service")
106 server.wait_for_unit("rpc-svcgssd.service")
108 client.wait_for_unit("network-online.target")
110 # add principals to client keytab
111 client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test")
112 client.succeed("systemctl start rpc-gssd.service")
113 client.wait_for_unit("rpc-gssd.service")
115 with subtest("nfs share mounts"):
116 client.succeed("systemctl restart data.mount")
117 client.wait_for_unit("data.mount")
119 with subtest("permissions on nfs share are enforced"):
120 client.fail("su alice -c 'ls /data'")
121 client.succeed("su alice -c 'echo alice_pw | kinit'")
122 client.succeed("su alice -c 'ls /data'")
124 client.fail("su alice -c 'echo bla >> /data/foo'")
125 client.succeed("su alice -c 'echo bla >> /data/alice/foo'")
126 server.succeed("test -e /data/alice/foo")
128 with subtest("uids/gids are mapped correctly on nfs share"):
129 ids = client.succeed("stat -c '%U %G' /data/alice").split()
130 expected = ["alice", "users"]
131 assert ids == expected, f"ids incorrect: got {ids} expected {expected}"
132 '';
133 })