Kerberos client checklist

List of things that should get checked whenever we tinker with Kerberos 5 configs, ssh, PAM etc.

Test setup description:

Hostname ________________
OS _________________
Date _________________
What changed? ____________________________________________________________________________________________________

| Testname | Description | How to test | Result |
| Local tests | | | |
| login | login at the system console | use username + password, check #klist | __ |
| gdm | login via GDM display manager | use username + password, check #klist (in a terminal window) | __ |
| #kdm | login via KDM display manager | use username + password, check #klist (in a terminal window) | __ |
| defaultkinit | get fresh credentials in a running session, via password | destroy existing (kdestroy;unlog), use kinit and your AFS password, check #klist | __ |
| defaultkinit-r | get fresh credentials in a running session, via renewal | while you have a valid TGT, use kinit -R, check that your credentials have a longer validity | __ |
| mitkinit | use MIT: get fresh credentials in a running session, via password | destroy existing (kdestroy;unlog), use /usr/kerberos/bin/kinit and your AFS password, check #klist (will not get AFS token) | __ |
| mitkinit-r | use MIT: get fresh credentials in a running session, via renewal | while you have a valid TGT, use /usr/kerberos/bin/kinit -R, check that your credentials have a longer validity (except for AFS token) | __ |
| heimdalkinit | use Heimdal: get fresh credentials in a running session, via password | destroy existing (kdestroy;unlog), use /usr/heimdal/bin/kinit and your AFS password, check #klist | __ |
| heimdalkinit-r | use Heimdal: get fresh credentials in a running session, via renewal | while you have a valid TGT, use /usr/heimdal/bin/kinit -R, check that your credentials have a longer validity | __ |
| xscreensaver | get fresh credentials via GNOME/xscreensaver | check #klist, note validity, lock screen (via GNOME-lock button or xscreensaver-command --lock), unlock via password, check #klist again for longer validity | __ |
| kdescreensaver | get fresh credentials via KDE screensaver | check #klist, note validity, lock screen (KDE-lock button), unlock via password, check #klist again for longer validity | __ |
| Remote tests - from outside into the test machine | | | |
| ssh-1 kerberos5 | use a valid Krb5 credential to log in via ssh protocol 1 | ssh -1 -v host, look for "Kerberos v5 authentication accepted.", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| ssh-1 kerberos4 | use a valid Krb4 credential to log in via ssh protocol 1 | KRB5CCNAME=/dev/null ssh -1 -v host, look for "Kerberos v4 authentication accepted.", check remote for #klist except that no Krb5 TGT will exist | __ |
| ssh-2 kerberos5/gssapi | use a valid Krb5 credential to log in via ssh protocol 2 | ssh -2 -v host, look for "Authentication succeeded (gssapi-with-mic).", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| Remote tests - from test machine to outside | | | |
| ssh-1 kerberos5 | use a valid Krb5 credential to log in via ssh protocol 1 | ssh -1 -v host, look for "Kerberos v5 authentication accepted.", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| ssh-1 kerberos4 | use a valid Krb4 credential to log in via ssh protocol 1 | KRB5CCNAME=/dev/null ssh -1 -v host, look for "Kerberos v4 authentication accepted.", check remote for #klist except that no Krb5 TGT will exist | __ |
| ssh-2 kerberos5/gssapi | use a valid Krb5 credential to log in via ssh protocol 2 | ssh -2 -v host, look for "Authentication succeeded (gssapi-with-mic).", check remote for #klist except that Krb5 TGT will not be forwardable | __ |


#klist
  1. check the output of tokens; klist -f for valid AFS, Kerberos 4, Kerberos 5 credentials
  2. check that you are not getting the "default" ticket file locations (/tmp/krb5cc_$id and /tmp/tkt$id); this needs the KRB5CCNAME and KRBTKTFILE env variables to be set
  3. check that your Kerberos 5 TGTs are forwardable (F) and renewable (R)
  4. check that your AFS token works - touch a file in your home directory (touch ~/foo)
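
One way to script points 2 and 3 of this list, as an added example that is not part of the original checklist. It assumes the MIT klist -f output layout; the function name check_tgt and both sample outputs are constructed for illustration.

```shell
# Added example: automates points 2 and 3 of the #klist list (MIT klist -f
# layout assumed). Real use: klist -f | check_tgt "$(id -u)"
check_tgt() {   # $1 = numeric uid, klist -f output on stdin
    awk -v uid="$1" '
        /^Ticket cache:/ { cache = $3; sub(/^FILE:/, "", cache) }
        # Ticket line: the service principal is the last field.
        $NF ~ /^krbtgt\// { in_tgt = 1; next }
        # With -f, the line after each ticket ends in "Flags: <letters>".
        in_tgt && /Flags:/ { flags = $NF; in_tgt = 0 }
        END {
            rc = 0
            if (cache == "") { print "FAIL: no ticket cache line"; rc = 1 }
            else if (cache == ("/tmp/krb5cc_" uid)) {
                print "FAIL: default cache location " cache; rc = 1
            }
            if (flags == "") { print "FAIL: no krbtgt entry with flags"; rc = 1 }
            else {
                if (flags !~ /F/) { print "FAIL: TGT not forwardable"; rc = 1 }
                if (flags !~ /R/) { print "FAIL: TGT not renewable"; rc = 1 }
            }
            if (rc == 0) print "OK: cache " cache ", TGT flags " flags
            exit rc
        }'
}

# Constructed sample: per-session cache, forwardable and renewable TGT.
sample_good() { cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000_AbCdEf
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/03/06 10:00:00  07/04/06 11:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/08/06 10:00:00, Flags: FRIA
EOF
}

# Constructed sample: default cache path, TGT neither forwardable nor renewable.
sample_bad() { cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/03/06 10:00:00  07/04/06 11:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA
EOF
}

sample_good | check_tgt 1000
sample_bad  | check_tgt 1000 || true
```

The flag match is case-sensitive on purpose: in MIT output a lowercase f means the ticket was forwarded, not that it is forwardable.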


#kdm
  1. edit /etc/sysconfig/desktop, put in WINDOWMANAGER=KDE
  2. telinit 3; telinit 5
  3. remember to choose KDE as a session on login.

Debugging output in case something doesn't work as expected:
Topic revision: r4 - 2006-07-03 - JanIven
 