[GE users] sge_security.c errors

Paul Mitchell pmitchel at email.unc.edu
Mon Nov 29 21:53:17 GMT 2004

On Mon, 29 Nov 2004, Shannon V. Davidson wrote:

> If you are only interested in extending AFS tokens, I think there is a
> much simpler way to do it.  There is a little bit of information about
> this in the sge_conf(5) man page under set_token_cmd, pag_cmd, and
> token_extend_time.  I don't have any experience using these, but I
> believe there are those on this lists who use them.

Hello Shannon,
  Thanks for responding.  The information from sge_conf is the same
material I've been over (and under!^) for the last week.  Impossible to
work with since it involves using "forge" which is no longer available, or
constructing a daemon on the AFS server which renews/sets the token and
returns it to the client. Since we've just had a big changeover, the
people runing our AFS servers are no longer in our group and the main
programmer for that staff (who perplexingly is still in our department)
feels that they will not want to construct a daemon to help us here.
This is, unfortunately, a dead end (though I'm still running my concerns
by some of the people who helped develop the code and who now work in NC).

> In spite of what security.html says, the stuff in security/krb isn't
> really usable.  I developed this code many years ago (1997, I think) for
> a customer which required Kerberos security at their site. This was a
> full Kerberos implementation which used the Kerberos libraries for all
> communication between the daemons and clients. However, this  code was
> never put into production and has not been used at any production sites.
> It was not fully tested and it has not been kept up-to-date with the
> many changes that have been put into Grid Engine since that time. The
> Kerberos support compiled into Grid Engine should be considered
> experimental.

I understand.

> However, there is a more recent GSS-API Kerberos implementation that I
> used regularly in my Grid Engine 5.3 development and test environments
> and which is used full-time at least one production site which is
> running Grid Engine 5.3.  This implementation is different in that it is
> not a full Kerberos implementation but uses Kerberos to authenticate
> users submitting jobs and to forward user credentials with the job by
> calling security sub-programs at the appropriate times.  This version
> does not require recompiling Grid Engine.  It consists of some security
> modules which can be compiled separately and are called by Grid Engine
> to do authentication and to forward the Kerberos credentials.  The
> security sub-modules are called by client commands (e.g. qsub) and by
> the Grid Engine daemons (sge_qmaster, sge_execd) at the appropriate
> times to get and store credentials.  The Kerberos modules are used by
> Grid Engine when it is running in Kerberos mode (i.e. For GE 5.3, the
> $SGE_ROOT/default/common/product_mode file contains the string
> "sgeee-kerberos" or "sge-kerberos").  The source code for this
> implementation is located in the directory
> gridengine/source/security/gss.  The source code is not dependent on
> other Grid Engine components or libraries and can be compiled
> stand-alone.  Details on how to use this implementation can be found in
> gridengine/source/security/gss/doc/gss_customer.html.

This document states:

To create and install the security binaries, follow these instructions:

   1. Compile the binaries

      $ cd $SGE_ROOT/security
      $ aimk -gss

There is no aimk in the gridengine/source/security sub-directory (I'm
trying to compile a newer version of gridengine, 6, should I return to

The gss sub-directory has an aimk, but it appears unhappy:

ERROR: Architecture not yet supported by CODINE-aimk

I'll download the 5.3 version and see what I can find.


Paul Mitchell

	Paul Mitchell
	email: pmitchel at email.unc.edu
	phone: (919) 962-9778
	office: I have an office, room 14, Phillips Hall

To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net

More information about the gridengine-users mailing list