[GE users] sge_security.c errors

Eric Andresen eandres at mars.asu.edu
Mon Nov 29 22:56:42 GMT 2004

Here's my notes regarding the GSSAPI support in SGE 6.0 (though I
believe it's also valid for 5.3):

See last message for patching details for krb5/gss support.

SGE 6 build instructions:
  # Fix all paths
  vim aimk.site
  vim scripts/distinst.site
  # Remove DBARCH from BERKELEYDBBASE paths
  vim scripts/distinst
  ./aimk -only-depend
  ./aimk depend
  ./aimk -mankv
  export SGE_ROOT=/home/sge-6.0u1
  mkdir -p $SGE_ROOT
  scripts/distinst -local -noexit -allall lx24-x86

  # KerberosV TGT forwarding:
  scripts/distinst -local -- sec
  cd $SGE_ROOT/security/
  add arch type 'lx24-x86' to aimk
  ./aimk -gss
  ./aimk install
  Add 'kerberos' to the 'security_mode' parameter in

NOTE: Ensure that the version of bdb that 'distinst' copied matches the
one used by your system. On RedHat based systems with nptl support, it will
have copied the wrong version into $SGE_ROOT/lib; simply replace the
version with the appropriate version.


I did run into a bug in the code that tries to delete the credentials
when a job finishes. The problem is in the source file:
The routine store_sec_cred2() writes the credentials cache to a file
with a name of the form of:
while the routine  delete_credentials()  looks for the file as:
Looking at the code, I believe the latter was the original naming
(it exists that way in cache_sec_cred() as well) and was changed when
store_sec_cred2() was created.  Anyway, I changed the code in
delete_credentials() to use "sge"  in the name and that resolved the

Additionally modify store_sec_cred() to use 'sge' rather than 'qmaster'

>   I've been playing with getting SGE 6.0 and the security/gss module
> play nice. So far, I've got TGT forwarding working correctly for qrsh
> and qsh, but qsub doesn't play nice. From what I can see, this is
> because qsub was converted to make use of JAPI / DRMAA.
>   Is there an easy way that I can make qsub do the regular calls to
> so that get_cred and friends get called as they do for qrsh and qsh?

Add the code:
   /* security hook */
   if (set_sec_cred(job) != 0) {
      fprintf(stderr, MSG_SEC_SETJOBCRED);

immediately following the call to cull_parse_job_parameter() in qsub's
main() function. Everything was then happy.

The things I've done to allow SGE 6.0 to provide TGT forwarding for all
jobs are:

  - Add the call to set_sec_cred() to qsub following the call to
  - Change all instances of /tmp/krb5cc_qmaster_ in libs/gdi/ to
/tmp/krb5cc_sge_ so that calls to delete_cred will work correctly for
both the qmaster and execd. The only problem I can see with this change
is if the qmaster is also an execd host.
  - Remove the 'PROTOTYPE' macro wrapper around
security/gss/sge_gsslib.c line 78 (kg_get_context) as it is not defined
  - Add '-DKRB5_EXPORTVAR' to the CFLAGS for '-gss' in
security/gss/aimk. (This is required at least for krb5-1.3.x, not sure
about others)
  - Compile SGE as normal, and install
  - export SGE_ROOT and run 'scripts/distinst -local -- sec' to install
the gss module to $SGE_ROOT/security/
  - Go to $SGE_ROOT/security directory, add arch type 'lx24-x86' to
aimk, run './aimk -DKRB5_EXPORTVAR -gss' and './aimk install'
  - Add 'kerberos' to the 'security_mode' parameter in
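
The credential-cache prefix change from the list above, as an added example that is not part of the original message: it rewrites /tmp/krb5cc_qmaster_ to /tmp/krb5cc_sge_ under a directory and then checks that no reference to the old prefix is left, since a leftover reference means credential caches are not deleted when a job finishes. The function names are hypothetical, and it assumes the prefix appears only in .c and .h files.

```shell
#!/bin/sh
# Added example (not from the original message); function names are hypothetical.
# The two prefixes are the ones named in the message.
OLD_PREFIX='/tmp/krb5cc_qmaster_'
NEW_PREFIX='/tmp/krb5cc_sge_'

# count_prefix DIR STRING: number of lines in .c/.h files under DIR
# that contain STRING (fixed-string match).
count_prefix() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -hF -- "$2" {} + | wc -l | tr -d ' '
}

# rename_cc_prefix DIR: rewrite OLD_PREFIX to NEW_PREFIX in every .c/.h file
# under DIR, keeping a .orig copy of each changed file. Returns 0 only when no
# reference to the old prefix is left, so the code that stores a credential
# cache and the code that deletes it cannot disagree on the file name.
rename_cc_prefix() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -lF -- "$OLD_PREFIX" {} + |
    while IFS= read -r f; do
        cp -p "$f" "$f.orig"
        sed "s|$OLD_PREFIX|$NEW_PREFIX|g" "$f.orig" > "$f"
    done
    left=$(count_prefix "$dir" "$OLD_PREFIX")
    echo "references to $OLD_PREFIX remaining in $dir: $left"
    [ "$left" -eq 0 ]
}

# Run as: sh rename_cc_prefix.sh libs/gdi   (from the top of the source tree)
if [ "$#" -gt 0 ]; then rename_cc_prefix "$1"; fi
```

The .orig copies allow a diff of each changed file before rebuilding.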
