[GE users] SGE+Kerberos support

Wolfgang Friebel Wolfgang.Friebel at desy.de
Fri Apr 1 13:18:27 BST 2005

On Thu, 31 Mar 2005, Wolfgang Friebel wrote:

> On Thu, 31 Mar 2005, Wolfgang Friebel wrote:
>> On Thu, 31 Mar 2005, Ron Chen wrote:
>>> I was planning to check the changes into cvs. But if
>>> you can describe the new way to integrate with krb,
>>> then may be we can standardize on one method so that
>>> it would be easier to maintain.
I achieved a successful compilation and install of SGE including the 
security component gss according to the recipe given.

I had to add to CFLAGS

and to LFLAGS
-L/opt/products/krb5/1.3.3/lib -Wl,-rpath,/opt/products/krb5/1.3.3/lib

due to the unusual location of my libraries.

When testing the installation I made the following observations:

1) I do not get a kerberos ticket: I do see the ticket files on the 
qmaster under /tmp/, e.g.:
-rw-------    1 root     root          835 Apr  1 13:32 krb5cc_sge_16
but not on the exec host. Consequently klist reports:

klist: No ticket file: /tmp/krb5cc_sge_16
klist: Can't access ticket file (tf_util)

The qmaster (in messages) does not report any error.
The execd reports:

04/01/2005 13:32:10|execd|ajax|E|put_cred stderr: WARNING: Credentials were not forwarded
04/01/2005 13:32:10|execd|ajax|E|could not store credentials for job 16 - command "/opt/products/gridengine/6.0u3/utilbin/lx24-x86/put_cred" failed with returncode 3

2) I can see and extract the credentials part of the job file on the 
execution host as an ordinary user. This seems to me a security problem.

3) I do have questions concerning the correct treatment of the K5 
tickets/AFS tokens:
- if a process (the batch job on the exec host) is started, it does share
   the environment, hence also the AFS token, with its children. To prevent
   that, pagsh must be called prior to setting the AFS token (which happens
   in the case of Heimdal if you get a K5 ticket). Is there code for that?

- (At least) In Heimdal renewed tickets cannot be forwarded and forwarded
   tokens cannot be renewed. Therefore I do not see how jobs can wait in a
   queue longer than the default ticket lifetime (25 h in our case) and
   how jobs can last longer than the default lifetime of the ticket.
   What happens if the user sends a job where the ticket is almost expired?

Could you please help me clarify these points?

Wolfgang Friebel                   Deutsches Elektronen-Synchrotron DESY
Phone/Fax:  +49 33762 77372/216    Platanenallee 6
Mail: Wolfgang.Friebel AT desy.de  D-15738 Zeuthen  Germany
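Added example, not code from the original post or from SGE's put_cred: a prolog-style check in Python that a site could run on the execution host to flag the three conditions raised above (missing ticket file, credential cache readable by other users, and a non-renewable forwarded ticket that will not outlast queue wait plus run time). The cache path, the job user's uid, the queue wait, the run time and the 30-minute margin are assumptions; the sample cache files are constructed and contain no real credentials.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta


def cache_problems(path, expected_uid):
    """List what is wrong with a job's Kerberos credential cache.

    The cache must exist (point 1), belong to the job's user and be
    inaccessible to group/other (point 2).  Returns [] when it is clean.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"no ticket file: {path}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"accessible to group/other: mode {oct(st.st_mode & 0o777)}")
    return problems


def ticket_covers_job(expires, now, queue_wait, runtime, margin=timedelta(minutes=30)):
    """True if a forwarded (non-renewable) ticket still outlasts the worst-case
    queue wait plus run time (point 3); the margin (assumed) absorbs clock skew."""
    return expires - now >= queue_wait + runtime + margin


def demo():
    """Constructed sample: a correctly protected cache, a world-readable one,
    a missing one, and a 25 h ticket against a 20 h and a 30 h job."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "krb5cc_sge_16")  # constructed, not a real cache
        with open(good, "wb") as f:
            f.write(b"constructed placeholder, not a credential cache\n")
        os.chmod(good, 0o600)
        results["good"] = cache_problems(good, uid)
        os.chmod(good, 0o644)
        results["world_readable"] = cache_problems(good, uid)
        results["missing"] = cache_problems(os.path.join(d, "krb5cc_sge_17"), uid)
    now = datetime(2005, 4, 1, 13, 32)
    exp = now + timedelta(hours=25)  # default ticket lifetime from the post
    results["fits"] = ticket_covers_job(exp, now, timedelta(hours=2), timedelta(hours=20))
    results["too_long"] = ticket_covers_job(exp, now, timedelta(hours=2), timedelta(hours=30))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```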
