[GE users] SGE+Kerberos support
euro_32 at hotmail.com
Mon Apr 4 13:16:21 BST 2005
I have been trying to install SGE with GSSAPI to forward Kerberos and AFS
Tokens. So far I have not been successful.
I am following the instructions in
believe you also followed these).
On my first try I did the following:
1- download CVS
2- download common and bin tar.gz from the site
2.1- mkdir -p /home/sge-6.0u3
3- cd /home/sge-6.0u3
4- tar -xvzf /downloads/sge-6.0u3-common.tar.gz
5- tar -xvzf /downloads/sge-6.0u3-bin-lx24-x86.tar.gz
6- cd /GRID-CVS-SOURCE/gridengine/source
6.5- vi /GRID-CVS-SOURCE/gridengine/source/security/gss/sge_gsslib.c
6.5.1 - delete PROTOTYPE on line 81
7- JAVA_HOME=/usr/share/java; export JAVA_HOME
8- export SGE_ROOT=/home/sge-6.0u3
9- scripts/distinst -local -- sec
10 - cd $SGE_ROOT/security/
11 - vi aimk
11.1 on line 50 add set KRB_HOME = /usr/local/kerberos5
11.2 on line 61 add set CFLAGS = "-DKRB5_EXPORTVAR"
11.3 on line 120 add set ARCH = "*linux"
12- ./aimk -gss
Which fails with errors:
sge_gsslib.o: In function gsslib_put_credentials:
undefined reference to kg_get_context
sge_gsslib.o: In function put_creds_in_ccache:
undefined reference to kg_get_context
On the second try I replaced steps 2 to 5 with
edit line 70 and add KRB_HOME=/usr/local/kerberos5
./aimk -no-secure -spool-classic -no-qmon (-no-qmon because I got the error
related with files for Qmon)
mkdir -p $SGE_ROOT
scripts/distinst -local -noexit -allall lx24-x86
I think I have followed correctly all steps in the previous link.
However, I am not able to compile.
Am I missing something?
I am installing on machines running RedHat 8.0.
I am using MIT krb5-1.4.
>From: Wolfgang Friebel <Wolfgang.Friebel at desy.de>
>Reply-To: users at gridengine.sunsource.net
>To: users at gridengine.sunsource.net
>Subject: Re: [GE users] SGE+Kerberos support
>Date: Fri, 1 Apr 2005 14:18:27 +0200 (CEST)
>On Thu, 31 Mar 2005, Wolfgang Friebel wrote:
>>On Thu, 31 Mar 2005, Wolfgang Friebel wrote:
>>>On Thu, 31 Mar 2005, Ron Chen wrote:
>>>>I was planning to check the changes into cvs. But if
>>>>you can describe the new way to integrate with krb,
>>>>then may be we can standardize on one method so that
>>>>it would be easier to maintain.
>I achieved a successful compilation and install of SGE including the
>security component gss according to the recipe given.
>I had to add to CFLAGS
>and to LFLAGS
>due to my unusual location of the libraries
>When testing the installation I made the following observations:
>1) I do not get a kerberos ticket: I do see the ticket files on the qmaster
>under /tmp/, e.g:
>-rw------- 1 root root 835 Apr 1 13:32 krb5cc_sge_16
>but not on the exec host. Consequently klist reports:
>klist: No ticket file: /tmp/krb5cc_sge_16
>klist: Can't access ticket file (tf_util)
>The qmaster (in messages) does not report any error
>The execd reports
>04/01/2005 13:32:10|execd|ajax|E|put_cred stderr: WARNING: Credentials were
>04/01/2005 13:32:10|execd|ajax|E|could not store credentials for job 16 -
>command "/opt/products/gridengine/6.0u3/utilbin/lx24-x86/put_cred" failed
>with returncode 3
>2) I can see and extract the credentials part of the job file on the
>execution host as an ordinary user. This seems to me a security problem
>3) I do have questions concerning the correct treatment of the K5
>- if a process (the batch job on the exec host) is started, it does share
> the environment, hence also the AFS token with its children. To prevent
> that, pagsh must be called prior to setting the AFS token (which happens
> in the case of Heimdal, if you get a K5 ticket). Is there code for that?
>- (At least) In Heimdal renewed tickets cannot be forwarded and forwarded
> tokens cannot be renewed. Therefore I do not see how jobs can wait in a
> queue longer than the default ticket lifetime (25 h in our case) and
> how jobs can last longer than the default lifetime of the ticket.
> What happens if the user sends a job where the ticket is almost expired?
>Could you help me please clarify these points?
>Wolfgang Friebel Deutsches Elektronen-Synchrotron DESY
>Phone/Fax: +49 33762 77372/216 Platanenallee 6
>Mail: Wolfgang.Friebel AT desy.de D-15738 Zeuthen Germany
>To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
>For additional commands, e-mail: users-help at gridengine.sunsource.net