[GE users] SGE+Kerberos support

Manel Euro euro_32 at hotmail.com
Mon Apr 4 13:16:21 BST 2005


I have been trying to install SGE with GSSAPI to forward Kerberos and AFS 
Tokens. So far I have not been successful.
I am following the instructions in 
http://gridengine.sunsource.net/servlets/ReadMsg?list=users&msgNo=8441 (I 
believe you also followed these).

On my first try I did the following:

1- download CVS
2- download common and bin tar.gz from the site
2.1- mkdir -p /home/sge-6.0u3
3- cd /home/sge-6.0u3
4- tar -xvzf /downloads/sge-6.0u3-common.tar.gz
5- tar -xvzf /downloads/sge-6.0u3-bin-lx24-x86.tar.gz
6-  cd /GRID-CVS-SOURCE/gridengine/source
6.5- vi /GRID-CVS-SOURCE/gridengine/source/security/gss/sge_gsslib.c
6.5.1 - delete PROTOTYPE on line 81
7- JAVA_HOME=/usr/share/java; export JAVA_HOME
8- export SGE_ROOT=/home/sge-6.0u3
9- scripts/distinst -local -- sec
10 -  cd $SGE_ROOT/security/
11 - vi aimk
11.1 on line 50 add set KRB_HOME = /usr/local/kerberos5
11.2 on line 61 add set CFLAGS = "-DKRB5_EXPORTVAR"
11.3 on line 120 add set ARCH = "*linux"
12-  ./aimk -gss
Which fails with errors:
sge_gsslib.o: In function gsslib_put_credentials:
undefined reference to kg_get_context
sge_gsslib.o: In function put_creds_in_ccache:
undefined reference to kg_get_context

On the second try I replaced steps 2 to 5 with
vi aimk.site
  edit line 70 and add KRB_HOME=/usr/local/kerberos5
./aimk -only-depend
./aimk depend
./aimk -no-secure -spool-classic -no-qmon (-no-qmon because I got the error 
related with files for Qmon)
./aimk -mankv
export SGE_ROOT=/home/sge-6.0u3
mkdir -p $SGE_ROOT
scripts/distinst -local -noexit -allall lx24-x86

I think I have followed correctly all steps in the previous link.
However, I am not able to compile.

Am I missing something?
I am installing on machines running RedHat 8.0.
I am using MIT krb5-1.4 .

Thank you,


>From: Wolfgang Friebel <Wolfgang.Friebel at desy.de>
>Reply-To: users at gridengine.sunsource.net
>To: users at gridengine.sunsource.net
>Subject: Re: [GE users] SGE+Kerberos support
>Date: Fri, 1 Apr 2005 14:18:27 +0200 (CEST)
>On Thu, 31 Mar 2005, Wolfgang Friebel wrote:
>>On Thu, 31 Mar 2005, Wolfgang Friebel wrote:
>>>On Thu, 31 Mar 2005, Ron Chen wrote:
>>>>I was planning to check the changes into cvs. But if
>>>>you can describe the new way to integrate with krb,
>>>>then may be we can standardize on one method so that
>>>>it would be easier to maintain.
>I achieved a successful compilation and install of SGE including the 
>security component gss according to the recipe given.
>I had to add to CFLAGS
>and to LFLAGS
>-L/opt/products/krb5/1.3.3/lib -Wl,-rpath,/opt/products/krb5/1.3.3/lib
>due to my unusual location of the libraries
>When testing the installation I made the following observations:
>1) I do not get a kerberos ticket: I do see the ticket files on the qmaster 
>under /tmp/, e.g:
>-rw-------    1 root     root          835 Apr  1 13:32 krb5cc_sge_16
>but not on the exec host. Consequently klist reports:
>klist: No ticket file: /tmp/krb5cc_sge_16
>klist: Can't access ticket file (tf_util)
>The qmaster (in messages) does not report any error
>The execd reports
>04/01/2005 13:32:10|execd|ajax|E|put_cred stderr: WARNING: Credentials were 
>not forwarded
>04/01/2005 13:32:10|execd|ajax|E|could not store credentials for job 16 - 
>command "/opt/products/gridengine/6.0u3/utilbin/lx24-x86/put_cred" failed 
>with returncode 3
>2) I can see and extract the credentials part of the job file on the 
>execution host as an ordinary user. This seems to me a security problem
>3) I do have questions concerning the correct treatment of the K5 
>tickets/AFS tokens:
>- if a process (the batch job on the exec host) is started, it does share
>   the environment, hence also the AFS token with its children. To prevent
>   that, pagsh must be called prior to setting the AFS token (which happens
>   in the case of Heimdal, if you get a K5 ticket). Is there code for that?
>- (At least) In Heimdal renewed tickets cannot be forwarded and forwarded
>   tokens cannot be renewed. Therefore I do not see how jobs can wait in a
>   queue longer than the default ticket lifetime (25 h in our case) and
>   how jobs can last longer than the default lifetime of the ticket.
>   What happens if the user sends a job where the ticket is almost expired?
>Could you help me please clarify these points?
>Wolfgang Friebel                   Deutsches Elektronen-Synchrotron DESY
>Phone/Fax:  +49 33762 77372/216    Platanenallee 6
>Mail: Wolfgang.Friebel AT desy.de  D-15738 Zeuthen  Germany
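
The execd errors quoted in the reply above are the only sign that job 16 started without forwarded credentials (the qmaster logged nothing), so they are worth scanning for. The following is an added example, not part of the original thread or of Grid Engine: it assumes the `timestamp|daemon|host|level|text` layout visible in the two quoted lines, and the function name and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two execd lines quoted in the message (re-joined
# onto single lines) plus one invented, unrelated info line.
SAMPLE_LOG = """\
04/01/2005 13:32:10|execd|ajax|E|put_cred stderr: WARNING: Credentials were not forwarded
04/01/2005 13:32:10|execd|ajax|E|could not store credentials for job 16 - command "/opt/products/gridengine/6.0u3/utilbin/lx24-x86/put_cred" failed with returncode 3
04/01/2005 13:33:02|execd|ajax|I|starting up
"""

# Assumed record layout, read off the quoted lines: timestamp|daemon|host|level|text
STORE_FAIL = re.compile(
    r'could not store credentials for job (\d+) - command "([^"]+)" '
    r'failed with returncode (\d+)')
STDERR = re.compile(r'put_cred stderr: (.*)')

def find_credential_failures(log_text):
    """Return one dict per job whose credentials could not be stored."""
    pending_stderr = defaultdict(list)   # (host, timestamp) -> stderr messages
    failures = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue                      # wrapped or malformed line: skip
        stamp, daemon, host, level, text = parts
        if daemon != "execd" or level != "E":
            continue
        m = STDERR.match(text)
        if m:
            pending_stderr[(host, stamp)].append(m.group(1))
            continue
        m = STORE_FAIL.match(text)
        if m:
            failures.append({
                "time": stamp, "host": host, "job": int(m.group(1)),
                "command": m.group(2), "returncode": int(m.group(3)),
                # stderr lines logged by the same host in the same second
                "stderr": pending_stderr.pop((host, stamp), []),
            })
    return failures

if __name__ == "__main__":
    for f in find_credential_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} job {f['job']}: "
              f"{f['command']} rc={f['returncode']} {f['stderr']}")
```

Lines that an archive or mail client has wrapped no longer have five fields and are skipped, so run it against the execd messages file itself rather than a pasted copy.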
