[GE users] SGE+Kerberos support

Wolfgang Friebel Wolfgang.Friebel at desy.de
Thu Mar 31 13:33:50 BST 2005


On Thu, 31 Mar 2005, Reuti wrote:

> Hi,
>
> the thing I remember is this:
>
> http://gridengine.sunsource.net/servlets/ReadMsg?list=users&msgId=22739
>
> which points to gridengine/source/security/gss/doc/gss_customer.html. And yes,
> get the CVS checkout, then you have it all.
>
It was designed for SGE 5 and I am unsure whether it still compiles or 
works for SGE 6. The documentation you are mentioning is from Dec, 2001.

We do have a Kerberos 5 based solution where the two necessary routines 
for AFS and/or Kerberos5 support [g|s]et_token_cmd are used. These 
routines are coming into play if you install the daemons with the -afs 
option.

While we do currently have a dummy get_token_cmd, the set_token_cmd is 
used on the execution host to contact an external daemon. The external 
daemon is based on SASL and accepts authentications supported by SASL
(GSS_API, i.e. Kerberos5, KERBEROS_V4 and others). SGE authenticates
against the daemon using a key (host principal) out of krb5.keytab
and requests a K5 ticket for a user. If the authentication was successful 
and the user is registered for this service then SGE obtains the Kerberos 
ticket, which is put into a file and made known to the job environment by 
setting KRB5CCNAME appropriately.

A fairly recent version of the external daemon can be found on
ftp://ftp.ifh.de/pub/unix/gnu/perl/modules (ARCv2, Arc-Command-Kstart, 
Authen-SASL and Authen-SASL-Cyrus)

-- 
Wolfgang Friebel                   Deutsches Elektronen-Synchrotron DESY
Phone/Fax:  +49 33762 77372/216    Platanenallee 6
Mail: Wolfgang.Friebel AT desy.de  D-15738 Zeuthen  Germany
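
The message above describes the ticket being written to a file and exposed to the job through KRB5CCNAME. The following is an added example, not code from the post or from SGE: a check an execution-host wrapper could run on that file before exporting the variable. The function name `check_ccache` and its return codes are hypothetical, and it assumes GNU coreutils `stat` and a FILE: type cache.

```shell
# check_ccache CCNAME [UID]
# Returns 0 if the file-based credential cache is safe to hand to a job:
# a regular file (not a symlink), owned by UID, readable by the owner only.
check_ccache() {
    ccname=$1
    want_uid=${2:-$(id -u)}
    case $ccname in
        FILE:*) path=${ccname#FILE:} ;;
        /*)     path=$ccname ;;      # bare absolute path means FILE:
        *)      return 2 ;;          # other cache types are out of scope here
    esac
    [ -L "$path" ] && return 3       # symlink could redirect the ticket write
    [ -f "$path" ] || return 4       # missing or not a regular file
    owner=$(stat -c %u "$path") || return 5
    mode=$(stat -c %a "$path") || return 5
    [ "$owner" = "$want_uid" ] || return 6
    case $mode in
        600|400) ;;                  # owner-only access
        *)       return 7 ;;         # group or world bits set
    esac
    return 0
}

# Constructed demo: an empty stand-in file, not a real ticket cache.
demo_dir=$(mktemp -d)
( umask 077; : > "$demo_dir/krb5cc_demo" )
check_ccache "FILE:$demo_dir/krb5cc_demo" && echo "ok: safe to export KRB5CCNAME"
chmod 644 "$demo_dir/krb5cc_demo"
check_ccache "FILE:$demo_dir/krb5cc_demo" || echo "rejected, code $?"
rm -rf "$demo_dir"
```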
