[GE users] SGE+Kerberos support

Wolfgang Friebel Wolfgang.Friebel at desy.de
Thu Mar 31 16:11:04 BST 2005


On Thu, 31 Mar 2005, Ron Chen wrote:

> Hmm, I was planning to fix some minor bugs in the
> original integration:
>
> I sent this mail to the list in 2003:
> http://gridengine.sunsource.net/servlets/ReadMsg?list=dev&msgId=13732
>
> And late last year (Nov 2004), someone encountered the
> same problem and several others:
> http://gridengine.sunsource.net/servlets/ReadMsg?list=users&msgNo=8441
>
>
> I was planning to check the changes into cvs. But if
> you can describe the new way to integrate with krb,
> then may be we can standardize on one method so that
> it would be easier to maintain.
>

It looks as if others have successfully built the environment you 
described. As we are using Heimdal instead of MIT it could be that is 
where our problems came from. I will try once more to build SGE with GSS 
enabled and do report my findings.

One thing puzzles me however: Both the "jobs" directory and the files 
therein are readable by ordinary users (at least in my case SGE6u3 
compiled with the -afs flag). In the docs I read
     1. qsub/qmon calls get_cred when a job is submitted to get the
        credentials of the user. The tokenized credentials are sent back
        to qsub and are put into the job request.
Therefore I could easily extract the credentials from an arbitrary user 
and use it in the same way (get_cred/put_cred) as the qmaster does. Did I 
misunderstand something here? To be on the safe side I thought that the 
credentials must be stored separately on the qmaster in a root protected 
directory.

If the above mentioned Kerberos integration does also work for us I would 
prefer that solution (as it is integrated into qmaster/execd) instead of 
our "external" solution.

-- 
Wolfgang Friebel                   Deutsches Elektronen-Synchrotron DESY
Phone/Fax:  +49 33762 77372/216    Platanenallee 6
Mail: Wolfgang.Friebel AT desy.de  D-15738 Zeuthen  Germany

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list