[GE users] SGE6.2+Kerberos

Jean-Christophe Ducom jc_ducom at nd.edu
Thu Oct 16 15:54:31 BST 2008


    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "ISO-8859-10" character set.  ]
    [ Some special characters may be displayed incorrectly. ]

I try to pass kerberos tokens with the SGE6.2 binary
I compiled and tested successfully the programs get_cred,put_cred et al. 
from the sge/security directory.

When a user submits a job, the credential file krb5cc_qmaster_jobid is 
created
I get a file with the same content if I run by hand the following command:
$ get_cred sge > /tmp/cred.out
$ su
# export KRB5CCNAME=FILE:/tmp/krb5cc_qmaster_test
# put_cred -s sge -u jducom  < /tmp/cred.out


However when I submit a job, I get the following error message:
$ qsub test.sh
Unable to run job: job 16 rejected because authentication failed (no 
credentials supplied).
Exiting.


The debugging log shows:
[...]
    431   7109 event_master     deliver event: 80 with where 
filter=false and what filter=false
    432   7109 event_master     Copying event data
    433   7109 scheduler000     passed cancelation point
    434   7109    worker001     worker001 is waiting for packet 
(packet_queue->waiting = 2)
    435   7109 event_master     Copying event
    436   7109 event_master     1 15. EVENT MOD USER jducom
    437   7109 event_master     processing event master request: 3
    438   7109 event_master     Processing event for all clients
    439   7109 event_master     Preparing event for client 1
    440   7109 event_master     processing event master request: 1
    441   7109 event_master     rebuild event mask for client(id): 
scheduler(1)
    442   7109  listener000     uid/username = 82784/jducom, 
gid/groupname = 1313/campus
    443   7109  listener000     listener000 added new packet 
(packet_queue->counter = 1)
    444   7109  listener000     listener000 notifys one worker
    445   7109    worker000     worker000 takes packet from priority 
queue. (packet_queue->counter = 0; packet_queue->waiting = 1)
    446   7109    worker000     GDI ADD job 
(sgeadmina.hpcc.nd.edu/qsub/1) (jducom/82784/campus/1313)
    447   7109    worker000     job has access to queue "all.q"
    448   7109    worker000     user jducom got department 
"defaultdepartment"
    449   7109    worker000     skip expensive verification of 
schedulability
    450   7109    worker000     ../libs/gdi/sge_security.c 930 could not 
store credentials for job 16 - command 
"/opt/sge/utilbin/lx24-amd64/put_cred" failed with return code -1
    451   7109    worker000     ../libs/gdi/sge_security.c 938 job 16 
rejected because authentication failed (no credentials supplied)
    452   7109    worker000     packing SGE_GDI_ADD request
    453   7109    worker000     worker000 is waiting for packet 
(packet_queue->waiting = 2)
    454   7109  signaler000     got signal 2
    455   7109         main     ../daemons/qmaster/sge_thread_jvm.c 195 
jvm thread is not running
    456   7109         main 
../daemons/qmaster/sge_thread_scheduler.c 461 scheduler thread terminated
    457   7109 event_master     processing event master request: 3
    458   7109 event_master     Processing event for all clients
    459   7109 event_master     Preparing event for client 1
    460   7109 event_master     Copying event
[...]

Obviously the main problem comes from ./libs/gdi/sge_security.c
/* set up credentials cache for this job */
       sprintf(ccname, "KRB5CCNAME=FILE:/tmp/krb5cc_qmaster_" sge_u32,
               lGetUlong(jep, JB_job_number));
       env[0] = ccname;
       env[1] = NULL;

       sprintf(binary, "%s/utilbin/%s/put_cred", sge_root, sge_get_arch());

       if (sge_get_token_cmd(binary, NULL) == 0) {
          sprintf(cmd, "%s -s %s -u %s", binary, "sge", lGetString(jep, 
JB_owner));
  command_pid = sge_peopen("/bin/sh", 0, cmd, NULL, env, &fp_in, 
&fp_out, &fp_err, false);
if (command_pid == -1) {
             ERROR((SGE_EVENT, MSG_SEC_NOSTARTCMD4GETCRED_SU,
                    binary, sge_u32c(lGetUlong(jep, JB_job_number))));
          }


Any hints?

Thanks
JC


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list