[GE issues] [Issue 3118] New - Delegate Kerberos credentials for built-in rsh/rlogin methods

ondrej webserv at s3group.cz
Wed Aug 26 10:59:30 BST 2009


http://gridengine.sunsource.net/issues/show_bug.cgi?id=3118
                 Issue #|3118
                 Summary|Delegate Kerberos credentials for built-in rsh/rlogin
                        | methods
               Component|gridengine
                 Version|6.2u3
                Platform|All
                     URL|
              OS/Version|Linux
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|ENHANCEMENT
                Priority|P3
            Subcomponent|communication
             Assigned to|crei
             Reported by|ondrej






------- Additional comments from ondrej at sunsource.net Wed Aug 26 02:59:27 -0700 2009 -------
When using built-in rsh/rlogin methods, SGE should honor (and forward) the user's Kerberos TGT (ticket granting ticket) the same way ssh does by default.
This is important in environments where fully kerberized NFSv4 is used, as access to the NFS share is rejected if no valid TGT is found.
Example:

[victim@dorado_v1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_999_bV9I5o
Default principal: victim@PRAGUE.AD.S3GROUP.COM

Valid starting     Expires            Service principal
08/26/09 10:06:25  08/26/09 20:06:29  krbtgt/PRAGUE.AD.S3GROUP.COM@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
08/26/09 10:23:41  08/26/09 20:06:29  nfs/melnik.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25


Kerberos 4 ticket cache: /tmp/tkt999
klist: You have no tickets cached
[victim@dorado_v1 ~]$ ls
Desktop  krbtest  monday_press_demo.mpg  test1.txt  test.txt  test.txt2
[victim@dorado_v1 ~]$ qlogin
Your job 212 ("QLOGIN") has been submitted
waiting for interactive job to be scheduled ...
Your interactive job 212 has been successfully scheduled.
Establishing builtin session to host deneb.prague.s3group.com ...
[victim@deneb 212.1]$ cd ~
/home/victim: Permission denied.
[victim@deneb 212.1]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_999)


Kerberos 4 ticket cache: /tmp/tkt999
klist: You have no tickets cached
[victim@deneb 212.1]$

.... As you can see, access to my home directory is forbidden on the remote execution node because my TGT was not forwarded....
Ondrej

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=36&dsMessageId=214344
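
Added example, not part of the original report and not Grid Engine code: a small Python check that classifies klist output the way the session above shows it, so the "no credentials cache on the execution host" case can be told apart from a missing or expired TGT. The function name tgt_status and the MM/DD/YY timestamp format are assumptions taken from the output in the report; the two samples are the report's own klist output with "@" restored.

```python
import re
from datetime import datetime

# klist output from the submit host in the report ("@" restored).
SUBMIT_HOST = """\
Ticket cache: FILE:/tmp/krb5cc_999_bV9I5o
Default principal: victim@PRAGUE.AD.S3GROUP.COM

Valid starting     Expires            Service principal
08/26/09 10:06:25  08/26/09 20:06:29  krbtgt/PRAGUE.AD.S3GROUP.COM@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
08/26/09 10:23:41  08/26/09 20:06:29  nfs/melnik.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
"""
# klist output from the execution host after qlogin, as in the report.
EXEC_HOST = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_999)\n"

# Assumption: timestamps use the MM/DD/YY HH:MM:SS layout seen in the report.
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"


def tgt_status(klist_text, now):
    """Return (state, expiry); state is 'no-cache', 'no-tgt', 'expired' or 'ok'."""
    if "No credentials cache found" in klist_text:
        return "no-cache", None
    principal = re.search(r"^Default principal: \S+@(\S+)$", klist_text, re.M)
    if principal is None:
        return "no-cache", None
    realm = principal.group(1)
    # Only the TGT for the principal's own realm counts; service tickets
    # such as nfs/... are not sufficient to obtain new tickets.
    wanted = f"krbtgt/{realm}@{realm}"
    for line in klist_text.splitlines():
        ticket = TICKET.match(line.strip())
        if ticket and ticket.group(3) == wanted:
            expires = datetime.strptime(ticket.group(2), FMT)
            return ("ok" if now < expires else "expired"), expires
    return "no-tgt", None


if __name__ == "__main__":
    when = datetime(2009, 8, 26, 10, 59, 30)  # time of the report
    print("submit host:", tgt_status(SUBMIT_HOST, when))
    print("exec host:  ", tgt_status(EXEC_HOST, when))
```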
