
Re: [Condor-users] Kerberos security and startup scripts...



Re the below:

I think the common solution is to indeed use the host keytab file.  In fact, iirc, Condor will look for it by default if you start the daemons as root.

-Todd

---
Todd Tannenbaum
University of Wisconsin-Madison

-----Original Message-----

From:  "Jonathan D. Proulx" <jon@xxxxxxxxxxxxx>
Subj:  [Condor-users] Kerberos security and startup scripts...
Date:  Thu May 10, 2007 9:18 am
Size:  1K
To:  condor-users@xxxxxxxxxxx

Hi,

I have a Condor setup using:

SEC_DEFAULT_AUTHENTICATION      = REQUIRED
SEC_READ_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS

I like the relatively strong security this model provides, but I find
that condor won't start on boot because the init script doesn't have a
Kerberos ticket.

Is there a way to allow this, such that root on the local system can
control the local server processes without throwing the doors open to
more things?  The right way may be rewriting the init script to use a
keytab but floating keytabs around to all the systems doesn't seem
like the best idea either, though I suppose I could use the host
keytab, which would at least make it more easily revocable on a per
host basis...

What do other people do?

-Jon
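
A pre-start check for the host keytab approach discussed in this thread, as an added example that is not part of either message and is not Condor code: it reads a keytab in the MIT file format (version 0x0502), lists principals without returning key bytes, and reports loose ownership, loose permissions, or a missing host principal. The function names, the `owner_uid` parameter and the sample principal `host/node1.example.org@EXAMPLE.ORG` are assumptions made for illustration.

```python
import os, stat, struct

def counted(buf, p):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """List (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # deleted slot: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        parts, p = [], pos + 2
        for _ in range(ncomp + 1):    # realm first, then the name components
            field, p = counted(data, p)
            parts.append(field.decode())
        kvno, enctype = struct.unpack_from(">BH", data, p + 8)  # after name type, timestamp
        _, p = counted(data, p + 11)  # key bytes are skipped, never returned
        if end - p >= 4:              # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return out

def audit_keytab(path, fqdn, owner_uid=0):
    """Return findings for a host keytab; an empty list means it passed."""
    st, findings = os.stat(path), []
    if st.st_uid != owner_uid:
        findings.append("owner is not uid %d" % owner_uid)
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("accessible by group or other")
    with open(path, "rb") as fh:
        names = [e[0] for e in parse_keytab(fh.read())]
    if not any(n.startswith("host/%s@" % fqdn) for n in names):
        findings.append("no host/%s principal" % fqdn)
    return findings

def sample_keytab():  # constructed data with a dummy all-zero key
    f = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + f(b"EXAMPLE.ORG") + f(b"host") + f(b"node1.example.org")
    body += struct.pack(">IIBH", 1, 0, 3, 18) + f(bytes(32)) + struct.pack(">I", 3)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real host the call would be `audit_keytab("/etc/krb5.keytab", "<this host's FQDN>")`, with the path adjusted to wherever the site keeps its host keytab.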