
Re: [Condor-users] Kerberos: Does Condor break when using cross-realm Kerberos authentication?



On Wed, Apr 30, 2008 at 09:31:27PM +0100, David McBride wrote:
> Greetings,
> 
> Are there any known issues configuring Condor to use Kerberos for authentication
> in a multi-realm environment?

The authentication itself should work, although I have to admit I have not
tested it.  Let's assume it does for now, and if not we will fix it.

I think the main thing to be aware of will be potential username collisions,
unless you have some extra knowledge or umbrella policy that says this will
not happen.

If I have a zmiller@xxxxxxxxxxx principal and a different individual has a
zmiller@xxxxxxxxxxxx principal, and we both submit jobs, Condor will by default
map both of these users to the user 'zmiller' when running the job.

To prevent this, you may want to use the Condor map file to map users from one
realm to the nobody user (or some other designated user).  You would want to
write a couple of rules similar to this in your Condor map file:
  KERBEROS (.*)@REALM.MORE.TRUSTED \1
  KERBEROS (.*)@REALM.LESS.TRUSTED nobody

The first rule maps users from that realm to their actual principal name.  The
second maps ALL users from the other realm to 'nobody'.


cheers,
-zach
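The collision and the map-file fix described in the reply above, as an added worked example that is not part of the original thread or of Condor's own code. It simulates a Condor-style map file (one `METHOD regex target` rule per line, first matching rule wins, `\1` substitutes the first capture group) over a handful of constructed principals. Two things are assumptions of this example rather than facts from the post: that the regex is applied as a full match against the whole principal, and the tightened second rule set, which escapes the dots in the realm name and refuses to map service principals containing a `/`; the sample principals and the `example.org` host name are likewise constructed.

```python
"""Simulate Condor-style map-file lookups for Kerberos principals.

Constructed example: shows why two principals with the same name in
different realms collide under the default mapping, and how map-file
rules separate them.  Full-match regex semantics are an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# The two rules exactly as posted in the reply (dots unescaped).
POSTED_MAP_FILE = r"""
KERBEROS (.*)@REALM.MORE.TRUSTED \1
KERBEROS (.*)@REALM.LESS.TRUSTED nobody
"""

# Tightened variant (my suggestion, not from the post): escape the realm's
# dots so they only match literal dots, and do not map service principals
# such as host/... to a local user at all.
TIGHTER_MAP_FILE = r"""
KERBEROS ([^/@]+)@REALM\.MORE\.TRUSTED \1
KERBEROS (.*)@REALM\.LESS\.TRUSTED nobody
"""

# Constructed principals used throughout the example.
SAMPLE_PRINCIPALS = [
    "zmiller@REALM.MORE.TRUSTED",
    "zmiller@REALM.LESS.TRUSTED",
    "host/submit.example.org@REALM.MORE.TRUSTED",
    "zmiller@REALMXMOREXTRUSTED",   # unescaped '.' in the rule matches this too
    "alice@REALM.UNKNOWN",          # realm covered by no rule
]

Rule = Tuple[str, "re.Pattern[str]", str]


def parse_map_file(text: str) -> List[Rule]:
    """Parse 'METHOD regex target' lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        method, pattern, target = line.split(None, 2)
        rules.append((method.upper(), re.compile(pattern), target))
    return rules


def default_mapping(principal: str) -> str:
    """Default behaviour described in the post: drop the realm, keep the name."""
    return principal.split("@", 1)[0]


def map_principal(rules: List[Rule], method: str, principal: str) -> Optional[str]:
    """Return the local user for the first matching rule, or None if no rule matches."""
    for rule_method, pattern, target in rules:
        if rule_method != method.upper():
            continue
        m = pattern.fullmatch(principal)  # assumption: whole-principal match
        if m:
            return m.expand(target)      # expands \1, \2, ... in the target
    return None


def run(map_file_text: str) -> Dict[str, Optional[str]]:
    """Map every sample principal through the given map file."""
    rules = parse_map_file(map_file_text)
    return {p: map_principal(rules, "KERBEROS", p) for p in SAMPLE_PRINCIPALS}


if __name__ == "__main__":
    print("default mapping (no map file):")
    for p in SAMPLE_PRINCIPALS:
        print(f"  {p:45} -> {default_mapping(p)}")
    for label, text in (("posted rules", POSTED_MAP_FILE), ("tightened rules", TIGHTER_MAP_FILE)):
        print(f"{label}:")
        for p, user in run(text).items():
            print(f"  {p:45} -> {user!r}")
```

Under the default mapping both `zmiller@...` principals land on the same local user, which is the collision the reply warns about. The posted rules separate them, but because `.` is unescaped they also accept a realm such as `REALMXMOREXTRUSTED`, and `(.*)` happily turns a service principal into a local user named `host/submit.example.org`; the tightened variant returns no mapping for either, which in practice means the principal is rejected rather than silently mapped.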