[Condor-users] Kerberos and Windows

I'm close to having solved all my Condor issues, so that we can roll out a secure service. But though my Linux clients successfully authenticate against our Windows AD Kerberos service, I can't quite get this working with our Windows clients.

The vast majority of our Condor pool will be Windows systems. These hosts are part of the Windows AD, and get a Kerberos ticket with the principal host/fqdn@REALM when they boot.

Ideally I'd like Condor to recognise this ticket, but I can't see any way to do that. Condor's Kerberos support seems to demand an MIT-style krb5.ini file and keytab for the principal. The krb5.ini file isn't a problem, but getting the keytab into a file is. As far as I can tell it's tucked away within the LSA and there's no way of getting to it.

Can anyone suggest a solution to this? If you've managed to get Condor authenticating against a MS AD Kerberos service without having to export keytabs to the host, I'd be very interested to hear how you've achieved this.

Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom