[Condor-users] Kerberos and Windows

[Liam Gretton <L.Gretton@xxxxxxxxxxx>]

I'm close to having solved all my Condor issues, so that we can roll out 
a secure service. But though my Linux clients successfully authenticate 
against our Windows AD Kerberos service, I can't quite get this working 
with our Windows clients.

The vast majority of our Condor pool will be Windows systems. These 
hosts are part of the Windows AD, and get a Kerberos ticket with the 
principal host/fqdn@REALM when they boot.

Ideally I'd like Condor to recognise this ticket, but I can't see any 
way to do that. Condor's Kerberos support seems to demand a MIT-style 
krb5.ini file and keytab for the principal. The krb5.ini file isn't a 
problem, but getting the keytab into a file is. As far as I can tell 
it's tucked away within the LSA and there's no way of getting to it.

Can anyone suggest a solution to this? If you've managed to get Condor 
authenticating against a MS AD Kerberos service without having to export 
keytabs to the host, I'd be very interested to hear how you've achieved 
this.

--
Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom