
Re: [Condor-users] Kerberos and Windows



> The vast majority of our Condor pool will be Windows systems. These 
> hosts are part of the Windows AD, and get a Kerberos ticket with the 
> principal host/fqdn@REALM when they boot.
> 
> Ideally I'd like Condor to recognise this ticket, but I can't see any 
> way to do that. Condor's Kerberos support seems to demand a MIT-style 
> krb5.ini file and keytab for the principal. The krb5.ini file isn't a 
> problem, but getting the keytab into a file is. As far as I can tell 
> it's tucked away within the LSA and there's no way of getting to it.

I will take a look at exactly how Condor locates the ticket for the client to
use, but I am guessing you are out of luck on Windows at present. We will
probably either need to add some code to extract the ticket from the secure
LSA area (or find the proper Windows API to access it).

Kerb support was definitely added with only UNIX in mind. It was tested
against an AD server, and quite a while ago I believe it was tested on
Windows using a keytab file, but never using Windows' native key storage.


> Can anyone suggest a solution to this? If you've managed to get Condor 
> authenticating against a MS AD Kerberos service without having to export 
> keytabs to the host, I'd be very interested to hear how you've achieved 
> this.

Same here! :)

Like I said, we the Condor team will take a closer look at it, and if it is
not currently possible we'll add it to the list for the 7.3 series.


cheers,
-zach