[Condor-users] KRB5 authentication



Hi All,

I've been running a Condor pool for about 2 1/2 years & after the
recent upgrade to 7.2 I'm thinking of expanding out from the racked
nodes we have on to desktop systems.

We currently use KERBEROS auth which means each node needs a keytab,
which means an Admin needs to manually generate a keytab for each
host.  Ideally I'd like Condor to be part of our default Linux install
but this Keytab requirement hurts as there's not a secure way to
automate it.

I'm not terribly worried about rogue systems joining the cluster but I
do want to be sure people running on it have proper Kerberos
credentials.  Is there a way to separate those two so that the daemons
can run without a Kerberos keytab (or can use a common copied keytab
rather than a host specific keytab), but job submission still uses
Kerberos?

Here's my base security config:

grep SEC /etc/condor/condor_config
SEC_DEFAULT_AUTHENTICATION      = REQUIRED
SEC_DEFAULT_INTEGRITY           = REQUIRED
SEC_DEFAULT_ENCRYPTION          = OPTIONAL
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
SEC_DEFAULT_ENCRYPTION_METHODS = 3DES, BLOWFISH
SEC_CLIENT_AUTHENTICATION       = OPTIONAL
SEC_CLIENT_INTEGRITY            = OPTIONAL
SEC_CLIENT_ENCRYPTION           = OPTIONAL

Thanks,
-Jon