
Re: [Condor-users] KRB5 authentication



> I'm not terribly worried about rogue systems joining the cluster but I
> do want to be sure people running on it have proper kerberos
> credentials.  Is there a way to separate those two so that the daemons
> can run without a Kerberos keytab (or can use a common copied keytab
> rather than a host specific keytab), but job submission still uses
> Kerberos?

at the very least, you will need a keytab file for your submit machine.
kerberos performs mutual authentication, so both client and server need
credentials just to make the authentication succeed.

given that, you can do either of your two options.

to use a common copied keytab file rather than a host specific keytab, specify
the KERBEROS_SERVER_PRINCIPAL in your condor_config file and condor will use
whatever you tell it, rather than attempting to use the default which has the
form host/<actual.host.name>/<REALM>.

for example:
  KERBEROS_SERVER_PRINCIPAL = condor@REALM
or
  KERBEROS_SERVER_PRINCIPAL = condor/your.domain@REALM

(of course, you need to create a principal with the same name in the keytab
 file you are using)


or, if you want to only use host-based authorization between condor daemons
and use KERBEROS for submitting jobs, you can use all the default config
options (i.e. remove all the lines you had starting with SEC_) and simply set:
  SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS

and that will force all condor_submits to be kerberos authenticated.  normally,
authentication is optional so daemon-to-daemon will not use it.  however, when
condor_submit talks to the SchedD, authentication is forced whether or not your
condor_config requires it.

let me know if that helps!


cheers,
-zach
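The reply above hinges on two things a practitioner will want to verify before restarting daemons: the principal condor will present (either the configured KERBEROS_SERVER_PRINCIPAL or the default host/<fqdn>@<REALM>) must actually exist in the keytab the daemon reads, and SEC_DEFAULT_AUTHENTICATION_METHODS must list KERBEROS if submits are to be Kerberos-authenticated. The following is an added example, not code from the post or from the HTCondor project: a small check that parses a condor_config fragment and a `klist -k -t` listing and reports whether they agree. The config fragment and the klist output are constructed samples; the KEY = VALUE parsing, the MIT-style klist column layout, the realm argument (in practice taken from krb5.conf default_realm) and the function names are assumptions of this example.

```python
"""Check that the Kerberos principal HTCondor will present is present in its keytab.

Added example, not from the mailing-list post or the HTCondor project. Assumes:
condor_config uses KEY = VALUE lines, the keytab listing is in the layout printed
by MIT `klist -k -t` (KVNO, date, time, principal) or `klist -k` (KVNO, principal),
and the realm is supplied by the caller. Sample inputs below are constructed.
"""
import socket
from typing import Dict, List, Optional

# Constructed condor_config fragment: common copied keytab with an explicit principal.
SAMPLE_CONDOR_CONFIG = """
# constructed sample, not a real site configuration
CONDOR_HOST = central.example.org
KERBEROS_SERVER_PRINCIPAL = condor/your.domain@EXAMPLE.ORG
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
"""

# Constructed `klist -k -t` output for the copied keytab.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/condor/condor.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:11:12 condor/your.domain@EXAMPLE.ORG
   3 01/02/2024 10:11:12 host/submit01.example.org@EXAMPLE.ORG
"""


def parse_condor_config(text: str) -> Dict[str, str]:
    """Parse KEY = VALUE lines; a later definition overrides an earlier one."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip().upper()] = value.strip()
    return config


def expected_server_principal(config: Dict[str, str], hostname: str, realm: str) -> str:
    """Principal the daemons will present: the configured one, else host/<fqdn>@<REALM>."""
    configured = config.get("KERBEROS_SERVER_PRINCIPAL")
    if configured:
        return configured
    return f"host/{hostname}@{realm}"


def parse_keytab_listing(text: str) -> List[str]:
    """Extract principals from klist -k output: rows start with a numeric KVNO
    and end with the principal, whatever columns sit in between."""
    principals: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            principals.append(parts[-1])
    return principals


def submit_requires_kerberos(config: Dict[str, str]) -> bool:
    """True if KERBEROS is among SEC_DEFAULT_AUTHENTICATION_METHODS (comma separated)."""
    methods = config.get("SEC_DEFAULT_AUTHENTICATION_METHODS", "")
    return "KERBEROS" in {m.strip().upper() for m in methods.split(",") if m.strip()}


def check_keytab(config_text: str, klist_text: str, hostname: str, realm: str) -> Dict[str, object]:
    """Report the expected principal, whether the keytab holds it, and whether
    condor_submit will be forced through Kerberos by the configured methods."""
    config = parse_condor_config(config_text)
    expected = expected_server_principal(config, hostname, realm)
    in_keytab = parse_keytab_listing(klist_text)
    return {
        "expected_principal": expected,
        "principal_in_keytab": expected in in_keytab,
        "keytab_principals": in_keytab,
        "submit_requires_kerberos": submit_requires_kerberos(config),
    }


def main() -> None:
    result = check_keytab(SAMPLE_CONDOR_CONFIG, SAMPLE_KLIST_OUTPUT,
                          socket.getfqdn(), "EXAMPLE.ORG")
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["principal_in_keytab"]:
        print("WARNING: daemons will present a principal the keytab does not contain; "
              "mutual authentication will fail")


if __name__ == "__main__":
    main()
```

Run it on the real files with `condor_config_val -dump` and `klist -k -t /path/to/keytab` substituted for the constructed samples. The default-principal branch is what bites when a keytab is copied between hosts without setting KERBEROS_SERVER_PRINCIPAL: each daemon then looks for host/<its own fqdn>@REALM, which only one machine's copy of the keytab can satisfy.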