
Re: [Condor-users] Condor, Kerberos, Active Directory and eDirectory



With Kerberos authentication you can run the job with RunAsOwner=True BUT without a Kerberos ticket. The submitter is authenticated with Kerberos, but there is no ticket forwarding anywhere to my knowledge.

I have found many different workarounds, as we use NFS with Kerberos, so our jobs need the ticket. The easiest thing to do is to make an NFS partition that is not protected by Kerberos for everything (data/libraries/executables) that is not on the execution host.

The other workaround is to handle the forwarding of the keys yourself... That is the option that we use, but this requires the serialisation of the ticket into the executable to be run, the transfer of the generated executable by Condor to the execution host (Condor always transfers the executable to the execution host (at least under Linux)), and then you must use the serialized ticket and launch the real job... Doing all this safely is not trivial. We do something pretty secure by encrypting the serialized ticket, but there is at least one small known hole somewhere, the code is not audited, ... Making something distributable takes even more time. So we don't publish it, as this is more like a complex hack for now, since it is not integrated in any way into Condor.

If you want to go down the same route as us, I can guide you. If I have the authorization, maybe we could provide some code for the serialisation/deserialisation of the ticket too, but nothing is sure there.

Fred

p.s. please try to keep your answers on the mailing list so that future people who look into the archives will find the answers that you receive.
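The hard part of the "forward the ticket yourself" route above is what happens on the execution host once the serialized ticket arrives: it must be written somewhere only the job owner can read, pointed to via KRB5CCNAME, and scrubbed when the job ends. The following is an added example written for this archive page, not Fred's code or anything shipped with Condor. It assumes the ticket is an MIT krb5 FILE-format credential cache (which starts with a 0x05 version byte) and uses a constructed placeholder byte string instead of a real ticket so it runs offline; the transport encryption Fred mentions is out of scope here.

```python
import os
import stat
import subprocess
import tempfile

# Constructed sample: an MIT krb5 FILE ccache version tag (0x05 0x04) followed by
# filler bytes. It is NOT a real ticket; it only lets the example run offline.
SAMPLE_CCACHE = bytes([0x05, 0x04, 0x00, 0x00]) + b"\x00" * 16


def looks_like_ccache(data: bytes) -> bool:
    """Sanity-check that the payload begins with an MIT krb5 FILE ccache version tag.

    Rejecting anything else stops a tampered or mis-packed payload from being
    staged under KRB5CCNAME in the first place.
    """
    return len(data) >= 2 and data[0] == 0x05 and data[1] in (1, 2, 3, 4)


def stage_ccache(data: bytes) -> str:
    """Write the ticket cache into a fresh private directory, readable by the owner only."""
    if not looks_like_ccache(data):
        raise ValueError("payload is not a Kerberos FILE credential cache")
    workdir = tempfile.mkdtemp(prefix="krb5cc_job_")  # created with mode 0700
    path = os.path.join(workdir, "krb5cc")
    # O_EXCL: never follow or reuse a pre-existing file in the directory.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def ccache_mode(path: str) -> int:
    """Permission bits of the staged cache, for verification."""
    return stat.S_IMODE(os.stat(path).st_mode)


def scrub(path: str) -> None:
    """Overwrite, then remove the staged cache and its private directory."""
    try:
        size = os.path.getsize(path)
        with open(path, "r+b") as fh:
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
    finally:
        os.remove(path)
        os.rmdir(os.path.dirname(path))


def run_with_ticket(data: bytes, argv: list) -> dict:
    """Stage the ticket, run the real job with KRB5CCNAME set, scrub afterwards.

    Returns the job's exit code and stdout plus whether the cache was removed,
    so a caller (or a test) can confirm no credential file was left behind.
    """
    path = stage_ccache(data)
    env = dict(os.environ, KRB5CCNAME="FILE:" + path)
    try:
        proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    finally:
        scrub(path)
    return {
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "ccache_path": path,
        "cache_scrubbed": not os.path.exists(path),
    }


if __name__ == "__main__":
    # Stand-in for the "real job": just show which cache the job would use.
    print(run_with_ticket(SAMPLE_CCACHE, ["sh", "-c", 'echo "$KRB5CCNAME"']))
```

The wrapper intentionally does nothing about how the ticket bytes got to the host; with Condor's executable transfer, whatever protects the serialized ticket in transit (Fred mentions encrypting it) sits in front of stage_ccache, and the known weak spots in such hacks are usually there rather than in the staging itself.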

On Mon, Nov 30, 2009 at 1:56 PM, <kschwarz@xxxxxxxxxxxxxx> wrote:

Fred,

What do you mean by "It doesn't forward the ticket to the jobs"?
Does this mean that you are not running with RunAsOwner=True?

Klaus




Frédéric Bastien <nouiz@xxxxxxxxx>
Sent by: condor-users-bounces@xxxxxxxxxxx

30/11/2009 16:15

Please respond to
Condor-Users Mail List <condor-users@xxxxxxxxxxx>

To
Condor-Users Mail List <condor-users@xxxxxxxxxxx>
cc
Subject
Re: [Condor-users] Condor, Kerberos, Active Directory and eDirectory





Hi,

Condor uses Kerberos only for authentication. It doesn't forward the ticket to the jobs, so access to other services like NFS servers won't work that way... I don't use Kerberos authentication for that reason, so I can't tell you more.

Fred

On Sat, Nov 28, 2009 at 6:01 PM, <kschwarz@xxxxxxxxxxxxxx> wrote:
Hi all,
 
Does anyone have experience using Kerberos authentication method in a Condor pool with Microsoft Active Directory for Condor Windows Execute nodes and Novell eDirectory for Condor Linux/Unix Central Manager nodes and Scheduler nodes, etc.?
 
I want to get guidelines and tips to set it up into our Condor pool environment as I don't have any experience in that subject.
Could someone help me?

Klaus


_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to
condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

https://lists.cs.wisc.edu/mailman/listinfo/condor-users

The archives can be found at:

https://lists.cs.wisc.edu/archive/condor-users/




This message is intended solely for the use of its addressee and may contain privileged or confidential information. All information contained herein shall be treated as confidential and shall not be disclosed to any third party without Embraer’s prior written approval. If you are not the addressee you should not distribute, copy or file this message. In this case, please notify the sender and destroy its contents immediately.