Re: [Condor-users] Condor with kerberized NFS



On Wed, Oct 19, 2011 at 11:50:10AM -0700, David Brodbeck wrote:
> I would really like to move to Kerberos authentication on our NFSv4 servers, to
> get away from some of the limitations of using auth_sys; but my reading so far
> seems to indicate this will not work with Condor because it doesn't forward the
> Kerberos ticket credentials when it runs a job on a remote host.  However, the
> last post I found on this was from 2009, so I'm hoping the situation might have
> changed.  Anyone have any experience with this?

i can tell you that this is still true.

even if condor forwarded the kerb credential to the execute machine, you
run into an additional problem if the execute directory itself is in the
NFSv4-authenticated filesystem.  (same is true if you are using X.509)

the reason for this is that condor currently doesn't support transferring some
files (i.e. security credentials) into a location NOT in the job sandbox so
that those credentials can be used to access the sandbox itself.  also, this
work is not planned for the current development series, so if/when it comes it
is still quite a ways out.


cheers,
-zach