
Re: [Condor-users] Condor with kerberized NFS



There is a hack that you can do if the execution directory is not under Kerberos, like on the local disk of the execution node.

You need a wrapper to condor_submit that will serialize a ticket and ask Condor to transfer it. Then, on the execute node, you have the job run another wrapper programme that unserializes the ticket and then executes the real code.

You should encrypt the serialized ticket for security purposes.

You also need a way to renew the serialized ticket while the job is in the queue and maybe when the job runs.

One of ours has done it, but I don't know if I can share the code. And even in that case, this is probably not well-documented code and not necessarily easy to use.

Fred

On Oct 19, 2011 4:22 PM, "Zachary Miller" <zmiller@xxxxxxxxxxx> wrote:
On Wed, Oct 19, 2011 at 11:50:10AM -0700, David Brodbeck wrote:
> I would really like to move to Kerberos authentication on our NFSv4 servers, to
> get away from some of the limitations of using auth_sys; but my reading so far
> seems to indicate this will not work with Condor because it doesn't forward the
> Kerberos ticket credentials when it runs a job on a remote host.  However, the
> last post I found on this was from 2009, so I'm hoping the situation might have
> changed.  Anyone have any experience with this?

i can tell you that this is still true.

even if condor forwarded the kerb credential to the execute machine, you
run into an additional problem if the execute directory itself is in the
NFSv4-authenticated filesystem.  (same is true if you are using X.509)

the reason for this is that condor currently doesn't support transferring some
files (i.e. security credentials) into a location NOT in the job sandbox so
that those credentials can be used to access the sandbox itself.  also, this
work is not planned for the current development series, so if/when it comes it
is still quite a ways out.


cheers,
-zach
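
The execute-side wrapper described in the reply above, as an added example that is not the code from the poster's site. It assumes the serialized ticket cache has already been decrypted into the job sandbox by whatever tool the site uses; the names `run_with_ticket` and `krb5job_` are hypothetical.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def run_with_ticket(transferred_cache, argv):
    """Run argv with KRB5CCNAME pointing at a private copy of the ticket cache.

    Returns (exit_code, private_cache_path). The private copy is deleted
    before this function returns.
    """
    # mkdtemp creates the directory with mode 0700, so other local users
    # on the execute node cannot reach the cache while the job runs.
    private_dir = tempfile.mkdtemp(prefix="krb5job_")
    cache_path = os.path.join(private_dir, "krb5cc")
    try:
        # O_EXCL refuses a pre-existing file or symlink; 0600 keeps the
        # ticket readable by the job owner only.
        fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as dst, open(transferred_cache, "rb") as src:
            shutil.copyfileobj(src, dst)
        # Remove the sandbox copy so it is not left behind or shipped back
        # with the job's output files.
        os.remove(transferred_cache)
        # Kerberos libraries locate the credential cache through KRB5CCNAME.
        env = dict(os.environ, KRB5CCNAME="FILE:" + cache_path)
        exit_code = subprocess.call(argv, env=env)
    finally:
        # Delete the ticket whether the job succeeded, failed or raised.
        shutil.rmtree(private_dir, ignore_errors=True)
    return exit_code, cache_path


if __name__ == "__main__":
    # Hypothetical usage: wrapper.py <transferred_cache> <real program> [args...]
    code, _ = run_with_ticket(sys.argv[1], sys.argv[2:])
    sys.exit(code)
```

The wrapper returns the real program's exit code so that Condor still sees the job's own status.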
