
Re: [HTCondor-users] Question about kerberos authentication - keytab required?



It all depends on how you have your security parameters
configured.  If you are using Kerberos authentication you can choose
to require authentication on submit, or not.
In my cluster (which doesn't use Kerberos but GSI)
we have

SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_CLIENT_AUTHENTICATION = OPTIONAL
SEC_READ_AUTHENTICATION = OPTIONAL

There are several other levels of authentication that
are configurable. In this configuration you still need
authentication to submit but not to do condor_status or condor_q.
You could also consider allowing

SEC_DEFAULT_AUTHENTICATION_METHODS=FS,KERBEROS

That way someone could submit remotely using a Kerberos principal,
but if logged into the submit host itself could submit using
FS authentication.

Steve Timm





On Thu, 31 Jul 2014, L Kreczko wrote:

Dear HTCondor experts,

I understand that HTCondor is capable of using the keytab as hinted by
the parameter KERBEROS_SERVER_PRINCIPAL.

However, since it is not explicitly said in the documentation:
Does kerberos authentication for a user submitting jobs require a keytab?

Cheers,
Luke


------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Scientific Computing Division, Scientific Computing Services Quad.
Grid and Cloud Services Dept., Associate Dept. Head for Cloud Computing
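
An added example, not part of the original thread and not HTCondor code: a short Python sketch that resolves the settings quoted in the reply the way the HTCondor manual documents security negotiation (a per-context knob falls back to SEC_DEFAULT_*, then the client-side and daemon-side levels are combined). It assumes the client tool and the daemon read the same configuration, that condor_q and condor_status need READ access while condor_submit needs WRITE, and that OPTIONAL applies when no knob is set; the function names are hypothetical.

```python
# Added illustration, not HTCondor code. CONFIG combines the knobs from the reply.
CONFIG = """
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_CLIENT_AUTHENTICATION = OPTIONAL
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS=FS,KERBEROS
"""

def parse(text):
    """Parse NAME = value lines into a dict keyed by upper-cased name."""
    knobs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        knobs[name.strip().upper()] = value.strip()
    return knobs

def knob(knobs, context, feature, fallback):
    """Look up SEC_<context>_<feature>, then SEC_DEFAULT_<feature>."""
    return knobs.get(f"SEC_{context}_{feature}",
                     knobs.get(f"SEC_DEFAULT_{feature}", fallback))

def negotiate(client, daemon):
    """Combine the two sides: YES (authenticate), NO (skip) or FAIL."""
    pair = {client, daemon}
    if pair == {"REQUIRED", "NEVER"}:
        return "FAIL"            # one side insists, the other refuses
    if "REQUIRED" in pair:
        return "YES"
    if "NEVER" in pair:
        return "NO"
    return "YES" if "PREFERRED" in pair else "NO"

def outcome(knobs, daemon_context):
    """Return (negotiation result, method list) for one daemon access level."""
    # "OPTIONAL" as the unset default is an assumption of this sketch.
    client = knob(knobs, "CLIENT", "AUTHENTICATION", "OPTIONAL").upper()
    daemon = knob(knobs, daemon_context, "AUTHENTICATION", "OPTIONAL").upper()
    raw = knob(knobs, daemon_context, "AUTHENTICATION_METHODS", "")
    return negotiate(client, daemon), [m.strip() for m in raw.split(",") if m.strip()]

if __name__ == "__main__":
    settings = parse(CONFIG)
    for ctx, tools in (("READ", "condor_q / condor_status"), ("WRITE", "condor_submit")):
        print(ctx, tools, outcome(settings, ctx))
```
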