[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] condor not forwarding kerberos tokens
- Date: Wed, 18 Jan 2017 00:48:02 +0000
- From: Zach Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] condor not forwarding kerberos tokens
Actually, HTCondor has never done this automatically for the user. I suspect your students years and years ago were doing this âmanuallyâ by transferring their krb5cc using file transfer and then setting an environment variable in the job to point to it. (and run aklog as part of the job)
You can still do that. Weâve also made a lot of progress with Kerberos and AFS in the last year which will allow not just AFS access, but also have the ability to have your jobâs log files, stdout/err, etc. in AFS. That is, you can submit and run inside an AFS directory and not do any explicit file transfer. Plus your tickets/tokens can be renewed while the job is running if your krb5 policy allows it.
If you need this working immediately, go with the approach I mentioned first. Or, if you can wait a little while for 8.7 to come out, the AFS support will be much improved.
On 1/17/17, 4:37 PM, "HTCondor-users on behalf of Lee Damon" <htcondor-users-bounces@xxxxxxxxxxx on behalf of nomad@xxxxxxxxxxxxxxxxx> wrote:
In the past (years and years ago) I had some users who were actively
using kerberos tokens with their condor runs. They've left but recently
a new student needs access to kerberos-protected AFS volumes. When he
tries to run he is unable to get access.
It looks like kerberos tickets aren't being forwarded anymore. I'm
running a script that does nothing more than try to get a token. When I
look at the .err output I see the following:
klist: No credentials cache found (filename: /tmp/krb5cc_92096)
Any hints on what I need to do to turn kerberos token passing back on in
condor? Our default is to make all tokens forwardable and ssh works just
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
You can also unsubscribe by visiting
The archives can be found at: