
[HTCondor-users] HTCondor's Attack on Kerberos



Hi everyone,

since we use Kerberos for all authentication tasks,
I was happy to see that HTCondor is able to use it
as well. So I added this to my config:

SEC_WRITE_AUTHENTICATION                 = REQUIRED
SEC_WRITE_AUTHENTICATION_METHODS         = KERBEROS
SEC_ADMINISTRATOR_AUTHENTICATION         = REQUIRED
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = KERBEROS
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = KERBEROS
SEC_COLLECTOR_AUTHENTICATION_METHODS = KERBEROS
SEC_STARTD_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = KERBEROS
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
SEC_CLIENT_AUTHENTICATION_METHODS = KERBEROS

... which works but:

My Kerberos KDCs started to become unresponsive. HTCondor
processes seem not to cache their tickets but to get new
ones for each communication process (i.e. STARTD updating
classads). With a lot of nodes in the pool, this becomes
quite the challenge for Kerberos KDCs.

Did anyone experience the same problem? Is it ill-advised to
use Kerberos for HTCondor server communication? Is there a
chance to force an on-disk ticket cache for HTCondor processes?

Best regards,

Frank
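
One way to check the behaviour described in this message from the KDC side, as an added example that is not part of the original post: count how many tickets the KDC issued to each client principal and how many of them a caching client would not have needed. It assumes an MIT krb5kdc log layout; the sample lines, principals, addresses and times are constructed, and `ticket_churn` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Matches ticket-issuing lines in the MIT krb5kdc log layout (assumed KDC flavour).
ISSUE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(.*?: ISSUE: authtime (?P<authtime>\d+),"
    r".* (?P<client>\S+) for (?P<service>\S+)$"
)

# Constructed sample log. node01 fetches a new TGT for every connection;
# node02 keeps its TGT but asks again for the same service ticket.
SAMPLE_LOG = """\
Jan 10 12:00:01 kdc1 krb5kdc[911](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: host/node01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Jan 10 12:00:01 kdc1 krb5kdc[911](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1700000001, etypes {rep=18 tkt=18 ses=18}, host/node01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 10 12:00:01 kdc1 krb5kdc[911](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1700000001, etypes {rep=18 tkt=18 ses=18}, host/node01.example.org@EXAMPLE.ORG for host/cm.example.org@EXAMPLE.ORG
Jan 10 12:01:01 kdc1 krb5kdc[911](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1700000061, etypes {rep=18 tkt=18 ses=18}, host/node01.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 10 12:01:01 kdc1 krb5kdc[911](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1700000061, etypes {rep=18 tkt=18 ses=18}, host/node01.example.org@EXAMPLE.ORG for host/cm.example.org@EXAMPLE.ORG
Jan 10 12:00:05 kdc1 krb5kdc[911](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.6: ISSUE: authtime 1700000005, etypes {rep=18 tkt=18 ses=18}, host/node02.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 10 12:00:05 kdc1 krb5kdc[911](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.6: ISSUE: authtime 1700000005, etypes {rep=18 tkt=18 ses=18}, host/node02.example.org@EXAMPLE.ORG for host/cm.example.org@EXAMPLE.ORG
Jan 10 12:01:05 kdc1 krb5kdc[911](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.6: ISSUE: authtime 1700000005, etypes {rep=18 tkt=18 ses=18}, host/node02.example.org@EXAMPLE.ORG for host/cm.example.org@EXAMPLE.ORG
"""

def ticket_churn(log_text):
    """Count, per client principal, the tickets the KDC issued and the repeats."""
    initial = Counter()             # client -> TGTs issued (AS_REQ)
    service = defaultdict(Counter)  # client -> (service, TGT authtime) -> tickets
    for line in log_text.splitlines():
        m = ISSUE.search(line.rstrip())
        if not m:
            continue                # NEEDED_PREAUTH, errors, unrelated lines
        if m["kind"] == "AS_REQ":
            initial[m["client"]] += 1
        else:
            # A TGS-issued ticket carries the authtime of the TGT it was based on.
            service[m["client"]][(m["service"], m["authtime"])] += 1
    report = {}
    for client in sorted(set(initial) | set(service)):
        per_ticket = service[client]
        report[client] = {
            "tgt_issued": initial[client],
            "service_tickets": sum(per_ticket.values()),
            # Same service requested again under the same TGT: not cached.
            "repeated_service_tickets": sum(n - 1 for n in per_ticket.values()),
        }
    return report

if __name__ == "__main__":
    for principal, counts in ticket_churn(SAMPLE_LOG).items():
        print(principal, counts)
```

Within one ticket lifetime, a client that keeps its tickets shows one TGT and one service ticket per service; higher counts for a daemon's principal put a number on the KDC load described above.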