
Re: [HTCondor-users] HTCondor with kerberized home directories



Hi,

there is an implementation for handling of security tokens in HTCondor that can be used to integrate HTCondor into a KRB/AFS environment. 

It is available in the development branch (currently 8.7.8) and is currently being partly reengineered to become a fully documented and supported feature in the next stable release, which will be 8.8, due autumn this year.

The early version of this implementation is productive at CERN and DESY, here is a talk about it: 

https://agenda.hep.wisc.edu/event/1201/session/9/contribution/40/material/slides/0.pdf

There is another technical talk about it from Zach that is currently not online but should be available through the HTCondor team. 

The current implementation involves a bit of scripting, hence if you are not in a hurry it would probably be wise to wait for 8.8, but if you want to start right away I can send you a recipe and would be open for questions.

Best
Christoph 

-- 
Christoph Beyer
DESY Hamburg
IT-Department

Notkestr. 85
Building 02b, Room 009
22607 Hamburg

phone:+49-(0)40-8998-2317
mail: christoph.beyer@xxxxxxx

----- Original Message -----
From: "Andreas Hirczy" <ahi@xxxxxxxxxxxxx>
To: "Oliver Freyermuth" <freyermuth@xxxxxxxxxxxxxxxxxx>
CC: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
Sent: Tuesday, 12 June 2018 09:46:52
Subject: Re: [HTCondor-users] HTCondor with kerberized home directories

Oliver Freyermuth <freyermuth@xxxxxxxxxxxxxxxxxx> writes:

> We have HTCondor installed on our desktop machines for submission, and
> the jobs run on worker nodes in a private network.  The desktops are
> naturally subject to security updates and may be rebooted about once
> per week. The home directories are mounted via NFSv4 with Kerberos 5
> authentication.

We use a similar setup with Kerberos/OpenAFS for home directories.

> How are others solving this? 

I remember there used to be solutions with forwarded and postdated
tickets; see e.g.
<https://lists.cs.wisc.edu/archive/htcondor-users/2007-October/msg00089.shtml>
A wrapper script with "k5start" might also work.

I never tried those, since it somehow compromises the security gain from
Kerberos authentication. Also the setup always appeared a bit hacky and
not really robust.

<https://lists.cs.wisc.edu/archive/htcondor-users/2017-January/msg00051.shtml>
indicates some new development.

> Is the only way to have some kind of scratch space somewhere, with unix auth? 

We have quite a bit of scratch space; created by utilizing unused disc
capacity from computing nodes with MooseFS <https://moosefs.com/>.

Best regards,
Andreas
-- 
Andreas Hirczy <ahi@xxxxxxxxxxxxx>                  https://itp.tugraz.at/~ahi/
Graz University of Technology                       phone: +43/316/873-   8190
Institute of Theoretical and Computational Physics    fax: +43/316/873-10 8190
Petersgasse 16, A-8010 Graz                        mobile: +43/664/859 23 57