Re: [HTCondor-users] HTCondor Client Kerberos authentication with Credential Collections

Hi Zach,

On 19.06.2018 at 18:21, Zach Miller wrote:
> Hi Oliver,
>> Or are credential cache collections not yet supported (they exist since a
>> very long time and are the default in RHEL 7) ?
> Unfortunately, collections are not supported.  There are no condor_config settings allowing a client to pick which realm or principal to use.  For now your only option would be to have separate Credential Caches for each principal, stored in files, and use KRB5CCNAME to point to the one you wish to use.

Many thanks for the confirmation!
In most cases things will still "work" for our users, since they often only have a single credential cache in use. So the main advice we have to give them now is to use "kinit" again after they have finished using their CERN.CH principal, before using HTCondor again (or we really have to adjust the configuration back to not use credential caches, but this has other issues, e.g. our users lose access to local filesystems when getting a CERN.CH principal).

Apart from that, adjusting KRB5CCNAME on the fly would of course also work, if we go back to a directory / multi-file-based collection cache. We have to think about what is best for the meantime.

> We will have to investigate support for collections... especially if they are the default.  Thanks for the report.

Thanks for letting me know it's not me missing a configuration option ;-) 
I hope it's not too complex to implement; checking the docs, I basically find an iteration API ( krb5_cccol_cursor_new(), krb5_cccol_cursor_next(), and krb5_cccol_cursor_free() ),
but I'm not too experienced in the inner workings of the Kerberos library.

Cheers and many thanks,

> Cheers,
> -zach
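The workaround Zach describes above amounts to one FILE: cache per principal and KRB5CCNAME pointing at the right one before an HTCondor client is started. As an added example (not part of this thread, and not HTCondor or MIT krb5 code), the Python below reads the default principal out of MIT FILE-format caches (format versions 3 and 4, laid out as in the MIT krb5 "Credential cache file format" documentation) and picks the cache for a given realm, so a small wrapper can export KRB5CCNAME instead of asking users to re-run kinit. The sample caches are constructed inside the script and contain no credentials; the realm LOCAL.EXAMPLE, the user name and the file names are assumptions.

```python
"""Pick the FILE: credential cache for a realm from a directory of caches.

Only the header and the default principal of each MIT krb5 FILE ccache are
parsed (format versions 3 and 4, big-endian). Versions 1 and 2 use native
byte order and are rejected. Layout per the MIT krb5 docs; the sample caches
written by build_ccache()/demo() are constructed for this example.
"""
import os
import struct
import tempfile


def _counted(buf, off):
    """Read a 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    data = buf[off:off + n]
    if len(data) != n:
        raise ValueError("truncated counted octet string")
    return data, off + n


def default_principal(ccache_bytes):
    """Return 'comp1/comp2@REALM' for a FILE ccache (v3 or v4)."""
    if len(ccache_bytes) < 2 or ccache_bytes[0] != 0x05:
        raise ValueError("not a krb5 FILE credential cache")
    version = ccache_bytes[1]
    off = 2
    if version == 4:
        # v4 adds a tagged header (e.g. DeltaTime); skip it entirely.
        (hdr_len,) = struct.unpack_from(">H", ccache_bytes, off)
        off += 2 + hdr_len
    elif version != 3:
        raise ValueError("unsupported ccache version %d" % version)
    _name_type, ncomp = struct.unpack_from(">II", ccache_bytes, off)
    off += 8
    realm, off = _counted(ccache_bytes, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(ccache_bytes, off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode()


def build_ccache(principal, version=4):
    """Construct a minimal FILE ccache (header + default principal, no
    credentials) so the example runs offline without kinit."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05" + bytes([version]))
    if version == 4:
        hdr = struct.pack(">HH", 1, 8) + b"\x00" * 8  # DeltaTime tag, zeroed
        out += struct.pack(">H", len(hdr)) + hdr
    out += struct.pack(">II", 1, len(comps))  # KRB5_NT_PRINCIPAL = 1
    out += struct.pack(">I", len(realm)) + realm.encode()
    for comp in comps:
        out += struct.pack(">I", len(comp)) + comp.encode()
    return bytes(out)


def choose_ccache(cache_dir, realm):
    """Return the KRB5CCNAME value ('FILE:/path') for the cache in cache_dir
    whose default principal belongs to `realm`, or None. Files that are not
    parseable caches are skipped rather than trusted."""
    for fn in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, fn)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as f:
                princ = default_principal(f.read(4096))
        except ValueError:
            continue
        if princ.rsplit("@", 1)[1] == realm:
            return "FILE:" + path
    return None


def demo():
    """Write two constructed caches (assumed user 'oliver') and select the
    non-CERN.CH one for the HTCondor client."""
    d = tempfile.mkdtemp()
    samples = (("tkt_cern", "oliver@CERN.CH"),
               ("tkt_local", "oliver@LOCAL.EXAMPLE"))
    for fn, princ in samples:
        with open(os.path.join(d, fn), "wb") as f:
            f.write(build_ccache(princ))
    chosen = choose_ccache(d, "LOCAL.EXAMPLE")
    # A wrapper would then run the client with this environment:
    # subprocess.run(["condor_q"], env=dict(os.environ, KRB5CCNAME=chosen))
    return chosen


if __name__ == "__main__":
    print(demo())
```

The same selection works on the tkt* files inside a DIR: collection; MIT krb5 also accepts KRB5CCNAME=DIR:: followed by the path of one subsidiary cache file, which avoids copying caches around. Whatever the wrapper picks, it should only ever hand the client a cache it was able to parse, not the first file it finds.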
