[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains


Chris Samuel csamuel at vpac.org
Tue Aug 12 21:27:40 PDT 2008


----- "Dave Love" <d.love at liverpool.ac.uk> wrote:

> Chris Samuel <csamuel at vpac.org> writes:
> 
> > My information is that it's NSS that's more the problem
> > here rather than PAM, because of the assumptions it makes.
> 
> Well, the OP only talked about authentication.

I was the OP. ;-)   To clarify, we'd need to both auth
and do NSS lookups against the two AD systems.
 
> > We'd prefer to steer clear of Kerberos, it introduces
> > arbitrary job limitations through ticket lives that
> > are not tolerable for HPC work.
> 
> Why do you need to re-authenticate,

If I create a 3 month long Kerberos ticket, and my PBS
job will run for 3 months but ends up waiting in the
queue for 2 weeks before it can start due to demand
then that ticket will have expired before the job can
complete.  Now, if I don't do anything that requires
further re-authentication then it'll probably be OK.
But if I do, then it may not work.

> and if you do, surely you need to stash a credential
> somewhere however you do it?

The GSSAPI branch of Torque will cache the ticket
for you, but (AFAIK) cannot extend the life of it.
But it's academic anyway as I don't think that
branch is usable in production currently.

cheers,
Chris
-- 
Christopher Samuel - (03) 9925 4751 - Systems Manager
 The Victorian Partnership for Advanced Computing
 P.O. Box 201, Carlton South, VIC 3053, Australia
VPAC is a not-for-profit Registered Research Agency


