[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains

[Perry E. Metzger]

Dave Love <d.love at liverpool.ac.uk> writes:
>> We'd prefer to steer clear of Kerberos, it introduces
>> arbitrary job limitations through ticket lives that
>> are not tolerable for HPC work.

Which of course isn't true. If Wall Street firms, which really cannot
afford to have their trading systems go down even for a second, can
happily use kerberos in servers, so can anyone.

>> Say you submit a job that is in the queue for a week
>> and then will run for 3 months - we don't know if the
>> AD admins will permit the creation of a 4 month ticket
>> "just in case"..
>
> Why do you need to re-authenticate, and if you do, surely you need to
> stash a credential somewhere however you do it?

Indeed, and if you have stashed your key appropriately you can just
have a cron job kinit as often as you like. The kinit man page
gives the command line flag for requesting credentials using a key
taken from a file, ans also lists the flag for setting your ticket
expiry time. All you do is put one line in a crontab with kinit and
those two options, say every 24 hours.

I keep seeing these messages go by over and over making it sound like
this is difficult. It is not difficult. I've seen people say "I have
seen no document with a recipe for how to do it", perhaps because a
single kinit command in a cron job is too simple for a HOWTO.

Maybe some sort of strange myth has been going by so long on this that
people refuse to believe that the ticket refresh is a single easy
command?

Perry
-- 
Perry E. Metzger		perry at piermont.com