[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains

Dave Love d.love at liverpool.ac.uk
Wed Aug 13 07:14:05 PDT 2008


Chris Samuel <csamuel at vpac.org> writes:

> I was the OP. ;-) 

[`Post', not `poster'!]

>> Why do you need to re-authenticate,
>
> If I create a 3 month long Kerberos ticket, and my PBS
> job will run for 3 months but ends up waiting in the
> queue for 2 weeks before it can start due to demand
> then that ticket will have expired before the job can
> complete.

Yes, I realize that, but typically that isn't an issue.  I have operated
a cluster with Kerberos authN to AD (spit), and am about to do
it again (sigh).

> Now, if I don't do anything that requires
> further re-authentication then it'll probably be OK.
> But if I do, then it may not work..

Yes.  That's what I meant in reply to John Hearns, which was ambiguous,
according to mail he sent me.  The problems arise when you need tickets
to access something like AFS (which seems to be much the most common
case), but I'd guess that's a non-issue for the majority of cases.

>> and if you do, surely you need to stash a credential
>> somewhere however you do it?
>
> The GSSAPI branch of Torque will cache the ticket
> for you, but (AFAIK) cannot extend the life of it.

I mean that I don't see the objection to Kerberos per se, because if you
use any other authN mechanism, you have essentially the same problem,
and sure, GSSAPI doesn't solve it.


