[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains
Perry E. Metzger
perry at piermont.com
Wed Aug 13 10:16:52 PDT 2008
Dave Love <d.love at liverpool.ac.uk> writes:
> "Perry E. Metzger" <perry at piermont.com> writes:
>> I keep seeing these messages go by over and over making it sound like
>> this is difficult. It is not difficult. I've seen people say "I have
>> seen no document with a recipe for how to do it", perhaps because a
>> single kinit command in a cron job is too simple for a HOWTO.
>
> How about commenting on the DESY paper I linked to and pointing out
> exactly how they were wasting their time?
I didn't see that link. Please re-forward it.
>> Maybe some sort of strange myth has been going by so long on this
>> that people refuse to believe that the ticket refresh is a single
>> easy command?
>
> Because it simply isn't, in the context of typical Beowulf batch
> systems, especially if you're not going to pretty well chuck out the
> Kerberos security model. (Those of us who've contributed to a Kerberos
> implementation -- particularly the documentation -- know all about
> kinit, obviously.)
Maybe I'm not getting the problem domain here.
There are, as I see it, two contexts in which you want Kerberos
tickets: you want to authenticate access to compute nodes, in which
case the remote server is doing nothing that kerberized services
haven't done for 20 years to get its tickets, and you may need user
credentials to get resources for the user process once it is running
on the cluster node. The latter isn't an issue in the average cluster
which runs on a segregated network and isn't trying to mount the
user's home file system or what have you. If it were a real issue, I
would give the user a new instance just for remote jobs so that you
could restrict the permissions for that particular instance down to
what was absolutely needed, and forward the tickets at intervals from
his trusted machine to the compute nodes. This is, after all, more or
less what forwarding credentials were made for.
--
Perry E. Metzger perry at piermont.com
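Added example, not code from the poster or from anyone else in the thread: the "single kinit command in a cron job" refresh described above, written out as a script a batch account could run from cron. It first tries an in-place renewal (kinit -R, which needs no key material on the node and keeps the same credential cache), and only when the renewable lifetime is exhausted or the cache is gone does it fall back to a fresh TGT from a keytab. The principal name, keytab path, cache path and the one-hour margin are assumptions for the example; the klist output is a constructed sample in the MIT Kerberos layout, and the date -d call is GNU date.

```shell
#!/bin/sh
# Added example (not the original poster's code): keep a batch principal's
# Kerberos credential cache alive from cron. Assumed values: the principal,
# keytab and cache paths below; MIT Kerberos kinit/klist when run for real.

PRINC="${KRB_PRINC:-batch/cluster@EXAMPLE.ORG}"                 # assumed
KEYTAB="${KRB_KEYTAB:-/etc/krb5/batch.keytab}"                   # assumed
export KRB5CCNAME="${KRB5CCNAME:-FILE:/var/run/krb5cc_batch}"    # assumed

# Constructed sample of `klist` output (MIT layout), used for offline checks.
SAMPLE_KLIST='Ticket cache: FILE:/var/run/krb5cc_batch
Default principal: batch/cluster@EXAMPLE.ORG

Valid starting       Expires              Service principal
08/13/08 09:00:00    08/13/08 19:00:00    krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	renew until 08/20/08 09:00:00'

# tgt_expiry KLIST_OUTPUT
#   Print the "Expires" date and time of the krbtgt line (fields 3 and 4 of
#   the ticket row). Prints nothing and returns 1 when there is no TGT, so a
#   cache holding only service tickets counts as needing a new login.
tgt_expiry() {
    printf '%s\n' "$1" | awk '
        $NF ~ /^krbtgt\// { print $3 " " $4; found = 1 }
        END { exit !found }'
}

# needs_refresh EXPIRES_EPOCH NOW_EPOCH MARGIN_SECONDS
#   True (0) when the ticket expires within MARGIN_SECONDS of NOW, so the
#   cron interval plus the margin must cover the longest job step.
needs_refresh() {
    [ $(( $1 - $2 )) -le "$3" ]
}

# refresh_tickets
#   Renew in place first; if that fails (renewable lifetime used up, cache
#   missing or expired), obtain a fresh TGT from the keytab. The keytab is
#   the only long-lived secret, so it should be root-owned and mode 0600.
refresh_tickets() {
    kinit -R 2>/dev/null && return 0
    kinit -k -t "$KEYTAB" "$PRINC"
}

# Entry point for cron, e.g. (assumed install path):
#   */30 * * * *  /usr/local/sbin/krb-refresh.sh run
main() {
    out=$(klist 2>/dev/null) || { refresh_tickets; return $?; }
    exp=$(tgt_expiry "$out") || { refresh_tickets; return $?; }
    exp_epoch=$(date -d "$exp" +%s)    # GNU date; BSD: date -j -f '%m/%d/%y %H:%M:%S'
    if needs_refresh "$exp_epoch" "$(date +%s)" 3600; then
        refresh_tickets
    fi
}

if [ "${1:-}" = run ]; then
    main
fi
```

Run with the argument `run` from cron; without it the script only defines the functions, which keeps it sourceable for testing. The margin (3600 s here) should exceed the cron interval, otherwise a ticket can lapse between runs.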