[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains
Chris Samuel
csamuel at vpac.org
Thu Jul 31 22:37:12 PDT 2008
----- "Dave Love" <d.love at liverpool.ac.uk> wrote:
> Having completely separate ADs for staff and students seems odd...
Yeah, I think they're wishing they'd not done that now.. :-)
> Why doesn't it work to have two `sufficient' cases
> of pam_ldap with different `config' args pointing
> to different servers?
My information is that it's NSS that's more the problem
here rather than PAM, because of the assumptions it makes.
> However, LDAP isn't an authentication protocol. Use
> Kerberos for authentication.
We'd prefer to steer clear of Kerberos, it introduces
arbitrary job limitations through ticket lives that
are not tolerable for HPC work.
Say you submit a job that is in the queue for a week
and then will run for 3 months - we don't know if the
AD admins will permit the creation of a 4 month ticket
"just in case"..
There's also the fact that Torque doesn't have GSSAPI
support in the mainline versions yet and what I hear
about the GSSAPI branch implies that it is just for
testing and development at present.
cheers,
Chris
--
Christopher Samuel - (03) 9925 4751 - Systems Manager
The Victorian Partnership for Advanced Computing
P.O. Box 201, Carlton South, VIC 3053, Australia
VPAC is a not-for-profit Registered Research Agency