[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains
Chris Samuel
csamuel at vpac.org
Tue Aug 12 21:27:40 PDT 2008
----- "Dave Love" <d.love at liverpool.ac.uk> wrote:
> Chris Samuel <csamuel at vpac.org> writes:
>
> > My information is that it's NSS that's more the problem
> > here rather than PAM, because of the assumptions it makes.
>
> Well, the OP only talked about authentication.

I was the OP. ;-) To clarify, we'd need to both auth
and do NSS lookups against the two AD systems.

> > We'd prefer to steer clear of Kerberos, it introduces
> > arbitrary job limitations through ticket lives that
> > are not tolerable for HPC work.
>
> Why do you need to re-authenticate,

If I create a 3 month long Kerberos ticket, and my PBS
job will run for 3 months but ends up waiting in the
queue for 2 weeks before it can start due to demand
then that ticket will have expired before the job can
complete. Now, if I don't do anything that requires
further re-authentication then it'll probably be OK.
But if I do, then it may not work..

> and if you do, surely you need to stash a credential
> somewhere however you do it?

The GSSAPI branch of Torque will cache the ticket
for you, but (AFAIK) cannot extend the life of it.

But it's academic anyway as I don't think that
branch is usable in production currently.

cheers,
Chris
--
Christopher Samuel - (03) 9925 4751 - Systems Manager
The Victorian Partnership for Advanced Computing
P.O. Box 201, Carlton South, VIC 3053, Australia
VPAC is a not-for-profit Registered Research Agency