Overview : Community : Archive : Tools : Showcase

Archives


- Beowulf
- Beowulf Announce
- Scyld-users
- Beowulf on Debian

[Beowulf] Re: Linux cluster authenticating against multiple Active Directory domains

Many of your questions may have already been answered in earlier discussions or in the FAQ. The search results page will indicate current discussions as well as past list serves, articles, and papers.

Search

Prentice Bisbal prentice at ias.edu
Wed Aug 13 06:10:18 PDT 2008 


Perry E. Metzger wrote:
> Dave Love <d.love at liverpool.ac.uk> writes:
>>> We'd prefer to steer clear of Kerberos, it introduces
>>> arbitrary job limitations through ticket lives that
>>> are not tolerable for HPC work.
> 
> Which of course isn't true. If Wall Street firms, which really cannot
> afford to have their trading systems go down even for a second, can
> happily use kerberos in servers, so can anyone.
> 
>>> Say you submit a job that is in the queue for a week
>>> and then will run for 3 months - we don't know if the
>>> AD admins will permit the creation of a 4 month ticket
>>> "just in case"..
>> Why do you need to re-authenticate, and if you do, surely you need to
>> stash a credential somewhere however you do it?
> 
> Indeed, and if you have stashed your key appropriately you can just
> have a cron job kinit as often as you like. The kinit man page
> gives the command line flag for requesting credentials using a key
> taken from a file, ans also lists the flag for setting your ticket
> expiry time. All you do is put one line in a crontab with kinit and
> those two options, say every 24 hours.

Isn't stashing a bunch of user keys on a single system a major security
risk? One could argue that the cluster should be on a private, secured
network so it's okay, but then I'll argue that the node storing the keys
will most likely be the master node, which is often on a "public"
network so users can access it to submit jobs.

I can't imagine an arrangement like this passing the scrutiny of the
local information security officer. And if you're going to use a key
stored on a disk, why not just use SSH keys?

> 
> I keep seeing these messages go by over and over making it sound like
> this is difficult. It is not difficult. I've seen people say "I have
> seen no document with a recipe for how to do it", perhaps because a
> single kinit command in a cron job is too simple for a HOWTO.

Isn't stashing a bunch of user keys on a single system a major security
risk? One could argue that the cluster should be on a private, secured
network so it's okay, but then I'll argue that the node storing the keys
will most likely be the master node, which is often on a "public"
network so users can access it to submit jobs.

I can't imagine an arrangement like this passing the scrutiny of the
local information security officer. And if you're going to use a key
stored on a disk, why not just use SSH keys?

> 
> Maybe some sort of strange myth has been going by so long on this that
> people refuse to believe that the ticket refresh is a single easy
> command?

Maybe you're not reading the questions correctly. In my original
question about how to do this, I asked how to do this using the queuing
system to refresh the keys -- I was asking for an integrated solution.
Above, you describe doing it with a cron job, which does not answer my
question.

-- 
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ

More information about the Beowulf mailing list

Home | Overview | Community | Archive | Tools | Showcase

Copyright © 2004 Beowulf.org. All Rights Reserved.