[Beowulf] Re: Kerberos + HPC
d.love at liverpool.ac.uk
Wed Aug 13 07:15:04 PDT 2008
"Perry E. Metzger" <perry at piermont.com> writes:
> So, you just run kinit in cron as the specified daemon user with the
> appropriate flags and it will renew its own tickets and all is well.
Who says you can even run kinit from cron if it was appropriate?
> I'm not sure why people think this is all so mysterious. Can you
> explain what is hard about this?
That's just hand-waving. Hard things include how you integrate it with
a distributed batch system, for a start. Making it tolerably secure
too. I don't want all users to keep keytabs around everywhere
(synchronized with password changes), even if they were practically
going to solve the problem of having valid credential caches at the
relevant times on the relevant nodes.
>> The canonical tool for daemonic use is
>> <URL:http://www.eyrie.org/~eagle/software/kstart/>, but it's probably
>> not so useful for jobs in a batch system.
> Why bother when kinit will do the job? That's what it is for.
Russ Allbery can doubtless justify it better than I can, if the doc
doesn't help. He's an MIT Kerberos maintainer(?)/contributor and runs a
large Kerberos infrastructure; I don't think he was wasting his time.
More information about the Beowulf