[Beowulf] Re: Linux cluster authenticating against multiple
Active Directory domains
csamuel at vpac.org
Thu Jul 31 22:37:12 PDT 2008
----- "Dave Love" <d.love at liverpool.ac.uk> wrote:
> Having completely separate ADs for staff and students seems odd...
Yeah, I think they're wishing they'd not done that now.. :-)
> Why doesn't it work to have two `sufficient' cases
> of pam_ldap with different `config' args pointing
> to different servers?
My information is that it's NSS that's more the problem
here rather than PAm, because of the assumptions it makes.
> However, LDAP isn't an authentication protocol. Use
> Kerberos for authentication.
We'd prefer to steer clear of Kerberos, it introduces
arbitrary job limitations through ticket lives that
are not tolerable for HPC work.
Say you submit a job that is in the queue for a week
and then will run for 3 months - we don't know if the
AD admins will permit the creation of a 4 month ticket
"just in case"..
There's also the fact that Torque doesn't have GSSAPI
support in the mainline versions yet and what I hear
about the GSSAPI branch implies that it is just for
testing and development at present.
Christopher Samuel - (03) 9925 4751 - Systems Manager
The Victorian Partnership for Advanced Computing
P.O. Box 201, Carlton South, VIC 3053, Australia
VPAC is a not-for-profit Registered Research Agency
More information about the Beowulf