[torquedev] Question about the way torque works

Sergio Gelato Sergio.Gelato at astro.su.se
Sat May 10 14:59:56 MDT 2008


* Brock Palen [2008-05-09 16:07:39 -0400]:
> At what point with GSSAPI does torque decide which principal it
> should copy?
> I can't find how torque is populating:
> 
> svr_conn[preq->rq_conn].creds,
> svr_conn[preq->rq_conn].principal

It happens in req_gssauthenuser(), using data returned by
pbsgss_server_establish_context(). The .principal is simply the result
of gss_display_name() on the client structure returned by
gss_accept_sec_context(), so it's ultimately derived from the Kerberos
service ticket the connection was authenticated with. The .creds are
the forwarded client credentials, also from gss_accept_sec_context().

> Could our problem be that we have two AFS systems?  And the one we
> want to use with torque is not the default_realm in /etc/krb5.conf ?

Please leave AFS out of this; what matters here is only Kerberos.

Even if you have two Kerberos realms, as long as cross-realm
authentication has been correctly set up things should Just Work.

If you have two realms without cross-realm trust, then you get to
explain to your users how to deal with this; basically they need to
authenticate to the right realm and arrange for qsub to use the 
corresponding credentials cache (typically by setting the
environment variable KRB5CCNAME to the right value). Try to avoid this
situation if you can (sometimes politics get in the way).
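
Added example, not part of the original message: one way a user with tickets from two realms could pick the credentials cache for the realm the TORQUE server expects before running qsub. The function names, the KLIST override variable, the realm names and the cache paths are all assumptions made for illustration.

```shell
# Select the Kerberos credentials cache that belongs to a given realm, so
# that qsub authenticates with the intended principal. Added illustration;
# the realms and cache paths in the usage note are placeholders.

# Read `klist` output on stdin and print the realm of the cache's principal.
# Accepts both the MIT form ("Default principal: user@REALM") and the
# Heimdal form ("        Principal: user@REALM").
klist_realm() {
    sed -n 's/^[[:space:]]*\(Default \)\{0,1\}[Pp]rincipal: .*@\([^@[:space:]]*\)[[:space:]]*$/\2/p' |
        head -n 1
}

# select_ccache REALM CACHE...
# Print the first cache whose principal is in REALM; return 1 if none is.
# KLIST (hypothetical override) lets the klist command be replaced.
select_ccache() {
    sc_want=$1
    shift
    for sc_cache in "$@"; do
        sc_realm=$("${KLIST:-klist}" -c "$sc_cache" 2>/dev/null | klist_realm)
        if [ "$sc_realm" = "$sc_want" ]; then
            printf '%s\n' "$sc_cache"
            return 0
        fi
    done
    return 1
}

# Usage (placeholders throughout):
#   cc=$(select_ccache CLUSTER.EXAMPLE FILE:/tmp/krb5cc_home FILE:/tmp/krb5cc_cluster) &&
#       KRB5CCNAME=$cc qsub job.sh
# If no cache matches, nothing is submitted; kinit to the right realm first.
```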

