[torqueusers] how is the torque renewal scripts supposed to work?

[Alex Rolfe]

Andreas Davour <davour at pdc.kth.se> writes:

> That was more than I manage to digest in one go.
>
> Let me see if I got this right.
>
> The pbs_server and the pbs_mom need to be started with credentials. This means 
> I have to start them both (for the mom on every node) with this invocation?
>
> $KINIT  -k -t $KEYTAB  $PRINCIPAL pbs_server|pbs_mom 
>
> and then do the same for maui and make sure they all are started in an 
> environment where KRB5CCNAME point to the same cache, or at least a cache 
> containing the same tickets?


No, the server and the moms do not need to be started with valid
tickets; they'll get tickets as needed as long as your kerberos
configuration is setup such that a call to gss_acquire_cred() works (see
pbsgss_server_acquire_creds in src/lib/Libifl/pbsgss.c; I think this is
the equivalent to "kinit -k" from the command line).


The tickets and tokens for a running job are acquired by the mom before
the job is spawned.  We use the prologue script to start a "clientrenew"
script that's just a loop around "kinit -R && aklog".  The epilogue
script then cleans up the ticket cache.  All of the scripts are in
contrib/gssapi, though you'll need to tweak them for your site.



Alex