[torqueusers] how is the torque renewal scripts supposed to work?

Alex Rolfe arolfe at MIT.EDU
Mon Jul 12 08:06:33 MDT 2010

Andreas Davour <davour at pdc.kth.se> writes:

> That was more than I manage to digest in one go.
> Let me see if I got this right.
> The pbs_server and the pbs_mom need to be started with credentials. This means 
> I have to start them both (for the mom on every node) with this invocation?
> $KINIT  -k -t $KEYTAB  $PRINCIPAL pbs_server|pbs_mom 
> and then do the same for maui and make sure they all are started in an 
> environment where KRB5CCNAME point to the same cache, or at least a cache 
> containing the same tickets?

No, the server and the moms do not need to be started with valid
tickets; they'll get tickets as needed as long as your kerberos
configuration is setup such that a call to gss_acquire_cred() works (see
pbsgss_server_acquire_creds in src/lib/Libifl/pbsgss.c; I think this is
the equivalent to "kinit -k" from the command line).

The tickets and tokens for a running job are acquired by the mom before
the job is spawned.  We use the prologue script to start a "clientrenew"
script that's just a loop around "kinit -R && aklog".  The epilogue
script then cleans up the ticket cache.  All of the scripts are in
contrib/gssapi, though you'll need to tweak them for your site.


More information about the torqueusers mailing list