[torqueusers] how is the torque renewal scripts supposed to work?

Alex Rolfe arolfe at MIT.EDU
Mon Jul 12 08:43:37 MDT 2010


Andreas Davour <davour at pdc.kth.se> writes:

> On Monday, July 12, 2010 16:06:33 Alex Rolfe wrote:
>> Andreas Davour <davour at pdc.kth.se> writes:
>> > That was more than I managed to digest in one go.
>> > 
>> > Let me see if I got this right.
>> > 
>> > The pbs_server and the pbs_mom need to be started with credentials. This
>> > means I have to start them both (for the mom on every node) with this
>> > invocation?
>> > 
>> > $KINIT  -k -t $KEYTAB  $PRINCIPAL pbs_server|pbs_mom
>> > 
>> > and then do the same for maui and make sure they all are started in an
>> > environment where KRB5CCNAME points to the same cache, or at least a cache
>> > containing the same tickets?
>> 
>> No, the server and the moms do not need to be started with valid
>> tickets; they'll get tickets as needed as long as your Kerberos
>> configuration is set up such that a call to gss_acquire_cred() works (see
>> pbsgss_server_acquire_creds in src/lib/Libifl/pbsgss.c; I think this is
>> the equivalent to "kinit -k" from the command line).
>
> Good, that means I got it right the first time.
>
> But maui, that needs to be started with valid tickets, like "kinit -k"?

No, the gssapi code doesn't make any changes to the communication
between maui and the pbs_server.  One *could* do that (in the same way
that one could add gssapi authentication to all communication between
the server and the mom), but it's not been done in the current code.

Alex

