[torqueusers] how is the torque renewal scripts supposed towork?

Mike Coyne Mike.Coyne at PACCAR.com
Mon Jul 12 18:06:25 MDT 2010


Andreas,
maui, pbs_server and pbs_mom all use the same communication and
connection routines which are in the libtorque.so. maui connects to
pbs_server the same way as qsub connects to pbs_server. both require a
"client credential" to connect.  pbs_server requires a server /service
credential to perform mutial authincation.  And as noted earler
gss_aquire_cred is called to get that credential and it is stored and
"manged". The crential returned form gss_aquire_cred is a bit
implementation defendant in my experiace . What i have seen is that ,
the version o kerberos i am using in my linux distribution does not
return the host/hostname.fqdn at MYREALM as the credential when run as
root, Other versions ie Hiedmal , newer mit might . When i do the same
action as root obtaining a key using gsiapi "globus" it does correctly
give me the host "certificate" . So if your implementation will return
the host key as root you can use the host/.... for maui to authicate to
pbs_server , and pbs_server to do the mutual auth as the "service key"
and for pbs_mom to do the mutual auth when pbs_server sends the job to
mom to run...

If your implementation doesn't  give you a  host/xxxx or say you dont
run maui as root then you will need to provide a credentail for it and
you need to renew/reinit-it when it expires. 

My take 

On Mon, 2010-07-12 at 18:52 +0200, Andreas Davour wrote:
> On Monday, July 12, 2010 16:43:37 Alex Rolfe wrote:
> > Andreas Davour <davour at pdc.kth.se> writ
> > > On Monday, July 12, 2010 16:06:33 Alex Rolfe wrote:
> > >> Andreas Davour <davour at pdc.kth.se> writes:
> > >> > That was more than I manage to digest in one go.
> > >> > 
> > >> > Let me see if I got this right.
> > >> > 
> > >> > The pbs_server and the pbs_mom need to be started with credentials.
> > >> > This means I have to start them both (for the mom on every node) with
> > >> > this invocation?
> > >> > 
> > >> > $KINIT  -k -t $KEYTAB  $PRINCIPAL pbs_server|pbs_mom
> > >> > 
> > >> > and then do the same for maui and make sure they all are started in an
> > >> > environment where KRB5CCNAME point to the same cache, or at least a
> > >> > cache containing the same tickets?
> > >> 
> > >> No, the server and the moms do not need to be started with valid
> > >> tickets; they'll get tickets as needed as long as your kerberos
> > >> configuration is setup such that a call to gss_acquire_cred() works (see
> > >> pbsgss_server_acquire_creds in src/lib/Libifl/pbsgss.c; I think this is
> > >> the equivalent to "kinit -k" from the command line).
> > > 
> > > Good, that means I got it right the first time.
> > > 
> > > But maui, that needs to be started with valid tickets, like "kinit -k"?
> > 
> > No, the gssapi code doesn't make any changes to the communication
> > between maui and the pbs_server.  One *could* do that (in the same way
> > that one could add gssapi authentication to all communication between
> > the server and the mom), but it's not been done in the current code.
> 
> I realize there's something here which confuse me. The 
> contrib/gssapi/init.pbsserver script start maui using kinit and tickets from a 
> keytab. Is that not necessary then?
> 
> /andreas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.supercluster.org/pipermail/torqueusers/attachments/20100712/7a09a0d7/attachment-0001.html 


More information about the torqueusers mailing list