<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>RE: [torqueusers] how is the torque renewal scripts supposed to work?</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Andreas,<BR>
maui, pbs_server and pbs_mom all use the same communication and<BR>
connection routines, which are in libtorque.so. maui connects to<BR>
pbs_server the same way as qsub connects to pbs_server. Both require a<BR>
"client credential" to connect. pbs_server requires a server/service<BR>
credential to perform mutual authentication. And as noted earlier,<BR>
gss_acquire_cred is called to get that credential, and it is stored and<BR>
"managed". The credential returned from gss_acquire_cred is a bit<BR>
implementation dependent in my experience. What I have seen is that<BR>
the version of Kerberos I am using in my Linux distribution does not<BR>
return host/hostname.fqdn@MYREALM as the credential when run as<BR>
root; other versions, i.e. Heimdal or newer MIT, might. When I do the same<BR>
action as root obtaining a key using the gsiapi "globus", it does correctly<BR>
give me the host "certificate". So if your implementation will return<BR>
the host key as root, you can use the host/.... for maui to authenticate to<BR>
pbs_server, for pbs_server to do the mutual auth as the "service key",<BR>
and for pbs_mom to do the mutual auth when pbs_server sends the job to<BR>
mom to run...<BR>
<BR>
If your implementation doesn't give you a host/xxxx, or say you don't<BR>
run maui as root, then you will need to provide a credential for it and<BR>
you need to renew/reinit it when it expires.<BR>
<BR>
My take<BR>
<BR>
On Mon, 2010-07-12 at 18:52 +0200, Andreas Davour wrote:<BR>
> On Monday, July 12, 2010 16:43:37 Alex Rolfe wrote:<BR>
> > Andreas Davour <davour@pdc.kth.se> writes:<BR>
> > > On Monday, July 12, 2010 16:06:33 Alex Rolfe wrote:<BR>
> > >> Andreas Davour <davour@pdc.kth.se> writes:<BR>
> > >> > That was more than I manage to digest in one go.<BR>
> > >> ><BR>
> > >> > Let me see if I got this right.<BR>
> > >> ><BR>
> > >> > The pbs_server and the pbs_mom need to be started with credentials.<BR>
> > >> > This means I have to start them both (for the mom on every node) with<BR>
> > >> > this invocation?<BR>
> > >> ><BR>
> > >> > $KINIT -k -t $KEYTAB $PRINCIPAL pbs_server|pbs_mom<BR>
> > >> ><BR>
> > >> > and then do the same for maui and make sure they all are started in an<BR>
> > >> > environment where KRB5CCNAME point to the same cache, or at least a<BR>
> > >> > cache containing the same tickets?<BR>
> > >><BR>
> > >> No, the server and the moms do not need to be started with valid<BR>
> > >> tickets; they'll get tickets as needed as long as your kerberos<BR>
> > >> configuration is setup such that a call to gss_acquire_cred() works (see<BR>
> > >> pbsgss_server_acquire_creds in src/lib/Libifl/pbsgss.c; I think this is<BR>
> > >> the equivalent to "kinit -k" from the command line).<BR>
> > ><BR>
> > > Good, that means I got it right the first time.<BR>
> > ><BR>
> > > But maui, that needs to be started with valid tickets, like "kinit -k"?<BR>
> ><BR>
> > No, the gssapi code doesn't make any changes to the communication<BR>
> > between maui and the pbs_server. One *could* do that (in the same way<BR>
> > that one could add gssapi authentication to all communication between<BR>
> > the server and the mom), but it's not been done in the current code.<BR>
><BR>
> I realize there's something here which confuses me. The<BR>
> contrib/gssapi/init.pbsserver script starts maui using kinit and tickets from a<BR>
> keytab. Is that not necessary then?<BR>
><BR>
> /andreas<BR>
<BR>
</FONT>
</P>
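<P><FONT SIZE=2>As an added example (not the contrib/gssapi/init.pbsserver script mentioned in the thread, and not Torque's or Maui's own code), here is the shape of the credential wrapper the reply above describes for the case where the Kerberos implementation does not hand a daemon the host key as root, or where maui does not run as root: obtain a ticket from a keytab into a private credential cache, start the daemon with that cache in KRB5CCNAME, and renew the ticket before it expires, falling back to a full re-init from the keytab when kinit -R fails. The keytab path, principal, cache location and ticket lifetime are assumptions for illustration, as is the script name.</FONT></P>

```shell
#!/bin/sh
# Added example, not Torque's contrib/gssapi/init.pbsserver: start a Torque or
# Maui daemon with a Kerberos credential taken from a keytab, and keep that
# credential alive with renew-then-reinit.  Keytab path, principal, cache
# location and lifetime below are assumptions for illustration.

KEYTAB=${KEYTAB:-/etc/torque/pbs.keytab}                      # assumed path
PRINCIPAL=${PRINCIPAL:-host/node01.example.org@EXAMPLE.ORG}   # assumed principal
CCACHE=${CCACHE:-/var/run/torque/krb5cc_pbs}                  # private cache, not root's default
LIFETIME=${LIFETIME:-36000}                                   # ticket lifetime in seconds (10h)

# Obtain a fresh TGT from the keytab into the daemon's own credential cache.
# This is the command-line equivalent ("kinit -k") of what the thread says
# pbsgss_server_acquire_creds does through gss_acquire_cred when the Kerberos
# implementation hands out the host key.  The cache directory should be owned
# by the daemon user so nothing else can read the tickets.
acquire_cred() {
    export KRB5CCNAME="FILE:$CCACHE"
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Prefer a cheap renewal of the existing ticket (kinit -R); if the renewable
# lifetime is exhausted or the cache is gone, fall back to a full re-init.
renew_cred() {
    kinit -R 2>/dev/null || acquire_cred
}

# Wake up well before expiry: half the lifetime, but never less than a minute.
renew_interval() {
    half=$(( $1 / 2 ))
    if [ "$half" -lt 60 ]; then
        half=60
    fi
    echo "$half"
}

# Renewal loop, meant to run in the background next to the daemon.
renew_loop() {
    while kill -0 "$1" 2>/dev/null; do      # stop once the daemon has exited
        sleep "$(renew_interval "$LIFETIME")"
        renew_cred || echo "credential renewal failed for $PRINCIPAL" >&2
    done
}

# Acquire once, start the daemon so it inherits KRB5CCNAME, then babysit it.
start_with_cred() {
    acquire_cred || { echo "could not obtain credential for $PRINCIPAL" >&2; return 1; }
    "$@" &
    daemon_pid=$!
    renew_loop "$daemon_pid" &
    wait "$daemon_pid"
}

# Hypothetical invocation:  ./pbs-krb-wrap.sh start maui   (or pbs_server, pbs_mom)
if [ "${1:-}" = start ]; then
    shift
    start_with_cred "$@"
fi
```

<P><FONT SIZE=2>Per the thread, pbs_server and pbs_mom acquire their own credentials through gss_acquire_cred as needed, so a wrapper like this is only required where that call does not yield the host key (or for a daemon such as maui that is started with a separate credential). The renewal half-life is a simple heuristic; kinit -R only succeeds while the ticket is still within its renewable lifetime, which is why the fallback to a full kinit -k -t is kept.</FONT></P>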
</BODY>
</HTML>