Hi Michael, thank you for all the information. It is very helpful. In the meantime, I found some time to think about it...
> -----Original Message-----
> From: Michael Weiser [mailto:[email protected]]
> Sent: Tuesday, 2 October 2012 09:50
> To: Christoph Müller
> Cc: [email protected]
> Subject: Re: [gridengine users] SGE with KRB5

> Also, these hooks are not meant to actually forward user credentials to the
> execution hosts. Instead they are supposed to somehow obtain them on the
> execution host. For AFS this is done by having a daemon that has access to the
> AFS cell's cryptographic key that essentially forges users' credentials.

I think I got the problem here: the startup scripts for AFS actually _create_ the user ticket without user intervention when the job starts, is that correct?

From your slides, I understand that I could implement the same behaviour only using S4U2Self. As this extension is from Microsoft, our AD KDC would support it, but at the moment, I do not know how I would implement the client side on Linux. Is that possible at all, and do you have any web resources about this, too?

Furthermore, from a security point of view, S4U2Proxy would be the better solution - at least, I read that from your slides. This would, however, require that I grab the user's ticket when he submits the job, correct? So far, I do not see any possibility to hook into qsub. Is there any possibility in SGE to do this - except for the obvious solution of providing a custom wrapper script around qsub?

> There was a longer paper published in the conference proceedings as well.
> There was no real resonance however which is why I couldn't get any traction
> to actually implement some software. So, as of now there is no software for
> actually doing what is proposed in the talk.
> Implementing a proof-of-concept using shell or python scripts should
> however be a matter of man hours, not months.

Obviously, I will try something like that, but I am not yet sure what the best/the working solution is...
> There are patches for OpenSSH to extend Kerberos support
> (http://www.sxw.org.uk/computing/patches/openssh.html). I'm not up-to-
> date on how much of them ever made it into mainline OpenSSH. IIRC these
> patches include support for re-forwarding the TGT when the ticket cache on
> the originating host changes, i.e. the set_token_cmd has obtained a new
> ticket for the user (options GssapiRenewalForcesRekey and
> GssapiStoreCredentialsOnRekey).

According to the manpage, it is supported on the latest RHEL releases. However, I did not actually try it yet...

Thanks again,
Christoph

_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
