Dear all, to summarise the options for KRB5:
1. I could use the AFS hooks and try to inject KRB5 code there. However, this would require me to reinstall SGE, because I have not configured it for that.
2. I could use arcx. There seems to be explicit support for renewing tickets in SGE, but I did not find the time to thoroughly read the docs.
3. I could use AUKS. From what I understand, AUKS has no built-in SGE support, but you must forward the ticket in a client-side JSV. However, it does not require me to enable afs/kerberos/... in bootstrap, right?
4. I could try to implement a prolog that uses S4U2Self, which is probably less secure. That would also need a renew "hack" like the idea with the load sensors one of you mentioned.
5. The Kerberos integration mentioned in http://arc.liv.ac.uk/repos/darcs/sge/source/security/gss/doc/gss_customer.html: I am not sure whether this describes the integration "that never worked"?

Do you have any recommendation, especially wrt. (2) and (3)? From what I know so far, (2) seems to be most widely used.

Just for completeness:

> -----Original Message-----
> From: [email protected] [mailto:users-[email protected]] On Behalf Of [email protected]
> Sent: Friday, 5 October 2012 13:16
> To: [email protected]
> Subject: users Digest, Vol 22, Issue 5
>
> support it, but at the moment, I do not know how I would implement the
> client side on Linux. Is that possible at all and do you have any web
> resources about this, too?

There is gss_acquire_cred_impersonate_name in GSSAPI to do this, so one could probably write an application that gets the ticket on behalf of the user in the prolog. Nevertheless, I am unsure whether it is a good idea to trust the SGE hosts delegation. And I do not know whether it would work with another KDC than W2k8.

Best regards,
Christoph

_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
