Christoph Müller <[email protected]> writes: > 3. I could use AUKS. From what I understand, AUKS has no built-in SGE > support, but you must forward the ticket in a client-side > JSV. However, it does not require me to enable afs/kerberos/... in > bootstrap, right?
You have to enable GSSAPI security if you want to use that hook, but it probably needs a dummy to "verify" the "ticket" it should output if you don't use it for authentication -- and if you don't authenticate, credentials can probably be stolen on compute hosts. > 5. The Kerberos integration mentioned in > http://arc.liv.ac.uk/repos/darcs/sge/source/security/gss/doc/gss_customer.html: > I am not sure whether this describes the integration "that never > worked"? No, though I'm not sure how all the hooks for GSSAPI security ever worked reliably. The "Kerberos" support requires linking against a Kerberos library as opposed to running independent sub-programs. I'd forgotten that the security_mode setting for the GSSAPI method is "kerberos" (or, equivalently, "dce"), which is distinct from the non-working attempted "full Kerberos" stuff. For what it's worth, GSSAPI need not use Kerberos (though the shipped programs are somewhat Kerberos/DCE-specific). Also the SGE hooks for it could work for something other than GSSAPI by replacing the distributed versions of get_cred and friends. -- Community Grid Engine: http://arc.liv.ac.uk/SGE/ _______________________________________________ users mailing list [email protected] https://gridengine.org/mailman/listinfo/users
