Perry E. Metzger wrote:
[...]
>
> Maybe some sort of strange myth has been going by so long on this that
> people refuse to believe that the ticket refresh is a single easy
> command?
>

The "myth" is the ability to automatically get a Kerberos ticket on any node in a cluster *especially* for the nodes on which you can neither login nor run cron jobs to renew tickets (which is ugly and likely to be non-practical and/or insecure in any but the most simple environment anyway).

That's the point of "kstart" and similar tools, as well as specific modifications/extensions to batch queueing systems used where a Kerberos ticket is required for jobs (including many HEP sites): *transparently* get and renew Kerberos tickets (for the local realm) on *any* node in the cluster without the need to ever enter a password on the computing nodes. The tickets are discarded when the process/job ends (unlike the "kinit" in a cron job thingy).

The version of LSF used at CERN is modified to be able to renew and transmit Kerberos tickets in CERN's realm as long as needed (queue time + execution time). AFAIK this is a (non-free) extra feature developed by Platform Computing. If I'm not mistaken, the same (also paid for) LSF modification is used at SLAC and BNL.

As someone mentioned, DESY (the German HEP organisation) has something similar for SGE, as we (the French HEP organisation) do for our own batch system and others certainly have similar things.

Everyday use case example: the user job runs a program binary stored in CERN's AFS cell with input data in our AFS cell and writes its output in BNL's AFS cell (Kerberos tickets for at least two realms/cells required).

This is the way things have been routinely going on in the HEP world (where people usually read manuals) during the last decade or so.

Loïc.
--
| Loïc Tortay <[EMAIL PROTECTED]> - IN2P3 Computing Centre |