Christoph Müller <[email protected]> writes: > I think I got the problem here: The startup scripts for AFS actually > _create_ the user ticket without user intervention when the job starts, > is that correct? From your slides, I understand that I could implement > the same behaviour only using S4SU2Self. As this extension is from > Microsoft, our AD KDC would support it, but at the moment, I do not > know how I would implement the client side on Linux. Is that possible > at all and do you have any web resources about this, too?
In the general (interesting) case you need to mount a filesystem you don't administer with authentication from a KDC you also don't control, administered with unhelpful policies which include not trusting the HPC systems. So you really need either to have stored credentials to renew tickets arbitrarily (oh dear) or explicitly renew them by hand when required. > Furthermore, from a security point of view, S4U2Proxy would be the > better solution - at least, I read that from your slides. This would, > however, require that I grab the users's ticket when he submits the > job, correct? So far, I do not see any possibility to hook into > qsub. Is there any possibility in SGE to do this - except of the > obvious solution of providing a custom wrapper script around qsub? That's what the "GSSAPI" mechanism does. If I recall correctly, invoking the hook in qsub does currently work. -- Community Grid Engine: http://arc.liv.ac.uk/SGE/ _______________________________________________ users mailing list [email protected] https://gridengine.org/mailman/listinfo/users
