[30779] in Kerberos
Re: Long-running jobs with renewal of krb5 tickets and AFS tokens
daemon@ATHENA.MIT.EDU (Jason Edgecombe)
Sat Feb 28 23:41:49 2009
Message-ID: <49AA11BA.3060509@rampaginggeek.com>
Date: Sat, 28 Feb 2009 23:40:26 -0500
From: Jason Edgecombe <jason@rampaginggeek.com>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <874oyeb0er.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Russ Allbery wrote:
> Jason Edgecombe <jason@rampaginggeek.com> writes:
>
>
>> We have users who need to run long-running jobs and store their files in
>> AFS during the run.
>>
>> I've read the k5start and k5renew man pages, but I don't see how I can
>> have users type in their password when they start a job and have the
>> tickets and tokens keep being renewed.
>>
>> How can I do this?
>>
>
> If you're not dealing with a batch environment, where the execution
> happens some time after the user authenticates, then krenew is what you
> want. It just doesn't do the initial ticket acquisition.
>
> You configure your PAM module and krb5.conf to get renewable tickets by
> default, so that the user already has renewable tickets when they start
> the job. Then run the job under krenew. It will make a private copy of
> the existing ticket cache and then keep renewing tickets and tokens until
> either it can't any more or the job ends.
>
> If you *are* dealing with a batch environment, you want Kula's approach.
>
Sigh,

I guess setting things for renewable tickets longer than 7 days or
running the jobs in local disk will be easiest.

We have a 7 day normal/renewable lifetime. What length do other sites have?

I might need to use the job scheduler approach, but that's a pain. I would
guess 10-20 people would want that ability. I either need to modify our
account maintenance processes or do it all manually.

Has anyone automated the management of user.cron principals?

Unfortunately, I have had to tell people that they can't have an
infinite ticket lifetime. :P

Thanks for the help!

Thanks,
Jason
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
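
The thread's advice depends on the user already holding renewable tickets before the job is started under krenew. The wrapper below is an added example, not part of the original messages, that checks this first and reports the renewal limit. It assumes MIT-style `klist -f` output; the ticket listings, realm and messages are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check before running a long job under krenew.
# Assumes MIT-style `klist -f` output; both sample listings are constructed.

# Read `klist -f` output on stdin. Print the TGT's "renew until" timestamp
# and return 0 if the TGT carries the R (renewable) flag; return 1 otherwise.
tgt_renew_until() {
    awk '
        $NF ~ /^krbtgt\// { in_tgt = 1; next }   # TGT line; flags follow
        in_tgt && /Flags:/ {
            if ($NF ~ /R/ && match($0, /renew until [^,]*/)) {
                # skip the 12 characters of "renew until "
                print substr($0, RSTART + 12, RLENGTH - 12)
                found = 1
            }
            exit
        }
        { in_tgt = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: renewable TGT with a 7 day renewable lifetime.
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
02/28/09 23:00:00  03/01/09 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 03/07/09 23:00:00, Flags: FRIA'

# Constructed sample: TGT obtained without a renewable lifetime.
SAMPLE_PLAIN='Valid starting     Expires            Service principal
02/28/09 23:00:00  03/01/09 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FIA'

# Usage: this-script command [args...]
if [ "$#" -gt 0 ]; then
    if limit=$(klist -f | tgt_renew_until); then
        echo "TGT renewable until $limit; renewal stops at that time" >&2
        # -t refreshes the AFS token after each renewal; krenew runs the
        # command with its own private copy of the ticket cache.
        exec krenew -t -- "$@"
    fi
    echo "TGT is not renewable; obtain renewable tickets first" >&2
    exit 1
fi
```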