Long-running jobs with renewal of krb5 tickets and AFS tokens
Jason Edgecombe
jason at rampaginggeek.com
Sat Feb 28 23:40:26 EST 2009
Russ Allbery wrote:
> Jason Edgecombe <jason at rampaginggeek.com> writes:
>
>
>> We have users who need to run long-running jobs and store their files in
>> AFS during the run.
>>
>> I've read the k5start and k5renew man pages, but I don't see how I can
>> have users type in their password when they start a job and have the
>> tickets and tokens keep being renewed.
>>
>> How can I do this?
>>
>
> If you're not dealing with a batch environment, where the execution
> happens some time after the user authenticates, then krenew is what you
> want. It just doesn't do the initial ticket acquisition.
>
> You configure your PAM module and krb5.conf to get renewable tickets by
> default, so that the user already has renewable tickets when they start
> the job. Then run the job under krenew. It will make a private copy of
> the existing ticket cache and then keep renewing tickets and tokens until
> either it can't any more or the job ends.
>
> If you *are* dealing with a batch environment, you want Kula's approach.
>
Sigh,
I guess setting things for renewable tickets longer than 7 days or
running the jobs in local disk will be easiest.
We have a 7 day normal/renewable lifetime. What length do other sites have?
I might need use the job scheduler approach, but that's a pain. I would
guess 10-20 people would want that ability. I ether need to modify our
account maintenance processes or do it all manually.
Has anyone automated the management of user.cron principals?
unfortunately, I have had to tell people that they can't have an
infinite ticket lifetime. :P
Thanks for the help!
Thanks,
Jason
More information about the Kerberos
mailing list