Long-running jobs with renewal of krb5 tickets and AFS tokens

Jason Edgecombe jason at rampaginggeek.com
Sat Feb 28 23:40:26 EST 2009


Russ Allbery wrote:
> Jason Edgecombe <jason at rampaginggeek.com> writes:
>
>   
>> We have users who need to run long-running jobs and store their files in
>> AFS during the run.
>>
>> I've read the k5start and k5renew man pages, but I don't see how I can
>> have users type in their password when they start a job and have the
>> tickets and tokens keep being renewed.
>>
>> How can I do this?
>>     
>
> If you're not dealing with a batch environment, where the execution
> happens some time after the user authenticates, then krenew is what you
> want.  It just doesn't do the initial ticket acquisition.
>
> You configure your PAM module and krb5.conf to get renewable tickets by
> default, so that the user already has renewable tickets when they start
> the job.  Then run the job under krenew.  It will make a private copy of
> the existing ticket cache and then keep renewing tickets and tokens until
> either it can't any more or the job ends.
>
> If you *are* dealing with a batch environment, you want Kula's approach.
>   
Sigh,

I guess setting things for renewable tickets longer than 7 days or 
running the jobs in local disk will be easiest.

We have a 7 day normal/renewable lifetime. What length do other sites have?

I might need to use the job scheduler approach, but that's a pain. I would 
guess 10-20 people would want that ability. I either need to modify our 
account maintenance processes or do it all manually.

Has anyone automated the management of user.cron principals? 
Unfortunately, I have had to tell people that they can't have an 
infinite ticket lifetime. :P

Thanks for the help!

Thanks,
Jason
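
The non-batch approach from the quoted reply (renewable tickets by default, then the job run under krenew), sketched as an added example that is not part of the original thread. It assumes MIT-style `klist -f` output and that `klist`, `krenew` and `aklog` are installed; the sample ticket listings are constructed, and the wrapper name `run-renewed.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MIT-style `klist -f` output
# and that klist, krenew and aklog are installed on the job host.

# Constructed sample: a TGT issued with a renewable lifetime (flag R).
SAMPLE_RENEWABLE='Valid starting     Expires            Service principal
02/28/09 23:40:26  03/01/09 09:40:26  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 03/07/09 23:40:26, Flags: FRIA'

# Constructed sample: a TGT issued without one (no R, no "renew until").
SAMPLE_PLAIN='Valid starting     Expires            Service principal
02/28/09 23:40:26  03/01/09 09:40:26  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FIA'

# Read `klist -f` output on stdin; succeed only if the krbtgt entry
# carries the R (renewable) flag.
tgt_is_renewable() {
    awk '
        /krbtgt\//         { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); found = ($0 ~ /R/); exit }
        in_tgt && /^[0-9]/ { exit }    # next cache entry reached, no flags seen
        END                { exit(found ? 0 : 1) }
    '
}

# Run "$@" under krenew, refusing to start if renewal could never work.
run_renewed() {
    if ! klist -f 2>/dev/null | tgt_is_renewable; then
        echo "no renewable TGT in the cache; fix krb5.conf/PAM or use kinit -r" >&2
        return 1
    fi
    # -t      run aklog after each renewal so the AFS token follows the ticket
    # -K 30   wake every 30 minutes to check whether a renewal is due
    exec krenew -t -K 30 -- "$@"
}

# With arguments, act as a job wrapper: ./run-renewed.sh ./long_job --input data
[ "$#" -eq 0 ] || run_renewed "$@"
```

Renewal cannot extend a ticket past its "renew until" time, so a job that outlives the site's renewable lifetime still loses its token at that point.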


