kerberos and remote job scheduling/dispatching/perl fork()
Matt Garman
matthew.garman at gmail.com
Fri Aug 17 14:21:44 EDT 2012
We have a simple, home-grown Perl-based job dispatching system. It's
basically a per-user daemon that listens on a socket for job requests.
When it gets a request, it calls fork() to dispatch the job.
What we've found is that the fork()'ed jobs are getting "permission
denied" on NFSv4 mounts using krb5p security. Before the fork,
though, permissions are OK.
I wrote this simple Perl script to demonstrate the problem:
#!/usr/bin/perl
use strict;
my $id = "PARENT";
my $childpid = fork();
if (0 == $childpid)
{
$id = "CHILD";
sleep(5);
}
print "\n--- $id ----\n";
print " pid=$$\n";
print " real_uid=" . getpwuid($<) . "\n";
print " effective_uid=" . getpwuid($>) . "\n";
my $output = `/usr/kerberos/bin/klist -f`;
my $status = $? >> 8;
print "klist status=$status\n";
print "klist output:\n$output\n";
print "\n\n\n";
If I run that locally, I basically prints out a correct klist result
twice. If I ssh into another server and run it, it also works.
But if I do something like this: "ssh other_server ./script.pl", then
the child klist prints nothing, and gives a different return code.
The weird thing is, though, if I change the klist to redirect to
stderr ("...klist -f 2>&1"), then it works!
Hopefully I'm just missing something simple...
Thanks again,
Matt
More information about the Kerberos
mailing list