kerberos and remote job scheduling/dispatching/perl fork()
Booker Bense
bbense at gmail.com
Wed Aug 22 11:07:33 EDT 2012
On Fri, Aug 17, 2012 at 11:21 AM, Matt Garman <matthew.garman at gmail.com> wrote:
> We have a simple, home-grown Perl-based job dispatching system. It's
> basically a per-user daemon that listens on a socket for job requests.
> When it gets a request, it calls fork() to dispatch the job.
>
> What we've found is that the fork()'ed jobs are getting "permission
> denied" on NFSv4 mounts using krb5p security. Before the fork,
> though, permissions are OK.
>
> I wrote this simple Perl script to demonstrate the problem:
>
I think your script error is just the result of the differences between
ssh foo.host
> cmd
and
ssh foo.host cmd
In the first you have a tty and in the second you don't.
Your real problem is the hinky way that NFSv4 matches Kerberos
credentials to processes. I haven't dinked around with NFSv4 a lot,
but there is a daemon that more or less sits and watches for krb tgt
files in /tmp and attempts to match them to the appropriate process
when the local nfsd needs a user's credentials.
I think what you want is to investigate idmapd or rpcidmapd on your system.
- Booker C. Bense