kerberos and remote job scheduling/dispatching/perl fork()

Russ Allbery rra at stanford.edu
Wed Aug 22 14:14:34 EDT 2012


Matt Garman <matthew.garman at gmail.com> writes:

> It appears that the problem has to do with my sshd options.  In
> particular, I had "GSSAPICleanupCredentials" set to yes (the default) in
> /etc/ssh/sshd_config.  So I believe what happens is, after the fork()
> call, my ssh session ends, and removes my /tmp/krb5cc* file.  Which
> leaves my forked process running, but now without a TGT, and hence, no
> NFSv4.

> Setting that sshd option to "no" and restarting sshd so far appears to
> work.  I'm not sure if this is the "best" way to fix this, perhaps
> idmapd and/or rpcidmapd offer a more elegant solution.  I'll have to
> research those.

Another possible solution to this problem is to modify your job scheduling
system to invoke the actual job inside krenew.  krenew is primarily for
renewing Kerberos credentials for long-running jobs, but one of the other
things that it does is that it makes an isolated copy of the current
Kerberos ticket cache on startup precisely to detach the cache from any
other session management that's happening.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
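
Added example, not part of the original message and not code from the kstart project: a POSIX shell launcher that a job dispatcher could call to start the job inside krenew, so the job runs on krenew's private copy of the ticket cache instead of the session's /tmp/krb5cc* file. It assumes a FILE-type credential cache, a renewable ticket, and krenew installed; `launch_job`, `ccache_path`, `KRENEW`, `JOB_LOG` and `JOB_PID` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: start a long-running job under krenew so it survives sshd
# removing the session's credential cache (GSSAPICleanupCredentials yes).

KRENEW=${KRENEW:-krenew}        # hypothetical override for the krenew path
JOB_LOG=${JOB_LOG:-/dev/null}   # hypothetical: where job output is appended

# Print the file behind the current credential cache.
# Fails for cache types this sketch does not handle (KEYRING:, KCM:, DIR:).
ccache_path() {
    cc=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}   # assumed traditional default
    case $cc in
        FILE:*) printf '%s\n' "${cc#FILE:}" ;;
        /*)     printf '%s\n' "$cc" ;;
        *)      return 1 ;;
    esac
}

# launch_job CMD [ARGS...]
# Returns 0 once the job is started, 2 if there is no usable ticket cache,
# 3 if krenew cannot be found. The background PID is left in JOB_PID.
launch_job() {
    cache=$(ccache_path) || { echo "unsupported cache type: $KRB5CCNAME" >&2; return 2; }
    [ -s "$cache" ] || { echo "no ticket cache at $cache" >&2; return 2; }
    command -v "$KRENEW" >/dev/null 2>&1 || { echo "krenew not found" >&2; return 3; }
    # krenew copies the cache on startup and runs CMD against the copy;
    # nohup and the redirections detach the job from the ssh session.
    nohup "$KRENEW" -- "$@" >>"$JOB_LOG" 2>&1 </dev/null &
    JOB_PID=$!
    return 0
}
```

Call `launch_job` while the dispatching ssh session is still open; once sshd has removed the original cache there is nothing left for krenew to copy.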

