Problem with kerberos

Hello everyone, I’m a new user and I’m having a problem with openpbs 22.05.11.

I’ve compiled openpbs on master and client nodes via config using the --with-krbauth option.

Users have their home exported via nfs on all systems with krb5 authentication.

Jobs submitted with qsub are effectively run only if they have first logged into the client and created a valid ticket (TGT), otherwise they fail to mount their home.

How should openpbs be configured to use Kerberos authentication automatically, so that the home is mounted automatically on the nodes?

Thank you

Hi @giuspo1980 !

We also use nfs homes and pbspro with Kerberos. I will try to help you.

  • First, you must change the environment variables in /etc/pbs.conf similar to this:

    PBS_AUTH_METHOD=GSS
    PBS_SUPPORTED_AUTH_METHODS=GSS,resvport
    PBS_ENCRYPT_METHOD=GSS
    

    see [1]

  • Second, you need to configure the server via qmgr similar to this:

    set server acl_krb_realm_enable = True
    set server acl_krb_realms = *@PBSPRO
    set server acl_krb_submit_realms = *@PBSPRO
    set server cred_renew_enable = True
    set server cred_renew_tool = "/usr/bin/timeout 10 /usr/bin/krb525_renew"
    set server cred_renew_period = 12:00:00
    set server cred_renew_cache_period = 23:00:00
    
    

    See [2]
    Once you have the pbs.conf configured, you need to use: PBS_AUTH_METHOD=resvport qmgr for admin access or you can add your host principal as the PBS manager.

  • Third, I noticed a bug in openpbs. To resolve it, pbs_sched must be run (as opposed to the rest of the server components) with an environment like this: PBS_AUTH_METHOD=resvport pbs_sched

Using this configuration, you can submit a job (you need a valid Kerberos ticket for submitting). A correctly submitted job has the attribute credential_id, which is the principal.

Once the job starts, the credentials will be available and the job will have the attribute credential_validity.

Do you use MIT or Heimdal? Your main issue would probably be the cred_renew_tool. Without this tool, the job cannot start. This tool is used for providing Kerberos tickets to the jobs. It also provides a new ticket before the validation of the job’s ticket expires. Please see the part "Build a PBS renew-tool" in [2]. You can find an example of the renew tool as part of the openpbs source code here: /openpbs/src/unsupported/renew-test. The example works with both MIT and Heimdal Kerberos. It expects the server keytab to provide all the credentials… just for testing.

I can also help you to configure our proper tool krb525 mentioned in [2]. Unfortunately, the server side of krb525 works only with Heimdal…

Let me know if you need more help.

Vaclav

[1] https://openpbs.atlassian.net/wiki/spaces/PD/pages/1525776385/Allow+multiple+auth+methods+in+PBSPro
[2] https://openpbs.atlassian.net/wiki/spaces/PD/pages/29655043/PP-468+Kerberos+support

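A way to check the setup described in the answer above, as an added example that is not part of the original posts and is not OpenPBS code. The function names are hypothetical, the `qstat -f` sample is constructed, values are compared exactly as the answer writes them, and the script assumes that the `resvport` admin and scheduler paths need `resvport` listed in PBS_SUPPORTED_AUTH_METHODS.

```shell
#!/usr/bin/env bash
# Added example (not OpenPBS code): verify the pbs.conf settings and the job
# attributes named in the answer. Values are compared exactly as written there.

# Print the last value assigned to KEY in a pbs.conf-style file.
conf_get() {   # usage: conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Check FILE against the three pbs.conf settings; print findings and
# return the number of problems (0 means the file matches the answer).
check_pbs_conf() {   # usage: check_pbs_conf FILE
    local bad=0 methods
    [ "$(conf_get "$1" PBS_AUTH_METHOD)" = GSS ] ||
        { echo "PBS_AUTH_METHOD is not GSS"; bad=$((bad + 1)); }
    [ "$(conf_get "$1" PBS_ENCRYPT_METHOD)" = GSS ] ||
        { echo "PBS_ENCRYPT_METHOD is not GSS"; bad=$((bad + 1)); }
    methods=",$(conf_get "$1" PBS_SUPPORTED_AUTH_METHODS),"
    case $methods in *,GSS,*) ;; *)
        echo "GSS missing from PBS_SUPPORTED_AUTH_METHODS"; bad=$((bad + 1)) ;;
    esac
    # Assumption: 'PBS_AUTH_METHOD=resvport qmgr' and the pbs_sched workaround
    # from the answer only connect if resvport is a supported method.
    case $methods in *,resvport,*) ;; *)
        echo "resvport missing from PBS_SUPPORTED_AUTH_METHODS"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# Read `qstat -f <jobid>` output on stdin and classify the job by the two
# attributes from the answer: credential_id and credential_validity.
job_cred_state() {
    awk -F' = ' '
        $1 ~ /^[ \t]*credential_id$/       { id = $2 }
        $1 ~ /^[ \t]*credential_validity$/ { valid = $2 }
        END {
            if (id == "")         print "no-credential"
            else if (valid == "") print "submitted-with-principal " id
            else                  print "credentials-delivered " id
        }'
}

# Constructed sample of `qstat -f` output (not captured from a real server).
job_cred_state <<'EOF'
Job Id: 42.pbs.example.org
    Job_Name = STDIN
    credential_id = alice@PBSPRO
    credential_validity = Tue Jan  2 10:00:00 2024
EOF
```

On a real system, run `check_pbs_conf /etc/pbs.conf` on the server and each node, and pipe `qstat -f <jobid>` into `job_cred_state`; a job that stays at `submitted-with-principal` points at the cred_renew_tool.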