Problem with kerberos

Hello everyone, I’m a new user and I’m having a problem with openpbs 22.05.11.

I’ve compiled openpsb on master and client nodes via config using the --with-krbauth option.

Users have their home exported via nfs on all systems with krb5 authentication.

Jobs submitted with qsub are effectively run only if they have first logged into the client and created a valid ticket (TGT), otherwise they fail to mount their home.

How should openpbs be configured in order to use automatically the kerberos authentication, thus mounting the home automatically on nodes?

Thank you

Hi @giuspo1980 !

We also use nfs homes and pbspro with Kerberos. I will try to help you.

  • First, you must change the environment variables in /etc/pbs.conf similar to this:


    see [1]

  • Second, you need to configure the server via qmgr similar to this:

    set server acl_krb_realm_enable = True
    set server acl_krb_realms = *@PBSPRO
    set server acl_krb_submit_realms = *@PBSPRO
    set server cred_renew_enable = True
    set server cred_renew_tool = "/usr/bin/timeout 10 /usr/bin/krb525_renew"
    set server cred_renew_period = 12:00:00
    set server cred_renew_cache_period = 23:00:00

    See [2]
    Once you have the pbs.conf configured, you need to use: PBS_AUTH_METHOD=resvport qmgr for admin access or you can add your host principal as the PBS manager.

  • Third, I noticed a bug in openpbs. To resolve it the pbs_sched must be run (opposed to the rest of server components) with env like this: PBS_AUTH_METHOD=resvport pbs_sched

Using this configuration, you can submit a job (you need a valid kerberos ticket for submitting). A correctly submitted job has the attribute credential_id, which is principal.

Once the job will start, the credentials will be available and the job will have the attribute credential_validity.

Do you use MIT or Heimdal? Your main issue would probably be the cred_renew_tool. Without this tool, the job can not start. This tool is used for providing kerberos tickets to the jobs. It also provides a new ticket before the validation of the job’s ticket expires. Please, see the part Build a PBS renew-tool in [2] You can find an example of the renew tool as part of the openpbs source codes here: /openpbs/src/unsupported/renew-test. The example works with both the MIT and the Heimdal Kerberos. It expects the server keytab to provide all the credentials… just for testing.

I can also help you to configure our proper tool krb525 mentioned in [2]. Unfortunately, the server side of krb525 works only with Heimdal…

Let me know if you need more help.



1 Like