arla , krb and ntp
Chris Wing
wingc at engin.umich.edu
Wed Mar 29 02:11:59 CEST 2000
Camelia:
> I installed in PC-linux farm arla, kerberos and ntp.
> All three of them run and I get /afs filesystems for cern.ch, rhic and
> desy.de.
> But I still have problems with klog for users.
> If in ThisCell is written cern.ch I get klog only for cern.ch.
> If I change and I write in ThisCell desy.de I get klog for desy.de users
> and I don't get for the others and the same with rhic.
> What shall I write to get klog for all my users into cern.ch desy.de and
> rhic on the same computer?

You can just run 'klog @cell' to get tokens for a different cell. To
obtain a Kerberos ticket, use 'klog -tmp'. So if you want to get tokens in
all cells, do:

    klog @cern.ch
    klog @desy.de
    klog @rhic

Make sure you are using the patch to make klog work properly:

    http://www.engin.umich.edu/caen/systems/Linux/code/misc/arla-klogandgetarg.patch

klog is broken in the current Arla distribution, and basically should not
be used without the above patch. (I'll try to merge the fix as soon as I
have time)

> The second question is:
> if one user has a ticket on one computer to cern.ch (for ex) and submits
> a job using LSF or PVM (that looks for available computer that can be
> different from the one with afs ticket), how this user can take files
> from afs without doing klog on the second computer on which LSF runs his
> job.

Other people have written in noting that there exist patches to various
batch systems which handle this problem. I believe that we are using PBS
here for submitting jobs.

> The third question is what happens if the time for a job exceeds the time
> of the ticket?

You will have to get new tokens before the old ones expire. This implies
that the Kerberos password will have to be kept around somewhere (or else
a user will have to periodically log in and reauthenticate).

I believe that a Kerberos 5 system can extend the lifetime of tickets
without a password, but this will not help you in dealing with today's
Kerberos 4 based AFS setups.

It's probably a good idea to use non-authenticated local storage for data
while a job is running, if it will take several weeks (months?) to
complete.

-Chris Wing
wingc at engin.umich.edu