
Re: [Condor-users] KRB5 authentication



That is very helpful.  Knowing I can set an arbitrary and nonunique
principal gives me one workable solution at least.

On Tue, Feb 10, 2009 at 04:13:54PM -0600, Zachary Miller wrote:

:or, if you want to only use host-based authorization between condor daemons
:and use KERBEROS for submitting jobs, you can use all the default config
:options (i.e. remove all the lines you had starting with SEC_) and simply set:
:  SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
:
:and that will force all condor_submits to be kerberos authenticated.  normally,
:authentication is optional so daemon-to-daemon will not use it.  however, when
:condor_submit talks to the SchedD, authentication is forced whether or not your
:condor_config requires it.

This may be what I'm looking for.  In this case would users (with
kerberos tickets) be able to submit on machines without keytabs?  This
I suppose hinges on what users are authenticating with.  If they
authenticate to the condor daemon on the submit system then I'd guess
no, if they authenticate with the central manager (which does have a
proper keytab) then yes?

The big carrot for workstations joining the cluster is for users to be
able to submit from their desktops; continuing to require them to use
the existing submit systems is less than optimal and in that case I'd
rather copy a generic condor principal around.

Thanks,
-Jon