Kerberized Grid Engine Release Notes

Kerberized Grid Engine provides for the authentication of Grid Engine users and Grid Engine daemons to ensure a secure queueing environment. Kerberized Grid Engine also supports automatic forwarding and renewal of Kerberos ticket granting tickets (TGTs) on behalf of the user to the execution hosts to ensure that users' jobs will have the proper Kerberos credentials to execute other kerberized applications (e.g. PVM).

Installation Instructions for Kerberized Grid Engine

Kerberized Grid Engine requires Kerberos 5, release 1.0pl1 or later to be installed on all Grid Engine qmaster, shadow, execution, and submit hosts.
You must also define some Kerberos principals, add them to the Kerberos database, and add their keys to the default keytabs of the qmaster and execution hosts. Detailed instructions for setting up your Kerberos database to run Kerberized Grid Engine, with examples, are included below.
In the examples, the Kerberos domain is HPC-TX.COM. The qmaster host is fritz.hpc-tx.com and the execution host is constitution.hpc-tx.com.
 
  1. Add a principal for the Grid Engine service for each qmaster and shadow host. Specify the qmaster or shadow host as the host portion of the principal.

    $ kinit admin/admin
    Password for admin/admin@HPC-TX.COM:
    $ /usr/krb5/sbin/kadmin
    Enter password:
    kadmin: addprinc -randkey sge/fritz.hpc-tx.com@HPC-TX.COM
    Principal "sge/fritz.hpc-tx.com@HPC-TX.COM" created.
    kadmin: quit
    $

  2. Add a principal for the sge_qmaster and sge_schedd daemons for the qmaster host and any shadow hosts. Specify the qmaster or shadow host as the host portion of the principal.

    $ /usr/krb5/sbin/kadmin
    Enter password:
    kadmin: addprinc -randkey sge_qmaster/fritz.hpc-tx.com@HPC-TX.COM
    Principal "sge_qmaster/fritz.hpc-tx.com@HPC-TX.COM" created.
    kadmin: addprinc -randkey sge_schedd/fritz.hpc-tx.com@HPC-TX.COM
    Principal "sge_schedd/fritz.hpc-tx.com@HPC-TX.COM" created.
    kadmin: quit
    $

  3. For each execution host, add an sge_execd principal for the sge_execd daemon which will be executing on the host. Specify the execution host as the host portion of the principal.

    $ /usr/krb5/sbin/kadmin
    Enter password:
    kadmin: addprinc -randkey sge_execd/constitution.hpc-tx.com@HPC-TX.COM
    Principal "sge_execd/constitution.hpc-tx.com@HPC-TX.COM" created.
    kadmin: quit
    $

  4. Add the Grid Engine, sge_qmaster, and sge_schedd principals to the default keytab on the qmaster host and any shadow hosts. (You need to be root to write to the default keytab.)

    On each qmaster or shadow host:

    $ su
    Password:
    # /usr/krb5/bin/kinit admin/admin
    Password for admin/admin@HPC-TX.COM:
    # /usr/krb5/sbin/kadmin
    Enter password:
    kadmin: ktadd sge/fritz.hpc-tx.com sge_qmaster/fritz.hpc-tx.com sge_schedd/fritz.hpc-tx.com
    Entry for principal sge/fritz.hpc-tx.com with kvno 5, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal sge_qmaster/fritz.hpc-tx.com with kvno 5, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal sge_schedd/fritz.hpc-tx.com with kvno 4, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
    kadmin: quit
    #

  5. For each execution host, add the sge_execd principal to the default keytab on the execution host. (You need to be root to write to the default keytab.)

    On each execution host:

    $ su
    Password:
    # /usr/krb5/bin/kinit admin/admin
    Password for admin/admin@HPC-TX.COM:
    # /usr/krb5/sbin/kadmin
    Enter password:
    kadmin: ktadd sge_execd/constitution.hpc-tx.com
    Entry for principal sge_execd/constitution.hpc-tx.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
    kadmin: quit
    #

  6. Follow the usual instructions for installing Grid Engine.
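
Before starting the Grid Engine install, it is worth confirming that each host's keytab received every key the steps above call for. The shell functions below are an added example, not part of the Grid Engine distribution: they read a saved kadmin `ktadd` transcript in the format shown on this page, report any required service principal missing for the host's role, and flag single-DES enctypes such as DES-CBC-CRC, which RFC 6649 deprecates. The function names, the role names (`qmaster`, `shadow`, `execd`) and the finding labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the Grid Engine distribution.

# Service names each host role needs in its keytab, per the steps above.
required_services() {
    case "$1" in
        qmaster|shadow) echo "sge sge_qmaster sge_schedd" ;;
        execd)          echo "sge_execd" ;;
        *)              return 2 ;;
    esac
}

# audit_ktadd ROLE HOST  (reads a saved kadmin transcript on stdin)
# Prints one finding per line and returns 0 only when there are none.
audit_ktadd() {
    services=$(required_services "$1") || { echo "UNKNOWN-ROLE $1"; return 2; }
    findings=$(awk -v want="$services" -v host="$2" '
        /Entry for principal .* added to keytab / {
            princ = $4; sub(/@.*/, "", princ)        # drop any @REALM suffix
            etype = $0
            sub(/.*encryption type /, "", etype)
            sub(/ added to keytab.*/, "", etype)
            seen[princ] = 1
            # Single-DES enctypes (e.g. DES-CBC-CRC) are deprecated by RFC 6649.
            if (toupper(etype) ~ /^DES[- ]/) print "WEAK-ENCTYPE " princ " " etype
        }
        END {
            n = split(want, svc, " ")
            for (i = 1; i <= n; i++)
                if (!((svc[i] "/" host) in seen)) print "MISSING " svc[i] "/" host
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the qmaster ktadd transcript from this page with the
# sge_schedd line left out, to show a missing key being reported.
sample_transcript() {
    cat <<'EOF'
Entry for principal sge/fritz.hpc-tx.com with kvno 5, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal sge_qmaster/fritz.hpc-tx.com with kvno 5, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
EOF
}

if [ "${1:-}" = "demo" ]; then sample_transcript | audit_ktadd qmaster fritz.hpc-tx.com; fi
```

Run the script with the argument `demo` to audit the constructed sample, or pipe a saved transcript into `audit_ktadd` with the host's role and fully qualified name.
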
Copyright 2001 Sun Microsystems, Inc. All rights reserved.