On 04/12/2013 11:04 AM, Jason Bishop wrote:

> The head node has a keytab; there are also 3 login nodes and they have keytabs too. Then there are 100 compute nodes which presently do not.
> 
> Anonymous is a clever idea, but I was hoping to instrument the compute nodes such that my user and group filters in the head node's sssd config would be in effect, i.e. the users and groups the head node sees, the compute nodes also see.
> 
> Of the two, the groups are the tricky one, as I need special permissions on my host keytab to actually get that data (it's not available anonymously).
> 
> Thank you for the help; I would really like to get this working.

So do I get it right: you do not want keytabs to be on the nodes, but on the other hand you want the nodes to be able to get the same information, so they need to be authenticated?
I have a stupid idea...
How about sharing the Kerberos ticket cache in some way between the nodes?
I do not know how to do it best so as not to create security holes.
Have a cron job to copy it around, or if there is some shared area in the cluster, store the ticket cache there and point the nodes to it?
In this case the cluster nodes would not be able to initiate the communication until the head node has a ticket. I do not know how SSSD would behave in this situation though...
Maybe to trick SSSD one can create a keytab with a dummy key. That would probably cause some failure to connect if tried, and SSSD would go offline, but the next time it tries it should see a ready-to-use Kerberos ticket in the shared cache and just use it.


On Fri, Apr 12, 2013 at 1:57 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, Apr 11, 2013 at 10:30:26PM -0700, Jason Bishop wrote:
> Hi everybody, I may have an easy question, but I haven't found anything in
> the documentation which describes my use-case exactly. I hope you can help.
> My environment is Kerberos for authentication and Kerberos using a
> host keytab for LDAP binds. SSSD is working fine for this setup. The
> wrinkle is that I am trying to get this to work on a (Rocks) HPC cluster
> where I have Kerberos running on the head node but not the compute nodes.

Do I get it right that only the head node has a keytab?

> I am hoping that I can use the sssd config with Kerberos authentication on
> the head node and have a simpler setup for the compute nodes. Since SSH
> public keys are used for authentication on compute nodes, I really only
> need user and group enumeration working there. Is there a simple way to
> get the user list from sssd on the head node for use on compute nodes?
> Thank you
> Jason

Can you just use anonymous LDAP binds on the other nodes?
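To make the two setups under discussion concrete, here is an added example of what the head node and compute node `sssd.conf` could look like: the head node binds to LDAP over SASL/GSSAPI with its host keytab, while the compute node uses the anonymous LDAP bind Jakub suggests. This is not configuration from the thread or from the SSSD project; the hostnames, realm, base DNs, CA path and the `hpc` group name are placeholders, and the `memberOf` filter assumes a directory that maintains that attribute.

```ini
# Added example, not from the thread. All names below are placeholders.

# --- head node: /etc/sssd/sssd.conf ---
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_search_base = dc=example,dc=com
# Bind with the host keytab (SASL/GSSAPI) rather than a password or anonymously.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/headnode.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
# The "user and group filters" from the thread, in SSSD's base?scope?filter form:
# only members of the hpc group are visible as users, and only that group is visible.
ldap_user_search_base = ou=People,dc=example,dc=com?subtree?(memberOf=cn=hpc,ou=Groups,dc=example,dc=com)
ldap_group_search_base = ou=Groups,dc=example,dc=com?subtree?(cn=hpc)
# Needed if "getent passwd" must list every user; it is expensive on large directories.
enumerate = true

# --- compute node: /etc/sssd/sssd.conf ---
[sssd]
services = nss
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
# SSH public keys handle logins on compute nodes, so SSSD does no authentication here.
auth_provider = none
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_search_base = dc=example,dc=com
# No ldap_sasl_mech, ldap_default_bind_dn or keytab: SSSD binds anonymously.
# The same filters as on the head node, applied to whatever the anonymous bind can read.
ldap_user_search_base = ou=People,dc=example,dc=com?subtree?(memberOf=cn=hpc,ou=Groups,dc=example,dc=com)
ldap_group_search_base = ou=Groups,dc=example,dc=com?subtree?(cn=hpc)
enumerate = true
```

Before relying on the compute node variant, check what the directory actually returns to an unauthenticated bind, for example with `ldapsearch -x -H ldaps://ldap.example.com -b ou=Groups,dc=example,dc=com '(cn=hpc)'`. If, as Jason describes, group entries are not readable anonymously, the compute nodes will see the filtered user list but no groups, and the head node's group filter cannot be reproduced there without some authenticated credential on the node.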
