HPCE/gitea-pages
HPCE/gitea-pages
0
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Activity

fix some formatting in krb docu

Browse Source
This commit is contained in:
viessm_h 2024-11-21 14:41:12 +01:00
parent 8cf2674d33
commit a7c2d11e95
Signed by: viessm_h
GPG Key ID: 0C24C120CDED56F0
1 changed files with 83 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
pages/merlin7/02-How-To-Use-Merlin/kerberos.md
View File

@ -20,11 +20,11 @@ time is 10 hours. It means than one needs to constantly renew (`krenew` command)
granting tickets, and their validity can not be extended longer than 7 days. At this point, granting tickets, and their validity can not be extended longer than 7 days. At this point,
one needs to obtain new granting tickets. one needs to obtain new granting tickets.
## Obtaining granting tickets with username and password ## Obtaining granting tickets with username and password
As already described above, the most common use case is to obtain Kerberos and AFS granting tickets As already described above, the most common use case is to obtain Kerberos and AFS granting tickets
by introducing username and password: by introducing username and password:
* When login to Merlin through SSH protocol, if this is done with username + password authentication, * When login to Merlin through SSH protocol, if this is done with username + password authentication,
tickets for Kerberos and AFS will be automatically obtained. tickets for Kerberos and AFS will be automatically obtained.
* When login to Merlin through NoMachine, no Kerberos and AFS are granted. Therefore, users need to * When login to Merlin through NoMachine, no Kerberos and AFS are granted. Therefore, users need to
@ -32,26 +32,34 @@ run `kinit` (to obtain a granting Kerberos ticket) followed by `aklog` (to obtai
See further details below. See further details below.
To manually obtain granting tickets, one has to: To manually obtain granting tickets, one has to:
1. To obtain a granting Kerberos ticket, one needs to run `kinit $USER` and enter the PSI password. 1. To obtain a granting Kerberos ticket, one needs to run `kinit $USER` and enter the PSI password.
```bash ```bash
kinit $USER@D.PSI.CH kinit $USER@D.PSI.CH
``` ```
2. To obtain a granting ticket for AFS, one needs to run `aklog`. No password is necessary, but a valid 2. To obtain a granting ticket for AFS, one needs to run `aklog`. No password is necessary, but a valid
Kerberos ticket is mandatory. Kerberos ticket is mandatory.
```bash ```bash
aklog aklog
``` ```
3. To list the status of your granted tickets, users can use the `klist` command. 3. To list the status of your granted tickets, users can use the `klist` command.
```bash ```bash
klist klist
``` ```
4. To extend the validity of existing granting tickets, users can use the `krenew` command. 4. To extend the validity of existing granting tickets, users can use the `krenew` command.
```bash ```bash
krenew krenew
``` ```
* Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
and then `kinit** should be used instead.
* Keep in mind that the maximum lifetime for granting tickets is 7 days, therefore `krenew` can not be used beyond that limit,
and then `kinit` should be used instead.
## Obtanining granting tickets with keytab ## Obtanining granting tickets with keytab
@ -66,26 +74,36 @@ other users.
For generating a **keytab**, one has to: For generating a **keytab**, one has to:
1. Load a newer Kerberos ( `krb5/1.20` or higher) from Pmodules: 1. Load a newer Kerberos ( `krb5/1.20` or higher) from Pmodules:
```bash ```bash
module load krb5/1.20 module load krb5/1.20
``` ```
2. Create a private directory for storing the Kerberos **keytab** file 2. Create a private directory for storing the Kerberos **keytab** file
```bash ```bash
mkdir -p ~/.k5 mkdir -p ~/.k5
``` ```
3. Run the `ktutil` utility which comes with the loaded `krb5` Pmodule: 3. Run the `ktutil` utility which comes with the loaded `krb5` Pmodule:
```bash ```bash
ktutil ktutil
``` ```
4. In the `ktutil` console, one has to generate a **keytab** file as follows: 4. In the `ktutil` console, one has to generate a **keytab** file as follows:
```bash ```bash
# Replace $USER by your username # Replace $USER by your username
add_entry -password -k 0 -f -p $USER add_entry -password -k 0 -f -p $USER
wkt /data/user/$USER/.k5/krb5.keytab wkt /data/user/$USER/.k5/krb5.keytab
exit exit
``` ```
Notice that you will need to add your password once. This step is required for generating the **keytab** file. Notice that you will need to add your password once. This step is required for generating the **keytab** file.
5. Once back to the main shell, one has to ensure that the file contains the proper permissions: 5. Once back to the main shell, one has to ensure that the file contains the proper permissions:
```bash ```bash
chmod 0600 ~/.k5/krb5.keytab chmod 0600 ~/.k5/krb5.keytab
``` ```
@ -108,18 +126,25 @@ The steps should be the following:
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area * Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job): (`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job):
```bash ```bash
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
``` ```
* To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab: * To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
```bash ```bash
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
``` ```
* To obtain a granting AFS ticket, run `aklog`: * To obtain a granting AFS ticket, run `aklog`:
```bash ```bash
aklog aklog
``` ```
* At the end of the job, you can remove destroy existing Kerberos tickets. * At the end of the job, you can remove destroy existing Kerberos tickets.
```bash ```bash
kdestroy kdestroy
``` ```
@ -168,7 +193,6 @@ Then, you can run one or multiple jobs scripts (or parallel job with `srun`). `K
job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs. job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs.
```bash ```bash
#!/bin/bash #!/bin/bash
#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly' #SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly'
#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition. #SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition.