[OpenAFS] [Fwd: Re: [Globus-discuss] globus & AFS-LSF]
Douglas E. Engert
Fri, 13 Jul 2001 08:51:54 -0500
Other AFS sites might be interested using other authentication systems to
obtain AFS tokens. This is a response to a user who has such a need.
extra comments [...] where included for those who don't know what Globus and GSI are.
-------- Original Message --------
Subject: Re: [Globus-discuss] globus & AFS-LSF
Date: Fri, 13 Jul 2001 08:34:49 -0500
From: "Douglas E. Engert" <firstname.lastname@example.org>
The AFS file system requires one to be authenticated to the file servers in order to
access AFS files. This is normally done with by using the AFS klog command to gets an
AFS token, which is stored in the UNIX kernel. Every access to the AFS file servers uses
the token and the DES encryption key in the token to prove to the file server that it is
you who is requesting access.
The AFS klog command requires you to enter your AFS password. But when authenticating
via GSI and Globus, your AFS password is not available.
We have two solutions for this, which use your GSI proxy credentials to authenticate
to the AFS servers to get you an AFS token: SSLK5 and GSIKLOG.
[GSI is part of Globus, see http://www.globus.org GSI is a GSSAPI implementation using
SSL and X509 certificates. It is built on OpenSSL. The proxy credential is a X509
chain which has been delegated from the client to a server.]
If you have Kerberos V5, DCE or a W2K domain you can use the SSLK5 solution,
which treats the AFS servers as other services in the realm/cell/domain.
The SSLK5 is used to get a Kerberos V5 ticket from the SSLK5D which is run
by the security admins. This K5 ticket is used with the MIT krb524d to get
you an AFS token. The K5 ticket can be used for other K5 services as well,
such as to get a DCE context to access DFS.
If you do not have any of the above or don't want to get a K5 ticket,
you can use the GSIKLOG. This uses your proxy to authenticate to the GSIKLOGD
run by the AFS administrators, which returns an AFS token.
[The GSIKLOG could actually be linked against any GSSAPI for authentication, but
we are using the GSI.]
The Globus gatekeeper can be setup to automatically call the sslk5 or gsiklog
using the delegated proxy for you. It is then upto the job manager and job
scheduler to propagate the token or K5 ticket. (Not all job schedulers may do this
These packages can be found at ftp://achilles.ctd.anl.gov/pub/DEE/
SSLK5 is sslk5-1.2.2-20010521.tar, but also requires modifications
to the MIT Kerberos source, located in ../kerberos.v5/README
The GSIKLOG is gsiklog-0.3.tar The GSIKLOG is still new but much simpler.
Contact me if you are interested in either.
P.S. My home directory is in AFS too.
> I'm trying to use globus software V1.3 on a front-end machine to an AFS-LSF
> network. I configured for 2 job-managers (fork and lsf) and the globus user
> has been mapped to the AFS-LSF authenticated user in the grid-mapfile.I've
> some run-time problems:
> 1) If I send jobs to the F.E. machine using fork jobmanager everything is
> ok if I try to execute shell commands or to execute programs that don't
> have to read/write on the AFS home directory of the F.E. user. If I try
> to do I/O on another directory like /tmp everything is OK ( also I/O of
> files).So am I missing something on Globus configuration? The AFS home permissions
> are OK and so are the files...
> 2)In order to configure globus with LSF I added another job-manager in the
> globus-services.conf file in the deploy dir and I made a sym link from etc/lsf/conf
> to the LSF configuration file.Is there something else to configure ?
> Andrea Parrini
> Abbonati a Tiscali!
> Con VoceViva puoi anche ascoltare ed inviare email al telefono.
> Chiama VoceViva allo 0143 434343
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439