Kerberos support in OnDemand authentication

I’ve been setting up Open OnDemand in our computational center and through installation and configuration I’ve encountered problem with Kerberos authentication.
I’ve started a discussion on Github:

however, it was suggested that I should start conversation also here.
I am pasting some of the most reliable lines from github:

For authentication, we are using Kerberos, not LDAP. Authenticating works but we are unable to get path to cached Kerberos ticket from the environment variables. This prevents users from submitting jobs (qmgr really needs to verify that there exists krb ticket under right user ownership and 0600 permissions). We are using mod_auth_kerb which is Apache Module for Kerberos. We know that the ticket is created as it is shown in /tmp, also using cgi script we can print the ENV value of KRB5CCNAME. In the ood YAML config, we set KrbSaveCredentials to On and we use Ruby regex parser for getting user name . At this point, it would be nice if we had this KRB5 ENV variable. However, there are no ENV variables like that at all present in whole ENV variables, it seems as the information about the ticket is somehow deleted from the environment, so basically I can not get them.


You may be able to pass the KRB5CCNAME env variable down to PUN. See these docs on custom env variables.

that really didn’t work, my reply:

The tickets should be present while the user is logged in and in KRB5CCNAME env varible should be present path to that cached ticket (with right ownership - owner is user and group is user group - and right permissions 0600). However,this variable also isn’t shown in available ENV variables.
Actually, the problem might also be connected with the fact that the Kerberos credentials are created under user Apache a this user can never create file owned by somebody else.

We have created a small C script that copies the content of the created ticket and places it with right permissions and ownership somewhere to /tmp (I think it was the default location which is searched when looking for the ticket). This script is executed in vim ood_auth_map.regex , jus when the user is fund in the map file.
Anyway, this has many drawbacks such as it is not secure at all because well, whole ticket is copied and then it is not deleted (this is our problem, we should fix this but how would you know that the user has already logged off for today?). Apart from that, it is just an ad-hoc solution and I think there must be a more elegant way to address this.

If you have any interest in this topic or feature, feel free to contribute to this problem. I will be very grateful.

1 Like