Lustre discuss - Jul 2009 - Lustre kerberos credentials not looking at $KRB5CCNAME

Lustre kerberos does not look at $KRB5CCNAME.  It assumes that your kerberos
ccache is
/etc/krb5cc_N.    This problem affects system which uses kerberos toauthenticate
logins.
The system complains with a log error saying that it cannot find a ccache  and
the user
cannot accessthe lustre filsystem (permission denied with df or any 
attempts for IO).

Workarounds:
    -manually run "unset KRB5CCNAME" then "kinit"
    -or parse $KRB5CCNAME from FILE:/tmp/XYZ and run "cp /tmp/XYZ
/tmp/krb5cc_N" in login scripts

The ideal solution is for lustre kerberos to have something similar to
"afslog" which will
look at $KRB5CCNAME and put lustre credentials somewhere where the system can
find them.

Kudos to Kevin Sullivan (PSC) for helping to identify the problem and providing
the work-around.

This has been filed in bugzilla.lustre under #20253


-josephine

On Thu, Jul 23, 2009 at 07:06:01PM -0400, Josephine Palencia
wrote:
> Lustre kerberos does not look at $KRB5CCNAME.  It assumes that your
> kerberos ccache is /etc/krb5cc_N.    This problem affects system which
> uses kerberos toauthenticate logins.  The system complains with a log
> error saying that it cannot find a ccache  and the user cannot
> accessthe lustre filsystem (permission denied with df or any attempts
> for IO).
Kernel code can''t look at user-land environment variables.

On a kernel with keyrings and recent MIT krb5 code the correct behavior
should be that the system finds and uses the ccache named in the
process'' keyring for krb5.
> The ideal solution is for lustre kerberos to have something similar to
> "afslog" which will look at $KRB5CCNAME and put lustre
credentials
> somewhere where the system can find them.
OpenAFS now does more or less what I mention above.  I''m new to Lustre,
but I''ll take a look and see what''s wron with what
Lustre''s doing.

Nico
--