ESP Workload Automation

  • 1.  Kerboros credentials on Linux

    Posted Mar 25, 2020 08:29 AM
    Morning All,

    Hope everyone out there is well.

    Is anyone using Kerboros authentication to access applications on Linux?  We're standing up a new application that is migrating from Windows to Linux.  The issue we currently have is that a Linux WOB does not log on like a Windows WOB; no password is used, it's using SETUID.  This does not result in Kerboros credentials being generated.

    Is there any way for a Linux job to generate the credentials at run time?  Is a keytab file the only option in this instance?  If a keytab file is used, who is in charge of populating and maintaining it: is it the application team, or is that an operational support function?

    Any help would be appreciated.  Our scheduling manager is ESP so there may be differences for other managers but any feedback would be great.

    Thanks,
    Len

    ------------------------------
    System Engineer
    Progressive
    OH
    ------------------------------


  • 2.  RE: Kerboros credentials on Linux

    Broadcom Employee
    Posted Mar 26, 2020 09:32 AM

    Hi Len,

    I googled this and wonder if you really mean Kerberos. If so, I hope you find the following post helpful:

    https://community.broadcom.com/mainframesoftware/communities/community-home/digestviewer/viewthread?MessageKey=b04ad909-f2e7-4d25-8313-00127ac0cf0c&CommunityKey=a63272f0-fb9f-44be-b0ff-9657f904076e&tab=digestviewer#bmb04ad909-f2e7-4d25-8313-00127ac0cf0c

    Thank you,

    Lucy




  • 3.  RE: Kerboros credentials on Linux

    Posted Mar 26, 2020 10:25 AM
    Lucy,

    Thanks for that.  It definitely has to do with the logon process the agent uses, 'setuid' vs 'su' type logon.  If it used 'su' then kerboros would work.  This only comes into play on data sources that require kerboros.  If I run this application (SAS) against a data source that does not require kerboros then ESP handles it with no issue.

    I'm hoping some other users have faced the same thing and have some insight.  In Windows it's never been an issue since there is an actual user logon, including a password.  

    But as always, I value your input.

    ------------------------------
    System Engineer
    Progressive
    OH
    ------------------------------



  • 4.  RE: Kerboros credentials on Linux

    Broadcom Employee
    Posted Mar 26, 2020 10:33 AM
    Hi Len,

    Sorry for my misunderstanding. I did a search earlier and couldn't find any post about Kerboros.

    I will ask our agent expert for their input. Another option is that you can open a support ticket.

    Thank you,

    Lucy


  • 5.  RE: Kerboros credentials on Linux

    Broadcom Employee
    Posted Mar 26, 2020 10:34 AM
    Hi Len, 
    Take a look at the note below. 
    Kerberos requires a ticket to be generated by the user, which allows you to authenticate. To get the ticket/token (every 24 hours or so) you need to enter the password. This can be done with passwordless login, and then there is no need to enter the password. See this link here:
    https://uz.sns.it/~enrico/site/posts/kerberos/password-less-ssh-login-with-kerberos.html

    If they can get this working, then the customer can set up a job to generate the ticket every so often, like once a day, and run their normal jobs after that token has been generated. They will need to script this and test it. Let me know if you have any questions.
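
Added example, not part of the thread or of any Broadcom documentation: one way to script the ticket generation discussed above, using a keytab (the option raised in the first post) rather than the passwordless-SSH method in the link. The keytab path, principal and job command are placeholders passed as arguments, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Wrapper a scheduler job could call (all names below are placeholders):
#   krb_job.sh /path/to/svc.keytab svc_account@EXAMPLE.COM some_job arg1 ...

# A keytab holds the principal's long-term key: anyone who can read it can
# authenticate as that principal. Accept only a regular file (no symlink),
# owned by the calling uid, with no group/other permission bits set.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    [ "$(stat -c '%u' "$kt")" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$kt")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Get a ticket from the keytab, run the job, then destroy the ticket.
run_with_ticket() {
    kt=$1; principal=$2; shift 2
    keytab_is_private "$kt" || {
        echo "refusing keytab $kt: wrong type, owner or mode" >&2
        return 2
    }
    # Private per-job credential cache, so concurrent jobs under the same
    # uid do not share or overwrite each other's tickets.
    ccdir=$(mktemp -d) || return 3
    KRB5CCNAME="FILE:$ccdir/cc"; export KRB5CCNAME
    rc=0
    # kinit -k -t reads the key from the keytab; klist -s exits non-zero
    # if the cache holds no valid ticket.
    if kinit -k -t "$kt" "$principal" && klist -s; then
        "$@" || rc=$?
    else
        echo "could not obtain a ticket for $principal" >&2
        rc=4
    fi
    kdestroy >/dev/null 2>&1
    rm -rf "$ccdir"
    return "$rc"
}

if [ "$#" -ge 3 ]; then
    run_with_ticket "$@"
fi
```

Because the ticket is requested inside the job itself, it does not depend on a separate daily refresh job having run first.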



  • 6.  RE: Kerboros credentials on Linux

    Posted Mar 27, 2020 07:49 AM
    Thanks Don,

    Nitin did share that site with me earlier.  Looks like it could be an option.

    ------------------------------
    System Engineer
    Progressive
    OH
    ------------------------------