On 22 November 2011 20:05, Chris Dagdigian <d...@sonsorol.org> wrote: > > Hi folks, > > I'm hands-on with a shiny new cluster running Univa's 8.0.1 release and > am having some issues running jobs as a non-root user via an account > that lives in Active Directory. > > The cluster is the standard sort of RHEL 5.7 based system but we are > using Centrify and in particular the Centrify > NIS-gateway-to-ActiveDirectory to service the cluster nodes without > having to license centrify on all nodes in the cluster. > > The user errors I see are familiar ones: > > "can't get password entry for user "x". Either user does not exist or > NIS error!" > > The confusing thing is that I can SSH into compute nodes as the same > user and both password logins and passwordless SSH work perfectly. It's > only when running under SGE that the jobs fail. > > If I had to guess I'd wonder first if SSHD was using Linux /etc/pam.d/ > in a way that "works" while SGE is accessing PAM in some way that we > have not configured properly yet. That's only a guess though. > > Does anyone have examples of SGE running via NIS authentication or via > Centrify? Any examples of PAM configuration that were needed to get NIS > users recognized under SGE? As others have pointed out community support for closed source versions is necessarily limited but nothing stops us from having a go. As Univa and Oracle diverge from the open source versions this will become harder though.
We have a setup where the user accounts are made available via NIS (ie nsswitch.conf points to NIS) with a "*" in the password field. We don't authenticate that way. On our worker nodes we use ssh host based auth (root has a local password) on our login nodes we use pam_ldap. This config is largely historical but allows us to use the college's central authentication services on the login nodes without having to import a lot of other stuff that we don't need. We didn't do anything special as far as setup was concerned. This is with SGE 6.2u3. I'd try running a getent command on the nodes to check that NIS is propogating all the way through to the name service. I think SGE just checks the account is present and not locked in some way. Do you perhaps have enforce_user set to yes in your sge_conf without having defined users? William > > Thanks! > > -Chris > > > _______________________________________________ > users mailing list > users@gridengine.org > https://gridengine.org/mailman/listinfo/users > > > _______________________________________________ users mailing list users@gridengine.org https://gridengine.org/mailman/listinfo/users
