Installing gssklog/gssklogd on our cluster
We have user home spaces (including grid "group" accounts) in our AFS cell (atlas.umich.edu). Currently any user trying to submit a globus-job-run command who has homespace in AFS will fail since the gatekeeper can't write to the home space. One solution is described by Dan Bradley, who used Doug Engert's gssklog (see below) to make it work.
Well I have been fighting with building gssklog since yesterday. Building from source gssklog-0.11 on gate01 or linat03 was not working because of the OpenSSL 0.9.7 changes (things like des_random_key being renamed DES_random_key and being unable to make the changes AND have the headers match the libraries). I was able to build a Kerberos version that worked but since we need GSI (x509->AFS) this wasn't useful.
I finally thought to look for RPMS and found Mike Jones' page at:
http://www.hep.man.ac.uk/u/masj/gssklog/ (he has since updated his page to include the 'ktohl_internal' fix below).
I did find a possible 'typo' in gssklogd.h. The version in Doug Engert's source and in the src RPM had 'ktohl' rather than 'ktohl_internal'. This causes the compiler to emit:
./gssklogd_afs.c:551: error: conflicting types for 'ktohl_internal'
./gssklogd_afs.c:551: note: an argument type that has a default promotion can't match an empty parameter name list declaration
./gssklogd_afs.c:319: error: previous implicit declaration of 'ktohl_internal' was here
It compiles after I changed it to 'ktohl_internal'.
So the RPMs work! I am installing gssklog-server on linat02, linat03 and linat04.
Note: if you want to rebuild from the .src RPMs you will need the static globus libraries. To get this from an OSG installation, set up Pacman and run 'pacman -get VDT:Globus-Base-SDK' from your OSG install directory.
Putting gssklogd on the AFS servers
I installed the gssklog-server on linat02, linat03 and linat04 which are our AFS DB and K5 servers.
I obtained 'gssklog' service certificates from the DOE Grids CA for each of these servers and put the resulting certificates and keys in /etc/grid-security/afskey.pem and /etc/grid-security/afscert.pem.
I then added a new bos service on each server via:
bos create linat02 gssklogd simple "/usr/local/sbin/gssklogd -p 751 -d"
The -d prevents the gssklogd from detaching (appropriate for a 'bos' service).
I created an /etc/grid-security/afsgrid-mapfile with an entry for me:
"/DC=org/DC=doegrids/OU=People/CN=Shawn McKee 83467" smckee
I then logged into linat03 (where I had installed the gssklog-client) and did:
unlog
grid-proxy-init
gssklog -port 751 -server linat03.grid.umich.edu
This got me AFS tokens.
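An added example, not part of the original page or of gssklog: an entry in /etc/grid-security/afsgrid-mapfile decides which AFS user a certificate DN gets tokens for, so the file is worth checking before gssklogd reads it. This Python script assumes the format of the single entry shown above (a quoted DN, then one user name) and that '#' starts a comment; lint_mapfile and every sample entry except the first are constructed for illustration.

```python
import re

# Assumed line format (taken from the one entry on this page): a double-quoted
# certificate DN, whitespace, then exactly one AFS user name.
ENTRY = re.compile(r'^"(?P<dn>/[^"]+)"\s+(?P<user>[A-Za-z0-9._-]+)$')

def lint_mapfile(text):
    """Return (mapping, problems) for the contents of an afsgrid-mapfile."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments are an assumption
            continue
        m = ENTRY.match(line)
        if not m:
            # Unquoted DNs split on the spaces in the CN; extra tokens are ambiguous.
            problems.append((lineno, "malformed entry (need quoted DN and one user)"))
            continue
        dn, user = m.group("dn"), m.group("user")
        if dn in mapping and mapping[dn] != user:
            # One DN mapped to two AFS users: keep the first, report the second.
            problems.append((lineno, f"DN already mapped to {mapping[dn]!r}, now {user!r}"))
            continue
        mapping[dn] = user
    return mapping, problems

# Constructed sample: line 1 is the entry from the page, the rest are test cases.
SAMPLE = '''\
"/DC=org/DC=doegrids/OU=People/CN=Shawn McKee 83467" smckee
# constructed entries below
/DC=org/DC=example/OU=People/CN=Unquoted User 1 user1
"/DC=org/DC=example/OU=People/CN=Dup User 2" user2
"/DC=org/DC=example/OU=People/CN=Dup User 2" admin
"/DC=org/DC=example/OU=People/CN=Two Names 3" user3 user4
'''

if __name__ == "__main__":
    mapping, problems = lint_mapfile(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(f"{len(mapping)} usable entries")
```

Run against the real file by passing its contents to lint_mapfile, and treat any reported problem as a reason not to install a regenerated mapfile.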
To make this work in general I followed Dan Bradley's example page. I set up a cron job on our gatekeeper to update/create a globus-kmapfile.
Details to follow
--
ShawnMcKee - 10 Jun 2006