
Re: [Condor-users] job submission fails with SSL in 6.8.4



> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Zachary Miller
> Sent: 05 April 2007 22:53
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] job submission fails with SSL in 6.8.4
> 
> > C:\>condor_submit host.sub
> > 
> > Submitting job(s)
> > ERROR: Failed to set Owner="smithic" for job 5.0 (0)
> > 
> > ERROR: Failed to queue job.
> 
> first, let me apologize for the lack of documentation.
> 
> the reason it is failing is because condor doesn't know that 
> your ssl credentials should be the user 'smithic'.  so what 
> you need here is a way to map the subject of your SSL 
> certificate to a particular user, in this case 'smithic'.
> 
> to do this, you need to define CERTIFICATE_MAPFILE in your 
> condor_config to point to a file that does the mappings.  the 
> file format is simple.  one line is a rule.  each rule has 
> three columns:
>   AUTHMETHOD   REGEX   USERNAME
> 
> in your case, you'll want:
> 
> SSL  (.*)  smithic
> 
> 
> the forthcoming 6.9.2 manual has some rudimentary 
> documentation on this, which can be found here:
>   http://www.cs.wisc.edu/condor/manual/v6.9.2/3_6Security.html#21555
> 
> 
> note that the above example will map all users to 'smithic'.  
> you may need to have several rules if you want different 
> users, or use a RegEx to extract the username from the 
> certificate subject, if it is the same as in the password file.
> 
> 
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=zachskey  zmiller
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=ianskey   smithic
> SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=(.*)      \1
> 
> 
> again, sorry for the lack of documentation... i am working on it.
> in the meantime, please feel free to ask more questions, as 
> my answers will likely become the documentation.  also, i 
> dislike the name 'CERTIFICATE_MAPFILE' and was hoping to 
> change it before this got officially released, so be prepared 
> for all of this changing slightly in the future.
> 
> 
> cheers,
> -zach

I seem to have got the SSL working when I set up a win XP machine
as a standalone Condor pool (i.e. submit/manager/execute host).
When I try the same thing using a Solaris box I get memory faults
when running condor_q and condor_status although the daemons seem to
start OK. The collector and scheduler log files contain:

 4/17 16:22:44 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1005:Failed to securely exchange session key

If I take the mapfile out then condor_status and condor_q work but
I can't submit anything. Back to this error:


ERROR: Failed to set Owner="smithic" for job 1.0 (13)

ERROR: Failed to queue job


So I'm starting to think that the problem is at the (unix) central
manager end rather than with the (windows) execute host. This seems to
be close to working but without any documentation to go on it's all
guesswork really.

regards,

-ian.
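
The map file rules quoted above, evaluated in Python to show what the catch-all `SSL (.*) smithic` does compared with the per-subject rules; this is an added example, not code from the thread or from Condor. It assumes rules are tried top to bottom with the first match winning and that the REGEX must match the whole certificate subject; the `FOREIGN` subject and the function names are constructed for illustration.

```python
import re

# Rules quoted in the thread (raw string keeps the \1 back-reference literal).
SPECIFIC = r"""
SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=zachskey  zmiller
SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=ianskey   smithic
SSL   /C=US/ST=Wisconsin/L=Madison/O=Condor/CN=(.*)      \1
"""
CATCH_ALL = "SSL  (.*)  smithic\n"
# Constructed subject from an unrelated issuer, used as a probe.
FOREIGN = "/C=XX/O=Unrelated CA/CN=someone-else"

def parse_rules(text):
    """Split each rule into (AUTHMETHOD, compiled REGEX, USERNAME)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, rest = line.split(None, 1)
        pattern, user = rest.rsplit(None, 1)  # REGEX may contain spaces
        rules.append((method, re.compile(pattern), user))
    return rules

def map_subject(rules, method, subject):
    """Return the mapped username, or None if no rule matches.
    Assumption: first matching rule wins, whole-subject match."""
    for rule_method, pattern, user in rules:
        if rule_method != method:
            continue
        hit = pattern.fullmatch(subject)
        if hit:
            return hit.expand(user)  # resolves \1 to the captured CN
    return None

def overbroad_rules(rules, probe=FOREIGN):
    """Patterns that hand a username to a subject they should not know."""
    return [p.pattern for _, p, _ in rules if p.fullmatch(probe)]

if __name__ == "__main__":
    base = "/C=US/ST=Wisconsin/L=Madison/O=Condor/CN="
    for text in (SPECIFIC, CATCH_ALL + SPECIFIC):
        rules = parse_rules(text)
        print(map_subject(rules, "SSL", base + "zachskey"),
              map_subject(rules, "SSL", FOREIGN), overbroad_rules(rules))
```

With the catch-all rule first, every subject, including the foreign one, resolves to `smithic`; with only the per-subject rules the foreign subject maps to no user.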
