[Condor-users] KERBEROS AUTH erro
- Date: Wed, 12 Sep 2007 09:54:32 +0200
- From: Arnau Bria <arnau@xxxxxxxxxxxxx>
- Subject: [Condor-users] KERBEROS AUTH erro
Hi,
I've used Kerberos auth in Condor for a long time and it worked fine.
But after an update of some Kerberos packages, it has stopped working.
Now I get the error: AUTH_ERROR: KDC policy rejects request
[...]
9/12 09:49:28 SECMAN: Auth methods: KERBEROS
9/12 09:49:28 AUTHENTICATE: in authenticate( addr == '<193.146.196.45:9618>', methods == 'KERBEROS')
9/12 09:49:28 AUTHENTICATE: can still try these methods: KERBEROS
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 64) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 64)
9/12 09:49:28 AUTHENTICATE: will try to use 64 (KERBEROS)
9/12 09:49:28 KERBEROS: krb5_unparse_name: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: param server princ: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: no user yet determined, will grab up to slash
9/12 09:49:28 KERBEROS: picked user: condor
9/12 09:49:28 KERBEROS: mapping realm FNAL.GOV to domain fnal.gov.
9/12 09:49:28 Client is condor@xxxxxxxx
9/12 09:49:28 KERBEROS: Server principal is condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 init_daemon: client principal is 'condor/cdf/bcncaf@xxxxxxxx'
9/12 09:49:28 init_daemon: Using default keytab FILE:/etc/krb5.keytab
9/12 09:49:28 init_daemon: Trying to get tgt credential for service condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 AUTH_ERROR: KDC policy rejects request
9/12 09:49:28 AUTHENTICATE: method 64 (KERBEROS) failed.
9/12 09:49:28 AUTHENTICATE: can still try these methods:
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = '')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 0) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 0)
9/12 09:49:28 AUTHENTICATE: no available authentication methods succeeded, failing!
[...]
Which means that I'm asking for a principal that is forwardable or proxiable
when it is not supposed to be. But looking at the principal, I get:
$ klist -f
Ticket cache: /tmp/krb5cc_10155
Default principal: condor/cdf/bcncaf@xxxxxxxx
09/12/07 09:49:01 09/13/07 11:48:54 condor/cdf/bcncaf@xxxxxxxx
Flags: A
It doesn't have any of the "problematic" flags (in fact, some of the scripts
request the principal like:
kinit -F -k -t /etc/krb5.keytab condor/cdf/bcncaf@xxxxxxxx
), but I don't really know what Condor does to get the principal.
Could someone explain it to me?
Has anyone had a similar experience?
$ condor -v
$CondorVersion: 6.8.3 Jan 4 2007 $
$CondorPlatform: I386-LINUX_RHEL3 $
TIA,
Arnau
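
An added example, not part of the original post and not Condor's own code: a Python triage pass over a log in the format quoted above, reporting which method was tried, the principal and keytab in use, and the AUTH_ERROR reason, so the failing credential request can be reproduced by hand. The sample lines are constructed in the post's format with a placeholder principal; the function and field names are assumptions.

```python
import re

# Constructed sample in the format of the log quoted in the post above;
# the principal is a placeholder, not a value from the post.
SAMPLE = """\
9/12 09:49:28 SECMAN: Auth methods: KERBEROS
9/12 09:49:28 HANDSHAKE: sending (methods == 64) to server
9/12 09:49:28 AUTHENTICATE: will try to use 64 (KERBEROS)
9/12 09:49:28 init_daemon: client principal is 'condor/host@EXAMPLE.REALM'
9/12 09:49:28 init_daemon: Using default keytab FILE:/etc/krb5.keytab
9/12 09:49:28 AUTH_ERROR: KDC policy rejects request
9/12 09:49:28 AUTHENTICATE: method 64 (KERBEROS) failed.
9/12 09:49:28 HANDSHAKE: sending (methods == 0) to server
9/12 09:49:28 AUTHENTICATE: no available authentication methods succeeded, failing!
"""

TRY = re.compile(r"AUTHENTICATE: will try to use \d+ \((\w+)\)")
FAILED = re.compile(r"AUTHENTICATE: method \d+ \((\w+)\) failed")
EXHAUSTED = "no available authentication methods succeeded"
DETAILS = {  # hypothetical field names -> pattern for the line carrying them
    "principal": re.compile(r"client principal is '([^']+)'"),
    "keytab": re.compile(r"Using default keytab (\S+)"),
    "error": re.compile(r"AUTH_ERROR: (.+)"),
}

def triage(log_text):
    """Return (attempts, exhausted): one dict per method tried, and whether
    the client ran out of methods to try."""
    attempts, current, exhausted = [], None, False
    for line in log_text.splitlines():
        if EXHAUSTED in line:
            exhausted = True
        m = TRY.search(line)
        if m:  # a new attempt starts; later detail lines belong to it
            current = {"method": m.group(1), "failed": False,
                       "time": " ".join(line.split()[:2])}
            attempts.append(current)
        elif current is not None:
            m = FAILED.search(line)
            if m and m.group(1) == current["method"]:
                current["failed"] = True
                current = None  # attempt closed; ignore details until the next one
                continue
            for field, rx in DETAILS.items():
                m = rx.search(line)
                if m:
                    current[field] = m.group(1)
    return attempts, exhausted
```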