Re: [Condor-users] Kerberos realm mapping problem

[David McBride <dwm@xxxxxxxxxxxx>]

Liam Gretton wrote:

> If I simply remove the map file, things actually get a little further; 
> Condor reports which principal it's trying to use and queries the right 
> keytab file:
>
> 13:15:05 SECMAN: new session, doing initial authentication.
> 13:15:05 SECMAN: Auth methods: KERBEROS
> 13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
> 13:15:05 HANDSHAKE: handshake() - i am the client
> 13:15:05 HANDSHAKE: sending (methods == 64) to server
> 13:15:05 HANDSHAKE: server replied (method = 64)
> 13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
> 13:15:05 KERBEROS: no user yet determined, will grab up to slash
> 13:15:05 KERBEROS: picked user: host
> 13:15:05 KERBEROS: remapping 'host' to 'condor'
> 13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
> 13:15:05 Client is condor@(null)
> 13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
> 13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
> 13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
> 13:15:05 init_daemon: Trying to get tgt credential for service 
> host/host.dummy.com@xxxxxxxxx
> 13:15:05 AUTH_ERROR: Client not found in Kerberos database
> 13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.

"Client not found in Kerberos database" -- this message indicates that 
the principal "host/host.dummy.com@xxxxxxxxx" doesn't exist in your KDC.

This is a really stupid question, but have you created that principal 
correctly?

(What kind of Kerberos server are you using?  An MIT / Heimdal KDC, a 
Windows Active Directory, or something else?)

In case it's helpful, you can review the full top-level configuration
file for my local Kerberos-authenticated Condor pool here:

    http://www.doc.ic.ac.uk/condor/config/doc/condor_config.global

Cheers,
David
--
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London