David McBride wrote:
Can you get by without any kind of Condor-specific domain-to-Realm mapping, and simply let the Kerberos libraries use the defaults in /etc/krb5.conf?
I've done it now by ignoring the apparently broken CONDOR_SERVER_PRINCIPAL and doing the following:

    KERBEROS_SERVER_PRINCIPAL = host/$(FULL_HOSTNAME)@REALM.COM

So finally I got our Linux hosts to authenticate with the AD without having to use the map file at all.
But now I've hit another major problem when trying to get the Windows Condor clients to do the same... it looks like Condor for Windows is linked to MIT's Kerberos libraries rather than using the MS Kerberos interface, and of course our Windows systems don't have a krb5.ini or keytab file (and that's not something I'm going to be able to change).
-- Liam Gretton L.Gretton@xxxxxxxxxxx Computing Services http://www.lboro.ac.uk/ Loughborough University Tel: +44 (0)1509 228431 Leicestershire LE11 3TU United Kingdom