Re: [Condor-users] Kerberos realm mapping problem
- Date: Thu, 11 Dec 2008 13:41:51 -0600
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [Condor-users] Kerberos realm mapping problem
On Thu, Dec 11, 2008 at 09:30:10AM +0000, Liam Gretton wrote:
> Liam Gretton wrote:
> > I just discovered something else: as far as I can see
> > CONDOR_SERVER_PRINCIPAL has no effect whatsoever - whatever I set it to,
> > or if I simply comment it out, Condor attempts to create a principal
> > host/host.dummy.com@xxxxxxxxxx
>
> Apologies for continuing to reply to myself.
i apologize for not stepping in to help sooner, i have been out with some form
of the plague.
> Having spent a good day tearing my hair out trying to get this to work,
> I went through the Condor source code and have found no reference to
> CONDOR_SERVER_PRINCIPAL at all. Instead I found the following
> undocumented configuration settings in condor_auth_kerberos.C:
>
> KERBEROS_SERVER_KEYTAB
> KERBEROS_SERVER_PRINCIPAL
> KERBEROS_SERVER_USER
> KERBEROS_SERVER_SERVICE
> KERBEROS_CLIENT_KEYTAB
correct.
> KERBEROS_SERVER_PRINCIPAL can be set to the explicit principal required,
> but there's no attempt to create a principal in the way that
> CONDOR_SERVER_PRINCIPAL is supposed to.
actually, KERBEROS_SERVER_SERVICE should do exactly that.
> It seems to me that either the Kerberos handling has changed
> significantly in a recent version, and/or the documentation is in need
> of updating.
nothing has changed recently. the sad fact is, the documentation has
apparently always been woefully incorrect.
it seems you've already figured most of this out, but here's a quick'n'dirty
summary of each of the above knobs. i'll work on the documentation in the
manual, but hopefully these help:
> KERBEROS_SERVER_KEYTAB
the file that holds the principals and associated keys. default on most
systems these days is /etc/v5srvtab
> KERBEROS_SERVER_PRINCIPAL
the exact principal to use. default is host/<hostname>@<realm>
> KERBEROS_SERVER_USER
the username that the server principal will map to after authentication.
default is 'condor'.
> KERBEROS_SERVER_SERVICE
the kerberos service name. this string is prepended with a slash to the
hostname to construct the server principal. (like CONDOR_SERVER_PRINCIPAL
is documented as doing in the manual)
> KERBEROS_CLIENT_KEYTAB
what keytab file the client side should use.
> CONDOR_SERVER_PRINCIPAL
never existed, does nothing.
cheers,
-zach
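The knob summary above can be turned into a quick sanity check: derive the principal the daemon will actually look for (KERBEROS_SERVER_SERVICE + "/" + hostname + "@" + realm, or the explicit KERBEROS_SERVER_PRINCIPAL), confirm that principal really is in the keytab, and flag CONDOR_SERVER_PRINCIPAL as a knob nothing reads. This is an added example, not Condor's own code or a reproduction of condor_auth_kerberos.C. It assumes that an explicit KERBEROS_SERVER_PRINCIPAL takes precedence over the service/hostname construction (the message does not say which wins), and it parses MIT `klist -k` output; the hostname, realm and keytab listing are constructed for the example.

```python
import re

# Defaults as described in Zach's summary above.
DEFAULT_SERVICE = "host"          # principal defaults to host/<hostname>@<realm>
DEFAULT_USER = "condor"           # KERBEROS_SERVER_USER default
DEFAULT_KEYTAB = "/etc/v5srvtab"  # KERBEROS_SERVER_KEYTAB default named in the message

# Knobs the message says never existed and are ignored by Condor.
IGNORED_KNOBS = ("CONDOR_SERVER_PRINCIPAL",)


def server_principal(config, hostname, realm):
    """Return the principal the Condor daemon will look up in its keytab.

    Assumption (not stated in the message): an explicit
    KERBEROS_SERVER_PRINCIPAL wins over the service/hostname construction.
    """
    explicit = config.get("KERBEROS_SERVER_PRINCIPAL")
    if explicit:
        return explicit
    service = config.get("KERBEROS_SERVER_SERVICE", DEFAULT_SERVICE)
    return "%s/%s@%s" % (service, hostname, realm)


def mapped_user(config):
    """Local username the server principal maps to after authentication."""
    return config.get("KERBEROS_SERVER_USER", DEFAULT_USER)


def keytab_path(config):
    return config.get("KERBEROS_SERVER_KEYTAB", DEFAULT_KEYTAB)


def ignored_knobs(config):
    """Knobs present in the config that Condor does not read at all."""
    return [k for k in IGNORED_KNOBS if k in config]


# One entry line of MIT `klist -k` output: a key version number, then a principal.
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def principals_in_klist(klist_output):
    """Parse `klist -k <keytab>` output into the set of principals it holds."""
    found = set()
    for line in klist_output.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            found.add(m.group(2))
    return found


def check_keytab(config, hostname, realm, klist_output):
    """Report whether the principal Condor will use is actually in the keytab."""
    principal = server_principal(config, hostname, realm)
    return {
        "keytab": keytab_path(config),
        "principal": principal,
        "user": mapped_user(config),
        "in_keytab": principal in principals_in_klist(klist_output),
        "ignored": ignored_knobs(config),
    }


# Constructed sample `klist -k` output for a hypothetical host; not a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/v5srvtab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/node1.example.com@EXAMPLE.COM
   2 host/node1.example.com@EXAMPLE.COM
   3 condor/node1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    # Setting only the nonexistent CONDOR_SERVER_PRINCIPAL changes nothing:
    # the daemon still wants host/<hostname>@<realm>.
    cfg = {"CONDOR_SERVER_PRINCIPAL": "condor/node1.example.com@EXAMPLE.COM"}
    print(check_keytab(cfg, "node1.example.com", "EXAMPLE.COM", SAMPLE_KLIST))
    # KERBEROS_SERVER_SERVICE is the knob that actually changes the service part.
    cfg = {"KERBEROS_SERVER_SERVICE": "condor"}
    print(check_keytab(cfg, "node1.example.com", "EXAMPLE.COM", SAMPLE_KLIST))
```

To use it against a real host, feed `check_keytab` the output of `klist -k <KERBEROS_SERVER_KEYTAB>` and the values from `condor_config_val`; if `in_keytab` is false, the daemon will fail the Kerberos handshake no matter what CONDOR_SERVER_PRINCIPAL says.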