Re: [Condor-users] GSI gridmap fail on 7.6.6

[Steven Timm <timm@xxxxxxxx>]

Looks like you are dealing with some kind of a DNS issue on a public vs. 
private net.
You have ALLOW_DAEMON from hosts that have host names like 
ultralight.org, which are in your gridmap file, but the IP's that you are
showing in the log file don't resolve to ultralight.org, or in
fact to anything at all.

You need to either also include the private net ip's of interest
in your ALLOW list, or use the NETWORK_INTERFACE setting to make
sure all the daemons you need are using the public ultralight.org ip.

Steve Timm


On Thu, 9 Feb 2012, Steven Lo wrote:

> Hi,
>
> We are in the process of testing Condor version 7.6.6 with our existing
> version 7.4.1.  If all go well, we will upgrade all to 7.6.6.
>
> We are having problem with the GSI authentication part.  Looks like
> the gridmap lookup of the host certificate in the gridmap is not
> working properly.
>
> The following is part of the MasterLog:
>
> 02/09/12 09:17:50 This process has a valid certificate & key
> 02/09/12 09:17:50 Adding to resolved authorization table: 
> gsi@unmapped/10.3.255.107: DENY_DAEMON
> 02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host 10.3.255.107 
> for command 60008 (DC_CHILDALIVE), access level DAEMON: reason: DAEMON 
> authorization policy contains no matching ALLOW entry for this request; 
> identifiers used for this host: 
> 10.3.255.107,compute-10-33.local,compute-10-33
> 02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host 10.3.255.107 
> for command 60008 (DC_CHILDALIVE), access level DAEMON: reason: cached result 
> for DAEMON; see first case for the full reason
>
>
> The following is part of the StartLog:
>
> 02/09/12 09:20:23 PERMISSION DENIED to gsi@unmapped from host 10.3.255.168 
> for command 442 (REQUEST_CLAIM), access level DAEMON: reason: DAEMON 
> authorization policy contains no matching ALLOW entry for this request; 
> identifiers used for this host: 10.3.255.168,gatekeeper-13-12.local
>
>
> The following is security section of the condor_config file:
>
> SEC_DAEMON_AUTHENTICATION = REQUIRED
> SEC_DAEMON_INTEGRITY = REQUIRED
> SEC_DAEMON_AUTHENTICATION_METHODS = GSI
> SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
> SEC_NEGOTIATOR_INTEGRITY = REQUIRED
> SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSISEC_DAEMON_AUTHENTICATION = 
> REQUIRED
> SEC_DAEMON_INTEGRITY = REQUIRED
> SEC_DAEMON_AUTHENTICATION_METHODS = GSI
> SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
> SEC_NEGOTIATOR_INTEGRITY = REQUIRED
> SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSI
>
> ALLOW_DAEMON = *@ultralight.org/*.ultralight.org
> ALLOW_NEGOTIATOR = *@ultralight.org/*.ultralight.org
>
> GSI_DAEMON_DIRECTORY      = /etc/grid-security
> GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/condorcert.pem
> GSI_DAEMON_KEY            = $(GSI_DAEMON_DIRECTORY)/condorkey.pem
> GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
> #GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
> GSI_NEGOTIATOR_TRUSTED_CA_DIR = /etc/grid-security/certificates
> GSI_DAEMON_NAME           = 
> /DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org,/DC=org/DC=doegrids/OU=Services/CN=compute-13-1.ultralight.org
> GRIDMAP                   = /etc/grid-security/grid-mapfile
>
>
> The following is the certificate subject for the test host:
>
> Subject: DC=org, DC=doegrids, OU=Services, CN=compute-10-33.ultralight.org
>
>
>
> We've also attached the MasterLog.debug file and the grid-mapfile.
>
>
> Thanks in advance for your help.
>
> Steven Lo
>  Caltech CMS Tier2 Administrator

------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.