Looks like you are dealing with some kind of a DNS issue on a public
vs.
private net.
You have ALLOW_DAEMON from hosts that have host names like
ultralight.org, which are in your gridmap file, but the IP's that
you are
showing in the log file don't resolve to ultralight.org, or in
fact to anything at all.
You need to either also include the private net ip's of interest
in your ALLOW list, or use the NETWORK_INTERFACE setting to make
sure all the daemons you need are using the public ultralight.org ip.
Steve Timm
On Thu, 9 Feb 2012, Steven Lo wrote:
Hi,
We are in the process of testing Condor version 7.6.6 with our
existing
version 7.4.1. If all go well, we will upgrade all to 7.6.6.
We are having problem with the GSI authentication part. Looks like
the gridmap lookup of the host certificate in the gridmap is not
working properly.
The following is part of the MasterLog:
02/09/12 09:17:50 This process has a valid certificate & key
02/09/12 09:17:50 Adding to resolved authorization table:
gsi@unmapped/10.3.255.107: DENY_DAEMON
02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.3.255.107,compute-10-33.local,compute-10-33
02/09/12 09:17:50 PERMISSION DENIED to gsi@unmapped from host
10.3.255.107 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: cached result for DAEMON; see first case for the full reason
The following is part of the StartLog:
02/09/12 09:20:23 PERMISSION DENIED to gsi@unmapped from host
10.3.255.168 for command 442 (REQUEST_CLAIM), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.3.255.168,gatekeeper-13-12.local
The following is security section of the condor_config file:
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = GSI
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSISEC_DAEMON_AUTHENTICATION =
REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = GSI
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = GSI
ALLOW_DAEMON = *@ultralight.org/*.ultralight.org
ALLOW_NEGOTIATOR = *@ultralight.org/*.ultralight.org
GSI_DAEMON_DIRECTORY = /etc/grid-security
GSI_DAEMON_CERT = $(GSI_DAEMON_DIRECTORY)/condorcert.pem
GSI_DAEMON_KEY = $(GSI_DAEMON_DIRECTORY)/condorkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
#GSI_DAEMON_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_NEGOTIATOR_TRUSTED_CA_DIR = /etc/grid-security/certificates
GSI_DAEMON_NAME =
/DC=org/DC=doegrids/OU=Services/CN=compute-10-33.ultralight.org,/DC=org/DC=doegrids/OU=Services/CN=compute-13-1.ultralight.org
GRIDMAP = /etc/grid-security/grid-mapfile
The following is the certificate subject for the test host:
Subject: DC=org, DC=doegrids, OU=Services,
CN=compute-10-33.ultralight.org
We've also attached the MasterLog.debug file and the grid-mapfile.
Thanks in advance for your help.
Steven Lo
Caltech CMS Tier2 Administrator
------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525
timm@xxxxxxxx http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.
_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx
with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/condor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/condor-users/
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}