Hello,
I am currently trying to run condor on CentOS 7.3.1611 machines with
Kerberos authentication. A little info:
1. Two domains are on the local network with a cross-forest trust
established. These domains are listed below
windows.example.com - All of our windows machines are managed by
Windows AD
linux.example.com - All of our CentOS 7 machines are managed by a
RHEL 7 Identity Management Server (FreeIPA)
2. SELinux is enforcing with all condor_<type>_t set to permissive
3. Firewalld is active with port 9618 open for the sharedPort daemon.
4. We are required to run STIG-like security controls on our information
systems; turning them off is not preferred.
5. Both the server (master) and clients have Kerberos keytabs under
/etc/condor/condor.keytab which correspond to
condor/$(FULL_HOSTNAME)@IDM.EXAMPLE.COM. These were obtained using the
ipa-getkeytab available to the linux clients.
6. Reverse DNS lookups work i.e. `dig +short -x <IP_ADDRESS>` returns
the correct FQDN of both the server and client.
7. The IP address of the server (see below) is 192.168.6.12
(boss.linux.example.com) and the client is 192.168.6.40
(fury.linux.example.com)
I can't get the client machines to authenticate against the collector.
From the collector host's CollectorLog file:
12/30/16 15:55:41 2: Kerberos server authentication error:The ticket
isn't for us
12/30/16 15:55:41 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 15:55:42 2: Kerberos server authentication error:The ticket
isn't for us
12/30/16 15:55:42 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
From the client's StartLog:
12/30/16 16:27:24 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 16:27:28 KERBEROS: Could not authenticate!
12/30/16 16:27:28 SECMAN: required authentication with collector
boss.linux.example.com failed, so aborting command UPDATE_STARTD_AD.
12/30/16 16:27:28 ERROR: AUTHENTICATE:1003:Failed to authenticate with
any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 16:27:28 Failed to start non-blocking update to
<192.168.6.12:9618>.
12/30/16 16:27:29 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 16:27:29 KERBEROS: Could not authenticate!
12/30/16 16:27:29 SECMAN: required authentication with collector
boss.linux.example.com failed, so aborting command UPDATE_STARTD_AD.
12/30/16 16:27:29 ERROR: AUTHENTICATE:1003:Failed to authenticate with
any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 16:27:29 Failed to start non-blocking update to
<192.168.6.12:9618>.
12/30/16 16:27:34 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
12/30/16 16:27:39 DC_AUTHENTICATE: required authentication of
192.168.6.40 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
From the client's MasterLog:
12/30/16 16:27:22 KERBEROS: Could not authenticate!
12/30/16 16:27:22 SECMAN: required authentication with collector
boss.idm.ierustech.com failed, so aborting command UPDATE_MASTER_AD.
12/30/16 16:27:22 ERROR: AUTHENTICATE:1003:Failed to authenticate with
any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
I must confess to not being a wizard at Kerberos. I just enjoy it when
it works. The how-to in the manual really wasn't specific about which
machine gets which principal for KERBEROS_CLIENT_PRINCIPAL and
KERBEROS_SERVER_PRINCIPAL.
Is there a checklist that someone could help me with to make sure I have
the kerberos basics covered?
Attached to this are the relevant configuration files for the server. I
didn't want to pollute the email body with it. Thank you beforehand.
This is a complicated problem that I fear I am beyond my skill and
understanding to fix.
--
Michael Murphy
Engineer & Physicist
IERUS Technologies, Inc.
2904 Westcorp Blvd. Ste 210
Huntsville, AL 35805
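A pre-flight check for the kind of checklist asked for above, added here as an example; it is not part of the original message and not HTCondor's own tooling. The krb5 error "The ticket isn't for us" is raised when the service principal named in the ticket a client presents is not the principal the receiving daemon treats as its own, so the first things to confirm on the collector host are that the keytab it reads actually contains condor/<FQDN>@REALM for the FQDN the daemon resolves to, and that forward and reverse DNS agree on that FQDN (a mismatch makes the client request a ticket for a different name). The script below takes `klist -k` output as text so it can run offline against a constructed sample; the hostnames, realm and IP address are the ones from the post, and the service name is a parameter because KERBEROS_SERVER_PRINCIPAL / a non-default service name would change which principal must be in the keytab.

```shell
#!/bin/sh
# Added example (not from the original post or from HTCondor): pre-flight checks
# for a daemon authenticating with Kerberos. Verifies that the keytab holds the
# principal the daemon is addressed as (SERVICE/FQDN@REALM) and that reverse DNS
# agrees with the FQDN the daemon will use. klist output is read from stdin so
# the functions can be tested offline with a constructed sample.

# expected_principal SERVICE FQDN REALM -> prints SERVICE/FQDN@REALM
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has_principal PRINCIPAL < klist-output -> exit 0 if present, 1 if not.
# `klist -k` prints one "KVNO Principal" row per key; header and separator
# lines are skipped by requiring the first field to be a number.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit (found ? 0 : 1) }'
}

# fqdn_consistent FORWARD_NAME REVERSE_NAME -> 0 if the daemon's FQDN equals
# what reverse DNS returns for its address. `dig +short -x` prints a trailing
# dot, which is stripped, and the comparison is case-insensitive.
fqdn_consistent() {
    fwd=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rev=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$fwd" = "$rev" ]
}

# check_host SERVICE FQDN REALM REVERSE_NAME < klist-output
# Runs both checks, prints one line per result, exits 0 only if all pass.
check_host() {
    svc=$1; fqdn=$2; realm=$3; rdns=$4
    klist_out=$(cat)
    rc=0
    princ=$(expected_principal "$svc" "$fqdn" "$realm")
    if printf '%s\n' "$klist_out" | keytab_has_principal "$princ"; then
        echo "ok   keytab contains $princ"
    else
        echo "FAIL keytab lacks $princ"; rc=1
    fi
    if fqdn_consistent "$fqdn" "$rdns"; then
        echo "ok   reverse DNS agrees with $fqdn"
    else
        echo "FAIL reverse DNS returns $rdns, daemon uses $fqdn"; rc=1
    fi
    return $rc
}

# Constructed sample of `klist -k /etc/condor/condor.keytab` on the collector
# host from the post (two key entries of the same principal, as IPA issues).
SAMPLE_KLIST='Keytab name: FILE:/etc/condor/condor.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 condor/boss.linux.example.com@IDM.EXAMPLE.COM
   2 condor/boss.linux.example.com@IDM.EXAMPLE.COM'

# Offline run against the sample (both checks pass):
printf '%s\n' "$SAMPLE_KLIST" | \
    check_host condor boss.linux.example.com IDM.EXAMPLE.COM boss.linux.example.com.

# On the real collector host the same checks would be fed live data:
#   klist -k /etc/condor/condor.keytab | \
#       check_host condor "$(hostname -f)" IDM.EXAMPLE.COM "$(dig +short -x 192.168.6.12)"
```

Run it once on the collector and once on each execute node; the FAIL lines point at the specific mismatch (missing principal or inconsistent DNS name), which is what the daemon logs only summarise as "Failed to authenticate using KERBEROS". If the daemons are configured to use a different service name than condor/, pass that name as the first argument instead.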