Hello,
Advertising the master falls under ALLOW_DAEMON (or
ALLOW_ADVERTISE_MASTER if set). Double check those settings as well.
Otherwise, I agree with Brian and the first DENIED message would be the
most useful. But if you can’t find that (log rotated or whatever) these
commands might also be useful:
Condor_config_val -dump ALLOW_
condor_config_val UID_DOMAIN
host 131.169.161.34 # looks like it matches *.desy.de to me but maybe
you get something different
Cheers,
-zach
-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
Date: Tuesday, December 1, 2020 at 10:40 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] pool authorization failing
Hi Thomas,
Can you capture the first instance of the PERMISSION DENIED
message? That'll indicate which domain and IP addresses is being used
by HTCondor for the hostname.
Could be a failure of reverse DNS, for example.
:) In general, I'd nudge on trying out IDTOKENS and not relying on
DNS. A challenge for a different day, however!
Brian
> On Dec 1, 2020, at 10:36 AM, Thomas Hartmann <thomas.hartmann@xxxxxxx
<mailto:thomas.hartmann@xxxxxxx>> wrote:
>
> Hi all,
>
> our collector has started to disallow all remote daemons [1] although
the policy has not changed and should be pretty relaxed with
> ALLOW_WRITE = *.$(UID_DOMAIN)
> ALLOW_READ = *.$(UID_DOMAIN)
>
> The version was recently updated and looks like [2]
>
> Cheers and thanks for any ideas,
> Thomas
>
> [1]
> > /var/log/condor/CollectorLog
> ...
> 12/01/20 17:32:37 Query info: matched=0; skipped=1;
query_time=0.000041; send_time=0.000030; type=Scheduler;
requirements={((Name == "grid-arcce1.desy.de" || Machine ==
"grid-arcce1.desy.de"))}; locate=0; limit=0; from=TOOL;
peer=<131.169.223.111:11673>; projection={Machine Name TotalIdleJobs
TotalRunningJobs}; filter_private_ads=1
> 12/01/20 17:32:37 PERMISSION DENIED to unauthenticated@unmapped from
host 131.169.161.34 for command 2 (UPDATE_MASTER_AD), access level
ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first
case for the full reason
> 12/01/20 17:32:37 DC_AUTHENTICATE: Command not authorized, done!
> 12/01/20 17:32:37 PERMISSION DENIED to unauthenticated@unmapped from
host 131.169.163.155 for command 2 (UPDATE_MASTER_AD), access level
ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first
case for the full reason
>
>
> [2]
> condor-classads-8.9.10-1.el7.x86_64
> python3-condor-8.9.10-1.el7.x86_64
> condor-8.9.10-1.el7.x86_64
> python2-condor-8.9.10-1.el7.x86_64
> condor-procd-8.9.10-1.el7.x86_64
> condor-externals-8.9.10-1.el7.x86_64
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx> with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
<https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
<https://lists.cs.wisc.edu/archive/htcondor-users/>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
<mailto:htcondor-users-request@xxxxxxxxxxx> with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
<https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
<https://lists.cs.wisc.edu/archive/htcondor-users/>
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}