First Issue:

>This may be difficult without log files but I'm looking at this part first:
>> Success................
>> KERBEROS: creds_->addresses == NULL
>Are those messages in that order, consecutively in the log, as part of the same authentication?
>I understand you can't include IP addresses or hostnames. Can you just replace them with
>X.X.X.X? Keeping timestamps would be helpful as well. Include a line or two before and
>after?

I will omit the timestamps since this all happens in less than a second.

KERBEROS: Server principal is MACHINE_PRINCIPAL
init_daemon: Client principal is MACHINE_PRINCIPAL
init_daemon: Using default keytab FILE:/etc/krb5.keytab
init_daemon: Trying to get tgt credential for service MACHINE_PRINCIPAL
init_daemon: gic_kt creds_->client is 'MACHINE_PRINCIPAL'
init_daemon: gic_kt creds_->server is 'MACHINE_PRINCIPAL'
Success.................................
KERBEROS: creds_->addresses=NULL
KERBEROS: Could not authenticate!

Followed by the rest of the messages you get from authentication failures

>Is the client authenticating to a local daemon or a remote one? Can you locally run 'klist'
>as a user and 'klist -k' as root and verify that there are credentials for both?

Yes! I actually just got that working and verified this morning! MACHINE_PRINCIPAL is set to a value I manually input in order to ensure they matched what kinit -k would successfully execute with. So MACHINE_PRINCIPALMACHINE_PRINCIPAL I have verified is Kerberos-friendly.

Second issue:

>> And another that says my mapfile is missing an = separator. However, I copied the form of
>> my mapfile from the documentation, are there any additional rules surrounding spacing that I
>> need to be aware of?
>Is this in the CERTIFICATE_MAPFILE? Can you point to the documentation that you started from?
>You don't normally need any '=' signs in the CERTIFICATE_MAPFILE so I'm thinking maybe you are
>talking about the USER_MAPFILE?

I mean the one set by the value KERBEROS_MAP_FILE, as listed here: https://htcondor.readthedocs.io/en/latest/admin-manual/security.html?highlight=kerberos#kerberos-authentication, if that makes sense.

Thanks Zach!

Wes