
Re: [HTCondor-users] Error: Could not fetch startd ads



Yes, Christoph is right.  Here are some more specifics and some additional explanation.

On your Central Manager (the CONDOR_HOST) you seem to have authentication for READ operations set to "REQUIRED".  (Or perhaps you set SEC_DEFAULT_AUTHENTICATION)

The "FS" method does not work from one machine to another because it works using the local /tmp directory.

The "PASSWORD" method works when running as root because root can read the credential used for PASSWORD authentication.  However, regular users cannot (and should not be able to) read that credential.

So that explains the behavior you are seeing.

What I would suggest is that you change these settings on your Central Manager:

SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = OPTIONAL

Have you also turned on ENCRYPTION or INTEGRITY settings?  If so, they will force authentication because they promote the necessity of AUTHENTICATION to their own setting.  For example, if you set ENCRYPTION to REQUIRED, then that also makes AUTHENTICATION required as well.

Please let me know if you have more questions and I would be happy to help.  I could also look at your config file to see if there are other issues.  Feel free to send that to me off-list.  You can use a command like this to get just the important security settings:
	condor_config_val -dump SEC_


Cheers,
-zach
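
Added example (not part of the original message and not HTCondor project code): a small shell function that reads `condor_config_val -dump SEC_` output and reports the authentication level a given access level ends up with once the ENCRYPTION and INTEGRITY settings described above are taken into account. It assumes the dump consists of `NAME = value` lines, that `SEC_DEFAULT_*` applies when the per-level setting is absent, and that the effective level is the strictest of the three settings; the sample input is constructed.

```shell
#!/bin/sh
# Constructed sample of `condor_config_val -dump SEC_` output (assumed
# "NAME = value" format); not taken from the poster's pool.
sample_dump() {
cat <<'EOF'
# Configuration from machine: cm.example.org
SEC_DEFAULT_AUTHENTICATION = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = FS, PASSWORD
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_INTEGRITY = PREFERRED
EOF
}

# effective_auth LEVEL
# Reads a dump on stdin and prints "<level> <setting that decided it>".
# Unset settings are ignored here (assumption: they never raise the level).
effective_auth() {
  awk -v lvl="$1" '
    BEGIN { rank["NEVER"]=0; rank["OPTIONAL"]=1
            rank["PREFERRED"]=2; rank["REQUIRED"]=3 }
    /^[ \t]*#/ { next }                      # skip comment lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      conf[key] = toupper(val)
    }
    END {
      n = split("AUTHENTICATION ENCRYPTION INTEGRITY", feat, " ")
      best = "UNSET"; src = "-"; bestrank = -1
      for (i = 1; i <= n; i++) {
        k = "SEC_" lvl "_" feat[i]; v = conf[k]
        if (v == "") { k = "SEC_DEFAULT_" feat[i]; v = conf[k] }
        # ENCRYPTION/INTEGRITY promote AUTHENTICATION to their own level
        if ((v in rank) && rank[v] > bestrank) {
          best = v; src = k; bestrank = rank[v]
        }
      }
      print best, src
    }'
}
```

On the Central Manager, `condor_config_val -dump SEC_ | effective_auth READ` shows whether READ still ends up REQUIRED after SEC_READ_AUTHENTICATION has been set to OPTIONAL, and which setting is responsible.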


On 3/27/20, 2:59 PM, "HTCondor-users on behalf of Beyer, Christoph" <htcondor-users-bounces@xxxxxxxxxxx on behalf of christoph.beyer@xxxxxxx> wrote:

    Hi,
    
    
    
    you need to check your read authentication on the collector which is presumably your condor_host ...
    
    
    
    
    Best
    
    Christoph
    
    
    
    
    -- 
    Christoph Beyer
    DESY Hamburg
    IT-Department
    
    Notkestr. 85
    Building 02b, Room 009
    22607 Hamburg
    
    phone:+49-(0)40-8998-2317
    mail: christoph.beyer@xxxxxxx
    
    
    
    ________________________________________
    From: "Perez Fernandez, Antonio" <Antonio.PerezFernandez@xxxxxxxxxx>
    To: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
    Sent: Friday, 27 March 2020 18:21:41
    Subject: [HTCondor-users] Error:  Could not fetch startd ads
    
    
    
    Hi
    
    
    I have been trying to fix this issue for a long time. I have a submitter for our local users. Everything works ok but users can't check their jobs with condor_q -better-analyze because they get this error:
    
    
    -bash-4.2$ condor_q -better-analyze 263 -debug
    03/27/20 17:09:08 getStoredCredential(): read_secure_file(/etc/condor/pool_password) failed!
    03/27/20 17:09:08 getStoredCredential(): read_secure_file(/etc/condor/pool_password) failed!
    03/27/20 17:09:08 SECMAN: required authentication with collector at <10.141.XXX.XXX:9618> failed, so aborting command QUERY_STARTD_ADS.
    03/27/20 17:09:08 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using PASSWORD|AUTHENTICATE:1004:Failed to authenticate using FS
    Error:  Could not fetch startd ads
    
    
    
    
    
    condor_q works ok:
    
    
    -bash-4.2$ condor_q
    
    
    
    
    -- Schedd: xxxxxxxxxxxxxxxxxxx : <10.141.XX.XX:9618?... @ 03/27/20 17:14:14
    OWNER  BATCH_NAME    SUBMITTED   DONE   RUN    IDLE  TOTAL JOB_IDS
    aperez ID: 262      3/27 15:56      _      1      _      1 262.0
    aperez ID: 263      3/27 17:06      _      1      _      1 263.0
    
    
    Total for query: 2 jobs; 0 completed, 0 removed, 0 idle, 2 running, 0 held, 0 suspended
    Total for aperez: 2 jobs; 0 completed, 0 removed, 0 idle, 2 running, 0 held, 0 suspended
    Total for all users: 2 jobs; 0 completed, 0 removed, 0 idle, 2 running, 0 held, 0 suspended
    
    
    
    When executing "condor_q -better-analyze" under root it works ok. The problem only appears when the command is executed by a local user.
    
    
    I have found some similar problems on the internet; however, adding the submitter DNS to ALLOW_READ doesn't work. I would appreciate more specific instructions on how I can make QUERY_STARTD_ADS query the collector successfully.
    
    
    Thanks in advance.
    
    
    
    
    
    
    
    
    
    Tony.
    Particle Physics IT Support Officer.
    antonio.perezfernandez@xxxxxxxxxx
    
    :wq
    
    
    
    
    
    
    