
Re: [HTCondor-users] 10.x IDTOKEN not working (10.0 token does)



3 questions:
1. Is SEC_DEFAULT_AUTHENTICATION_METHODS really undefined or just going to its default values?
2. Did 10.x install dump an extra condor_config file into your directory you weren't counting on?
3. Do you have the output for D_FULLDEBUG D_SECURITY:2 from the client side?


In any case the next thing to do is to dump your idtoken with condor_token_list and make sure that the "iss" field
matches the current value of TRUST_DOMAIN on the collector. Also that the signing key matches between the two. Presumably,
since you didn't specify one, you were signing with the pool password of the collector; need to be sure that's the same.

Steve Timm


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Lee Damon <lvd@xxxxxx>
Sent: Wednesday, June 28, 2023 3:38 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] 10.x IDTOKEN not working (10.0 token does)
 
I'm working on our new AlmaLinux 9-based OS install. Our existing install is CentOS Stream 8 running 10.0 LTS.

I'm trying to use the same setup for the 10.x install as I have for 10.0 but it's not happy with the idtoken (/etc/condor/tokens.d/condor@mypool) that works just fine for my other hosts. There's no KDC available, let alone involved.

The token is being generated by:
  condor_store_cred -c add
  umask 0077; condor_token_create -identity condor@mypool > /etc/condor/tokens.d/condor@mypool
This is done in the same script as works on our HTCondor 10.0 hosts.

I'm trying to join this test host to an existing 10.0 pool, since that's what is going to happen in production.

Just like our production hosts, SEC_DEFAULT_AUTHENTICATION_METHODS is undefined.

As is sadly the case far too often, my googlefu is failing to find anything at all relevant.

06/28/23 13:13:23 Sending DC_SET_READY message to master <REDACTED.145:9618?addrs=REDACTED.145-9618+[2001-470-e9e7--2-350]-9618&alias=[REDACTED}&noUDP&sock=master_4455_5682>
06/28/23 13:13:23 TOKEN: No token found.
06/28/23 13:13:23 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:13:23 SECMAN: required authentication with collector [REDACTED] failed, so aborting command UPDATE_STARTD_AD.
06/28/23 13:13:23 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
06/28/23 13:13:23 Collector update failed; will try to get a token request for trust domain [REDACTED], identity (default).
06/28/23 13:13:23 Failed to start non-blocking update to <REDACTED.140:9618>.
06/28/23 13:13:23 TOKEN: No token found.
06/28/23 13:13:23 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:13:23 SECMAN: required authentication with collector [REDACTED] failed, so aborting command DC_START_TOKEN_REQUEST.
06/28/23 13:13:23 Failed to request a new token: DAEMON:1:failed to start command for token request with remote daemon at '<REDACTED.140:9618?alias=[REDACTED]>'.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
06/28/23 13:13:49 State change: benchmarks completed
06/28/23 13:13:49 slot1: Changing activity: Benchmarking -> Idle
06/28/23 13:13:49 TOKEN: No token found.
06/28/23 13:13:49 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:13:49 SECMAN: required authentication with collector [REDACTED] failed, so aborting command UPDATE_STARTD_AD.
06/28/23 13:13:49 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
06/28/23 13:13:49 Collector update failed; will try to get a token request for trust domain [REDACTED], identity (default).
06/28/23 13:13:49 Failed to start non-blocking update to <REDACTED.140:9618>.
06/28/23 13:13:49 TOKEN: No token found.
06/28/23 13:13:49 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:13:49 SECMAN: required authentication with collector [REDACTED] failed, so aborting command DC_START_TOKEN_REQUEST.
06/28/23 13:13:49 Failed to request a new token: DAEMON:1:failed to start command for token request with remote daemon at '<REDACTED.140:9618?alias=[REDACTED]>'.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
06/28/23 13:18:23 TOKEN: No token found.
06/28/23 13:18:23 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:18:23 SECMAN: required authentication with collector [REDACTED] failed, so aborting command UPDATE_STARTD_AD.
06/28/23 13:18:23 ERROR: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS
06/28/23 13:18:23 Collector update failed; will try to get a token request for trust domain [REDACTED], identity (default).
06/28/23 13:18:23 Failed to start non-blocking update to <REDACTED.140:9618>.
06/28/23 13:18:23 TOKEN: No token found.
06/28/23 13:18:23 AUTH_ERROR: Cannot resolve network address for KDC in requested realm
06/28/23 13:18:23 SECMAN: required authentication with collector [REDACTED] failed, so aborting command DC_START_TOKEN_REQUEST.
06/28/23 13:18:23 Failed to request a new token: DAEMON:1:failed to start command for token request with remote daemon at '<REDACTED.140:9618?alias=[REDACTED]>'.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using SCITOKENS|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS|AUTHENTICATE:1004:Failed to authenticate using FS


The CONDOR_HOST is the 140 address. This host is the 145 address.

Any hints or pointers would be appreciated.

thanks,
nomad
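
The check suggested in the reply at the top of this thread (compare the token's "iss" with the collector's TRUST_DOMAIN and note which signing key it names), as an added example that is not part of the original messages and is not HTCondor code. It assumes the IDTOKEN is a three-part JWT whose header carries the signing key name in `kid`; the function names, the sample token and the host names are constructed for illustration, and the token is only decoded, not verified.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_idtoken(token, trust_domain, now=None):
    """Decode (without verifying) a token and compare it with TRUST_DOMAIN."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT: header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != trust_domain:
        problems.append(f"iss {payload.get('iss')!r} != TRUST_DOMAIN {trust_domain!r}")
    if "exp" in payload and payload["exp"] <= now:
        problems.append("token has expired")
    return {
        "iss": payload.get("iss"),
        "sub": payload.get("sub"),
        # Name of the signing key; the collector needs a key of this name
        # with identical contents for the signature to validate.
        "kid": header.get("kid"),
        "problems": problems,
    }


def make_sample_token(iss, sub, kid="POOL"):
    """Constructed sample only: the signature segment is a dummy, not a real HMAC."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"iss": iss, "sub": sub, "iat": 1687980000}).encode())
    return f"{header}.{payload}.{b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    # Constructed values. In practice, read the token from the tokens.d file and
    # take the trust domain from `condor_config_val TRUST_DOMAIN` on the collector.
    tok = make_sample_token("old-cm.example.org", "condor@mypool")
    print(inspect_idtoken(tok, "cm.example.org"))
```
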