
Re: [HTCondor-users] 10.x IDTOKEN not working (10.0 token does)



On 6/28/2023 3:38 PM, Lee Damon wrote:
I'm working on our new AlmaLinux 9-based OS install. Our existing install is CentOS Stream 8 running 10.0 LTS.

I'm trying to use the same setup for the 10.x install as I have for 10.0 but it's not happy with the idtoken (/etc/condor/tokens.d/condor@mypool) that works just fine for my other hosts. There's no KDC available, let alone involved.

The token is being generated by:
  condor_store_cred -c add
  umask 0077; condor_token_create -identity condor@mypool > /etc/condor/tokens.d/condor@mypool
This is done in the same script as works on our HTCondor 10.0 hosts.

I'm trying to join this test host to an existing 10.0 pool, since that's what is going to happen in production.

Hi Lee,

In addition to Steve's suggestions, I'll venture a guess here -- maybe the TRUST_DOMAIN is different? To check this:

1. Login to your central manager or any of your old hosts that is working fine (running v10.0 LTS), and enter:
   condor_config_val trust_domain
2. Now login to your new host running Alma 10.x that is not happy, and also enter:
   condor_config_val trust_domain

Compare the values for TRUST_DOMAIN displayed in step #1 -vs- step #2.

If the trust domain values are the same, I guessed wrong, and you can ignore the rest of this email :(

If they are different, on your new host, set config knob TRUST_DOMAIN=XXX, where XXX is the TRUST_DOMAIN value retrieved in step #1 above. Then on the new host remove the token in /etc/condor/tokens.d/condor@mypool and rerun your script above to generate a new token with a TRUST_DOMAIN that matches what you were using previously with your old hosts, and restart HTCondor on your new host.

Hope this helps,
Todd
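
An added example, not part of the original message and not HTCondor project code: an IDTOKEN is a JWT whose `iss` claim is set from TRUST_DOMAIN when the token is created, so the mismatch suspected above can also be seen by decoding the token payload and comparing `iss` with the value from step #1. The function names, the sample domains and the single-token-per-file handling are assumptions made for the illustration.

```python
import base64
import json
import sys


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token_text):
    """Return the payload claims of a JWT-format token. No signature check:
    this only shows what the token claims, it does not prove it is valid."""
    parts = token_text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def issuer_matches(token_text, pool_trust_domain):
    """Compare the token's 'iss' claim with the pool's TRUST_DOMAIN.
    Returns (matches, issuer_found). Exact string comparison is an assumption."""
    issuer = token_claims(token_text).get("iss", "")
    return issuer == pool_trust_domain, issuer


def make_sample_token(iss, sub):
    """Build a CONSTRUCTED, unsigned sample token (not a real IDTOKEN)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "kid": "POOL"}),
                     enc({"iss": iss, "sub": sub, "iat": 1687980000}),
                     "constructed-signature"])


if __name__ == "__main__":
    if len(sys.argv) == 3:  # args: <token file> <trust_domain value from step 1>
        with open(sys.argv[1]) as fh:
            # Assumes one token per file; take the first non-empty line.
            token = next(line for line in fh if line.strip())
        expected = sys.argv[2]
    else:  # constructed demo: token minted under the new host's own domain
        token = make_sample_token("newhost.example.org", "condor@mypool")
        expected = "mypool.example.org"
    ok, issuer = issuer_matches(token, expected)
    print(f"token iss={issuer!r} pool TRUST_DOMAIN={expected!r} "
          f"-> {'match' if ok else 'MISMATCH'}")
```

Run it as root against the token file, since the file is created with umask 0077, and keep the token contents out of tickets and list posts.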