Jaime
Thank you for the update. I was able to update to version 10.9 (Thanks to Tim for the epel/powertools tip).
This 'old' machine is now authenticating and able to run jobs when regular users are submitting.
Now I am trying to get the apache user to submit jobs. The reason for this is that I am running a web-server which submits some long-running jobs (to postgres database) which need to be run locally. This used to be working, but I am struggling with the 10.9 version.
From the SchedLog on the submitting machine (the old one):
11/30/23 09:37:52 (pid:2826939) DC_AUTHENTICATE: authentication of <...:7365> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
11/30/23 09:37:52 (pid:2826939) DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
These appear when I try to run the submit via the website. I copied the password file directly from the head-server.
For my security I have on the old machine:
## Security
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, FS, PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
SEC_READ_AUTHENTICATION_METHODS = $(SEC_READ_AUTHENTICATION_METHODS), PASSWORD
SEC_WRITE_AUTHENTICATION_METHODS = $(SEC_WRITE_AUTHENTICATION_METHODS), PASSWORD
And on the head node:
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, FS, PASSWORD
ALLOW_DAEMON = $(ALLOW_DAEMON), condor_pool@*
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_CLIENT_AUTHENTICATION_METHODS), PASSWORD
SEC_READ_AUTHENTICATION_METHODS = $(SEC_READ_AUTHENTICATION_METHODS), PASSWORD
What am I missing? Is it possible to add the apache user specifically somewhere perhaps?
Peter
From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: 22 November 2023 18:28
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Peter Ellevseth <Peter.Ellevseth@xxxxxxxxxx>
Subject: Re: [HTCondor-users] Pool with one old machine
That approach assumes that you want PASSWORD to be the only authentication method between daemons in your pool. For your situation, you want to add it to the regular list of authentication methods.
On the old machine and the central manager, you will want to add PASSWORD to all SEC_XXX_AUTHENTICATION_METHODS settings in the configuration files. If SEC_DEFAULT_AUTHENTICATION_METHODS isn’t set in your configuration files, then you’ll want to add this (which keeps the default list and adds PASSWORD):
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,SCITOKENS,SSL,PASSWORD
You’ll do a similar modification for ALLOW_DAEMON, adding condor_pool@* to the authorized identities instead of replacing the existing list of authorizations. Add this line to your configuration after any other settings of ALLOW_DAEMON:
ALLOW_DAEMON = $(ALLOW_DAEMON) condor_pool@*
Finally, create the password file with the same contents on the old machine and the central manager, with owner root and permissions 0600, and set SEC_PASSWORD_FILE to point at that file.
A condor_reconfig should be sufficient after these changes, but a restart of the daemons on the old machine and the central manager may be required.
- Jaime
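An added check (not part of the original thread, and not HTCondor's own tooling) for the last step of the reply above: it verifies that a pool password file is a regular file owned by root with mode 0600, and prints a SHA-256 digest so the copies on the old machine and the central manager can be compared. It assumes Linux with GNU coreutils; the function names and the --check flag are made up for this example.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils (stat -c, sha256sum).

# Succeeds only if FILE is a regular file (not a symlink), owned by
# EXPECTED_UID (default 0 = root) and with mode exactly 0600.
check_pool_password_file() {
    local file="$1" want_uid="${2:-0}" uid mode
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file has mode $mode, expected 600" >&2
        return 1
    fi
    return 0
}

# Prints the SHA-256 of FILE; run on both hosts and compare the output
# to confirm the two copies have the same contents.
pool_password_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# "--check" (hypothetical flag) looks up the configured path with
# condor_config_val and checks that file as root.
if [ "${1:-}" = "--check" ]; then
    f=$(condor_config_val SEC_PASSWORD_FILE) || exit 1
    check_pool_password_file "$f" && pool_password_digest "$f"
fi
```

Run it as root with --check on both the old machine and the central manager; the two digests should be identical.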