Mailing List ArchivesAuthenticated access |
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}
|
Mailing List ArchivesAuthenticated access |
|
Thankyou MaartenOn Wed, Jul 31, 2024 at 9:50âAM Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:_______________________________________________Hi Rita,also mind the double quote characters: they need to be ASCII(they look alright in your example, but not in Ben's).
Have you tried bumping the log levels of the startd (and possiblythe other side) to get more details about the mapping machinery?
Something like this:
STARTD_DEBUG = D_FULLDEBUG D_SECURITY:2 D_ALWAYS:2 D_CAT
From:ÂHTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Ben Jones <ben.dylan.jones@xxxxxxxxx>
Sent:ÂWednesday, July 31, 2024 2:10 PM
To:ÂHTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject:ÂRe: [HTCondor-users] SSL Authentication fails for remote submissionÂHave you tried a mapfile that looks like:
SSL â/CN=centralmanagerâ usera
Not sure about either the whitespace in yours, nor having the UID_DOMAIN in the user. But this is just the principle of making your mapfile look more like mine that is working, than knowing that it _will_ work.
On 31 Jul 2024, at 13:33, Rita <rmorgan466@xxxxxxxxx> wrote:
anyone? ;-)
On Tue, Jul 30, 2024 at 12:34âPM Rita <rmorgan466@xxxxxxxxx> wrote:Thanks Maarteen.Â
In my StartdLog, I seeauthenticationÂof <hosta> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so abortingreason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|Failed to authenticate using SSL
My mapfile looks like thisSSLÂ Â "/CN = centralmanager"Â Âusera@xxxxxxxxxx
I get the middle from doing openssl x509 -text -noout -in cert.cer | grep Subject
On Tue, Jul 30, 2024 at 8:20âAM Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:Hi Rita,a proxy ought not be necessary. In fact, Jaime Frey needed to makemajor modifications to allow proxies to work with the SSL method.Presumably it still works for plain certificates as well.I have seen evidenceÂfor that with v9.0.20.
From:ÂHTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Rita <rmorgan466@xxxxxxxxx>
Sent:ÂTuesday, July 30, 2024 2:05 PM
To:ÂHTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject:ÂRe: [HTCondor-users] SSL Authentication fails for remote submissionÂinteresting. I didn't know I needed a proxy to get this working. Is that necessary?
On Mon, Jul 29, 2024 at 11:51âAM Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:Hi Rita,steps 2 and later on this page may point you in the right direction:
Depending on your environment, you may not need the varioussettings referring to contents of the /etc/grid-security directory.
From:ÂHTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Rita <rmorgan466@xxxxxxxxx>
Sent:ÂMonday, July 29, 2024 2:09 PM
To:ÂHTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject:Â[HTCondor-users] SSL Authentication fails for remote submissionÂIs there a configuration I can refer to for remote job submissions where my authentication method is SSL?
I am able to submit when I have CLAIMTOBE. When I enable SSL, I see this on the remote ScheddLog
SSL Auth: SSL Authentication fails; client status is -1; server status is 0; terminating.
On the submission host I seeERROR: Failed to connect to queue manager queueserverAUTHENTICATE:1003:Failed to authenticate with any methodAUTHENTICATE:1004:Failed to authenticate using SSL
I have ALL_DEBUG = D_SECURITY:2 in both servers.
Any other suggestions?
----- Get your facts first, then you can distort them as you please.--_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxxÂwith a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
--Â---ÂGet your facts first, then you can distort them as you please.--_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxxÂwith a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
--Â---ÂGet your facts first, then you can distort them as you please.--
--Â
---ÂGet your facts first, then you can distort them as you please.--_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxxÂwith a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/----- Get your facts first, then you can distort them as you please.--