Hi Daniel,
Looks like the TRUST_DOMAIN is being set by the configuration template SECURITY:get_htcondor_idtokens set in 02-submitter-host.config. This is happening because the configuration directory files are parsed in lexicographical order (02-submitter-host.config is parsed after 01-central-manager.config) and the last value wins. So, either set TRUST_DOMAIN after the configuration template in 02-submitter-host.config or add the configuration to a different file that is parsed later, i.e. 03-new-file.config.
Cheers,
Cole Bollig
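The last-value-wins resolution described in the reply above, as an added example that is not part of the original thread and not HTCondor's own code: a simplified model that reads constructed config.d files in lexicographic order, reports where TRUST_DOMAIN ends up being set, and checks the result against the "may not contain spaces or commas" rule from the token error quoted further down. The template table, the file contents and all function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for the template expansion implied by `condor_config_val -v`.
TEMPLATES = {
    "role:get_htcondor_submit": ["use security:get_htcondor_idtokens"],
    "security:get_htcondor_idtokens": ["TRUST_DOMAIN = $(CONDOR_HOST)"],
}
# Constructed config.d contents modelled on the files named in the thread.
CONFIG_D = {
    "02-submitter-host.config": "use role : get_htcondor_submit\n",
    "01-central-manager.config": (
        "CENTRAL_MANAGER1 = cm1.domain.name\n"
        "CENTRAL_MANAGER2 = cm2.domain.name\n"
        "CONDOR_HOST = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)\n"
        "TRUST_DOMAIN = domain.name\n"),
}
# The second fix from the reply: a file that sorts after the template.
FIXED = {**CONFIG_D, "03-new-file.config": "TRUST_DOMAIN = domain.name\n"}

def resolve(files):
    """Return {NAME: (raw_value, source)}; a later assignment replaces an earlier one."""
    table = {}
    def feed(line, source):
        line = line.strip()
        if not line or line.startswith("#"):
            return
        m = re.match(r"use\s+(\w+)\s*:\s*(\w+)$", line, re.I)
        if m:  # expand the template in place, at the position of the `use` line
            key = f"{m.group(1)}:{m.group(2)}".lower()
            for sub in TEMPLATES.get(key, []):
                feed(sub, f"{source}, use {key}")
            return
        name, _, value = line.partition("=")
        table[name.strip().upper()] = (value.strip(), source)
    for fname in sorted(files):  # lexicographic order, as described in the reply
        for line in files[fname].splitlines():
            feed(line, fname)
    return table

def expand(table, name):
    """Substitute $(MACRO) references using the final table."""
    return re.sub(r"\$\((\w+)\)", lambda m: expand(table, m.group(1).upper()),
                  table[name][0])

def audit_trust_domain(files):
    """Return (effective value, where it was set, usable as a token issuer)."""
    table = resolve(files)
    value = expand(table, "TRUST_DOMAIN")
    return value, table["TRUST_DOMAIN"][1], not re.search(r"[\s,]", value)
```

Calling `audit_trust_domain(CONFIG_D)` shows the template in 02-submitter-host.config overriding the value from 01-central-manager.config; `audit_trust_domain(FIXED)` shows the later file winning.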
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Daniel Brückner <daniel.brueckner@xxxxxxxxxxxxxxxxxx>
Sent: Monday, August 12, 2024 12:27 PM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Trying to set up High-Availability Cluster - Issues with IDTOKENS
Hmm. Nah. :-(
####condor_config_val -v TRUST_DOMAIN
TRUST_DOMAIN = cm1.domain.name, cm2.domain.name
 # at: /etc/condor/config.d/02-submitter-host.config, line 1, use SECURITY:get_htcondor_idtokens+42
 # raw: TRUST_DOMAIN = $(CONDOR_HOST)
####
####cat /etc/condor/config.d/02-submitter-host.config
use role : get_htcondor_submit
####
Does one of the predefined roles (like "use role : get_htcondor_submit" or "use role:get_htcondor_central_manager") cause this behavior? Is the setting "use security:recommended_v9_0" deprecated?
Best regards,
Daniel
On 12.08.2024 17:11, John M Knoeller via HTCondor-users wrote:
You can run
  condor_config_val -v TRUST_DOMAIN
to see what file this variable is set in.
Most likely it is set in a later config file than the one you changed.
-tj
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Daniel Brückner <daniel.brueckner@xxxxxxxxxxxxxxxxxx>
Sent: Monday, August 12, 2024 8:08 AM
To: HTCondor-Users Mail List <HTCondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Trying to set up High-Availability Cluster - Issues with IDTOKENS
I got the hint to set the macro "TRUST_DOMAIN" manually, since its default is TRUST_DOMAIN = $(CONDOR_HOST). But unfortunately I'm not able to change this macro. After restarting the service it shows the default value, again.
####condor_config_val TRUST_DOMAIN
cm1.test.de, cm2.test.de
####
####condor_config_val -dump TRUST
# Configuration from machine: cm1.domain.name
# Parameters with names that match TRUST:
BOOTSTRAP_SSL_SERVER_TRUST = false
BOOTSTRAP_SSL_SERVER_TRUST_PROMPT_USER = true
QUEUE_ALL_USERS_TRUSTED = false
TRUST_DOMAIN = $(CONDOR_HOST)
TRUST_DOMAIN_CAFILE = /etc/condor/trust_domain_ca.pem
TRUST_DOMAIN_CAKEY = /etc/condor/trust_domain_ca_privkey.pem
TRUST_LOCAL_UID_DOMAIN = true
TRUST_UID_DOMAIN =
# Contributing configuration file(s):
#    /etc/condor/condor_config
#    /etc/condor/config.d/00-htcondor-9.0.config
#    /etc/condor/config.d/01-central-manager.config
#    /etc/condor/config.d/02-submiter-host.config
#    /etc/condor/config.d/10-stash-plugin.conf
#    /etc/condor/condor_config.local
####
####grep -rnwi /etc/condor/ -e "TRUST_DOMAIN"
/etc/condor/config.d/01-central-manager.config:2:TRUST_DOMAIN = "domain.name"
####
Any ideas?
Best regards,
Daniel
On 12.08.2024 11:59, Daniel Brückner wrote:
Hello,
I'm trying to set up a high availability central manager pool following these steps described here:
https://htcondor.readthedocs.io/en/lts/admin-manual/high-availability.html
I installed two identical nodes, but they are not able to communicate.
######
08/12/24 11:41:56 DC_AUTHENTICATE: required authentication of x.x.x.3 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXwWFJF8)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
######
Even my computing nodes are not able to connect to any of the CMs using this configuration:
######
08/12/24 11:45:04 DC_AUTHENTICATE: required authentication of x.x.x.70 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXHdRQPA)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
08/12/24 11:45:04 DC_AUTHENTICATE: required authentication of x.x.x.70 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXNHZucb)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
08/12/24 11:45:13 DC_AUTHENTICATE: required authentication of x.x.x.66 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXzHgGgP)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
08/12/24 11:45:13 DC_AUTHENTICATE: required authentication of x.x.x.66 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXmqwPKw)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
08/12/24 11:45:18 DC_AUTHENTICATE: required authentication of x.x.x.66 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXG0Kexg)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
08/12/24 11:45:18 DC_AUTHENTICATE: required authentication of x.x.x.66 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using FS|FS:1004:Unable to lstat(/tmp/FS_XXXh1xYgK)|AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
######
I'm using this configuration macro:
CENTRAL_MANAGER1 = cm1.domain.name
CENTRAL_MANAGER2 = cm2.domain.name
CONDOR_HOST = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)
When I changed CONDOR_HOST to a single host entry, everything works fine:
"CONDOR_HOST = $(CENTRAL_MANAGER1)" or "CONDOR_HOST = $(CENTRAL_MANAGER2)"
While setting up a token for my 2nd CM, I got this error:
#####
condor_token_create -identity condor@xxxxxxxxxxxxxxx
Failed to generate a token.
PASSWD:1:Issuer namespace may not contain spaces or commas
#####
After changing to "CONDOR_HOST = $(CENTRAL_MANAGER2)" I was able to create this token.
I guess there's an issue using the macro "CONDOR_HOST" with two or more hosts when using Tokens. Can anybody confirm this? How can I change my configuration to get things working?
Thanks for your help,
Daniel
_______________________________________________ HTCondor-users mailing list To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a subject: Unsubscribe You can also unsubscribe by visiting https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users The archives can be found at: https://lists.cs.wisc.edu/archive/htcondor-users/