Can we see the first failure for this message?
08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason
I suspect the problem is that a MASTER or STARTD which is running as a user does not have access to the token or token signing key that a MASTER or STARTD running as a service is able to use.
Looking in the MasterLog or StartLog of the HTCondor instance running as a domain user should make this clearer, especially if you add
MASTER_DEBUG = D_SECURITY:1 $(MASTER_DEBUG)
STARTD_DEBUG = D_SECURITY:1 $(STARTD_DEBUG)
to the configuration of that instance of HTCondor.
-tj
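The CollectorLog lines quoted in this thread show why the denial is hard to read in isolation: once the collector has decided ADVERTISE_MASTER for an identity, every later line only says "cached result ...; see first case for the full reason", so the explanatory text is on the earliest decision, which may be many hundreds of D_SECURITY lines back. The script below is an added example for pulling that out; it is not from the thread or from HTCondor. It parses the PERMISSION GRANTED/DENIED lines, groups them by authenticated identity, host, command and access level, and reports the first non-cached decision per group, flagging groups where only cached entries survived (for example because the log rotated). The sample log is constructed: two lines are copied from the excerpt posted above, and the 13:22:20 line, including its reason text, is invented to stand in for the "first case".

```python
"""Summarise HTCondor D_SECURITY authorization decisions from a CollectorLog.

Added example for this thread, not HTCondor code.  Reads PERMISSION
GRANTED/DENIED lines, keeps the first real (non-cached) decision for each
(identity, host, command, access level) and prints the denials.
"""
import re
from collections import OrderedDict

# Shape of the decision lines as they appear in the thread's CollectorLog excerpt.
_DECISION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"PERMISSION (?P<verdict>GRANTED|DENIED) to (?P<identity>\S+) "
    r"from host (?P<host>\S+) for command (?P<cmd>\d+) \((?P<cmd_name>[A-Z_]+)\), "
    r"access level (?P<level>[A-Z_]+): reason: (?P<reason>.*)$"
)

# Constructed sample.  Lines 1 and 4 are from the excerpt posted in the thread;
# the 13:22:20 line is invented to play the role of the "first case" that the
# cached denial points at, and its reason text is illustrative only.
SAMPLE_LOG = [
    "08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family",
    "08/20/24 13:22:20 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65279>",
    "08/20/24 13:22:20 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: (illustrative) no ALLOW_ADVERTISE_MASTER entry matched this identity or host",
    "08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason",
]


def parse_decisions(lines):
    """Yield one dict per PERMISSION GRANTED/DENIED line; skip all other lines."""
    for line in lines:
        m = _DECISION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            # HTCondor reuses the first verdict and logs only this marker afterwards.
            d["cached"] = d["reason"].startswith("cached result")
            yield d


def first_decisions(lines):
    """Map (identity, host, command name, access level) -> first useful decision.

    A non-cached decision always wins over a cached one for the same key, so if
    the real reason appears anywhere in the log it is the one returned.
    """
    out = OrderedDict()
    for d in parse_decisions(lines):
        key = (d["identity"], d["host"], d["cmd_name"], d["level"])
        prev = out.get(key)
        if prev is None or (prev["cached"] and not d["cached"]):
            out[key] = d
    return out


def denied_summary(lines):
    """One readable line per denied key, noting when only cached entries were seen."""
    rows = []
    for (identity, host, cmd_name, level), d in first_decisions(lines).items():
        if d["verdict"] != "DENIED":
            continue
        note = ""
        if d["cached"]:
            note = " [only cached entries seen; the full reason is earlier in the log]"
        rows.append(
            f"{d['ts']} DENIED {identity} from {host} {cmd_name} ({level}): {d['reason']}{note}"
        )
    return rows


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/condor/CollectorLog") for a real run.
    for row in denied_summary(SAMPLE_LOG):
        print(row)
```

Run it against the real CollectorLog on the central manager after ALL_DEBUG or COLLECTOR_DEBUG includes D_SECURITY; the grouping key deliberately includes the host, because a mapped identity such as condor@... may be granted from one machine and denied from another.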
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Tuesday, August 20, 2024 6:42 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows
Hi Cole,
Many thanks for your help.
· Is your pool only Windows or is it a mix of Windows/Linux?
I set ALL_DEBUG = D_SECURITY
The CollectorLog on CM:
08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family
08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65281>
08/20/24 13:22:23 SECMAN: new session, doing initial authentication.
08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.
08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.
08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')
08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server
08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)
08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)
08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)
08/20/24 13:22:23 Will return to DC because authentication is incomplete.
08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL
08/20/24 13:22:23 AUTHENTICATE: auth would still block
08/20/24 13:22:23 Will return to DC to continue authentication..
08/20/24 13:22:23 Authentication was a Success.
08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx
08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'
08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.
08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.
08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.
08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:9...
08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:9
08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:9.
08/20/24 13:22:23 DC_AUTHENTICATE: Success.
08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason
08/20/24 13:22:23 DC_AUTHENTICATE: Command not authorized, done!
08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65282>
08/20/24 13:22:23 SECMAN: new session, doing initial authentication.
08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.
08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.
08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')
08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server
08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)
08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)
08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)
08/20/24 13:22:23 Will return to DC because authentication is incomplete.
08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL
08/20/24 13:22:23 AUTHENTICATE: auth would still block
08/20/24 13:22:23 Will return to DC to continue authentication..
08/20/24 13:22:23 Authentication was a Success.
08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx
08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'
08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.
08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.
08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.
08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:10...
08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:10
08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:10.
08/20/24 13:22:23 DC_AUTHENTICATE: Success.
08/20/24 13:22:23 Checking limit in token (ADVERTISE_MASTER) for permission ALLOW
08/20/24 13:22:23 SESSION: server duplicated AES to BLOWFISH key for UDP.
08/20/24 13:22:23 DC_AUTHENTICATE: added incoming session id asrv0de148:3531561:1724152943:10 to cache for 86420 seconds (lease is 3620s, return address is <10.20.53.16:9618?addrs=10.20.53.16-9618&alias=AWS0DE227.corpdir.zz&noUDP&sock=master_8708_df30>).
Regards,
Leon
International MAGMA User Meeting 2024 - October 9-11 | RADISSON BLU - Frankfurt MAGMA Gießereitechnologie GmbH | Kackertstraße 16-18, 52072 Aachen, Germany | Legal form: GmbH, Register court: Aachen HRB 3912, Value added tax identification number: DE121745780 | Management: Dr. Marc C. Schneider (CEO and President), Dipl.-Ing. Mathieu Weber (Managing Director)
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
On behalf of Cole Bollig via HTCondor-users
Hi Leon,
You should be able to piece together specifically why the daemons are being denied during authorization from the logs. You can build a complete picture by looking at the other/server side of the conversation (Collector in this case). I do also have some questions about your setup:
-Cole Bollig
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Hi, We have been working successfully with HTCondor 8.x for many years. We also use HTCondor 8.x to carry out GUI tests. With the program QF-Test we can test our application automatically. An open desktop is required.
I know: “Running the HTCondor services as any other account (such as a domain user) is not supported and could be problematic.”
But for us the following worked with HTCondor 8.8.15:
use SECURITY : HOST_BASED
1. autologin as test-user
2. start condor_master as test-user
So we can perform 24x7 GUI tests.
But with the change to 23.012 there are problems.
All services start but the hosts are not in the cluster (condor_status does not list the hosts) and therefore do not receive any jobs.
In the MasterLog:
08/15/24 09:30:10 Setting ready state 'Ready' for STARTD
08/15/24 09:30:10 SECMAN: FAILED: Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.
08/15/24 09:30:10 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.
08/15/24 09:30:10 Collector update failed; will try to get a token request for trust domain cmhost, identity (default).
08/15/24 09:30:10 Failed to start non-blocking update to <10.20.49.82:9618>.
Can anyone help me with the solution?
Thanks for your help in advance,
Leon