Mailing List ArchivesAuthenticated access |
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}
|
Mailing List ArchivesAuthenticated access |
|
|
01/21/25 13:15:01 HANDSHAKE: in handshake(my_methods = 'NTSSPI,PASSWORD')
01/21/25 13:15:01 HANDSHAKE: handshake() - i am the client 01/21/25 13:15:01 HANDSHAKE: sending (methods == 528) to server 01/21/25 13:15:01 HANDSHAKE: server replied (method = 16)
01/21/25 13:15:01 Authentication was a Success.
01/21/25 13:15:01 AUTHENTICATION: setting default map to (null) 01/21/25 13:15:01 AUTHENTICATION: post-map: current FQU is '(null)'
This shows that NTSSPI (method bit 16) was the authentication method used, but for some reason
the authenticated identity could not be converted to a username. (FQU is fully qualified user. )
I think we need to see the SchedLog, try adding this to your configuration, then reconfig the sched and reproduce the problem.
SCHEDD_DEBUG = $(SCHEDD_DEBUG) D_SECURITY:2
This will produce a lot of output in the SchedLog, but I think we need the detailed logging to give us some clue why NTSSPI authentication is succeeding, but the username ends up being anonymous anyway.
-tj
From: Andy Barr <ajbarr@xxxxxxxxx>
Sent: Tuesday, January 21, 2025 2:56 PM To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx> Cc: John M Knoeller <johnkn@xxxxxxxxxxx> Subject: Re: [HTCondor-users] condor_rm job, Permission denied to force removal Hi John,
What Condor version?
$CondorVersion: 24.2.2 2024-12-04 BuildID: 772905 GitSHA: 2b56256d $
$CondorPlatform: x86_64_Windows10 $
Can you submit new jobs to the schedd?
Yes
Are you logged in to the machine that the SCHEDD is running on? or are you trying to remove jobs from a SCHEDD remotely? Some authorization methods only work locally.
Yes, but I would like to be able to remove jobs from a SCHEDD remotely eventually.
If you are running Condor version 24 or later, you can try
condor_rm 2.0 -debug:D_SECURITY
01/21/25 13:15:01 Win32 sysapi_get_network_device_info_raw() 01/21/25 13:15:01 SECMAN: command 478 ACT_ON_JOBS to <10.29.4.45:9618> from TCP port 49801 (blocking). 01/21/25 13:15:01 SECMAN: new session, doing initial authentication. 01/21/25 13:15:01 SECMAN: Auth methods: NTSSPI,PASSWORD 01/21/25 13:15:01 AUTHENTICATE: setting timeout for <10.29.4.45:9618?addrs=10.29.4.45-9618&alias=node1.company.com&noUDP&sock=schedd_15316_70f8> to 20. 01/21/25 13:15:01 HANDSHAKE: in handshake(my_methods = 'NTSSPI,PASSWORD') 01/21/25 13:15:01 HANDSHAKE: handshake() - i am the client 01/21/25 13:15:01 HANDSHAKE: sending (methods == 528) to server 01/21/25 13:15:01 HANDSHAKE: server replied (method = 16) 01/21/25 13:15:01 Authentication was a Success. 01/21/25 13:15:01 AUTHENTICATION: setting default map to (null) 01/21/25 13:15:01 AUTHENTICATION: post-map: current FQU is '(null)' 01/21/25 13:15:01 AUTHENTICATE: Exchanging keys with remote side. 01/21/25 13:15:01 AUTHENTICATE: Result of end of authenticate is 1. 01/21/25 13:15:01 SECMAN: generating AES key for session with <10.29.4.45:9618>... 01/21/25 13:15:01 SECMAN: successfully enabled encryption! 01/21/25 13:15:01 SECMAN: successfully enabled message authenticator! 01/21/25 13:15:01 SESSION: client duplicated AES to BLOWFISH key for UDP. 01/21/25 13:15:01 SECMAN: added session P01200537:17268:1737483301:11 to cache for 60 seconds (3600s lease). 01/21/25 13:15:01 SECMAN: startCommand succeeded. 01/21/25 13:15:01 DCSchedd:actOnJobs: Action failed On Tue, Jan 21, 2025 at 12:21âPM John M Knoeller via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
|