
Re: [HTCondor-users] sudo condor_reconfig failing with error about condor@password



Short answer: add condor@* to ALLOW_ADMINISTRATOR. Our standard configuration does this.

Long answer: What identity a root-run tool authenticates as depends on the method used and what token files it has access to. If FS authentication is used (preferred by default when tool and daemon are on the same system), the tool's identity will be 'condor@$(UID_DOMAIN)'. Why it's not "root@$(UID_DOMAIN)" is due to obscure reasons I won't get into here.
If IDTOKENS authentication is used and the tool can find a suitable token (matches daemon's TRUST_DOMAIN and signed by a key known to the daemon), then that token is used and the identity is in the token. If the tool can't find a token but has access to a signing key known to the daemon, the tool will create an ephemeral token with identity "condor@password".

 - Jaime

> On Jul 23, 2025, at 11:11 AM, Lee Damon <lvd@xxxxxx> wrote:
> 
> In the past I was able to have puppet issue a 'condor_reconfig' command when I updated a config file. I'm now trying to do the same with ansible and notice that it no longer works for either method. 
> 
> I tested it manually and yep, fail:
> 
> : || root@betty ~ [8] ; sudo condor_reconfig
> ERROR
> SECMAN:2010:Received "DENIED" from server for user condor@password using method IDTOKENS.
> Can't send Reconfig command to local master
> 
> while a different host complains about a different condor@ user:
> 
> : || lvd@gertrude ~ [1050] ; sudo condor_reconfig
> ERROR
> SECMAN:2010:Received "DENIED" from server for user condor@mypool using method IDTOKENS.
> Can't send Reconfig command to local master
> 
> I've verified that "root@*" and "condor@$(TRUST_DOMAIN)" are included in ALLOW_ADMINISTRATOR.
> 
> When I add condor@* to ALLOW_ADMIN it works but that seems ... off.
> 
> Is there some other way I should be dealing with this or should I just put "condor@*" in and call it good?
> 
> thanks,
> nomad 
> --
> CHSCC work days are Mondays, Tuesdays, and every other Wednesday.
> BITE work days are Thursdays, Fridays, and the other Wednesdays.