Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] authentication issue after upgrade

Hi Mihai,

There is a known 'gotcha' when upgrading from v23 to v24 dealing with PASSWORD authentication such that the authenticated identity has changed from condor_pool@<UID_DOMAIN> to condor@password. You will have to update all the ALLOW and DENY rules from the former to the latter.

You can see the full list of potential gotchas going from v23 to v24 at https://htcondor.readthedocs.io/en/latest/version-history/upgrading-from-23-0-to-24-0-versions.html. This particular gotcha is the last one listed.

Hope this helps,
Cole Bollig

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Mihai Ciubancan <ciubancan@xxxxxxxx>
Sent: Thursday, May 22, 2025 8:06 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] authentication issue after upgrade
 
Hello,

I had to upgrade HTCondor from 23.8.1 due to cgroupV2 problems(for the
gird site RO-07-NIPNE). And now I have version 24.7.1.
Unfortunately the authentication between nodes and collector is not
running anymore. I have try all 3 auth methods: recommended_v9_0,
recommended and host_based, and none works(before I used host_based). I
have created also the token but didn't helped. The error on the WN side
is:

05/22/25 15:43:29 Daemons::StartAllDaemons all daemons were started
05/22/25 15:43:30 Setting ready state 'Ready' for STARTD
05/22/25 15:43:34 SECMAN: FAILED: Received "DENIED" from server for user
condor@password using method PASSWORD.
05/22/25 15:43:34 ERROR: SECMAN:2010:Received "DENIED" from server for
user condor@password using method PASSWORD.
05/22/25 15:43:34 Collector update failed; will try to get a token
request for trust domain nipne.ro, identity (default).
05/22/25 15:43:34 Failed to start non-blocking update to
<192.168.181.11:9618>.
05/22/25 15:43:34 Token requested; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:39 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:44 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:49 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:54 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:59 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:05 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:10 Token requested not yet approved; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.

On the Collector side I have:

05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.181.22:35711>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to
authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is
incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is
'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22
complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session
condor1atlas:56762:1747917810:476...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session
condor1atlas:56762:1747917810:476
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with
key id condor1atlas:56762:1747917810:476.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 PERMISSION DENIED to condor@password from host
192.168.181.22 for command 0 (UPDATE_STARTD_AD), access level
ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first
case for the full reason
05/22/25 15:43:30 DC_AUTHENTICATE: Command not authorized, done!
05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.181.22:39497>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to
authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is
incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is
'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22
complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session
condor1atlas:56762:1747917810:477...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session
condor1atlas:56762:1747917810:477
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with
key id condor1atlas:56762:1747917810:477.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 SESSION: server duplicated AES to BLOWFISH key for
UDP.
05/22/25 15:43:30 DC_AUTHENTICATE: added incoming session id
condor1atlas:56762:1747917810:477 to cache for 86420 seconds (lease is
3620s, return address is
<192.168.181.22:9618?addrs=192.168.181.22-9618&alias=wn12.nipne.ro&noUDP&sock=startd_3213954_b27e>).

I don't know how to fix this. Maybe you have some ideas.

Best,
Mihai

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe

Join us in June at Throughput Computing 25: https://urldefense.com/v3/__https://osg-htc.org/htc25__;!!Mak6IKo!OCbX-aOqNGo_D9swWxK5V7_t3vLgdXTc-dKpifVpMbruM_yrAnVgHiIPY0JdbskewzysefCx01AB-obR7Ouj$

The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/