Hi Mihai,
There is a known 'gotcha' when upgrading from v23 to v24 dealing with PASSWORD authentication such that the authenticated identity has changed from condor_pool@<UID_DOMAIN> to condor@password. You will have to update all the ALLOW and DENY rules from the former to the latter.
You can see the full list of potential gotchas going from v23 to v24 at https://htcondor.readthedocs.io/en/latest/version-history/upgrading-from-23-0-to-24-0-versions.html. This particular gotcha is the last one listed.
Hope this helps,
Cole Bollig
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Mihai Ciubancan <ciubancan@xxxxxxxx>
Sent: Thursday, May 22, 2025 8:06 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] authentication issue after upgrade

Hello,
I had to upgrade HTCondor from 23.8.1 due to cgroupV2 problems (for the grid site RO-07-NIPNE). And now I have version 24.7.1. Unfortunately the authentication between nodes and collector is not running anymore. I have tried all 3 auth methods: recommended_v9_0, recommended and host_based, and none works (before I used host_based). I have also created the token but it didn't help.

The error on the WN side is:

05/22/25 15:43:29 Daemons::StartAllDaemons all daemons were started
05/22/25 15:43:30 Setting ready state 'Ready' for STARTD
05/22/25 15:43:34 SECMAN: FAILED: Received "DENIED" from server for user condor@password using method PASSWORD.
05/22/25 15:43:34 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@password using method PASSWORD.
05/22/25 15:43:34 Collector update failed; will try to get a token request for trust domain nipne.ro, identity (default).
05/22/25 15:43:34 Failed to start non-blocking update to <192.168.181.11:9618>.
05/22/25 15:43:34 Token requested; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:39 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:44 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:49 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:54 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:59 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:05 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:10 Token requested not yet approved; please ask collector condor1atlas.nipne.ro admin to approve request ID 8121747.

On the Collector side I have:

05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from <192.168.181.22:35711>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is 'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22 complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session condor1atlas:56762:1747917810:476...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session condor1atlas:56762:1747917810:476
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with key id condor1atlas:56762:1747917810:476.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 PERMISSION DENIED to condor@password from host 192.168.181.22 for command 0 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason
05/22/25 15:43:30 DC_AUTHENTICATE: Command not authorized, done!
05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from <192.168.181.22:39497>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is 'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22 complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session condor1atlas:56762:1747917810:477...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session condor1atlas:56762:1747917810:477
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with key id condor1atlas:56762:1747917810:477.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 SESSION: server duplicated AES to BLOWFISH key for UDP.
05/22/25 15:43:30 DC_AUTHENTICATE: added incoming session id condor1atlas:56762:1747917810:477 to cache for 86420 seconds (lease is 3620s, return address is <192.168.181.22:9618?addrs=192.168.181.22-9618&alias=wn12.nipne.ro&noUDP&sock=startd_3213954_b27e>).

I don't know how to fix this. Maybe you have some ideas.

Best,
Mihai
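
The rule update described in the reply, as an added example that is not part of the original thread or of HTCondor: a Python check that finds ALLOW_*/DENY_* rules still naming the v23 identity, proposes the v24 value, and pairs them with the collector's PERMISSION DENIED line. The sample configuration, example.org and the function names are constructed for illustration.

```python
import re

# Identity change stated in the reply: v23 PASSWORD peers mapped to
# condor_pool@<UID_DOMAIN>, v24 maps them to condor@password.
LEGACY = re.compile(r"condor_pool@[^\s,/]+")
NEW_IDENTITY = "condor@password"
RULE = re.compile(r"^\s*((?:ALLOW|DENY)_\w+)\s*=\s*(.*)$")
DENIED = re.compile(r"PERMISSION DENIED to (\S+) from host (\S+) .*access level (\w+)")

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
# pool authorization
ALLOW_ADVERTISE_STARTD = condor_pool@$(UID_DOMAIN)/192.168.181.*
ALLOW_DAEMON = condor_pool@example.org, condor@example.org
DENY_WRITE = anonymous@*
ALLOW_READ = *
"""
# Collector log line quoted in the thread (reason text shortened).
SAMPLE_LOG = ("05/22/25 15:43:30 PERMISSION DENIED to condor@password from host "
              "192.168.181.22 for command 0 (UPDATE_STARTD_AD), "
              "access level ADVERTISE_STARTD: reason: cached result\n")

def find_legacy_rules(config_text):
    """Return (line number, knob, proposed value) for rules naming the v23 identity."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = RULE.match(line)
        if m and LEGACY.search(m.group(2)):
            hits.append((n, m.group(1), LEGACY.sub(NEW_IDENTITY, m.group(2)).strip()))
    return hits

def triage(config_text, log_text):
    """Pair each condor@password denial with legacy rules; flag exact-level matches."""
    report = []
    for ident, host, level in DENIED.findall(log_text):
        if ident != NEW_IDENTITY:
            continue  # only denials of the new v24 identity are relevant here
        for n, knob, proposed in find_legacy_rules(config_text):
            exact = knob == f"ALLOW_{level}"
            report.append((ident, host, level, knob, n, proposed, exact))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_CONFIG, SAMPLE_LOG):
        ident, host, level, knob, n, proposed, exact = row
        mark = "<- level named in the denial" if exact else ""
        print(f"{host} denied as {ident} at {level}: line {n}: {knob} = {proposed} {mark}")
```

Feeding it the output of `condor_config_val -dump` from the collector, rather than a single file, covers rules set in any included configuration file.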