
Re: [HTCondor-users] authentication issue after upgrade



Hi Cole,

Thank you for your fast answer! I will change according to your hint.

Best,
Mihai


On 2025-05-22 16:21, Cole Bollig via HTCondor-users wrote:
Hi Mihai,

 There is a known 'gotcha' when upgrading from v23 to v24 dealing with
PASSWORD authentication such that the authenticated identity has
changed from condor_pool@<UID_DOMAIN> to condor@password. You will
have to update all the ALLOW and DENY rules from the former to the
latter.

 You can see the full list of potential gotchas going from v23 to v24
at
https://htcondor.readthedocs.io/en/latest/version-history/upgrading-from-23-0-to-24-0-versions.html
[1]. This particular gotcha is the last one listed.

 Hope this helps,
 Cole Bollig

-------------------------

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of
Mihai Ciubancan <ciubancan@xxxxxxxx>
Sent: Thursday, May 22, 2025 8:06 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] authentication issue after upgrade

Hello,

I had to upgrade HTCondor from 23.8.1 due to cgroupV2 problems (for the
grid site RO-07-NIPNE). And now I have version 24.7.1.
Unfortunately the authentication between nodes and collector is not
running anymore. I have tried all 3 auth methods: recommended_v9_0,
recommended and host_based, and none works (before I used host_based).
I have also created the token but it didn't help. The error on the WN
side is:

05/22/25 15:43:29 Daemons::StartAllDaemons all daemons were started
05/22/25 15:43:30 Setting ready state 'Ready' for STARTD
05/22/25 15:43:34 SECMAN: FAILED: Received "DENIED" from server for
user
condor@password using method PASSWORD.
05/22/25 15:43:34 ERROR: SECMAN:2010:Received "DENIED" from server for
user condor@password using method PASSWORD.
05/22/25 15:43:34 Collector update failed; will try to get a token
request for trust domain nipne.ro, identity (default).
05/22/25 15:43:34 Failed to start non-blocking update to
<192.168.181.11:9618>.
05/22/25 15:43:34 Token requested; please ask collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:39 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:44 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:49 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:54 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:43:59 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:05 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.
05/22/25 15:44:10 Token requested not yet approved; please ask
collector
condor1atlas.nipne.ro admin to approve request ID 8121747.

On the Collector side I have:

05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.181.22:35711>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to
authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is
incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to
condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is
'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22
complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session
condor1atlas:56762:1747917810:476...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session
condor1atlas:56762:1747917810:476
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with
key id condor1atlas:56762:1747917810:476.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 PERMISSION DENIED to condor@password from host
192.168.181.22 for command 0 (UPDATE_STARTD_AD), access level
ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see
first
case for the full reason
05/22/25 15:43:30 DC_AUTHENTICATE: Command not authorized, done!
05/22/25 15:43:30 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.181.22:39497>
05/22/25 15:43:30 SECMAN: new session, doing initial authentication.
05/22/25 15:43:30 Returning to DC while we wait for socket to
authenticate.
05/22/25 15:43:30 AUTHENTICATE: setting timeout for (unknown) to 20.
05/22/25 15:43:30 HANDSHAKE: in handshake(my_methods = 'PASSWORD,FS')
05/22/25 15:43:30 HANDSHAKE: handshake() - i am the server
05/22/25 15:43:30 HANDSHAKE: client sent (methods == 516)
05/22/25 15:43:30 HANDSHAKE: i picked (method == 512)
05/22/25 15:43:30 HANDSHAKE: client received (method == 512)
05/22/25 15:43:30 Will return to DC because authentication is
incomplete.
05/22/25 15:43:30 AUTHENTICATE: auth would still block
05/22/25 15:43:30 Will return to DC to continue authentication..
05/22/25 15:43:30 Authentication was a Success.
05/22/25 15:43:30 AUTHENTICATION: setting default map to
condor@password
05/22/25 15:43:30 AUTHENTICATION: post-map: current FQU is
'condor@password'
05/22/25 15:43:30 AUTHENTICATE: Exchanging keys with remote side.
05/22/25 15:43:30 AUTHENTICATE: Result of end of authenticate is 1.
05/22/25 15:43:30 DC_AUTHENTICATE: authentication of 192.168.181.22
complete.
05/22/25 15:43:30 DC_AUTHENTICATE: generating AES key for session
condor1atlas:56762:1747917810:477...
05/22/25 15:43:30 DC_AUTHENTICATE: encryption enabled for session
condor1atlas:56762:1747917810:477
05/22/25 15:43:30 DC_AUTHENTICATE: message authenticator enabled with
key id condor1atlas:56762:1747917810:477.
05/22/25 15:43:30 DC_AUTHENTICATE: Success.
05/22/25 15:43:30 SESSION: server duplicated AES to BLOWFISH key for
UDP.
05/22/25 15:43:30 DC_AUTHENTICATE: added incoming session id
condor1atlas:56762:1747917810:477 to cache for 86420 seconds (lease is
3620s, return address is
<192.168.181.22:9618?addrs=192.168.181.22-9618&alias=wn12.nipne.ro&noUDP&sock=startd_3213954_b27e>).

I don't know how to fix this. Maybe you have some ideas.

Best,
Mihai

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
with a
subject: Unsubscribe

Join us in June at Throughput Computing 25:
https://urldefense.com/v3/__https://osg-htc.org/htc25__;!!Mak6IKo!OCbX-aOqNGo_D9swWxK5V7_t3vLgdXTc-dKpifVpMbruM_yrAnVgHiIPY0JdbskewzysefCx01AB-obR7Ouj$
[2]

The archives can be found at:
https://www-auth.cs.wisc.edu/lists/htcondor-users/ [3]


Links:
------
[1] https://htcondor.readthedocs.io/en/latest/version-history/upgrading-from-23-0-to-24-0-versions.html
[2] https://urldefense.com/v3/__https://osg-htc.org/htc25__;!!Mak6IKo!OCbX-aOqNGo_D9swWxK5V7_t3vLgdXTc-dKpifVpMbruM_yrAnVgHiIPY0JdbskewzysefCx01AB-obR7Ouj$
[3] https://www-auth.cs.wisc.edu/lists/htcondor-users/
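
Added example, not part of the original thread and not HTCondor's own tooling: a small audit for the identity change described in the reply above. It lists ALLOW_*/DENY_* rules that still name condor_pool@<UID_DOMAIN>, proposes the condor@password rewrite while keeping any /host suffix, and pulls the denied identity and access level out of collector log text. The sample config, sample log line and function names are constructed for illustration.

```python
import re

OLD_ID = re.compile(r"condor_pool@[^\s,/]+")  # pre-v24 PASSWORD identity
NEW_ID = "condor@password"                    # identity reported after the upgrade
RULE = re.compile(r"^\s*((?:ALLOW|DENY)_\w+)\s*=\s*(.*)$")
DENIED = re.compile(r"PERMISSION DENIED to (\S+) from host (\S+) for command "
                    r"\d+ \((\w+)\), access level (\w+)")

# Constructed sample input (not taken from the poster's pool).
SAMPLE_CONFIG = """\
UID_DOMAIN = example.org
ALLOW_DAEMON = condor_pool@example.org/192.168.0.*, condor@example.org
ALLOW_ADVERTISE_STARTD = condor_pool@$(UID_DOMAIN)
DENY_WRITE = anonymous@*
"""
SAMPLE_LOG = ("05/22/25 15:43:30 PERMISSION DENIED to condor@password from host\n"
              "192.0.2.22 for command 0 (UPDATE_STARTD_AD), access level\n"
              "ADVERTISE_STARTD: reason: (constructed)")

def stale_rules(config_text):
    """Map each rule naming the old identity to (current value, rewritten value)."""
    out = {}
    for line in config_text.splitlines():
        m = RULE.match(line)
        if m and OLD_ID.search(m.group(2)):
            value = m.group(2).strip()
            # Only the user@domain part changes; a trailing /host pattern is kept.
            out[m.group(1)] = (value, OLD_ID.sub(NEW_ID, value))
    return out

def denied_identities(log_text):
    """Return sorted (identity, access level) pairs from PERMISSION DENIED lines."""
    flat = " ".join(log_text.split())  # undo mail or terminal line wrapping
    return sorted({(m.group(1), m.group(4)) for m in DENIED.finditer(flat)})

if __name__ == "__main__":
    for ident, level in denied_identities(SAMPLE_LOG):
        print(f"denied: {ident} at level {level}")
    for knob, (old, new) in stale_rules(SAMPLE_CONFIG).items():
        print(f"{knob}\n  was: {old}\n  now: {new}")
```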