
Re: [HTCondor-users] Kerberos node authentication



Hi,

On Wed, 2025-11-12 at 08:52 +0200, CMV wrote:
> Hello everyone,
> 
> I'm trying to bring up a lab setup of a minimal htcondor using Alma 9.6 
> VMs. Condor is installed from official RPM repos and I fully control 
> both the DNS (which was made authoritative for the domains involved) and 
> the (MIT) Kerberos server.
> 
> Initially I used IDTOKENS and it went OK; I could see the manager
> mtm.dev.example.com accepting htx and hts nodes. I then deleted the
> tokens and changed the configuration(s) in order to make the manager and
> one of the submit nodes use Kerberos authentication instead, but I
> haven't been able to make it work.
> 
> hts01.dev.example.com (the node) configuration

[...]

> KERBEROS_MAP_FILE = /etc/condor/condor.kmap

What's the content of the mapping file?

> # KERBEROS_SERVER_PRINCIPAL = host/hts01.dev.example.com@xxxxxxxxxxx
> KERBEROS_CLIENT_PRINCIPAL = host/hts01.dev.example.com@xxxxxxxxxxx

That's most likely the default.

> 11/12/25 08:21:58 (fd:10) (pid:9048) (D_SECURITY) KERBEROS: get remote 
> server principal for "host/htm.dev.example.com"
> 11/12/25 08:21:58 (fd:10) (pid:9048) (D_SECURITY) KERBEROS: 
> krb5_unparse_name: host/htm.dev.example.com@

This looks weird: the realm part is missing. Does the domain->realm
mapping really work?

Could be a red herring, though.

> 11/12/25 08:17:02 DC_AUTHENTICATE: required authentication of 
> 192.168.10.61 failed: AUTHENTICATE:1003:Failed to authenticate with any 
> method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
> 
> Any ideas would be greatly appreciated as I ran out of them.

I would also check KDC logs for wrong KRBTGT or TGT requests. The usual
things that break kerberos authentication are:

 * clients build up principal names in the wrong way
 * keys with wrong kvno in keytab


Kerberos works flawlessly here, settings are kept more or less to the
minimum:

---
KERBEROS_MAP_FILE = /etc/condor/kerberos.map
KERBEROS_SERVER_KEYTAB = /etc/condor/krb5.keytab
KERBEROS_SERVER_SERVICE = condor
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS,IDTOKENS
---

Maybe just take out most of the kerberos configuration from the
HTCondor config and keep system-wide stuff in /etc/krb5.conf only?

Cheers,
Andreas
-- 
| Andreas Haupt | E-Mail: andreas.haupt@xxxxxxx | DESY, Zeuthen | WWW:
http://www.zeuthen.desy.de/~ahaupt | Platanenallee 6 | Phone:
+49/33762/7-7359 | D-15738 Zeuthen |

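A defender-side diagnostic for the two checks Andreas points at (a principal whose realm part came out empty, and a keytab whose kvno is out of step with the KDC). This is an added example, not code from the thread or from HTCondor; the D_SECURITY log lines, the `klist -kte` output and the KDC kvno values are constructed to mirror the thread.

```python
import re

# Constructed D_SECURITY log lines, modelled on the ones quoted in the thread
SAMPLE_LOG = """\
11/12/25 08:21:58 (fd:10) (pid:9048) (D_SECURITY) KERBEROS: get remote server principal for "host/htm.dev.example.com"
11/12/25 08:21:58 (fd:10) (pid:9048) (D_SECURITY) KERBEROS: krb5_unparse_name: host/htm.dev.example.com@
11/12/25 08:22:01 (fd:10) (pid:9048) (D_SECURITY) KERBEROS: krb5_unparse_name: condor/htm.dev.example.com@DEV.EXAMPLE.COM
"""
UNPARSE_RE = re.compile(r"krb5_unparse_name:\s+(\S+)")

def principals_without_realm(log_text):
    """Principals logged by krb5_unparse_name whose realm part is empty (name ends in '@')."""
    found = []
    for line in log_text.splitlines():
        m = UNPARSE_RE.search(line)
        if m and m.group(1).endswith("@"):
            found.append(m.group(1))
    return found

# Constructed `klist -kte` output for the node's keytab
SAMPLE_KEYTAB = """\
KVNO Timestamp           Principal
   3 11/10/2025 10:00:00 host/hts01.dev.example.com@DEV.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 11/10/2025 10:00:00 host/hts01.dev.example.com@DEV.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/01/2025 09:00:00 condor/hts01.dev.example.com@DEV.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
# Constructed: key version the KDC currently reports via `kvno <principal>`
KDC_KVNO = {
    "host/hts01.dev.example.com@DEV.EXAMPLE.COM": 3,
    "condor/hts01.dev.example.com@DEV.EXAMPLE.COM": 4,
}
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)")

def keytab_kvnos(klist_text):
    """Map each principal in klist -kte output to the set of kvnos stored for it."""
    kvnos = {}
    for line in klist_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos

def kvno_mismatches(klist_text, kdc_kvno):
    """Principals whose keytab lacks the kvno the KDC issues: (stored kvnos, KDC kvno)."""
    stored = keytab_kvnos(klist_text)
    return {p: (sorted(stored.get(p, ())), v)
            for p, v in kdc_kvno.items() if v not in stored.get(p, ())}
```

On a real node, feed `principals_without_realm` the daemon log with D_SECURITY enabled and `keytab_kvnos` the output of `klist -kte /etc/condor/krb5.keytab`; a hit in either function matches one of the two failure modes listed above.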