Re: [HTCondor-users] Kerberos node authentication
Hi Andreas,
Thanks a lot for taking the time.
On 11/14/25 4:51 PM, Andreas Haupt wrote:
> The client principal name is built like this (to my knowledge):
> $(KERBEROS_SERVER_SERVICE)/<fqdn.of.the.node>@<REALM>
> ... whereas <REALM> is a callout to the default_realm value in
> /etc/krb5.conf
Following your advice (and once I'd deleted the principals (and
keytabs!) and re-created them using condor/ instead of host/), I've
simplified the config down to
CONDOR_HOST = htm.dev.example.com
use role:submit
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
KERBEROS_CLIENT_KEYTAB = /etc/condor/hts01.dev.example.com.keytab
KERBEROS_SERVER_SERVICE = condor
KERBEROS_MAP_FILE = /etc/condor/condor.kmap
No realm defined, nothing added; as you predicted, it picked the realm
from /etc/krb5.conf but... still no luck!
I think in my case the problem is that, for some reason, in
condor_io/condor_auth_kerberos.cpp, Condor_Auth_Kerberos::map_kerberos_name(),
this part:
[...]
    if (!map_domain_name(at_sign+1)) {
        return FALSE;
    }
[...]
... returns FALSE, and that's because Condor_Auth_Kerberos::map_domain_name()
in turn returns FALSE at
    if (RealmMap) {
        auto itr = RealmMap->find(domain);
        if (itr != RealmMap->end()) {
            if (IsFulldebug(D_SECURITY)) {
                dprintf (D_SECURITY, "KERBEROS: mapping realm %s to domain %s.\n",
                    domain, itr->second.c_str());
            }
            setRemoteDomain(itr->second.c_str());
            return TRUE;
        } else {
            // if the map exists, they must be listed. and they're NOT!
            return FALSE;
        }
    }
I do have a valid mapping file, with the mapping listed yet it still
goes the " // if the map exists, they must be listed. and they're NOT!"
way instead of showing "KERBEROS: mapping realm %s to domain %s.\n". (A
debug message in that code path with a nicely formatted output of
RealmMap's actual value plus a brief note/explanation might have helped... )
The only particular aspect in my configuration is the fact that my
domain is a subdomain of the realm (EXAMPLE.COM --> dev.example.com )
but why would that be relevant?
I'll have a closer look at Condor_Auth_Kerberos::init_realm_mapping().
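As an added example (not code from the HTCondor source or from anyone in this thread), a stand-alone C++ program that mirrors the lookup in the quoted map_domain_name(): the key searched for is whatever follows the '@' of the peer principal, compared byte-for-byte against the keys loaded from KERBEROS_MAP_FILE, and a miss lands in the "they're NOT!" branch. The kmap format used here (one `REALM = domain` entry per line, `#` comments, surrounding whitespace ignored) and the parse helper are assumptions standing in for init_realm_mapping(), and both sample file contents are constructed. The second sample file has the columns swapped, so it is keyed by domain rather than realm; the lookup on "EXAMPLE.COM" then finds nothing even though the file is present and "valid", which is the path described above.

```cpp
#include <initializer_list>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Constructed sample KERBEROS_MAP_FILE contents. Assumption: one
// "REALM = domain" entry per line, '#' starts a comment, blanks are ignored.
static const char *kGoodKmap =
    "# Kerberos realm -> DNS domain\n"
    "EXAMPLE.COM = dev.example.com\n";

// Constructed file with the two columns swapped: keyed by domain, not realm.
static const char *kSwappedKmap =
    "dev.example.com = EXAMPLE.COM\n";

using RealmMap = std::map<std::string, std::string>;

static std::string trim(const std::string &s) {
    const char *ws = " \t\r\n";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::string::size_type e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Build the realm -> domain map from the file text. This is a stand-in for
// the project's init_realm_mapping(), using the assumed format above.
RealmMap parse_kmap(const std::string &text) {
    RealmMap m;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::string::size_type hash = line.find('#');
        if (hash != std::string::npos) line.erase(hash);
        line = trim(line);
        if (line.empty()) continue;
        std::string::size_type eq = line.find('=');
        if (eq == std::string::npos) continue;   // malformed line, skipped
        std::string realm = trim(line.substr(0, eq));
        std::string domain = trim(line.substr(eq + 1));
        if (!realm.empty() && !domain.empty()) m[realm] = domain;
    }
    return m;
}

// Mirror of the lookup in the quoted map_domain_name(): the key is the text
// after the last '@' of the peer principal, compared byte-for-byte, so
// "EXAMPLE.COM" and "example.com" are different keys. Returns "" when the
// realm is not listed (the "they're NOT!" branch), else the mapped domain.
std::string map_realm_to_domain(const RealmMap &m, const std::string &principal) {
    std::string::size_type at = principal.rfind('@');
    if (at == std::string::npos) return "";      // no realm component at all
    std::string realm = principal.substr(at + 1);
    RealmMap::const_iterator it = m.find(realm);
    return it == m.end() ? "" : it->second;
}

int main() {
    const std::string peer = "condor/hts01.dev.example.com@EXAMPLE.COM";
    for (const char *kmap : {kGoodKmap, kSwappedKmap}) {
        RealmMap m = parse_kmap(kmap);
        std::string domain = map_realm_to_domain(m, peer);
        std::cout << "map with " << m.size() << " entries: realm of " << peer;
        if (domain.empty()) {
            std::cout << " is NOT listed -> map_domain_name() would return FALSE\n";
        } else {
            std::cout << " maps to domain " << domain << "\n";
        }
    }
    return 0;
}
```

Running it prints one line per sample file: the first maps the realm to dev.example.com, the second reports the realm as not listed. Checking your own condor.kmap against this (left column realm, right column domain, exact case of the realm string) is the quickest way to rule the file format in or out before digging into init_realm_mapping().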