Re: [HTCondor-users] authentication error(s)



Here's the output from the central manager:

$ condor_config_val -v FULL_HOSTNAME UID_DOMAIN TRUST_DOMAIN
FULL_HOSTNAME = bench9.timehole.org
 # at: <Detected>
 # raw: FULL_HOSTNAME = bench9.timehole.org

UID_DOMAIN = bench9.timehole.org
 # at: <Default>
 # raw: UID_DOMAIN = $(FULL_HOSTNAME)

TRUST_DOMAIN = 192.168.1.197
 # at: /etc/condor/config.d/02-submit.config, line 3, use SECURITY:get_htcondor_idtokens+20
 # raw: TRUST_DOMAIN = $(CONDOR_HOST)


Do I need to explicitly set up IDTOKENS?

Thanks for the help!

JK



On Sep 16, 2025, at 3:00 PM, Jaime Frey <jfrey@xxxxxxxxxxx> wrote:


HTCondor will attempt KERBEROS authentication if the more typical authentication methods (FS, IDTOKENS) fail.

It looks like you haven't set up strong authentication between your HTCondor machines. I recommend using IDTOKENS.

Before you set that up, I'd like to know how your configuration ended up with an IP address for TRUST_DOMAIN. Normally, it's a hostname by default. Can you run the following command and post the output?

condor_config_val -v FULL_HOSTNAME UID_DOMAIN TRUST_DOMAIN

 - Jaime

On Sep 15, 2025, at 11:54 AM, Justin Killebrew via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

I did not enable KERBEROS.  Is it enabled by default?  How do I know if it's active?  I only use the /etc/hosts file for name resolution for the condor machines.


Thanks,
JK


On Sep 12, 2025, at 12:55 PM, Steven Timm <timm@xxxxxxxx> wrote:


It would only be trying to resolve the KDC address if you have KERBEROS authentication enabled.  Do you?
I believe Kerberos requires DNS to work and it appears that the way you are configured it isn't.
(presuming that 192.168.1.197 is the only network that's available on the CM)

Steve


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Justin Killebrew via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Friday, September 12, 2025 11:40 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Justin Killebrew <jk@xxxxxxx>
Subject: [HTCondor-users] authentication error(s)

This is a fresh Ubuntu 24.04 install. 1 central manager (CM), 1 execute point (EP).  The CM is bench9.timehole.org, 192.168.1.197.

EP MasterLog errors:
    AUTH_ERROR: Cannot resolve network address for KDC in requested realm
    SECMAN: required authentication with collector bench9.timehole.org failed ...
    ERROR: AUTHENTICATE:1003:Failed to authenticate with any method ...

Another symptom/problem:
on the EP: 
    $ condor_config_val trust_domain
    bench9.timehole.org
but on the CM:
    $ condor_config_val trust_domain
    192.168.1.197

I have added this to the EP /etc/condor/condor_config
    ALLOW_WRITE = *.timehole.org
    TRUST_DOMAIN = 192.168.1.197
    STARTD_DEBUG = D_SECURITY
    
But that does not change the condor_config_val trust_domain.  Is there another way to set the trust_domain to the IP address?  Would that fix the AUTH_ERROR: Cannot resolve network address problem?

Thanks for the help.

JK

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe

The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/
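
The two symptoms reported in this thread (TRUST_DOMAIN evaluating to an IP address on the CM, and to a different value on the EP) can be checked mechanically from `condor_config_val -v` output collected on each host. The following is an added example, not code from the thread participants or the HTCondor project; the function names and the EP sample are constructed for illustration.

```python
import ipaddress
import re

# CM_OUTPUT: the UID_DOMAIN and TRUST_DOMAIN records of the CM output quoted in the thread.
CM_OUTPUT = """\
UID_DOMAIN = bench9.timehole.org
 # at: <Default>
 # raw: UID_DOMAIN = $(FULL_HOSTNAME)

TRUST_DOMAIN = 192.168.1.197
 # at: /etc/condor/config.d/02-submit.config, line 3, use SECURITY:get_htcondor_idtokens+20
 # raw: TRUST_DOMAIN = $(CONDOR_HOST)
"""
# EP_OUTPUT is constructed: only the value comes from the thread; "at" and "raw" are placeholders.
EP_OUTPUT = "TRUST_DOMAIN = bench9.timehole.org\n # at: <constructed>\n # raw: TRUST_DOMAIN = <constructed>\n"

def parse_verbose(text):
    """Parse `condor_config_val -v` output into {NAME: {"value", "at", "raw"}}."""
    result, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)$", line)  # "NAME = value" record header
        if m:
            current = result.setdefault(m.group(1).upper(), {"value": m.group(2).strip(), "at": None, "raw": None})
        elif current and line.startswith("# at:"):    # where the setting was defined
            current["at"] = line[len("# at:"):].strip()
        elif current and line.startswith("# raw:"):   # the unexpanded right-hand side
            current["raw"] = line.partition("=")[2].strip()
    return result

def is_ip_literal(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def audit_trust_domain(nodes):
    """nodes maps a host label to that host's verbose output; returns a list of findings."""
    findings, seen = [], {}
    for label, text in nodes.items():
        entry = parse_verbose(text).get("TRUST_DOMAIN")
        if entry is None:
            findings.append(f"{label}: TRUST_DOMAIN missing from output")
            continue
        seen[label] = entry["value"]
        if is_ip_literal(entry["value"]):
            findings.append(f"{label}: TRUST_DOMAIN is an IP literal ({entry['value']}); raw={entry['raw']}; set at {entry['at']}")
    if len(set(seen.values())) > 1:
        findings.append("TRUST_DOMAIN differs between nodes: " + ", ".join(f"{k}={v}" for k, v in sorted(seen.items())))
    return findings
```

Calling `audit_trust_domain({"CM": CM_OUTPUT, "EP": EP_OUTPUT})` returns one finding for the IP literal on the CM, including the file and raw expression that produced it, and one for the CM/EP mismatch.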