
Re: [HTCondor-users] Problem setting up VOMS authentication on a new CondorCE



This looks like either the client didn't present a certificate or the server failed to authenticate the client's certificate.

Add or modify SCHEDD_DEBUG=D_SECURITY:2, try again, and send me the resulting SchedLog segment.

 - Jaime

On May 4, 2026, at 12:36 PM, Chris Brew - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

Hi All,

We're trying to set up some new CondorCEs to replace our ArcCEs but are having some issues getting VOMS Authentication to work (unfortunately, I think it's still needed for now for some of the VOs we support).

If I put a very basic:

SSL /.*/ cms001

mapping into the map file, I can run condor_ce_trace and get a job into the condor_ce_schedd and job_router as expected and the x509UserProxy.* ClassAds are all populated with the values I expect.

However, if I put any more complex regex in there, the mapping fails. Eventually in desperation, I tried a mapping of:

SSL /(.*)/ \1

Hoping that the error would tell me something about the format of the VOMS FQDN I was trying to match. It sort of did, condor_ce_trace failed as expected with this line in the stack trace:

htcondor2_impl.HTCondorException: Failed to create new cluster.SCHEDD:28:AP user has OS user value unauthenticated, which is not a valid OS account.

I'm guessing that I've missed switching some knob on to enable VOMS mapping but cannot figure out which one.

This is Condor CE 25.7.0 on AlmaLinux 10:

# condor_ce_version
$HTCondorCEVersion: 25.7.0 $
$CondorVersion: 25.8.2 2026-04-15 BuildID: 896299 PackageID: 25.8.2-1 GitSHA: 37a36d5f $
$CondorPlatform: x86_64_AlmaLinux10 $

Any ideas?

Thanks,
Chris.


# condor_ce_config_val -dump | grep -E 'SSL|VOMS'
AUTH_SSL_ALLOW_CLIENT_PROXY = True
AUTH_SSL_AUTOGENERATE_CERTFILE = $(ETC)/hostcert.pem
AUTH_SSL_AUTOGENERATE_KEYFILE = $(ETC)/hostkey.pem
AUTH_SSL_CLIENT_CADIR = /etc/grid-security/certificates
AUTH_SSL_CLIENT_CAFILE =
AUTH_SSL_CLIENT_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_CLIENT_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_CLIENT_USE_DEFAULT_CAS = true
AUTH_SSL_REQUIRE_CLIENT_CERTIFICATE = false
AUTH_SSL_REQUIRE_CLIENT_MAPPING = True
AUTH_SSL_SERVER_CADIR = /etc/grid-security/certificates
AUTH_SSL_SERVER_CAFILE =
AUTH_SSL_SERVER_CERTFILE = /etc/grid-security/hostcert.pem
AUTH_SSL_SERVER_KEYFILE = /etc/grid-security/hostkey.pem
AUTH_SSL_SERVER_USE_DEFAULT_CAS = true
AUTH_SSL_USE_CLIENT_PROXY_ENV_VAR = True
AUTH_SSL_USE_VOMS_IDENTITY = true
BOOTSTRAP_SSL_SERVER_TRUST = false
BOOTSTRAP_SSL_SERVER_TRUST_PROMPT_USER = true
COLLECTOR.SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR.SEC_READ_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR.SEC_WRITE_AUTHENTICATION_METHODS = FS,TOKEN,SCITOKENS,SSL
COLLECTOR_BOOTSTRAP_SSL_CERTIFICATE = false
GAHP_SSL_CADIR =
GAHP_SSL_CAFILE =
SCHEDD.SEC_READ_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,SCITOKENS,SSL
SEC_CLIENT_AUTHENTICATION_METHODS = FS, TOKEN, SCITOKENS, SSL
SSL_SKIP_HOST_CHECK = false
USE_VOMS_ATTRIBUTES = True
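
An added illustration, not part of either message and not HTCondor code: a small Python model of first-match map-file lookup, run over the two mappings quoted above. It assumes the name handed to the mapper was `unauthenticated` (the value in the error message), that a VOMS identity has the form DN,FQAN, and that Python's `re` stands in for the regex engine HTCondor uses; the third rule and the sample DN are constructed.

```python
import re

# The two map-file lines from the thread, plus a constructed anchored rule.
MAP_LINES = [
    r"SSL /.*/ cms001",
    r"SSL /(.*)/ \1",
    r"SSL /^\/DC=org\/DC=example\/.*,\/cms\/Role=NULL\/Capability=NULL$/ cms001",
]

# Assumed inputs to the mapper (constructed, not captured from a real CE):
ANON = "unauthenticated"  # name seen in the error message on this page
VOMS_ID = "/DC=org/DC=example/CN=Jane Doe,/cms/Role=NULL/Capability=NULL"

RULE = re.compile(r"(\S+)\s+/(.*)/\s+(\S+)\s*$")

def parse_rule(line):
    """Split 'METHOD /regex/ canonical' into its three fields."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a map-file rule: {line!r}")
    method, pattern, canonical = m.groups()
    return method, re.compile(pattern), canonical

def map_identity(lines, method, identity):
    """Return the canonical name from the first matching rule, else None."""
    for line in lines:
        rule_method, pattern, canonical = parse_rule(line)
        m = pattern.search(identity) if rule_method == method else None
        if m:
            return m.expand(canonical)  # substitutes \1, \2, ...
    return None

def rules_accepting_anonymous(lines, method="SSL"):
    """List rules that would map a client with no verified certificate."""
    return [l for l in lines if map_identity([l], method, ANON) is not None]

if __name__ == "__main__":
    for line in MAP_LINES:
        print(f"{line!r}: anon -> {map_identity([line], 'SSL', ANON)!r}, "
              f"voms -> {map_identity([line], 'SSL', VOMS_ID)!r}")
    print("match without a client cert:", rules_accepting_anonymous(MAP_LINES))
```

In this model the catch-all rule also maps the `unauthenticated` name, so a successful mapping with `/.*/` does not show that the client certificate was verified.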
