
Re: [HTCondor-users] Authentication Issue between HTCondorCE Schedd and Batch Schedd



Hi Chris,

To address the identity mismatch and Job Router errors you're seeing, I would suggest verifying the following configuration points.

1. Job Router and Permissions

First, please ensure that the Job Router on your HTCondor-CE is correctly pointing to the local Batch Schedd and has the necessary permissions to hand off jobs. Check if these are explicitly set in your condor-ce/conf.d:

# HTCondor-CE side
JOB_ROUTER_SCHEDD2_SPOOL = /var/lib/condor/spool
JOB_ROUTER_SCHEDD2_NAME = $(FULL_HOSTNAME)
JOB_ROUTER_SCHEDD2_POOL = $(FULL_HOSTNAME):9618

And on the Local Batch (HTCondor) side, ensure the Schedd allows the CE's routing process to impersonate the job owner:


# Local Batch side (required for mapping condor@<domain> -> local user, e.g. sgmcms55; this account should exist on the CE, LRMS and WN)

QUEUE_SUPER_USER_MAY_IMPERSONATE = .*

2. SSL/VOMS Mapping (HTCondor v23 vs. v24)

Regarding the VOMS authentication issues, it is important to note that the way HTCondor handles SSL/Certificate mapping changed significantly between v23 and v24+.


In newer versions, the default behavior for mapping X.509 certificates has become more strict. It often requires comparing not just the DN, but also additional attributes like VOMS roles. This change often requires adding commas or specific formatting in your mapfiles that wasn't necessary before.


You can find the detailed requirements and the new mapping logic in this EGI documentation: HTCondor and SSL authentication


Please check if your certificate DNs and roles are being mapped correctly under the new version's rules.

3. Authentication Method

Lastly, out of curiosity, is there a specific reason your site is prioritizing VOMS/SSL over SCITOKENS for this setup? 


Since many grid infrastructures are migrating toward tokens, knowing your requirements might help us suggest a more streamlined authentication path.


Hope this helps!


Best regards,

-- Geonmo


------ Original Message ------

From: Chris Brew - STFC UKRI via HTCondor-users <htcondor-users@xxxxxxxxxxx>

To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>

Cc: Chris Brew - STFC UKRI <chris.brew@xxxxxxxxxx>

Date received: 2026-05-07 (Thu) 23:07:29

Subject: [HTCondor-users] Authentication Issue between HTCondorCE Schedd and Batch Schedd


Hi,

I’ve still not got anywhere with the VOMS authentication (I’ll post some more info soon), but Token auth seems to be working in that Jobs get into the condor-ce Schedd and are visible with condor_ce_q; however, they don’t make it as far as the Schedd for the batch system.

I just copied the config of that from the config of the Schedd on our existing ArcCEs so it’s possible it’s missing some necessary config for accepting Jobs from the Job_Router.

I’ve got three recurring errors. One in the /var/log/condor-ce/JobRouterLog:

05/07/26 14:44:29 Failed to commit job submission :
05/07/26 14:44:29 JobRouter failure (src="" failed to submit job

Which is matched with this one in /var/log/condor/SchedLog:

05/07/26 14:44:29 (pid:923597) (bt:ccbf:13) SetEffectiveOwner: UserRec lookup for owner condor@xxxxxxxxxxx found no match
05/07/26 14:44:29 (pid:923597) Owner condor@xxxxxxxxxxx has no JobQueueUserRec
05/07/26 14:44:29 (pid:923597) Creating pending JobQueueUserRec for owner condor@xxxxxxxxxxx
05/07/26 14:44:29 (pid:923597) Error: MakeUserRec with illegal identifiers: user=condor@xxxxxxxxxxx, os_user=condor
05/07/26 14:44:29 (pid:923597) NewCluster(): failed to create new User record for condor@xxxxxxxxxxx

And then another more frequent one every ten seconds in /var/log/condor-ce/JobRouterLog:

05/07/26 14:47:09 Failed to open /var/lib/condor/spool/job_queue.log: errno=13

Which looks to me like the JobRouter is trying to put jobs into the queue as (the illegal) user condor rather than the accounts the tokens are mapped to in the condor-ce Schedd (they show up there as the correctly mapped local user).

Does anyone have any idea where I should be looking?

Thanks,
Chris.
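
Added example (not part of the thread and not HTCondor project code): a small Python triage script that correlates the JobRouterLog and SchedLog lines quoted above by timestamp, flags submissions the batch Schedd rejected because the owner resolved to a service account, and decodes the spool errno. The log text is a constructed sample copied from the messages; the function names and the SERVICE_ACCOUNTS set are assumptions.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: log lines as quoted in the thread (addresses already redacted there).
JOB_ROUTER_LOG = '''\
05/07/26 14:44:29 Failed to commit job submission :
05/07/26 14:44:29 JobRouter failure (src="" failed to submit job
05/07/26 14:47:09 Failed to open /var/lib/condor/spool/job_queue.log: errno=13
'''
SCHED_LOG = '''\
05/07/26 14:44:29 (pid:923597) (bt:ccbf:13) SetEffectiveOwner: UserRec lookup for owner condor@xxxxxxxxxxx found no match
05/07/26 14:44:29 (pid:923597) Error: MakeUserRec with illegal identifiers: user=condor@xxxxxxxxxxx, os_user=condor
05/07/26 14:44:29 (pid:923597) NewCluster(): failed to create new User record for condor@xxxxxxxxxxx
'''

STAMP = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
ILLEGAL = re.compile(r"MakeUserRec with illegal identifiers: user=(\S+), os_user=(\S+)")
ERRNO = re.compile(r"Failed to open (\S+): errno=(\d+)")
SERVICE_ACCOUNTS = {"condor", "root"}  # assumption: accounts that should never own routed jobs

def by_stamp(text):
    """Group log messages by their 'MM/DD/YY HH:MM:SS' timestamp."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out[m.group(1)].append(m.group(2))
    return out

def triage(router_text, schedd_text):
    findings = []
    router, schedd = by_stamp(router_text), by_stamp(schedd_text)
    for stamp, msgs in router.items():
        for msg in msgs:
            m = ERRNO.search(msg)
            if m:  # file-access failure on the spool: report the symbolic errno name
                findings.append((stamp, "spool-access", m.group(1), errno.errorcode.get(int(m.group(2)), "?")))
            if "failed to submit job" in msg:  # look for the Schedd-side cause in the same second
                for smsg in schedd.get(stamp, []):
                    u = ILLEGAL.search(smsg)
                    if u and u.group(2) in SERVICE_ACCOUNTS:
                        findings.append((stamp, "service-account-owner", u.group(1), u.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(JOB_ROUTER_LOG, SCHED_LOG):
        print(*finding, sep=" | ")
```

On the sample it reports one submission rejected for owner condor@xxxxxxxxxxx with os_user=condor, and one EACCES (errno 13, permission denied) on the spool's job_queue.log.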
