[condor-users] More condor / kerberos trouble.
- Date: Mon, 24 May 2004 11:07:28 -0500 (CDT)
- From: Chris Green <greenc@xxxxxxxx>
- Subject: [condor-users] More condor / kerberos trouble.
Hi,
So I'm still trying to move forward on getting our condor cluster
kerberos-aware, and I've run into a troubling problem.
The relevant lines of my condor_config are:
CONDOR_SERVER_PRINCIPAL = host
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS
In addition to our normal accounts on the condor cluster, which are
kerberos-authenticated and have matching AFS principals (e.g.
greenc@xxxxxxxx -> greenc), we have a couple of service accounts which are
not directly related to kerberos principals. People log into this account,
e898, based on the .k5login file, and will need to submit jobs as the e898
user. Unfortunately, with the above configuration in effect, we get:
clark.fnal.gov> $BOONE_CONDOR/bin/real/condor_submit sleep.sh_20040524_100217_1.cmd
Submitting job(s)
ERROR: Failed to set Owner="e898" for job 10384.0
ERROR: Failed to queue job.
From the log, we get:
5/24 10:11:23 Reading request object
5/24 10:11:23 SetAttribute security violation: setting owner to "e898" when active owner is "greenc"
5/24 10:11:45 Activity on stashed negotiator socket
5/24 10:11:45 Socket activated, but could not read command
5/24 10:11:45 (Negotiator probably invalidated cached socket)
Useful information:
<kingery.fnal.gov> whoami
e898
<kingery.fnal.gov> klist -f
Ticket cache: /tmp/krb5cc_3557_t4uz1n
Default principal: greenc@xxxxxxxx
Valid starting Expires Service principal
05/24/04 10:48:42 05/25/04 10:37:24 krbtgt/FNAL.GOV@xxxxxxxx
renew until 05/25/04 12:24:04, Flags: FfPRA
05/24/04 10:48:42 05/25/04 10:37:24 afs@xxxxxxxx
renew until 05/25/04 12:24:04, Flags: FfPRA
05/24/04 10:48:47 05/25/04 10:37:24 host/cdcvs0.fnal.gov@xxxxxxxx
renew until 05/25/04 12:24:04, Flags: FfPRA
<kingery.fnal.gov> tokens
Tokens held by the Cache Manager:
User's (AFS ID 8483) tokens for afs@xxxxxxxx [Expires May 25 14:00]
--End of list--
Given that we need to move to kerberos authentication to allow Condor jobs
to access other machines, what is the best way to proceed? Prior to
submitting the job, the user can, if required, obtain a machine principal
of the type e898/e898/machine.fnal.gov@xxxxxxxx, but it's unclear what
Condor would do with this.
I'd be grateful for any help. Let me know if I can provide any other
information on or off-list.
Thanks for your time,
Chris.
--
Chris Green, MiniBooNE / LANL. Email greenc@xxxxxxxx
Tel: (630) 840-2167. Fax: (630) 840-3867
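A pre-submit check that reproduces the mismatch reported in the schedd log above, added here as an example (not code from the post or from Condor): it parses the default principal out of `klist` output, strips realm and instance the way the post's own mapping (greenc@REALM -> greenc) suggests, and compares it with the Unix account the job would be owned by. The sample `klist` text and the `FNAL.GOV` realm are constructed from the post; treating the primary component of an instance-bearing principal such as `e898/e898/machine.fnal.gov` as the owner is an assumption, since the post itself leaves open what Condor does with such a principal.

```python
import getpass
import re
import subprocess

# Constructed sample klist output, shaped like the one in the post.
SAMPLE_KLIST = """Ticket cache: /tmp/krb5cc_3557_t4uz1n
Default principal: greenc@FNAL.GOV
Valid starting Expires Service principal
05/24/04 10:48:42 05/25/04 10:37:24 krbtgt/FNAL.GOV@FNAL.GOV
renew until 05/25/04 12:24:04, Flags: FfPRA
"""

def default_principal(klist_output):
    """Return the 'Default principal:' value from klist output, or None."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_output, re.MULTILINE)
    return m.group(1) if m else None

def principal_owner(principal):
    """Map a principal to the Unix user the schedd would treat as the active
    owner: the primary component only (instance and realm dropped).
    'greenc@FNAL.GOV' -> 'greenc'; the instance case is an assumption."""
    primary = principal.split("@", 1)[0]
    return primary.split("/", 1)[0]

def check_owner(klist_output, unix_user):
    """Return (ok, message). ok is False when the authenticated principal
    would not be allowed to set Owner to unix_user, mirroring the
    'SetAttribute security violation' line from the schedd log."""
    principal = default_principal(klist_output)
    if principal is None:
        return False, "no Kerberos credentials (no default principal in klist)"
    active = principal_owner(principal)
    if active != unix_user:
        return False, ('security violation: setting owner to "%s" when '
                       'active owner is "%s"' % (unix_user, active))
    return True, "principal %s matches owner %s" % (principal, unix_user)

if __name__ == "__main__":
    # Run against the real ticket cache of the invoking user.
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    ok, msg = check_owner(out, getpass.getuser())
    print(msg)
    raise SystemExit(0 if ok else 1)
```

Running it as the e898 service account while holding greenc's tickets yields the same owner mismatch the schedd rejected, before condor_submit is ever invoked.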