
RE: [Condor-users] Kerberos problem



You're on to something there.  After a quick google, I remembered that
I've seen "Error Code 52" before.  It's caused by AD needing to return a
particularly large number of groups that a user belongs to, and trying
to switch to TCP instead of UDP because of UDP packet size limits.
Older versions of MIT Kerberos don't like that and give up, but newer
(1.3.1+ I think) are ok.

The kerberos libs on the box in question are 1.3.4 (out of the box from
Fedora Core 1), which should be ok.  But a quick ldd on condor_status
(and all the other binaries) shows no sign of requiring any krb
libraries. I'm running the dynamically linked version, but I'm beginning
to suspect that condor has some version of kerberos statically embedded
or something.  This is somewhat supported by the output of "strings
condor_submit|grep krb" containing the line
KRB5_BRAND: krb5-1-2-5-final 1.2.5 20020429

So if I had to take a punt, I'd say that Condor was statically linked
with Version 1.2.5 of the (MIT?) kerberos libraries, which means I'm out
of luck getting this working.

Hey, condor team:  Any chance of a release of condor built against a
newer version of Kerberos, or will I have to come begging for the source
code and try to build it myself? ;-)

Ta muchly,

Craig

> -----Original Message-----
> From: Kewley, J (John) [mailto:j.kewley@xxxxxxxx] 
> Sent: Friday, 26 November 2004 9:04 a.m.
> To: Miskell, Craig
> Subject: RE: [Condor-users] Kerberos problem
> 
> Have you checked which Version of Kerberos you are running?
> The Condor version isn't the most recent, and some have had
> this problem in the past.
> 
> JK 
> 
> -----Original Message----- 
> From: Miskell, Craig 
> To: Condor-Users Mail List 
> Sent: 11/25/2004 7:10 PM 
> Subject: RE: [Condor-users] Kerberos problem 
> 
> Kerberos is not supported in the Windows release of Condor, yes.  What
> I'm doing is running Condor on linux, talking to AD which should in
> theory look pretty much like any other Kerberos running anywhere else -
> in practice, of course it's not (hence my slight difficulties).
> 
> Craig 
> 
> > -----Original Message----- 
> > From: condor-users-bounces@xxxxxxxxxxx 
> > [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of 
> > Kewley, J (John) 
> > Sent: Thursday, 25 November 2004 11:04 p.m. 
> > To: Condor-Users Mail List 
> > Subject: RE: [Condor-users] Kerberos problem 
> > 
> > My understanding is that Kerberos is not supported for Windows in the
> > current Condor versions.
> > 
> > JK 
> > 
> > > -----Original Message----- 
> > > From: Miskell, Craig [mailto:Craig.Miskell@xxxxxxxxxxxxxxxx] 
> > > Sent: 25 November 2004 02:58 
> > > To: Condor-Users Mail List 
> > > Subject: RE: [Condor-users] Kerberos problem 
> > > 
> > > 
> > >  Bad form to reply to oneself I know.  Isn't it always the way that you
> > > only really read the logs once you've sent them to a mailing list?  The
> > > obvious clue was:
> > > 11/25 15:17:07 No credentials found with supported encryption types
> > > 
> > > A quick google on that showed I needed to add: 
> > >  default_tkt_enctypes = des-cbc-crc des-cbc-md5 
> > >  default_tgs_enctypes = des-cbc-crc 
> > > 
> > > To the [libdefaults] section of krb5.conf, in order to obtain an 
> > > appropriately encoded ticket from Active Directory. 
> > > 
> > > It still doesn't work though.  The debug output gives:
> > > 11/25 15:52:02 Acquiring credential for user
> > > 11/25 15:52:02 KRB5 error code 52
> > > And I'm now tracking down error code 52 to see what that shows me - I
> > > may be back with another question later, but I'll be more careful next
> > > time (I promise! ;-))
> > > 
> > > Please accept my apologies for wasting your bandwidth and time, 
> > > 
> > > Craig 
> > > 
> > > 
> > > > -----Original Message----- 
> > > > From: condor-users-bounces@xxxxxxxxxxx 
> > > > [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of 
> > > Miskell, Craig 
> > > > Sent: Thursday, 25 November 2004 3:38 p.m. 
> > > > To: Condor-Users Mail List 
> > > > Subject: [Condor-users] Kerberos problem 
> > > > 
> > > > Hi, 
> > > >   I'm starting the rollout of Condor at our site, and am trying to
> > > > get the most secure configuration reasonably possible.  As such, I'm
> > > > trying to get Kerberos working.  Currently, I have only a single node
> > > > that is my test box - it's the central manager, submit node, and single
> > > > execute node.  I know that's not a good long term strategy, but it's a
> > > > nice simple case for initial configuration testing.
> > > >
> > > > The problem:  condor_status running as root works, but when running as
> > > > another non-privileged user, it fails with:
> > > > AUTHENTICATE:1003:Failed to authenticate with any method 
> > > > AUTHENTICATE:1004:Failed to authenticate using KERBEROS 
> > > =======================================================================
> > > Attention: The information contained in this message and/or attachments
> > > from AgResearch Limited is intended only for the persons or entities
> > > to which it is addressed and may contain confidential and/or privileged
> > > material. Any review, retransmission, dissemination or other use of, or
> > > taking of any action in reliance upon, this information by persons or
> > > entities other than the intended recipients is prohibited by AgResearch
> > > Limited. If you have received this message in error, please notify the
> > > sender immediately.
> > > =======================================================================
> > > 
> > > _______________________________________________ 
> > > Condor-users mailing list 
> > > Condor-users@xxxxxxxxxxx 
> > > http://lists.cs.wisc.edu/mailman/listinfo/condor-users 
> > > 
> > 
> > 
> 
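The check described in the message above (no Kerberos libraries in the ldd output, but a KRB5_BRAND string inside the binary) can be scripted to audit binaries for an embedded, outdated Kerberos library. This is an added example, not part of the original post or of Condor; the function names are hypothetical, the sample file is constructed, and the 1.3.1 threshold is the poster's own tentative figure.

```shell
#!/bin/sh
# Added example: find a Kerberos library statically embedded in a binary.
# Function names are hypothetical; 1.3.1 is the poster's "I think" figure.

# Print the version field of an embedded "KRB5_BRAND: <tag> <version> <date>"
# string, or nothing. grep -a reads the binary as text, so strings(1) is not needed.
krb5_brand_version() {
    LC_ALL=C grep -a -o 'KRB5_BRAND: [[:print:]]*' "$1" 2>/dev/null |
        head -n 1 | awk '{print $3}'
}

# Succeed if dotted version $1 >= $2, comparing components numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print one of: dynamic | static-ok VER | static-old VER | none
check_krb5() {
    file=$1; min=${2:-1.3.1}
    # ldd may execute code from the file it inspects: use it on trusted binaries only.
    if command -v ldd >/dev/null 2>&1 &&
       ldd "$file" 2>/dev/null | grep -q 'libkrb5'; then
        echo "dynamic"; return
    fi
    ver=$(krb5_brand_version "$file")
    if [ -z "$ver" ]; then
        echo "none"
    elif version_ge "$ver" "$min"; then
        echo "static-ok $ver"
    else
        echo "static-old $ver"
    fi
}

# Constructed sample: filler bytes around the brand line quoted in the post.
sample=$(mktemp)
printf 'ELF\000pad\000KRB5_BRAND: krb5-1-2-5-final 1.2.5 20020429\000pad' > "$sample"
check_krb5 "$sample"
rm -f "$sample"
```

A "static-old" result means that upgrading the system Kerberos packages will not change the binary's behaviour; only a rebuilt binary will.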