[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Condor-users] Kerberos on Tru64

> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx 
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Zachary Miller
> Sent: Saturday, 5 February 2005 9:13 a.m.
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] Kerberos on Tru64
> > 2/4 14:51:42 (fd:2) AUTHENTICATE: will try to use 64 (KERBEROS)
> > 2/4 14:51:42 (fd:2) Failed to build server principal
> > 2/4 14:51:42 (fd:2) AUTHENTICATE: method 64 (KERBEROS) failed.
> hmm.  does your /etc/v5srvtab contain a host principal on the 
> Tru64 box?
I didn't have it as that file (I had it in /etc/krb5.keytab), but moving
krb5.keytab to v5srvtab didn't have any noticeable effect.  However,
truss doesn't report trying to access either of those filenames, which
is a little odd

> > Now I have a KERBEROS_MAP_FILE with the contents:
> > CONDOR.AGRESEARCH.CO.NZ=agresearch.co.nz
> > but the interesting thing is that when I run TRUSS on 
> condor_status, it
> > doesn't show any attempt to access the map file (whereas 
> strace on linux
> > shows that it does).
> right, the process of authentication is being aborted and therefore no
> mapping of realms will occur, and that file wouldn't be read. 
>  the real
> problem is the "Failed to build server principal"
I figured that, I just thought that the MAP file would have been
involved in that process somehow.  For my edification, how does condor
build the server principal?

> can you successfully run something similar to this command on 
> your tru64 box?
>   kinit -k -t /etc/v5srvtab host/tru64.agresearch.co.nz
I didn't have the Tru64 Kerberos stuff installed, so I had to do that
first.  Having done that (the Win2K integration package plus
requirements), I discovered that it puts /etc/krb5.conf in
/krb5/krb.conf (in a completely different format to the MIT version),
and the keytab file similarly goes in /krb5/v5srvtab.  However, having
sorted that out, the above command gives me "Encryption type not
supported".  The keytab file was generated on the linux kerberos server,
so I guess that the encryption types on linux don't match that which
tru64 can handle.  

I'm floundering here, but it doesn't look promising.  Longer term, I
could install the MIT kerb libs and utils (and remove the Tru64
versions), and use them.  However, I think that that is a side issue....
The real problem is that condor (which doesn't use the OS kerb libs?)
isn't setup right.  

Do you have any other suggestions?


Attention: The information contained in this message and/or attachments
from AgResearch Limited is intended only for the persons or entities
to which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipients is prohibited by AgResearch
Limited. If you have received this message in error, please notify the
sender immediately.