
Re: [Condor-users] Issues submitting a job GSI auth



Hi all,

For posterity's sake, I'll answer my own question. Seems that I'd misread some documentation somewhere. I had set the value of the config variable GRIDMAPFILE, when in fact it's supposed to be GRIDMAP. Additionally, it seems that, despite what the condor 6.7 docs suggest here:
http://www.cs.wisc.edu/condor/manual/v6.7/3_7Security.html#18799
that in fact the GRIDMAP default value of /etc/grid-security/grid-mapfile was not being set. After some re-reading, and research, I found my error, corrected it, and all works now. Hopefully this info can be useful for another newbie someday. ;)



On Feb 16, 2006, at 5:04 PM, Adam Lathers wrote:

Hi all,

	I'm SO confused, and really hopeful someone can tell me what I'm
doing wrong.

	I have host A and B.  For all intents and purposes they are separate
pools.  A has a pool of workstations, and B is set to talk to itself
for collector/negotiator.

	From host B, I'd like to submit a job directly to the pool managed
by A, using GSI as my auth mechanism.

	tests:

	if I do a globusrun -a -r hosta (from hostB)
	I get:
	GRAM Authentication test successful

	globus-job-run also works.

	if I try

	condor_submit -pool hostA -r hostA init.submit
	
	I get the following:

	Submitting job(s)
ERROR: Failed to connect to queue manager hostA
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using GSI
GSI:5004:Failed to get authorization from server.  Either the server
does not trust your certificate, or you are not in the server's
authorization file (grid-mapfile)
AUTHENTICATE:1004:Failed to authenticate using KERBEROS
AUTHENTICATE:1004:Failed to authenticate using FS

	in the logs on hostA I see:

2/16 15:34:50 (pid:28064) AUTHENTICATE: no available authentication
methods succeeded, failing!
2/16 15:34:50 (pid:28064) SCHEDD: authentication failed: AUTHENTICATE:
1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed
to authenticate using GSI|GSI:5004:Failed to map MYDNString to a
local user.  Check the grid-mapfile.|AUTHENTICATE:1004:Failed to
authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate
using FS
2/16 15:34:50 (pid:28064) IO: Failed to read packet header


	I made sure that hostA has the following set explicitly in the
global config:
GSI_DAEMON_DIRECTORY      = /etc/grid-security
GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
GSI_DAEMON_KEY            = $(GSI_DAEMON_DIRECTORY)/hostkey.pem
GSI_DAEMON_TRUSTED_CA_DIR = $(GSI_DAEMON_DIRECTORY)/certificates
GRIDMAPFILE             = $(GSI_DAEMON_DIRECTORY)/grid-mapfile

	and the signing policy for the CA that issued my cert is in the
certificates directory....I'm now at a loss.  Any ideas?

	Condor 6.7.13, for reference, and Globus 4.0.1 on hostB, and 3.2 on
hostA



_______________________________________________________
Adam Lathers
NCMIR: National Center for Microscopy and Imaging Research
Distributed Systems Engineer
phone: (858) 822-0735
fax:   (858) 822-0828
web:   http://ncmir.ucsd.edu




_______________________________________________________
Adam Lathers
NCMIR: National Center for Microscopy and Imaging Research
Distributed Systems Engineer
phone: (858) 534-7968
web:   http://ncmir.ucsd.edu
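
The misconfiguration resolved in this thread, as an added example that is not part of the original messages or of Condor's own code: a small Python check that parses configuration text, flags a look-alike knob set in place of GRIDMAP, and looks up a certificate DN in grid-mapfile text. The sample config, mapfile, DN and the LOOKALIKES list are constructed assumptions.

```python
import re
import shlex

# Constructed sample: the hostA settings quoted in the thread (misnamed knob).
BROKEN = """
GSI_DAEMON_DIRECTORY      = /etc/grid-security
GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
GRIDMAPFILE               = $(GSI_DAEMON_DIRECTORY)/grid-mapfile
"""
FIXED = BROKEN.replace("GRIDMAPFILE", "GRIDMAP    ")
# Constructed grid-mapfile: quoted certificate DN, then the local user.
SAMPLE_MAPFILE = '"/C=US/O=Example/CN=Jane Doe" jdoe\n'
LOOKALIKES = ("GRIDMAPFILE", "GRID_MAPFILE", "GRIDMAP_FILE")  # hypothetical list

def parse_config(text):
    """Read NAME = value lines and expand $(NAME) references."""
    raw = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            raw[name.strip().upper()] = value.strip()
    def expand(value, depth=0):
        if depth > 10:  # stop on self-referencing macros
            return value
        return re.sub(r"\$\((\w+)\)",
                      lambda m: expand(raw.get(m.group(1).upper(), ""), depth + 1),
                      value)
    return {name: expand(value) for name, value in raw.items()}

def audit(config):
    """Report a missing GRIDMAP and any look-alike name set instead."""
    if "GRIDMAP" in config:
        return []
    wrong = [name for name in LOOKALIKES if name in config]
    if wrong:
        return [f"{wrong[0]} is set, but the knob is named GRIDMAP"]
    return ["GRIDMAP is not set"]

def map_dn(mapfile_text, dn):
    """Return the local user a DN maps to, or None if there is no entry."""
    for line in mapfile_text.splitlines():
        try:
            fields = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: skip the malformed line
            continue
        if len(fields) >= 2 and fields[0] == dn:
            return fields[1]
    return None
```

Running `audit(parse_config(...))` on the daemon's config text and `map_dn(...)` on the grid-mapfile contents separates the two failure causes named in the GSI:5004 errors: a mapfile the daemon was never pointed at, versus a DN with no entry.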