Re: [Condor-users] kerberos auth problems...

[Steven Timm <timm@xxxxxxxx>]

On Fri, 1 Sep 2006, Arnau Bria wrote:

Arnau--you don't say what condor version you are running.  Some of the
recent developer versions had bugs in the kerberos authentication.

Steve Timm



> Hello,
>
> I'm finding next messages in our NegotiatorLog file:
>
> STARTCOMMAND: starting 440 to <193.X.X.X:33124> on UDP port 33702.
> SECMAN: command 440 to <193.X.X.X:33124> on UDP port 33702.
> SECMAN: command 60010 to <193.X.X.X:33124> on TCP port 33166.
> SECMAN: new session, doing initial authentication.
> SECMAN: Auth methods: KERBEROS
> HANDSHAKE: in handshake(my_methods = 'KERBEROS')
> HANDSHAKE: handshake() - i am the client
> HANDSHAKE: sending (methods == 64) to server
> HANDSHAKE: server replied (method = 64)
> ZKM: krb5_unparse_name: condor/cdf/bcncaf@xxxxxxxx
> ZKM: param server princ: condor/cdf/bcncaf@xxxxxxxx
> ZKM: no user yet determined, will grab up to slash
> ZKM: picked user: condor
> Client is condor@xxxxxxxx
> ZKM: Server principal is condor/cdf/bcncaf@xxxxxxxx
> Trying to get credential
> Success..........................
> KERBEROS: Could not authenticate!
> AUTHENTICATE: method 64 (KERBEROS) failed.
> HANDSHAKE: in handshake(my_methods = '')
> HANDSHAKE: handshake() - i am the client
> HANDSHAKE: sending (methods == 0) to server
> condor_write(): Socket closed when trying to write buffer, fd is 10
> Buf::write(): condor_write() failed
> AUTHENTICATE: handshake failed!
> Authentication was a FAILURE.
> SECMAN: unable to start session via TCP, failing.
> ERROR: SECMAN:2004:Failed to start a session with TCP|AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
> condor_write(): Socket closed when trying to write buffer, fd is 6
> Buf::write(): condor_write() failed
>       Could not send PERMISSION
>   Error: Ignoring schedd for this cycle
>
> And similar messages in MasterLog:
> KERBEROS: Could not authenticate!
> AUTHENTICATE: method 64 (KERBEROS) failed.
> HANDSHAKE: in handshake(my_methods = '')
> HANDSHAKE: handshake() - i am the client
> HANDSHAKE: sending (methods == 0) to server
> condor_write(): timed out writing buffer
> Buf::write(): condor_write() failed
> AUTHENTICATE: handshake failed!
> Authentication was a FAILURE.
> SECMAN: unable to start session via TCP, failing.
> ERROR: SECMAN:2004:Failed to start a session with TCP|AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
>
> I've been checking my kerberos conf and seems all ok. Jobs keeps in
> Idle for ever...
>
> My kerberos sttings from condor_condifg:
>
> SEC_DEFAULT_AUTHENTICATION = REQUIRED
> #SEC_DEFAULT_AUTHENTICATION = OPTIONAL
> SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
> SEC_DEFAULT_ENCRYPTION = OPTIONAL
> SEC_DEFAULT_INTEGRITY = PREFERRED
>
> SEC_READ_AUTHENTICATION = OPTIONAL
> SEC_CLIENT_AUTHENTICATION = OPTIONAL
> SEC_READ_ENCRYPTION = OPTIONAL
> SEC_CLIENT_ENCRYPTION = OPTIONAL
> SEC_READ_INTEGRITY = OPTIONAL
> SEC_CLIENT_INTEGRITY = OPTIONAL
>
> and I have a correct kerberos_map_file....
>
>
> What could happen with condor_write()?¿
> Why is kerberos aUth failling?
>
> Thanks in advance.
>
> Arnau
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
>
> The archives can be found at either
> https://lists.cs.wisc.edu/archive/condor-users/
> http://www.opencondor.org/spaces/viewmailarchive.action?key=CONDOR

--
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525  timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Div/Core Support Services Dept./Scientific Computing Section
Assistant Group Leader, Farms and Clustered Systems Group
Lead of Computing Farms Team