[Condor-users] Problems with GSI authentication / grid-mapfile


I have a remark about GSI authentication and a related question:

I was trying to perform GSI authentication when submitting a job to Condor 
6.8.4. I noticed that despite condor_reconfig (and condor_reconfig 
-schedd) it ignored the configuration variable GRIDMAP, and that it did 
not look in $(GSI_DAEMON_DIRECTORY)/grid-mapfile either (even though 
condor_config_val reported correct values for these configuration 
variables). Instead, it looked for /opt/condor/.gridmap, which I was only 
able to figure out by stracing the condor_schedd process. This caused 
failed authentication and produced the error message "Failed to map <DN> 
to a local user" in SchedLog. A solution to this problem was to restart 
the schedd daemon using condor_off -schedd, condor_on -schedd. The 
documentation should definitely mention that this step is necessary. It 
would have saved me some debugging hours...

Now to the question: why do I get an error when the Unix user on the 
schedd machine is different than the Unix user on the condor_submit 
machine? Everything works when I both submit and map my DN to "jploski" in 
the grid-mapfile, but not when I map to "dgws0006". From 
condor_submit I then get:

ERROR: Failed to set Owner="jploski" for job 1295.0 (13)

ERROR: Failed to queue job.

and in SchedLog:

4/19 15:20:38 SetAttribute security violation: setting owner to "jploski" 
when active owner is "dgws0006"

I expected the job to be simply submitted as user 'dgws0006'. Why doesn't 
it work that way?

Best regards -
Jan Ploski
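
An added illustration, not part of the original post and not Condor's own code: a minimal model of the two failures quoted above, in which the authenticated DN is looked up in a grid-mapfile and a requested job Owner that differs from the mapped account is refused. The sample DN, the function names and the check logic are assumptions made for the example.

```python
import shlex

# Constructed sample input; the DN is a placeholder, not a value from the post.
SAMPLE_DN = "/C=XX/O=Example Grid/CN=Example User"
SAMPLE_GRIDMAP = '''\
# "<certificate subject DN>" <local account>
"/C=XX/O=Example Grid/CN=Example User" dgws0006
'''


def parse_gridmap(text):
    """Return {DN: local account} from grid-mapfile text (quoted DN, then account)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around the DN
        if len(fields) < 2:
            continue  # malformed entry: DN without an account
        # An entry may list several comma-separated accounts; use the first.
        mapping[fields[0]] = fields[1].split(",")[0]
    return mapping


def check_submit(mapping, dn, requested_owner):
    """Model of the submit-time checks (assumed logic); returns (accepted, message)."""
    active_owner = mapping.get(dn)
    if active_owner is None:
        # No entry for the DN: authentication cannot be tied to a local user.
        return False, "Failed to map %s to a local user" % dn
    if requested_owner != active_owner:
        # The client asked for an Owner other than the mapped identity.
        return False, ('SetAttribute security violation: setting owner to "%s" '
                       'when active owner is "%s"' % (requested_owner, active_owner))
    return True, 'Owner="%s" accepted' % active_owner


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for owner in ("jploski", "dgws0006"):
        print(check_submit(gridmap, SAMPLE_DN, owner))
    print(check_submit(gridmap, "/C=XX/CN=Unlisted User", "jploski"))
```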

