
[Condor-users] ALLOW_DAEMON & PERMISSION DENIED to unknown user for command 60011 (DC_NOP)



Hello,

I'm having some problems with kerberos authorization for my condor pool.

On my Windows XP execute node, the StarterLog contains the following line:

6/6 16:54:38 DaemonCore: PERMISSION DENIED to unknown user from host <10.92.25.28:1884> for command 60011 (DC_NOP)

Jobs run fine, but these messages bother me. The given IP is that of the execute node itself. Through playing with access levels in condor_config, I've managed to trace the error to the ALLOW_DAEMON parameter used for inter-daemon communication. The manual suggests setting it to authorize only the user under which condor daemons run, so I set it like this:

ALLOW_DAEMON = condor@$(UID_DOMAIN)/*.mydomain.tld

This results in "PERMISSION DENIED to unknown user" errors. Everything is fine when I have daemon level access wide open:

ALLOW_DAEMON = */*

That would be bad security practice though.. :) What should I set the ALLOW_DAEMON parameter to, and why is condor doing inter-daemon communication as "unknown user"? Also, I couldn't find a list of condor command codes to look up what exactly command 60011 (DC_NOP) does.. is there such a list?

Condor version on both the server and the clients is 6.8.5, and the pool is set up to do kerberos authentication with clients using their "host/fqdn" principal in a local keytab. Condor seems to remap kerb5's "host/fqdn" principal to "condor@domain.tld" for authenticating its daemons.. There is no actual "condor" principal in the kerberos database. Part of the configuration relevant to security:

##--------------------------------------------------------------------
##  Security negotiation
##--------------------------------------------------------------------

SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_ENCRYPTION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_DEFAULT_NEGOTIATION = REQUIRED

SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
SEC_DEFAULT_CRYPTO_METHODS = 3DES

##--------------------------------------------------------------------
##  Kerberos map file
##--------------------------------------------------------------------

KERBEROS_MAP_FILE = $(LOCAL_DIR)/kerberos

##--------------------------------------------------------------------
##  Access levels
##--------------------------------------------------------------------

ALLOW_READ = *@$(UID_DOMAIN)/*.mydomain.tld
ALLOW_WRITE = *@$(UID_DOMAIN)/*.mydomain.tld
ALLOW_ADMINISTRATOR = root@$(UID_DOMAIN)/$(CONDOR_HOST)
ALLOW_CONFIG = root@$(UID_DOMAIN)/$(CONDOR_HOST)
ALLOW_NEGOTIATOR = condor@$(UID_DOMAIN)/$(CONDOR_HOST)
ALLOW_DAEMON = condor@$(UID_DOMAIN)/*.mydomain.tld

(I have no HOSTALLOW_<level> parameters defined.)

I'd appreciate it if someone could give an explanation of authentication on the daemon access level so that I may understand what it's trying to do and get rid of the PERMISSION DENIED errors without compromising security.

Thanks in advance,

Rob de Graaf
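The following is an added illustration, not part of the original post and not Condor's own authorization code. It models, in a deliberately simplified way, how an ALLOW_<level> list of "user@domain/host" entries is matched against the identity a peer presents, and it runs the StarterLog line from the post through the two ALLOW_DAEMON settings the poster tried. The assumptions are that each entry is "user@domain/hostpattern" (or a bare host pattern), that "*" globs apply to either part, that $(NAME) macros expand from condor_config, and that a peer which never authenticated is reported as user "unknown" with only its IP address, as the log line shows. The macro values (mydomain.tld, central.mydomain.tld) and the exec01 hostname are constructed for the example. What it makes visible is that "*/*" does not fix the identity problem; it removes the user and host checks entirely, so every unauthenticated connection is accepted at the DAEMON level.

```python
import fnmatch
import re

# Constructed macro values standing in for this pool's condor_config (assumption).
MACROS = {"UID_DOMAIN": "mydomain.tld", "CONDOR_HOST": "central.mydomain.tld"}

# Shape of the DaemonCore line quoted in the post.
DENIED_RE = re.compile(
    r"PERMISSION DENIED to (?P<user>\S+) user from host <(?P<ip>[\d.]+):\d+> "
    r"for command (?P<code>\d+) \((?P<name>\w+)\)"
)


def expand_macros(value, macros=MACROS):
    """Replace $(NAME) references with their configured values."""
    return re.sub(r"\$\((\w+)\)", lambda m: macros.get(m.group(1), ""), value)


def split_entry(entry):
    """'user@domain/host' -> (user pattern, host pattern); a bare host -> ('*', host)."""
    if "/" in entry:
        user, host = entry.split("/", 1)
        return user, host
    return "*", entry


def is_allowed(allow_list, user, host, macros=MACROS):
    """True if any comma-separated entry matches both the presented user and host.

    Simplified model (assumption): an unauthenticated peer presents user 'unknown'
    and only an IP address, so it can only ever match wildcard entries.
    """
    for raw in allow_list.split(","):
        entry = expand_macros(raw.strip(), macros)
        if not entry:
            continue
        user_pat, host_pat = split_entry(entry)
        if fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat):
            return True
    return False


def parse_denied_line(line):
    """Extract (user, ip, command code, command name) from a PERMISSION DENIED line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip"), int(m.group("code")), m.group("name")


def check_log_line(line, allow_list):
    """Evaluate one log line against an ALLOW setting; returns (allowed, details) or None."""
    parsed = parse_denied_line(line)
    if parsed is None:
        return None
    user, ip, code, name = parsed
    details = {"user": user, "host": ip, "command": f"{code} ({name})"}
    return is_allowed(allow_list, user, ip), details


if __name__ == "__main__":
    # Constructed copy of the StarterLog line from the post.
    log_line = ("6/6 16:54:38 DaemonCore: PERMISSION DENIED to unknown user from host "
                "<10.92.25.28:1884> for command 60011 (DC_NOP)")
    for setting in ("condor@$(UID_DOMAIN)/*.mydomain.tld", "*/*"):
        allowed, details = check_log_line(log_line, setting)
        verdict = "allowed" if allowed else "denied"
        print(f"ALLOW_DAEMON = {setting!r}: {details['user']} from {details['host']} "
              f"for {details['command']} -> {verdict}")
    # A daemon that did authenticate, with a resolvable hostname, passes the strict entry.
    print(is_allowed("condor@$(UID_DOMAIN)/*.mydomain.tld",
                     "condor@mydomain.tld", "exec01.mydomain.tld"))
```

The useful reading of the output is the contrast: the strict entry denies the "unknown" peer on both the user part and the host part (an IP never matches "*.mydomain.tld"), while "*/*" accepts it without learning anything about who connected. The model leaves out Condor's real behaviour around reverse DNS of the peer address and how it builds the user string from the Kerberos map file, so the poster's actual question of why the daemon-to-daemon connection arrives unauthenticated in the first place is not answered here; only the consequence of widening the ACL is.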