
Re: [Condor-users] Commands '10' & '49' + LDAP server



Ralf Auer wrote:
---------------------------------------------------------------------
5/6 21:39:11 DaemonCore: PERMISSION DENIED to unknown user from host
<xxx.xxx.xxx.xxx:9168> for command 10 (QUERY_STARTD_PVT_ADS)
5/6 21:39:11 DaemonCore: PERMISSION DENIED to unknown user from host
<xxx.xxx.xxx.xxx:9482> for command 49 (UPDATE_NEGOTIATOR_AD)
5/6 21:39:57 (Sending 119 ads in response to query)
5/6 21:39:58 Got QUERY_STARTD_PVT_ADS
5/6 21:39:58 (Sending 58 ads in response to query)
5/6 21:40:06 Accumulating data: Time=1178480406
5/6 21:41:06 Accumulating data: Time=1178480466
5/6 21:41:07 NegotiatorAd  : Inserting ** "< servername_goes_here >"
---------------------------------------------------------------------

I can find these errors for all of my Clients. I have set the
HOST_ALLOW_READ & HOST_ALLOW_WRITE in the global config-file correctly

Could it just be spelling?  The proper settings are HOSTALLOW_READ etc,
not HOST_ALLOW_READ (note the number of underscores).

One of the errors above is for updating the negotiator ad. Actually, both of those errors relate to denying access to the condor_negotiator process. What is your setting for HOSTALLOW_NEGOTIATOR? It should be set to be whatever machine is running your central manager. If it is, then in the above error snippet, are the IP addresses those of your central manager? If not, then you are running another instance of the condor_negotiator on another machine!!!! (good thing the collector isn't accepting it!).

Also, do you have any ALLOW_READ/ALLOW_WRITE settings (note absence of
"host")?

To eliminate possibilities of reverse-lookup with LDAP etc, try using IP
addresses instead of hostnames, e.g. maybe
  HOSTALLOW_WRITE = 144.92.*, 155.22.*
instead of
  HOSTALLOW_WRITE = *.mydomain.com

Just some initial thoughts, hope they help.
Todd
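
The checks suggested in the reply above can be scripted; the following is an added example, not part of the original message or of Condor itself. It extracts the denied peers from collector log text, flags `HOST_ALLOW_*` macro names in a config file, and lists denied source addresses that are not the central manager. The function names, sample log, sample config and IP addresses are all constructed for illustration.

```python
import re

# Constructed sample input: collector log lines in the format quoted in the
# thread (one wrapped by the mailer), with documentation-range IPs.
SAMPLE_LOG = """\
5/6 21:39:11 DaemonCore: PERMISSION DENIED to unknown user from host <192.0.2.10:9168> for command 10 (QUERY_STARTD_PVT_ADS)
5/6 21:39:11 DaemonCore: PERMISSION DENIED to unknown user from host
<192.0.2.77:9482> for command 49 (UPDATE_NEGOTIATOR_AD)
5/6 21:39:58 Got QUERY_STARTD_PVT_ADS
"""
# Constructed sample config reproducing the suspected misspelling.
SAMPLE_CONFIG = """\
# global config (constructed)
HOST_ALLOW_READ = *.mydomain.com
HOST_ALLOW_WRITE = *.mydomain.com
HOSTALLOW_NEGOTIATOR = 192.0.2.10
"""

DENIED = re.compile(
    r"PERMISSION DENIED to (?P<user>.+?) from host\s+"
    r"<(?P<ip>[^:>]+):(?P<port>\d+)>\s+for command (?P<num>\d+) \((?P<command>\w+)\)"
)
MISSPELLED = re.compile(r"^HOST_ALLOW_(\w+)$")

def denied_requests(log_text):
    """Return one dict per PERMISSION DENIED entry (tolerates wrapped lines)."""
    return [m.groupdict() for m in DENIED.finditer(log_text)]

def misspelled_macros(config_text):
    """Return (line_no, name_as_written, suggested_name) for HOST_ALLOW_* keys."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        m = MISSPELLED.match(key)
        if m:
            hits.append((line_no, key, "HOSTALLOW_" + m.group(1)))
    return hits

def peers_other_than(denials, central_manager_ip):
    """Source IPs of denied requests that are not the central manager."""
    return sorted({d["ip"] for d in denials if d["ip"] != central_manager_ip})

if __name__ == "__main__":
    denials = denied_requests(SAMPLE_LOG)
    for d in denials:
        print(d["ip"], d["num"], d["command"])
    print(misspelled_macros(SAMPLE_CONFIG))
    print(peers_other_than(denials, "192.0.2.10"))
```

An address returned by `peers_other_than` is the case described above where a negotiator may be running on a machine other than the central manager.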