
[Condor-users] KERBEROS AUTH error



Hi,

I've used Kerberos auth in Condor for a long time and it worked fine.
But after some Kerberos package updates, it has stopped working.

Now I get the error: AUTH_ERROR: KDC policy rejects request

[...]
9/12 09:49:28 SECMAN: Auth methods: KERBEROS
9/12 09:49:28 AUTHENTICATE: in authenticate( addr == '<193.146.196.45:9618>', methods == 'KERBEROS')
9/12 09:49:28 AUTHENTICATE: can still try these methods: KERBEROS
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 64) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 64)
9/12 09:49:28 AUTHENTICATE: will try to use 64 (KERBEROS)
9/12 09:49:28 KERBEROS: krb5_unparse_name: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: param server princ: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: no user yet determined, will grab up to slash
9/12 09:49:28 KERBEROS: picked user: condor
9/12 09:49:28 KERBEROS: mapping realm FNAL.GOV to domain fnal.gov.
9/12 09:49:28 Client is condor@xxxxxxxx
9/12 09:49:28 KERBEROS: Server principal is condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 init_daemon: client principal is 'condor/cdf/bcncaf@xxxxxxxx'
9/12 09:49:28 init_daemon: Using default keytab FILE:/etc/krb5.keytab
9/12 09:49:28 init_daemon: Trying to get tgt credential for service condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 AUTH_ERROR: KDC policy rejects request
9/12 09:49:28 AUTHENTICATE: method 64 (KERBEROS) failed.
9/12 09:49:28 AUTHENTICATE: can still try these methods: 
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = '')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 0) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 0)
9/12 09:49:28 AUTHENTICATE: no available authentication methods succeeded, failing!
[...]

Which means that I'm asking for a forwardable or proxiable principal
when it is not supposed to be. But looking for the principal, I get:

$ klist -f
Ticket cache: /tmp/krb5cc_10155
Default principal: condor/cdf/bcncaf@xxxxxxxx

09/12/07 09:49:01  09/13/07 11:48:54  condor/cdf/bcncaf@xxxxxxxx
        Flags: A

It doesn't have any of the "problematic" flags. In fact, some of the
scripts request the principal like this:
kinit -F -k -t /etc/krb5.keytab condor/cdf/bcncaf@xxxxxxxx

But I don't really know what Condor does to get the principal.
Could someone explain it to me?
Has anyone had a similar experience?

$ condor -v
$CondorVersion: 6.8.3 Jan  4 2007 $
$CondorPlatform: I386-LINUX_RHEL3 $

TIA,
Arnau