
[Condor-users] KERBEROS AUTH error



Hi,

I've used Kerberos auth in Condor for a long time and it worked fine.
But after an update of some Kerberos packages, it has stopped working.

Now I get the error: AUTH_ERROR: KDC policy rejects request

[...]
9/12 09:49:28 SECMAN: Auth methods: KERBEROS
9/12 09:49:28 AUTHENTICATE: in authenticate( addr == '<193.146.196.45:9618>', methods == 'KERBEROS')
9/12 09:49:28 AUTHENTICATE: can still try these methods: KERBEROS
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 64) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 64)
9/12 09:49:28 AUTHENTICATE: will try to use 64 (KERBEROS)
9/12 09:49:28 KERBEROS: krb5_unparse_name: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: param server princ: condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 KERBEROS: no user yet determined, will grab up to slash
9/12 09:49:28 KERBEROS: picked user: condor
9/12 09:49:28 KERBEROS: mapping realm FNAL.GOV to domain fnal.gov.
9/12 09:49:28 Client is condor@xxxxxxxx
9/12 09:49:28 KERBEROS: Server principal is condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 init_daemon: client principal is 'condor/cdf/bcncaf@xxxxxxxx'
9/12 09:49:28 init_daemon: Using default keytab FILE:/etc/krb5.keytab
9/12 09:49:28 init_daemon: Trying to get tgt credential for service condor/cdf/bcncaf@xxxxxxxx
9/12 09:49:28 AUTH_ERROR: KDC policy rejects request
9/12 09:49:28 AUTHENTICATE: method 64 (KERBEROS) failed.
9/12 09:49:28 AUTHENTICATE: can still try these methods:
9/12 09:49:28 HANDSHAKE: in handshake(my_methods = '')
9/12 09:49:28 HANDSHAKE: handshake() - i am the client
9/12 09:49:28 HANDSHAKE: sending (methods == 0) to server
9/12 09:49:28 HANDSHAKE: server replied (method = 0)
9/12 09:49:28 AUTHENTICATE: no available authentication methods succeeded, failing!
[...]

Which means that I'm asking for a forwardable or proxyable principal
when it is not supposed to be. But looking at the principal I get:

$ klist -f
Ticket cache: /tmp/krb5cc_10155
Default principal: condor/cdf/bcncaf@xxxxxxxx

09/12/07 09:49:01  09/13/07 11:48:54  condor/cdf/bcncaf@xxxxxxxx
        Flags: A

It doesn't have any of the "problematic" flags. In fact, some of the
scripts request the principal like this:

kinit -F -k -t /etc/krb5.keytab condor/cdf/bcncaf@xxxxxxxx

But I don't really know what Condor does to get the principal.
Could someone explain it to me?
Has anyone had a similar experience?

$ condor -v
$CondorVersion: 6.8.3 Jan  4 2007 $
$CondorPlatform: I386-LINUX_RHEL3 $

TIA,
Arnau