
[Condor-users] Kerberos realm mapping problem



I'm having problems mapping a UID domain to a Kerberos realm.

The host's FQDN is host.dummy.com. The Kerberos realm is REALM.COM.

I have the following relevant settings in condor_config:

KERBEROS_MAP_FILE = $(RELEASE_DIR)/etc/condor.kmap
CONDOR_SERVER_PRINCIPAL = HOST

UID_DOMAIN = $(FULL_HOSTNAME)

The map file contains the following:

REALM.COM = dummy.com

But as far as I can tell the realm mapping doesn't occur. Here's the D_SECURITY output from the negotiator's log file:

13:07:56 SECMAN: new session, doing initial authentication.
13:07:56 SECMAN: Auth methods: KERBEROS
13:07:56 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:07:56 HANDSHAKE: handshake() - i am the client
13:07:56 HANDSHAKE: sending (methods == 64) to server
13:07:56 HANDSHAKE: server replied (method = 64)
13:07:56 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:07:56 KERBEROS: no user yet determined, will grab up to slash
13:07:56 KERBEROS: picked user: host
13:07:56 KERBEROS: remapping 'host' to 'condor'
13:07:56 Failed to map principal to user
13:07:56 AUTHENTICATE: method 64 (KERBEROS) failed.

If I simply remove the map file, things actually get a little further; Condor reports which principal it's trying to use and queries the right keytab file:

13:15:05 SECMAN: new session, doing initial authentication.
13:15:05 SECMAN: Auth methods: KERBEROS
13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:15:05 HANDSHAKE: handshake() - i am the client
13:15:05 HANDSHAKE: sending (methods == 64) to server
13:15:05 HANDSHAKE: server replied (method = 64)
13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:15:05 KERBEROS: no user yet determined, will grab up to slash
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 init_daemon: Trying to get tgt credential for service host/host.dummy.com@xxxxxxxxx
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.

So I can tell that the map file is being read in the first case, but something is going wrong right after that, as it appears that Condor hasn't created the principal correctly.

Any ideas? I'm using v7.0.5 on a CentOS 5 box.

--
Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom
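Added example, not from the poster and not Condor's own code: a stand-alone Python re-creation of the realm-to-UID-domain lookup the posted log walks through, so a condor.kmap can be checked by hand against the realm a principal actually carries. The "host" to daemon-user remap, the `#` comment syntax, the `daemon_user` name and the sample map content are assumptions.

```python
"""Re-creation (an assumption, not Condor's implementation) of the steps the
D_SECURITY log shows: split the principal, remap 'host', look up the realm."""
import re

# Constructed map file content, same shape as the one in the post.
KMAP_TEXT = """
# realm = uid domain
REALM.COM = dummy.com
"""


def parse_kmap(text):
    """Parse 'REALM = domain' lines into a dict; skip blanks and '#' comments."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'REALM = domain', got {raw!r}")
        realm, domain = (part.strip() for part in line.split("=", 1))
        if not realm or not domain:
            raise ValueError(f"line {lineno}: empty realm or domain in {raw!r}")
        mapping[realm] = domain  # realms are case-sensitive; no lower()
    return mapping


def split_principal(principal):
    """'host/host.dummy.com@REALM.COM' -> ('host', 'host.dummy.com', 'REALM.COM')."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?@([^@]+)", principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.groups()


def map_principal(principal, kmap, daemon_user="condor"):
    """Return 'user@uid_domain', or None when the realm has no map entry
    (the case that surfaces as 'Failed to map principal to user')."""
    primary, _instance, realm = split_principal(principal)
    user = daemon_user if primary == "host" else primary  # mirrors the log's remap
    domain = kmap.get(realm)
    return None if domain is None else f"{user}@{domain}"


def diagnose(principal, kmap_text):
    """One-shot check: the realm the principal carries and whether it is mapped."""
    kmap = parse_kmap(kmap_text)
    realm = split_principal(principal)[2]
    result = map_principal(principal, kmap)
    if result is None:
        return None, f"realm {realm!r} not in map (map has: {sorted(kmap)})"
    return result, f"mapped to {result}"
```

An exact-string mismatch between the realm on the principal and the left-hand side of the map (case, trailing whitespace, a different realm than expected) is what `diagnose` makes visible.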