[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] Kerberos realm mapping problem
- Date: Wed, 10 Dec 2008 13:28:34 +0000
- From: Liam Gretton <L.Gretton@xxxxxxxxxxx>
- Subject: [Condor-users] Kerberos realm mapping problem
I'm having problems mapping a UID domain to a kerberos realm.
The host's FQDN is host.dummy.com. The Kerberos realm is REALM.COM.
I have the following relevant settings in condor_config:
KERBEROS_MAP_FILE = $(RELEASE_DIR)/etc/condor.kmap
CONDOR_SERVER_PRINCIPAL = HOST
UID_DOMAIN = $(FULL_HOSTNAME)
The map file contains the following:
REALM.COM = dummy.com
But as far as I can tell the realm mapping doesn't occur. Here's the
D_SECURITY output from the negotiator's log file:
13:07:56 SECMAN: new session, doing initial authentication.
13:07:56 SECMAN: Auth methods: KERBEROS
13:07:56 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:07:56 HANDSHAKE: handshake() - i am the client
13:07:56 HANDSHAKE: sending (methods == 64) to server
13:07:56 HANDSHAKE: server replied (method = 64)
13:07:56 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:07:56 KERBEROS: no user yet determined, will grab up to slash
13:07:56 KERBEROS: picked user: host
13:07:56 KERBEROS: remapping 'host' to 'condor'
13:07:56 Failed to map principal to user
13:07:56 AUTHENTICATE: method 64 (KERBEROS) failed.
If I simply remove the map file, things actually get a little further;
Condor reports which principal it's trying to use and queries the right
13:15:05 SECMAN: new session, doing initial authentication.
13:15:05 SECMAN: Auth methods: KERBEROS
13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:15:05 HANDSHAKE: handshake() - i am the client
13:15:05 HANDSHAKE: sending (methods == 64) to server
13:15:05 HANDSHAKE: server replied (method = 64)
13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:15:05 KERBEROS: no user yet determined, will grab up to slash
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 init_daemon: Trying to get tgt credential for service
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.
So I can tell that the map file is being read in the first case, but
something is going wrong right after that as it appears that Condor
hasn't created the principal correctly.
Any ideas? I'm using v7.0.5 on a CentOS 5 box.
Liam Gretton L.Gretton@xxxxxxxxxxx
IT Services http://www.lboro.ac.uk/
Loughborough University Tel: +44 (0)1509 226048
Leicestershire LE11 3TU