
Re: [Condor-users] Kerberos realm mapping problem



Liam Gretton wrote:
I just discovered something else: as far as I can see
CONDOR_SERVER_PRINCIPAL has no effect whatsoever - whatever I set it to,
or if I simply comment it out, Condor attempts to create a principal
host/host.dummy.com@xxxxxxxxxx

Apologies for continuing to reply to myself.

Having spent a good day tearing my hair out trying to get this to work, I went through the Condor source code and have found no reference to CONDOR_SERVER_PRINCIPAL at all. Instead I found the following undocumented configuration settings in condor_auth_kerberos.C:

KERBEROS_SERVER_KEYTAB
KERBEROS_SERVER_PRINCIPAL
KERBEROS_SERVER_USER
KERBEROS_SERVER_SERVICE
KERBEROS_CLIENT_KEYTAB

KERBEROS_SERVER_PRINCIPAL can be set to the explicit principal required, but there's no attempt to create a principal in the way that CONDOR_SERVER_PRINCIPAL is supposed to.

It seems to me that either the Kerberos handling has changed significantly in a recent version, and/or the documentation is in need of updating.

http://www.cs.wisc.edu/condor/manual/v7.0/3_6Security.html#SECTION00463300000000000000

Perhaps I've missed something glaringly obvious, but I can't believe I'm the only person who's had problems getting Kerberos to work when the documentation is so at odds with the implementation?

--
Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom