Re: [Condor-users] Kerberos realm mapping problem



Liam Gretton wrote:

If I simply remove the map file, things actually get a little further; Condor reports which principal it's trying to use and queries the right keytab file:

13:15:05 SECMAN: new session, doing initial authentication.
13:15:05 SECMAN: Auth methods: KERBEROS
13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:15:05 HANDSHAKE: handshake() - i am the client
13:15:05 HANDSHAKE: sending (methods == 64) to server
13:15:05 HANDSHAKE: server replied (method = 64)
13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:15:05 KERBEROS: no user yet determined, will grab up to slash
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 init_daemon: Trying to get tgt credential for service host/host.dummy.com@xxxxxxxxx
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.

"Client not found in Kerberos database" -- this message indicates that the principal "host/host.dummy.com@xxxxxxxxx" doesn't exist in your KDC.

This is a really stupid question, but have you created that principal correctly?

(What kind of Kerberos server are you using? An MIT / Heimdal KDC, a Windows Active Directory, or something else?)

In case it's helpful, you can review the full top-level configuration
file for my local Kerberos-authenticated Condor pool here:

    http://www.doc.ic.ac.uk/condor/config/doc/condor_config.global

Cheers,
David
--
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London
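An added example, not part of this thread and not Condor's own code: a small POSIX shell script that parses SECMAN/KERBEROS log lines shaped like the ones Liam quoted, pulls out the client principal and keytab the daemon used, classifies the failure, and prints the checks David's question implies. The realm and the sample log are constructed placeholders; the klist/kinit/kadmin commands assume MIT Kerberos tools and are printed for the operator, not executed.

```shell
#!/bin/sh
# Triage helper for Condor Kerberos authentication failures (added example).
# Input: a block of daemon log text in the format quoted in the thread.

# Constructed sample log; realm is a placeholder, not the poster's real one.
SAMPLE_LOG=$(cat <<'EOF'
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 init_daemon: client principal is 'host/host.dummy.com@EXAMPLE.REALM'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.
EOF
)

# Principal the daemon actually presented (quoted in the init_daemon line).
log_principal() {
    printf '%s\n' "$1" | sed -n "s/.*client principal is '\([^']*\)'.*/\1/p" | head -n 1
}

# Keytab file the daemon read its key from.
log_keytab() {
    printf '%s\n' "$1" | sed -n 's/.*Using default keytab \([^ ]*\).*/\1/p' | head -n 1
}

# One finding per line, in log order; a missing map file is a warning,
# "Client not found in Kerberos database" is the fatal one (KDC has no such principal).
log_findings() {
    printf '%s\n' "$1" | grep -q 'unable to open map file .* errno 2' && echo map-file-missing
    printf '%s\n' "$1" | grep -q 'Client is .*@(null)' && echo client-realm-null
    printf '%s\n' "$1" | grep -q 'AUTH_ERROR: Client not found in Kerberos database' && echo principal-missing-from-kdc
    return 0
}

# Checks to run on the client host, in the order that isolates the fault (MIT tools assumed).
suggest_checks() {
    printf 'klist -kt %s | grep -F "%s"\n' "$2" "$1"   # keytab holds a key for the principal?
    printf 'kinit -kt %s "%s"\n' "$2" "$1"             # KDC issues a TGT for it?
    printf 'kadmin -q "getprinc %s"\n' "$1"            # principal exists in the KDC at all?
}

principal=$(log_principal "$SAMPLE_LOG")
keytab=$(log_keytab "$SAMPLE_LOG")
echo "principal: $principal"
echo "keytab:    $keytab"
echo "findings:"; log_findings "$SAMPLE_LOG" | sed 's/^/  /'
echo "checks to run (Heimdal: use ktutil list / kadmin -l instead):"
suggest_checks "$principal" "$keytab" | sed 's/^/  /'
```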