Re: [Condor-users] Kerberos realm mapping problem
- Date: Thu, 11 Dec 2008 12:40:47 +0000
- From: David McBride <dwm@xxxxxxxxxxxx>
- Subject: Re: [Condor-users] Kerberos realm mapping problem
Liam Gretton wrote:
> If I simply remove the map file, things actually get a little further;
> Condor reports which principal it's trying to use and queries the right
>
> 13:15:05 SECMAN: new session, doing initial authentication.
> 13:15:05 SECMAN: Auth methods: KERBEROS
> 13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
> 13:15:05 HANDSHAKE: handshake() - i am the client
> 13:15:05 HANDSHAKE: sending (methods == 64) to server
> 13:15:05 HANDSHAKE: server replied (method = 64)
> 13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
> 13:15:05 KERBEROS: no user yet determined, will grab up to slash
> 13:15:05 KERBEROS: picked user: host
> 13:15:05 KERBEROS: remapping 'host' to 'condor'
> 13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
> 13:15:05 Client is condor@(null)
> 13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
> 13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
> 13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
> 13:15:05 init_daemon: Trying to get tgt credential for service
> 13:15:05 AUTH_ERROR: Client not found in Kerberos database
> 13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.

"Client not found in Kerberos database" -- this message indicates that
the principal "host/host.dummy.com@xxxxxxxxx" doesn't exist in your KDC.
This is a really stupid question, but have you created that principal
(What kind of Kerberos server are you using? An MIT / Heimdal KDC, a
Windows Active Directory, or something else?)
In case it's helpful, you can review the full top-level configuration
file for my local Kerberos-authenticated Condor pool here:
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London
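
An added example, not part of the message above and not Condor code: a small Python triage over the debug log quoted in the thread that extracts the principal, keytab and map-file error and states the two findings. The function and pattern names are assumptions made for this example; the sample lines are copied from the quoted log, with the realm as redacted by the list archive.

```python
import re

# Lines copied from the log quoted in the thread (realm redacted by the archive).
SAMPLE_LOG = """\
13:15:05 SECMAN: Auth methods: KERBEROS
13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.
"""

# Hypothetical pattern table for this example; keyed by the fact each extracts.
PATTERNS = {
    "principal": re.compile(r"init_daemon: client principal is '([^']+)'"),
    "keytab": re.compile(r"init_daemon: Using default keytab (\S+)"),
    "map_file": re.compile(r"unable to open map file (\S+), errno (\d+)"),
    "auth_error": re.compile(r"AUTH_ERROR: (.+)$"),
    "failed": re.compile(r"AUTHENTICATE: method \d+ \((\w+)\) failed"),
}

def triage(log_text):
    """Return (facts, findings) for one authentication attempt in the log."""
    facts = {}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in facts:  # keep the first occurrence of each fact
                facts[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
    findings = []
    if "map_file" in facts:
        path, err = facts["map_file"]
        # errno 2 is ENOENT: the map file is simply absent.
        note = "file does not exist" if err == "2" else "errno " + err
        findings.append(f"realm map {path} could not be opened ({note})")
    if facts.get("auth_error") == "Client not found in Kerberos database":
        findings.append(
            f"KDC does not know principal {facts.get('principal', '<unknown>')} "
            f"(keytab in use: {facts.get('keytab', '<unknown>')})"
        )
    return facts, findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]:
        print(finding)
```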