
Re: [Condor-users] Kerberos realm mapping problem

David McBride wrote:
Liam Gretton wrote:

If I simply remove the map file, things actually get a little further; Condor reports which principal it's trying to use and queries the right keytab file:

13:15:05 SECMAN: new session, doing initial authentication.
13:15:05 SECMAN: Auth methods: KERBEROS
13:15:05 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
13:15:05 HANDSHAKE: handshake() - i am the client
13:15:05 HANDSHAKE: sending (methods == 64) to server
13:15:05 HANDSHAKE: server replied (method = 64)
13:15:05 KERBEROS: krb5_unparse_name: host/host.dummy.com@xxxxxxxxx
13:15:05 KERBEROS: no user yet determined, will grab up to slash
13:15:05 KERBEROS: picked user: host
13:15:05 KERBEROS: remapping 'host' to 'condor'
13:15:05 unable to open map file /opt/condor/etc/condor.kmap, errno 2
13:15:05 Client is condor@(null)
13:15:05 KERBEROS: Server principal is host/host.dummy.com@xxxxxxxxx
13:15:05 init_daemon: client principal is 'host/host.dummy.com@xxxxxxxxx'
13:15:05 init_daemon: Using default keytab /etc/krb5/krb5.keytab
13:15:05 init_daemon: Trying to get tgt credential for service host/host.dummy.com@xxxxxxxxx
13:15:05 AUTH_ERROR: Client not found in Kerberos database
13:15:05 AUTHENTICATE: method 64 (KERBEROS) failed.

"Client not found in Kerberos database" -- this message indicates that the principal "host/host.dummy.com@xxxxxxxxx" doesn't exist in your KDC.

That's right - I'm trying to get it to map the domain dummy.com to the realm REALM.COM, and host/host.dummy.com@xxxxxxxxx is a valid principal. But it's the mapping I can't get to work.

(What kind of Kerberos server are you using? An MIT / Heimdal KDC, a Windows Active Directory, or something else?)

Windows AD.

I've managed to get it to work now for a Linux installation talking to the AD, but only by using the undocumented feature KERBEROS_SERVER_PRINCIPAL.

In case it's helpful, you can review the full top-level configuration file for my local Kerberos-authenticated Condor pool here:


That's handy, thanks. I see you've got CONDOR_SERVER_PRINCIPAL set to 'host' - see my other post, I don't believe this setting does anything at all.

Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom
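As an added illustration (not code from the thread, from Condor, or from MIT krb5), here are the two lookups that the log above walks through, written out so the failure mode is visible: the krb5 `[domain_realm]` rule that decides which realm a hostname like host.dummy.com belongs to (longest-suffix match; a key with a leading dot covers subdomains, a key without one names a single host), and the Condor-side translation of a Kerberos realm into a UID domain via the map file that errno 2 says is missing. The table contents are constructed sample data, the `REALM = domain` line format assumed for condor.kmap is my assumption, and the `user_remap` argument is a stand-in for whatever setting produced the log's "remapping 'host' to 'condor'"; the thread does not name it.

```python
"""Added example, not part of the original thread.

host_to_realm    - krb5-style [domain_realm] lookup (MIT/Heimdal semantics).
parse_kmap       - Condor KERBEROS_MAP_FILE parser (line format is assumed).
condor_identity  - builds the 'user@domain' string seen as 'Client is ...'.
"""
from typing import Dict, Optional, Tuple

# Constructed sample krb5.conf [domain_realm] section (not the poster's config).
DOMAIN_REALM: Dict[str, str] = {
    ".dummy.com": "REALM.COM",          # all hosts under dummy.com
    "kdc.dummy.com": "REALM.COM",       # exact-host entry
    ".lab.dummy.com": "LAB.REALM.COM",  # more specific subdomain wins
}

# Constructed sample condor.kmap; "REALM = domain" is an assumed format.
CONDOR_KMAP = """\
# Kerberos realm       Condor UID domain
REALM.COM            = dummy.com
"""

# Assumed stand-in for the log's "remapping 'host' to 'condor'".
DEFAULT_USER_REMAP: Dict[str, str] = {"host": "condor"}


def host_to_realm(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Longest-match lookup in the style of krb5's [domain_realm].

    Tries the exact hostname first, then each parent domain with a
    leading dot, most specific first. Returns None when nothing matches
    (krb5 would then fall back to the upper-cased DNS domain, which is
    rarely the realm you want when AD realm and DNS domain differ).
    """
    host = hostname.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def parse_kmap(text: str) -> Dict[str, str]:
    """Parse 'REALM = domain' lines; '#' comments and blank lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        realm, _, domain = line.partition("=")
        table[realm.strip().upper()] = domain.strip().lower()
    return table


def split_principal(principal: str) -> Tuple[str, str]:
    """'host/host.dummy.com@REALM.COM' -> ('host', 'REALM.COM').

    Mirrors the log's "no user yet determined, will grab up to slash".
    """
    name, _, realm = principal.partition("@")
    user = name.split("/", 1)[0]
    return user, realm


def condor_identity(principal: str,
                    kmap: Optional[Dict[str, str]],
                    user_remap: Optional[Dict[str, str]] = None) -> str:
    """Build the 'user@domain' string Condor logs as 'Client is ...'.

    kmap=None models the unreadable map file (errno 2 in the log): the
    realm cannot be translated, so the domain comes out as '(null)'.
    """
    remap = DEFAULT_USER_REMAP if user_remap is None else user_remap
    user, realm = split_principal(principal)
    user = remap.get(user, user)
    domain = kmap.get(realm.upper()) if kmap else None
    return f"{user}@{domain if domain else '(null)'}"


if __name__ == "__main__":
    print(host_to_realm("host.dummy.com", DOMAIN_REALM))
    print(condor_identity("host/host.dummy.com@REALM.COM", parse_kmap(CONDOR_KMAP)))
    print(condor_identity("host/host.dummy.com@REALM.COM", None))
```

The last two calls reproduce the difference between a working map file and the situation in the log: with the file present the client resolves to condor@dummy.com, without it to condor@(null). Fixing the `[domain_realm]` side alone (so host.dummy.com resolves to REALM.COM) does not help if Condor still cannot read its own realm-to-domain map.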