
[Condor-users] Schedd and kerberos



I'm setting up a Condor pool which consists of a single Central Manager,
a number of execute hosts and a much smaller number of separate submit
hosts (all running Condor 7.0.5).

I need to treat the submit hosts as untrusted to some extent, and I'm
trying to use Kerberos to authenticate job submissions.

All the submit hosts have a host principal in the Kerberos database,
and valid users also pick up a ticket when they log in to the submit
host (which is typically their own desktop PC).

What I can't work out from the Condor security documentation is on
which host I need to set the Kerberos features. I've created a condor
service principal (condor/hostname@REALM) in Kerberos and have set
the following security options on the Central Manager:

KERBEROS_MAP_FILE = /opt/condor/etc/condor.kmap

CONDOR_SERVER_PRINCIPAL = condor

SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_SCHEDD_AUTHENTICATION = REQUIRED

...but that's not helping. I've tried the same settings on the submit
host too. I'm obviously barking up the wrong tree as the Schedd log
records the following entries when the submit host's Condor starts:

<date time> AUTHENTICATE: no available authentication methods succeeded, failing!
<date time> ERROR: SECMAN:2004:Failed to start a session to <central manager:9618> with TCP|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
<date time> Failed to start non-blocking update to <central_manager:9618>.

I'd be very grateful for any pointers to where I'm going wrong.

--
Liam Gretton                                    L.Gretton@xxxxxxxxxxx
IT Services                                   http://www.lboro.ac.uk/
Loughborough University                       Tel: +44 (0)1509 226048
Leicestershire LE11 3TU
United Kingdom