
Re: [Condor-users] condor_q -analyze & kerberos



Hi Steven,

Steven Timm wrote:
> On Fri, 16 Jan 2009, Lee Damon wrote:
> 
>> My condor pool is set up with the goal that users who authenticated to a
>> system (by logging in) do not need to have a kerberos ticket to interact
>> with condor but where the systems themselves need one to talk with each
>> other (so boxes I don't control can't just join the pool).
>>
>> Without a kerberos ticket jobs are submitted fine.  condor_q shows them
>> just fine.  However, when a user runs condor_q -better they get back:
>>    Error:  Could not fetch startd ads
> 
> setting
> SEC_CLIENT_AUTHENTICATION = OPTIONAL
> SEC_READ_AUTHENTICATION = OPTIONAL

Would this compromise the requirement that client _hosts_ authenticate,
or does this only affect users?

> should let you do condor_q -better without a kerberos principal.
> If that doesn't work then
> 
> export _CONDOR_TOOL_DEBUG=D_ALL
> condor_q -debug -better ....

FS doesn't work because it's a remote query.

KERBEROS doesn't work because it's complaining about credentials for the
user. (There aren't any because we're trying to make it so users don't
need them, just hosts).

thanks,
nomad

> and see what authentication is going on and why it is failing.
> (maybe could get by with D_SECURITY and not D_ALL).
> 
> Steve Timm
> 
> 
>> If the user gets a kerberos ticket they get actual output from condor_q
>> -better.  It would be preferred if the user never had to get a kerberos
>> ticket to interact with condor (submitting, queuing, killing, querying,
>> etc).
>>
>> All of the systems are running with the following settings:
>>
>>  ; condor_config_val SEC_DEFAULT_AUTHENTICATION_METHODS
>> FS, KERBEROS
>>  ; condor_config_val SCHEDD.SEC_DEFAULT_AUTHENTICATION_METHODS
>> FS, KERBEROS
>>  ; condor_config_val TOOL.SEC_DEFAULT_AUTHENTICATION_METHODS
>> FS, KERBEROS
>>  ; condor_config_val COLLECTOR.SEC_DEFAULT_AUTHENTICATION_METHODS
>> FS, KERBEROS
>>
>> Any hints on what I should be looking at to change the unwanted behavior
>> would be appreciated.
>>
>> thanks,
>> nomad