[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Condor-users] condor_q -analyze & kerberos
- Date: Wed, 21 Jan 2009 12:45:51 -0600 (CST)
- From: Steven Timm <timm@xxxxxxxx>
- Subject: Re: [Condor-users] condor_q -analyze & kerberos
On Wed, 21 Jan 2009, Lee Damon wrote:
Steven Timm wrote:
On Fri, 16 Jan 2009, Lee Damon wrote:
My condor pool is set up with the goal that users who authenticated to a
system (by logging in) do not need to have a kerberos ticket to interact
with condor but where the systems themselves need one to talk with each
other (so boxes I don't control can't just join the pool).
Without a kerberos ticket jobs are submitted fine. condor_q shows them
just fine. However, when a user runs condor_q -better they get back:
Error: Could not fetch startd ads
SEC_CLIENT_AUTHENTICATION = OPTIONAL
SEC_READ_AUTHENTICATION = OPTIONAL
Would this compromise the requirement that client _hosts_ authenticate,
or does this only effect users?
It should only affect users.
I am not sure of the demarcation line between CLIENT and READ.
Have asked Zach to document it several times and he's never done it,
but with D_SECURITY on you can see what any given access is
trying to do.
should let you do condor_q -better without a kerberos principal.
If that doesn't work then
condor_q -debug -better ....
FS doesn't work because it's a remote query
KERBEROS doesn't work because it's complaining about credentials for the
user. (There aren't any because we're trying to make it so users don't
need them, just hosts).
and see what authentication is going on and why it is failing.
(maybe could get by with D_SECURITY and not D_ALL).
If the user gets a kerberos ticket they get actual output from condor_q
-better. It would be preferred if the user never had to get a kerberos
ticket to interact with condor (submitting, queuing, killing, querying,
All of the systems are running with the following settings:
; condor_config_val SEC_DEFAULT_AUTHENTICATION_METHODS
; condor_config_val SCHEDD.SEC_DEFAULT_AUTHENTICATION_METHODS
; condor_config_val TOOL.SEC_DEFAULT_AUTHENTICATION_METHODS
; condor_config_val COLLECTOR.SEC_DEFAULT_AUTHENTICATION_METHODS
Any hints on what I should be looking at to change the unwanted behavior
would be appreciated.
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
You can also unsubscribe by visiting
The archives can be found at:
Steven C. Timm, Ph.D (630) 840-8525
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.