
Re: [Condor-users] condor_q -analyze & kerberos



On Wed, 21 Jan 2009, Lee Damon wrote:

Hi Steven,

Steven Timm wrote:
On Fri, 16 Jan 2009, Lee Damon wrote:

My condor pool is set up with the goal that users who authenticated to a
system (by logging in) do not need to have a kerberos ticket to interact
with condor but where the systems themselves need one to talk with each
other (so boxes I don't control can't just join the pool).

Without a kerberos ticket jobs are submitted fine.  condor_q shows them
just fine.  However, when a user runs condor_q -better they get back:
   Error:  Could not fetch startd ads

setting
SEC_CLIENT_AUTHENTICATION = OPTIONAL
SEC_READ_AUTHENTICATION = OPTIONAL

Would this compromise the requirement that client _hosts_ authenticate,
or does this only affect users?

It should only affect users.
I am not sure of the demarcation line between CLIENT and READ.
Have asked Zach to document it several times and he's never done it,
but with D_SECURITY on you can see what any given access is
trying to do.

Steve


should let you do condor_q -better without a kerberos principal.
If that doesn't work then

export _CONDOR_TOOL_DEBUG=D_ALL
condor_q -debug -better ....

FS doesn't work because it's a remote query

KERBEROS doesn't work because it's complaining about credentials for the
user. (There aren't any because we're trying to make it so users don't
need them, just hosts).

thanks,
nomad

and see what authentication is going on and why it is failing.
(maybe could get by with D_SECURITY and not D_ALL).

Steve Timm


If the user gets a kerberos ticket they get actual output from condor_q
-better.  It would be preferred if the user never had to get a kerberos
ticket to interact with condor (submitting, queuing, killing, querying,
etc).

All of the systems are running with the following settings:

 ; condor_config_val SEC_DEFAULT_AUTHENTICATION_METHODS
FS, KERBEROS
 ; condor_config_val SCHEDD.SEC_DEFAULT_AUTHENTICATION_METHODS
FS, KERBEROS
 ; condor_config_val TOOL.SEC_DEFAULT_AUTHENTICATION_METHODS
FS, KERBEROS
 ; condor_config_val COLLECTOR.SEC_DEFAULT_AUTHENTICATION_METHODS
FS, KERBEROS

Any hints on what I should be looking at to change the unwanted behavior
would be appreciated.

thanks,
nomad

--
------------------------------------------------------------------
Steven C. Timm, Ph.D  (630) 840-8525
timm@xxxxxxxx  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.