[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] [Condor-devel] information regarding ticket 1264




On Thu, 2010-07-08 at 08:35 -0500, Timothy St. Clair wrote:
> 
> On Thu, 2010-07-08 at 10:33 +0200, Alexandre Fayolle wrote:
> > On Wednesday 07 July 2010 18:06:51 Timothy St. Clair wrote:
> > >         In looking through the handshake your credd is trying you auth with
> > > only PASSWORD, but the master is responding with NTSSPI, KERBEROS which
> > > is failing authentication b/c there are no matching auth methods.   
> > > 
> > > You may want to try changing your condor_config.local file to:
> > > CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS="NTSSPI,PASSWORD" and give that
> > > a whirl.  
> > 
> > This worked indeed. Many thanks. I have a few of additional questions and 
> > suggestions:
> > 
> > 1. Reading 
> > http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#SECTION00463000000000000000 
> > seem to suggest that the following configuration line should have worked too, 
> > but when I tested it, it did not:
> > 
> > CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD 
> > 
> > The only syntax which works is the one you provided (quotes around the value 
> > and no space after the coma). I have noticed issues with some configuration 
> > instructions which would not work if there was no space after the comma 
> > (notably the ALLOW_READ/WRITE/etc stanzas). The documentation (or the config 
> > file parser) could be updated, because this is very confusing. 
> 
> Sadly this is true, and I've noticed this as well, hence the reason for
> the "," w/o spaces.  

So I should elaborate... I've seen this before in the windows env only,
but this is not the correct behavior, and I will promptly file a
ticket.  

> Once you have a wiki account it might be worth
> while to chime in on
> https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=988.  As not all
> params are evaluated the same.  
> 
> > 
> > 2. Does the addition of "PASSWORD" to CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS 
> > have other implications with regard to the "storing credentials" part of 
> > CREDD*
> > 
> > 3. if there is an agreement that this is the way to go to allow a clean 
> > shutdown of the service, I suggest fixing the condor_config.local.credd example 
> > file mentionned in the documentation, since the change is in the "CREDD expert 
> > settings" sections with various warning about changes only to be made by über 
> > condor wizards, which is quite intimidating for the newcommer.
> 
> I will have to review the 2 & 3 and get back to you.  
> 
> >  
> > 
> > Again thanks a lot for looking into this and providing a fix. 
> > 
> 
> No prob ;-) 
> 
> 
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> 
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/condor-users/