
Re: [Condor-users] User based authentication in Condor



Dear Cathrin,

thanks for pointing me to this key again. It seems I just forgot it in
my local config file (shame on me). I'll try to set it (after reading
the section in the manual again ;-)) and hope that the setup will work
afterwards. Thanks a lot for pointing me in the right direction!   

On Monday, 06.06.2011, 15:39 -0500, Cathrin Weiss wrote:
> Felix,
> 
> "unauthenticated@unmapped" means that no authentication takes place. 
> Have you looked into your authentication settings as well (you didn't 
> post any)? I am, for example, thinking of the
> 
> SEC_CLIENT_AUTHENTICATION_METHODS = ...
> 
> setting (also see the section on credd setup: 
> http://www.cs.wisc.edu/condor/manual/v7.6/6_2Microsoft_Windows.html#SECTION00725000000000000000 
> )
> 
> 
> Thanks,
> Cathrin
> 
> 
> On 06/03/2011 10:21 AM, Felix Wolfheimer wrote:
> > Hi,
> >
> > I'm currently testing the user based authentication as I want to
> > replace our previous host based authentication. I'm facing some issues
> > (probably caused by my limited understanding about how to set this up
> > properly). I started with a single machine (central
> > manager/submit/execute host) as testbed for the new mechanism (Windows
> > Server 2003 R2). This is what I've done:
> >
> > 1. Inserted the following settings into the local config file:
> >
> > # All users in our domain should be allowed to query the pool and submit jobs
> > ALLOW_READ            = *@<our_domain>/*.$(UID_DOMAIN)
> > ALLOW_WRITE           = *@<our_domain>/*.$(UID_DOMAIN)
> > # only I have admin and owner rights
> > ALLOW_ADMINISTRATOR   = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
> > ALLOW_CONFIG          = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
> > ALLOW_OWNER           = FelixWolfheimer@<our_domain>/*.$(UID_DOMAIN)
> > ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/*.$(UID_DOMAIN)
> > ALLOW_NEGOTIATOR = condor_pool@$(UID_DOMAIN)/$(HOSTNAME)
> >
> > 2. Registered the shared secret using condor_store_cred -c add (worked OK)
> >
> > 3. Restarted Condor
> >
> > Now, the daemons can't communicate with the master and in the master
> > log I can see:
> >
> > 06/03/11 17:13:04 Adding to resolved authorization table:
> > unauthenticated@unmapped/10.2.10.7: DENY_DAEMON
> > 06/03/11 17:13:04 PERMISSION DENIED to unauthenticated@unmapped from
> > host 10.2.10.7 for command 60008 (DC_CHILDALIVE), access level DAEMON:
> > reason: DAEMON authorization policy contains no matching ALLOW entry
> > for this request; identifiers used for this host:
> > 10.2.10.7,<our_machine_name>
> >
> > Any idea what could cause this? I've read section 3.6 of the
> > manual carefully and found something about a "map file". Is it
> > necessary to somehow map the "unauthenticated@unmapped" to something
> > meaningful using the map file (To be honest I did not fully understand
> > what the map file does)?
> >
> > Thanks for your help!
>
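As an added example (not code from either poster), a small Python checker for the PERMISSION DENIED records quoted above: it re-joins log records that were wrapped onto several lines, pulls out identity, host, command and access level, and flags records whose identity is unauthenticated@unmapped, the sign Cathrin points to that no authentication took place at all. The second sample record and the host names in it are constructed.

```python
import re

# Field layout of a PERMISSION DENIED record as it appears in the quoted
# master log. Only this record type is parsed; other Condor log lines are
# ignored (assumption: the format matches the quoted entry).
DENIED_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) PERMISSION DENIED to "
    r"(?P<identity>\S+) from host (?P<host>\S+) for command "
    r"(?P<cmd>\d+) \((?P<cmdname>[A-Z_]+)\), access level "
    r"(?P<level>[A-Z_]+): reason: (?P<reason>.*)"
)

# Constructed sample: the first record is the one quoted in the thread
# (wrapped as in the mail); the second is a made-up record for an
# authenticated pool identity, to show the distinction the script draws.
SAMPLE_LOG = """\
06/03/11 17:13:04 PERMISSION DENIED to unauthenticated@unmapped from
host 10.2.10.7 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host:
10.2.10.7,<our_machine_name>
06/03/11 17:20:11 PERMISSION DENIED to condor_pool@example.org from
host 10.2.10.9 for command 60008 (DC_CHILDALIVE), access level DAEMON:
reason: DAEMON authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host: 10.2.10.9,node9
"""


def join_wrapped(text):
    """Glue continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in text.splitlines():
        if re.match(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_denials(text):
    """Return one dict per PERMISSION DENIED record found in text."""
    out = []
    for rec in join_wrapped(text):
        m = DENIED_RE.search(rec)
        if m:
            d = m.groupdict()
            # Condor reports this identity when no authentication method ran,
            # so no user- or pool-based ALLOW_* entry can ever match it.
            d["unauthenticated"] = d["identity"] == "unauthenticated@unmapped"
            out.append(d)
    return out
```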