
Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds



Dear all,

I cannot find a problem with the configuration and I have enabled
D_FULLDEBUG for one of the schedulers.
The additional information I get is:
08/07/14 12:01:05 DC_AUTHENTICATE: authentication of
<137.222.79.12:34269> did not result in a valid mapped user name,
which is required for this command (1112 QMGMT_WRITE_CMD), so
aborting.
08/07/14 12:01:05 DC_AUTHENTICATE: reason for authentication failure:
AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using
KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
08/07/14 12:01:07 DC_AUTHENTICATE: authentication of
<137.222.79.12:39737> did not result in a valid mapped user name,
which is required for this command (1112 QMGMT_WRITE_CMD), so
aborting.
08/07/14 12:01:07 DC_AUTHENTICATE: reason for authentication failure:
AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using
KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
08/07/14 12:01:09 DC_AUTHENTICATE: authentication of
<137.222.79.12:33654> did not result in a valid mapped user name,
which is required for this command (1112 QMGMT_WRITE_CMD), so
aborting.
08/07/14 12:01:09 DC_AUTHENTICATE: reason for authentication failure:
AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using
KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD

Where does HTCondor try to map the user?
The Kerberos map file does the translation Kerberos realm ->
UID.domain and the user exists on submission machine, worker node and
scheduler.
HTCondor (8.2.1) is running as root (as per manual).

I would be very grateful for any suggestions or hints as to what I am
doing wrong. According to
https://lists.cs.wisc.edu/archive/htcondor-users/2014-July/msg00103.shtml
it should work.

Cheers,
Luke

On 10 April 2014 17:43, L Kreczko <L.Kreczko@xxxxxxxxxxxxx> wrote:
> Dear all,
>
> I am currently trying to enable our university users to use an HTCondor
> cluster that is configured for the grid (via ARC CE). The goal is to
> 1) give local users access to the pool
> 2) provide fine-grained mapping (user -> AccountingGroup) and therefore
> quota
>
> For this I had a look at the HTCondor documentation for password and
> Kerberos authentication.
> Password seems easy to set up, but since the local account authentication
> uses Kerberos, I wanted to try it first. For this I added [1] in the
> configuration and [2] on the submitting node as well as the
> scheduler/negotiator. The values inside '<>' are of course substituted in
> the actual configs.
>
> However, after getting a Kerberos ticket (kinit) I still can't authenticate
> to condor:
> AUTHENTICATE:1003:Failed to authenticate with any method
> AUTHENTICATE:1004:Failed to authenticate using KERBEROS
> AUTHENTICATE:1004:Failed to authenticate using PASSWORD
> AUTHENTICATE:1004:Failed to authenticate using FS
>
> Am I missing something or doing something wrong? What is the best way to
> debug this?
>
>
> Secondly once the above works I would like to map individual users.
> Currently I use [4] to fill the AccountingGroup automatically.
> For the university users I would like to end up with a structure like
> physics.astro.<user a>
> physics.particle.<user b>
> etc.
> One way to do it is to assign these users to groups like astro, particle,
> etc and assume the 'physics.' part if they don't have a certificate.
> However, this is problematic as the primary group for all users is, and has
> to be for various reasons, "users". Therefore I am looking for an
> alternative way to make this mapping.
> I had a look at the Unified Map File, but it does map users to a condor user
> name. Is there an easy way to create AcctGroup, AcctSubGroup?
> Ideally I would have one file on the scheduler/negotiator with the content
> # user_name AcctGroup AcctSubGroup
> <user a> physics astro
> <user b> physics particle
> It is easy to make a script to parse the above, so probably the correct
> question is:
> How do I make condor use a script (let's say Python) in an ifThenElse to fill
> a ClassAd in [4]?
>
> Sorry for the long email and thank you in advance for any help.
>
> Cheers,
> Luke
>
>
> [1]
> # Authentication
> SEC_PASSWORD_FILE = /etc/condor/pool_password
> SEC_DEFAULT_AUTHENTICATION = REQUIRED
> SEC_READ_AUTHENTICATION = OPTIONAL
> SEC_CLIENT_AUTHENTICATION = REQUIRED
> SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD,FS,KERBEROS
> SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
> SCHEDD.SEC_DAEMON_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
> SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE,KERBEROS
> SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS,CLAIMTOBE
> KERBEROS_MAP_FILE = /etc/condor/kerberos.map
>
> [2]
> cat /etc/condor/kerberos.map
> <Kerberos realm> = <UID domain>
>
> [3]
> [libdefaults]
>  default_realm = <Kerberos realm>
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  <Kerberos realm> = {
>   kdc = <server>:88
>  }
>
> [domain_realm]
>  <Kerberos realm> = <Kerberos realm>
>  .<Kerberos realm> = <Kerberos realm>
>
> [4]
> AcctSubGroup = \
> ifThenElse(regexp("prd",Owner), "production",\
> ifThenElse(regexp("pil",Owner),"pilot",\
> ifThenElse(regexp("sgm",Owner),"admin",\
> x509UserProxyVOName)))
> # This one is not useful for grid sites but is useful if you want to
> # implement user based quotas:
> # group_<name>.<subgroup>.<user name>
> AcctGroup = strcat("group_", x509UserProxyVOName, ".", AcctSubGroup, ".", Owner)
> # condor uses AcctGroup, but some monitoring scripts use AccountingGroup
> # let's have both.
> AccountingGroup = $(AcctGroup)
> ConcurrencyLimits = strcat(AcctGroup, ",", AcctSubGroup, ",", Owner)
> SUBMIT_EXPRS = $(SUBMIT_EXPRS) AcctGroup, AcctSubGroup, AccountingGroup, ConcurrencyLimits
> --
> *********************************************************
>   Dr Lukasz Kreczko            +44 (0)117 928 8724
>   CMS Group
>   School of Physics
>   University of Bristol
> *********************************************************



-- 
*********************************************************
  Dr Lukasz Kreczko            +44 (0)117 928 8724
  CMS Group
  School of Physics
  University of Bristol
*********************************************************
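As an added example (not from Luke's message and not HTCondor code): a small Python script that parses DC_AUTHENTICATE failure entries of the kind shown in the message, pairs each "did not result in a valid mapped user name" entry with the "reason for authentication failure" entry that follows it, and reports per client which methods were actually attempted. Comparing that set with the methods configured for the daemon (here SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS from [1]) shows which configured methods were never negotiated at all. The sample log text is constructed from the excerpt in the thread, with each entry rejoined onto one line as the daemon writes it.

```python
import re
from collections import Counter

# Constructed sample in the format of the SchedLog excerpt quoted in the thread
# (one entry per line, as the daemon writes it; the mail client wrapped the original).
SAMPLE_LOG = """\
08/07/14 12:01:05 DC_AUTHENTICATE: authentication of <137.222.79.12:34269> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
08/07/14 12:01:05 DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
08/07/14 12:01:07 DC_AUTHENTICATE: authentication of <137.222.79.12:39737> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
08/07/14 12:01:07 DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
08/07/14 12:01:09 DC_AUTHENTICATE: authentication of <137.222.79.12:33654> did not result in a valid mapped user name, which is required for this command (1112 QMGMT_WRITE_CMD), so aborting.
08/07/14 12:01:09 DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
"""

TS = r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ABORT_RE = re.compile(
    TS + r" DC_AUTHENTICATE: authentication of <(?P<ip>[\d.]+):(?P<port>\d+)> "
    r"did not result in a valid mapped user name, which is required for this "
    r"command \((?P<cmd_id>\d+) (?P<cmd>\w+)\)"
)
REASON_RE = re.compile(TS + r" DC_AUTHENTICATE: reason for authentication failure: (?P<reasons>.*)$")
# Only the per-method fragments carry "using <METHOD>"; the leading 1003 summary does not.
METHOD_RE = re.compile(r"AUTHENTICATE:\d+:Failed to authenticate using (?P<method>\w+)")


def parse_auth_failures(log_text):
    """Pair each 'did not result in a valid mapped user name' entry with the
    'reason for authentication failure' entry that follows it (same timestamp)."""
    events = []
    for line in log_text.splitlines():
        m = ABORT_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "port": int(m["port"]),
                           "cmd": m["cmd"], "methods_failed": []})
            continue
        m = REASON_RE.match(line)
        if m and events and not events[-1]["methods_failed"] and events[-1]["ts"] == m["ts"]:
            events[-1]["methods_failed"] = [x["method"] for x in METHOD_RE.finditer(m["reasons"])]
    return events


def summarize(events):
    """Counts per client and per command, plus the set of methods that were really tried."""
    return {
        "by_client": Counter(e["ip"] for e in events),
        "by_command": Counter(e["cmd"] for e in events),
        "methods_attempted": sorted({meth for e in events for meth in e["methods_failed"]}),
    }


def never_attempted(configured_methods, events):
    """Methods listed in the daemon's *_AUTHENTICATION_METHODS that no failing
    client even got to try (not negotiated, or not offered by the client)."""
    attempted = set(summarize(events)["methods_attempted"])
    return [meth for meth in configured_methods if meth not in attempted]


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_LOG)
    print(summarize(evs))
    # SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS from config [1] in the thread:
    print("never attempted:", never_attempted(["FS", "PASSWORD", "KERBEROS"], evs))
```

Two things worth reading off the result: the reason string says KERBEROS itself failed, and the map file is only consulted after a method has succeeded, so the "valid mapped user name" wording is a consequence of the failed authentication rather than a mapping problem; and FS does not appear in the attempted set for this remote client, so only KERBEROS and PASSWORD were negotiated for QMGMT_WRITE_CMD. The 1004 codes give no Kerberos detail; adding D_SECURITY to SCHEDD_DEBUG (and to TOOL_DEBUG on the submit side) is where the underlying Kerberos error shows up.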
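For the second question in the quoted message (one file mapping user -> AcctGroup/AcctSubGroup, turned into a ClassAd expression for [4]): an added example in Python, not code from the thread or from HTCondor, that parses a file in the proposed "user_name AcctGroup AcctSubGroup" layout and emits a nested ifThenElse() chain in the style of [4]. The user names alice/bob, the allowed-name regex and the default expressions for unmapped users are assumptions. It refuses any field that is not a plain name instead of trying to escape it, because the file's contents end up as ClassAd text in the schedd's configuration, and it compares with =?= rather than == so the Owner match is case-sensitive.

```python
import re

# Only plain account/group names may be interpolated into the ClassAd expression.
# Anything else (quotes, parentheses, operators) is refused rather than escaped,
# because the map file becomes ClassAd text in the schedd's config. (Assumed policy.)
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed map file in the layout proposed in the thread
# ("user_name AcctGroup AcctSubGroup"); the user names are invented.
SAMPLE_MAP = """\
# user_name AcctGroup AcctSubGroup
alice physics astro
bob   physics particle   # trailing comment
"""


def parse_group_map(text):
    """Return {user: (group, subgroup)}; reject malformed, duplicate or unsafe lines."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'user group subgroup', got {raw!r}")
        user, group, sub = fields
        for f in fields:
            if not NAME_RE.match(f):
                raise ValueError(f"line {lineno}: illegal characters in {f!r}")
        if user in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {user}")
        mapping[user] = (group, sub)
    return mapping


def build_expr(mapping, index, default_expr):
    """Nested ifThenElse(Owner =?= "<user>", "<value>", ...) chain, innermost = default_expr.
    index 0 selects the AcctGroup column, 1 the AcctSubGroup column.
    =?= ("is") is the case-sensitive string comparison and never yields UNDEFINED."""
    expr = default_expr
    for user, values in sorted(mapping.items(), reverse=True):
        expr = f'ifThenElse(Owner =?= "{user}", "{values[index]}", {expr})'
    return expr


def render_config(mapping):
    """Config fragment in the style of [4]: mapped users get the file's group/subgroup,
    unmapped (grid) users fall back to the x509-derived values (assumed defaults)."""
    acct_group = build_expr(mapping, 0, 'strcat("group_", x509UserProxyVOName)')
    acct_sub = build_expr(mapping, 1, "x509UserProxyVOName")
    return "\n".join([
        f"AcctGroup = {acct_group}",
        f"AcctSubGroup = {acct_sub}",
        'AccountingGroup = strcat(AcctGroup, ".", AcctSubGroup, ".", Owner)',
        "SUBMIT_EXPRS = $(SUBMIT_EXPRS) AcctGroup, AcctSubGroup, AccountingGroup",
    ]) + "\n"


def resolve(mapping, owner, vo_name):
    """Python-side model of what the generated AccountingGroup evaluates to for a job
    Owner, so the map can be sanity-checked before it is deployed."""
    if owner in mapping:
        group, sub = mapping[owner]
        return f"{group}.{sub}.{owner}"
    return f"group_{vo_name}.{vo_name}.{owner}"


if __name__ == "__main__":
    print(render_config(parse_group_map(SAMPLE_MAP)))
```

One caveat for the quota use case: SUBMIT_EXPRS is applied by condor_submit from the client's configuration, so a submitter who carries their own config or adds a +AcctGroup line to the submit file can set these attributes to whatever they like. If the accounting group is meant to enforce quota, the value also has to be set or checked on the schedd side (SUBMIT_REQUIREMENT_NAMES on releases that have it). Later HTCondor releases also add a userMap() ClassAd function fed by CLASSAD_USER_MAPFILE_<name>, which does this lookup natively without generating configuration.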