
Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds



Hi Luke,

Maybe try again with D_SECURITY?  That should provide much more information about the authentication process and failures.

Brian

On Aug 7, 2014, at 6:06 AM, L Kreczko <L.Kreczko@xxxxxxxxxxxxx> wrote:

> Dear all,
> 
> I cannot find a problem with the configuration and I have enabled
> D_FULLDEBUG for one of the schedulers.
> The additional information I get is:
> 08/07/14 12:01:05 DC_AUTHENTICATE: authentication of
> <137.222.79.12:34269> did not result in a valid mapped user name,
> which is required for this command (1112 QMGMT_WRITE_CMD), so
> aborting.
> 08/07/14 12:01:05 DC_AUTHENTICATE: reason for authentication failure:
> AUTHENTICATE:1003:Failed to authenticate with any
> method|AUTHENTICATE:1004:Failed to authenticate using
> KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
> 08/07/14 12:01:07 DC_AUTHENTICATE: authentication of
> <137.222.79.12:39737> did not result in a valid mapped user name,
> which is required for this command (1112 QMGMT_WRITE_CMD), so
> aborting.
> 08/07/14 12:01:07 DC_AUTHENTICATE: reason for authentication failure:
> AUTHENTICATE:1003:Failed to authenticate with any
> method|AUTHENTICATE:1004:Failed to authenticate using
> KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
> 08/07/14 12:01:09 DC_AUTHENTICATE: authentication of
> <137.222.79.12:33654> did not result in a valid mapped user name,
> which is required for this command (1112 QMGMT_WRITE_CMD), so
> aborting.
> 08/07/14 12:01:09 DC_AUTHENTICATE: reason for authentication failure:
> AUTHENTICATE:1003:Failed to authenticate with any
> method|AUTHENTICATE:1004:Failed to authenticate using
> KERBEROS|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
> 
> Where does HTCondor try to map the user?
> The kerberos map file does the translation Kerberos realm ->
> UID.domain and the user exists on submission machine, worker node and
> scheduler.
> HTCondor (8.2.1) is running as root (as per manual).
> 
> I would be very grateful for any suggestions or hints as to what I am
> doing wrong. According to
> https://lists.cs.wisc.edu/archive/htcondor-users/2014-July/msg00103.shtml
> it should work.
> 
> Cheers,
> Luke
> 
> On 10 April 2014 17:43, L Kreczko <L.Kreczko@xxxxxxxxxxxxx> wrote:
>> Dear all,
>> 
>> I am currently trying to enable our university users to use an HTCondor
>> cluster that is configured for the grid (via ARC CE). The goal is to
>> 1) give local users access to the pool
>> 2) provide fine-grained mapping (user -> AccountingGroup) and therefore
>> quota
>> 
>> For this I had a look at the HTCondor documentation for password and
>> kerberos authentication.
>> Password seems easy to set up, but since the local account authentication
>> uses kerberos I wanted to try it first. For this I added [1] in the
>> configuration and [2] on the submitting node as well as the
>> scheduler/negotiator. The values inside '<>' are of course substituted in
>> the actual configs.
>> 
>> However, after getting a kerberos ticket (kinit) I still can't authenticate
>> to condor:
>> AUTHENTICATE:1003:Failed to authenticate with any method
>> AUTHENTICATE:1004:Failed to authenticate using KERBEROS
>> AUTHENTICATE:1004:Failed to authenticate using PASSWORD
>> AUTHENTICATE:1004:Failed to authenticate using FS
>> 
>> Am I missing something or doing something wrong? What is the best way to
>> debug this?
>> 
>> 
>> Secondly once the above works I would like to map individual users.
>> Currently I use [4] to fill the AccountingGroup automatically.
>> For the university users I would like to end up with a structure like
>> physics.astro.<user a>
>> physics.particle.<user b>
>> etc.
>> One way to do it is to assign these users to groups like astro, particle,
>> etc. and assume the 'physics.' part if they don't have a certificate.
>> However, this is problematic as the primary group for all users is, and has
>> to be for various reasons, "users". Therefore I am looking for an
>> alternative way to make this mapping.
>> I had a look at the Unified Map File, but it does map users to a condor user
>> name. Is there an easy way to create AcctGroup, AcctSubGroup?
>> Ideally I would have one file on the scheduler/negotiator with the content
>> # user_name AcctGroup AcctSubGroup
>> <user a> physics astro
>> <user b> physics particle
>> It is easy to make a script to parse the above, so probably the correct
>> question is:
>> How do I make condor use a script (let's say python) in an ifThenElse to fill
>> a ClassAd in [4]?
>> 
>> Sorry for the long email and thank you in advance for any help.
>> 
>> Cheers,
>> Luke
>> 
>> 
>> [1]
>> # Authentication
>> SEC_PASSWORD_FILE = /etc/condor/pool_password
>> SEC_DEFAULT_AUTHENTICATION = REQUIRED
>> SEC_READ_AUTHENTICATION = OPTIONAL
>> SEC_CLIENT_AUTHENTICATION = REQUIRED
>> SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD,FS,KERBEROS
>> SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
>> SCHEDD.SEC_DAEMON_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
>> SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE,KERBEROS
>> SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS,CLAIMTOBE
>> KERBEROS_MAP_FILE = /etc/condor/kerberos.map
>> 
>> [2]
>> cat /etc/condor/kerberos.map
>> <Kerberos realm> = <UID domain>
>> 
>> [3]
>> [libdefaults]
>> default_realm = <Kerberos realm>
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> 
>> [realms]
>> <Kerberos realm> = {
>>  kdc = <server>:88
>> }
>> 
>> [domain_realm]
>> <Kerberos realm> = <Kerberos realm>
>> .<Kerberos realm> = <Kerberos realm>
>> 
>> [4]
>> AcctSubGroup = \
>> ifThenElse(regexp("prd",Owner), "production",\
>> ifThenElse(regexp("pil",Owner),"pilot",\
>> ifThenElse(regexp("sgm",Owner),"admin",\
>> x509UserProxyVOName)))
>> # This one is not useful for grid sites but is useful if you want to
>> # implement user based quotas:
>> # group_<name>.<subgroup>.<user name>
>> AcctGroup = strcat("group_", x509UserProxyVOName, ".",AcctSubGroup, ".",
>> Owner)
>> # condor uses AcctGroup, but some monitoring scripts use AccountingGroup
>> # let's have both.
>> AccountingGroup = $(AcctGroup)
>> ConcurrencyLimits = strcat(AcctGroup, ",", AcctSubGroup, ",", Owner)
>> SUBMIT_EXPRS = $(SUBMIT_EXPRS) AcctGroup, AcctSubGroup, AccountingGroup,
>> ConcurrencyLimits
>> --
>> *********************************************************
>>  Dr Lukasz Kreczko            +44 (0)117 928 8724
>>  CMS Group
>>  School of Physics
>>  University of Bristol
>> *********************************************************
> 
> 
> 
> -- 
> *********************************************************
>  Dr Lukasz Kreczko            +44 (0)117 928 8724
>  CMS Group
>  School of Physics
>  University of Bristol
> *********************************************************
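As an added illustration of the two mapping rules Luke describes (not code from the thread or from HTCondor), the following Python models the [4] ifThenElse chain for grid users and the proposed "user_name AcctGroup AcctSubGroup" file for local users, and builds the AcctGroup/AccountingGroup/ConcurrencyLimits values that [4] assembles. The map-file contents and user names are constructed samples; how such a script would be invoked from HTCondor at submit time is not answered on this page and is left out.

```python
import re

# Constructed sample of the map file proposed in the thread
# ("# user_name AcctGroup AcctSubGroup"); names are made up.
LOCAL_USER_MAP = """\
# user_name AcctGroup AcctSubGroup
alice physics astro
bob   physics particle
"""


def parse_user_map(text):
    """Parse 'user AcctGroup AcctSubGroup' lines into a dict.
    Comments and blank lines are skipped; malformed lines are rejected
    rather than silently producing a wrong accounting group."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        user, group, subgroup = fields
        mapping[user] = (group, subgroup)
    return mapping


def grid_subgroup(owner, vo_name):
    """Python rendering of the ifThenElse chain in [4]; ClassAd regexp()
    is an unanchored match, so re.search is the equivalent."""
    if re.search("prd", owner):
        return "production"
    if re.search("pil", owner):
        return "pilot"
    if re.search("sgm", owner):
        return "admin"
    return vo_name


def accounting_attrs(owner, vo_name, user_map):
    """Attributes for one job: local users (no proxy, vo_name is None)
    come from the map file, grid users from the [4] expressions."""
    if vo_name is None:
        if owner not in user_map:
            raise KeyError(f"no accounting mapping for local user {owner!r}")
        group, subgroup = user_map[owner]
    else:
        group, subgroup = "group_" + vo_name, grid_subgroup(owner, vo_name)
    acct_group = f"{group}.{subgroup}.{owner}"   # e.g. physics.astro.alice
    return {"AcctSubGroup": subgroup, "AcctGroup": acct_group,
            "AccountingGroup": acct_group,
            "ConcurrencyLimits": f"{acct_group},{subgroup},{owner}"}
```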