[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds
- Date: Thu, 7 Aug 2014 12:20:52 -0500
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds
On Thu, Aug 07, 2014 at 03:32:15PM +0100, L Kreczko wrote:
> Hi Brian,
> Thanks again for your answer.
All good suggestions. I would add that you should use debug level "D_ALL:2"
which will include every debug message. It's *very* verbose but then nothing
will slip through the cracks.
> > The combination of the "_condor_TOOL_DEBUG" env var and "-debug" should cause the same amount of information to be logged to the console.
> Thanks, that provided some more clues:
> 08/07/14 15:24:32 KERBEROS: krb5_unparse_name: host/lcgce02.phy.bris.ac.uk@
This line hints at the problem. There is nothing after the '@' sign, which
seems to mean that the Kerberos realm is somehow not defined. This is what
is causing the mapping to fail.
Can you post (or send off-list) any relevant entries from your condor_config
that specify anything Kerberos related?
FYI, this is code that is trying to build the server principal so the client
knows who is authenticating with. The user will have a user credential,
typically of the form user@REALM (e.g. zmiller@xxxxxxxxxx) and the daemons will
typically use principals that exist in a keytab file (e.g.
> From the lines above I assume I have to set-up host principals for the
> schedulers and the workernodes. Is that correct? I thought (based on a
> previous answer on this mailing list) that they are not needed.
Yes, they are needed. Kerberos does mutual client/server authentication so
both sides need some credential.