
Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds



On Thu, Aug 07, 2014 at 03:32:15PM +0100, L Kreczko wrote:
> Hi Brian,
> 
> Thanks again for your answer.

All good suggestions.  I would add that you should use debug level "D_ALL:2"
which will include every debug message.  It's *very* verbose but then nothing
will slip through the cracks.


> > The combination of the "_condor_TOOL_DEBUG" env var and "-debug" should cause the same amount of information to be logged to the console.
> Thanks, that provided some more clues:
> 08/07/14 15:24:32 KERBEROS: krb5_unparse_name: host/lcgce02.phy.bris.ac.uk@

This line hints at the problem.  There is nothing after the '@' sign, which
seems to mean that the Kerberos realm is somehow not defined.  This is what
is causing the mapping to fail.

Can you post (or send off-list) any relevant entries from your condor_config
that specify anything Kerberos related?

FYI, this is code that is trying to build the server principal so the client
knows who it is authenticating with.  The user will have a user credential,
typically of the form user@REALM (e.g. zmiller@xxxxxxxxxx) and the daemons will
typically use principals that exist in a keytab file (e.g.
host/lcgce02.phy.bris.ac.uk@xxxxxxxxxx).


> From the lines above I assume I have to set up host principals for the
> schedulers and the worker nodes. Is that correct? I thought (based on a
> previous answer on this mailing list) that they are not needed.

Yes, they are needed.  Kerberos does mutual client/server authentication so
both sides need some credential.


Cheers,
-zach
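As an added illustration of the diagnosis in the reply above (example code written for this page, not code from the thread or from HTCondor), the following Python snippet parses principals of the two shapes Zach describes, flags the realm-less one from the quoted log line, and shows a simple realm-restricted mapping of user@REALM to a local user name. The realm EXAMPLE.REALM and the two extra log lines are constructed sample data.

```python
import re

# Constructed sample log lines modelled on the one quoted in the thread.
# EXAMPLE.REALM is a placeholder, not the poster's real realm.
SAMPLE_LOG = """\
08/07/14 15:24:32 KERBEROS: krb5_unparse_name: host/lcgce02.phy.bris.ac.uk@
08/07/14 15:24:40 KERBEROS: krb5_unparse_name: zmiller@EXAMPLE.REALM
08/07/14 15:24:41 KERBEROS: krb5_unparse_name: host/wn01.example.org@EXAMPLE.REALM
"""

# Pulls the principal out of a krb5_unparse_name debug line.
PRINCIPAL_RE = re.compile(r"krb5_unparse_name: (?P<principal>\S+)$")


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into its parts.

    Returns a dict with primary, instance (None for plain user principals)
    and realm.  An empty realm (the symptom in the log above) is returned
    as '' so callers can flag it.  Escaped '@' characters are not handled.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("no '@' in principal: %r" % principal)
    primary, _, instance = name.partition("/")
    return {"primary": primary, "instance": instance or None, "realm": realm}


def map_to_local_user(principal, allowed_realms):
    """Hypothetical realm-restricted mapping: user@REALM -> user.

    Service principals (host/...) and principals from an unknown or empty
    realm map to None, i.e. they get no local user name.
    """
    p = parse_principal(principal)
    if p["instance"] is not None or p["realm"] not in allowed_realms:
        return None
    return p["primary"]


def find_realmless_principals(log_text):
    """Return every logged principal that has nothing after the '@'."""
    bad = []
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m and parse_principal(m.group("principal"))["realm"] == "":
            bad.append(m.group("principal"))
    return bad
```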