
Re: [HTCondor-users] Authentication for university/local users - kerberos and mapping user names to ClassAds



Hi Zach,


On 7 August 2014 18:20, Zachary Miller <zmiller@xxxxxxxxxxx> wrote:
> On Thu, Aug 07, 2014 at 03:32:15PM +0100, L Kreczko wrote:
>> Hi Brian,
>>
>> Thanks again for your answer.
>
> All good suggestions.  I would add that you should use debug level "D_ALL:2"
> which will include every debug message.  It's *very* verbose but then nothing
> will slip through the cracks.
>
>
>> > The combination of the "_condor_TOOL_DEBUG" env var and "-debug" should cause the same amount of information to be logged to the console.
>> Thanks, that provided some more clues:
>> 08/07/14 15:24:32 KERBEROS: krb5_unparse_name: host/lcgce02.phy.bris.ac.uk@
>
> This line hints at the problem.  There is nothing after the '@' sign, which
> seems to mean that the Kerberos realm is somehow not defined.  This is what
> is causing the mapping to fail.
I see.
>
> Can you post (or send off-list) any relevant entries from your condor_config
> that specify anything Kerberos related?
Sure:

[1]
# Authentication
SEC_PASSWORD_FILE = /etc/condor/pool_password
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_CLIENT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD,FS,KERBEROS
SCHEDD.SEC_WRITE_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
SCHEDD.SEC_DAEMON_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS
SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,CLAIMTOBE,KERBEROS
SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,KERBEROS,CLAIMTOBE
KERBEROS_MAP_FILE = /etc/condor/kerberos.map
CERTIFICATE_MAPFILE = /etc/condor/mapfile

[2]
cat /etc/condor/kerberos.map
ADS.BRIS.AC.UK = phy.bris.ac.uk

[3]
cat /etc/condor/mapfile
FS (.*) \1
FS_REMOTE (.*) \1
GSI (.*) GSS_ASSIST_GRIDMAP
SSL (.*) ssl@unmapped
KERBEROS ([^/]*)/?[^@]*@(.*) \1@\2
NTSSPI (.*) \1
CLAIMTOBE (.*) \1
PASSWORD (.*) \1


[4]
[libdefaults]
 default_realm = ADS.BRIS.AC.UK
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 ADS.BRIS.AC.UK = {
  kdc = ads.bris.ac.uk:88
 }

[domain_realm]
 ads.bris.ac.uk = ADS.BRIS.AC.UK
 .ads.bris.ac.uk = ADS.BRIS.AC.UK

[appdefaults]
validate=false

>
> FYI, this is code that is trying to build the server principal so the client
> knows who is authenticating with.  The user will have a user credential,
> typically of the form user@REALM (e.g. zmiller@xxxxxxxxxx) and the daemons will
> typically use principals that exist in a keytab file (e.g.
> host/lcgce02.phy.bris.ac.uk@xxxxxxxxxx)
>
>
>> From the lines above I assume I have to set up host principals for the
>> schedulers and the workernodes. Is that correct? I thought (based on a
>> previous answer on this mailing list) that they are not needed.
>
> Yes, they are needed.  Kerberos does mutual client/server authentication so
> both sides need some credential.
OK. I am in contact with our IT Services to get this sorted out.
Thanks, this wasn't clear to me.

Cheers,
Luke
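Added example, not from the thread and not HTCondor's own code: a small Python model of the two map files Luke posted ([2] and [3]), used to show what the KERBEROS rule in the mapfile actually produces for a few principals, and why a principal with nothing after the '@' (like the one in the debug line) cannot be mapped at all. Assumptions, since HTCondor's matching details are not on this page: the mapfile regex is matched against the whole authenticated name (modelled with re.fullmatch), the first matching rule for a method wins, quoted regexes containing spaces are not handled, and the realm must appear in KERBEROS_MAP_FILE before mapping proceeds. The principals fed in are constructed for the example.

```python
import re

# Constructed in-memory copies of the two files quoted in the thread
# (not read from /etc/condor; the backslashes are doubled for Python).
CERTIFICATE_MAPFILE = """\
FS (.*) \\1
FS_REMOTE (.*) \\1
GSI (.*) GSS_ASSIST_GRIDMAP
SSL (.*) ssl@unmapped
KERBEROS ([^/]*)/?[^@]*@(.*) \\1@\\2
NTSSPI (.*) \\1
CLAIMTOBE (.*) \\1
PASSWORD (.*) \\1
"""

KERBEROS_MAP_FILE = """\
ADS.BRIS.AC.UK = phy.bris.ac.uk
"""


def parse_mapfile(text):
    """Parse 'METHOD regex canonical' lines into (method, compiled_regex, template).

    Simplification (assumption): regexes with spaces, which HTCondor allows
    when quoted, are not supported here.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, regex, canonical = line.split(None, 2)
        rules.append((method, re.compile(regex), canonical))
    return rules


def parse_realm_map(text):
    """Parse 'REALM = uid.domain' lines into a dict."""
    realms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        realm, domain = (part.strip() for part in line.split("=", 1))
        realms[realm] = domain
    return realms


def map_name(rules, method, authenticated_name):
    """Return the canonical name from the first matching rule, or None.

    Assumption: the regex must match the entire authenticated name.
    """
    for rule_method, regex, canonical in rules:
        if rule_method != method:
            continue
        m = regex.fullmatch(authenticated_name)
        if m:
            # The template uses \1, \2 backreferences, which expand() understands.
            return m.expand(canonical)
    return None


def classify_principal(principal, rules, realms):
    """Describe what the mapping would do with a Kerberos principal.

    Returns one of:
      ("no-realm", principal)          nothing after '@', or no '@' at all
      ("realm-unmapped", realm)        realm absent from KERBEROS_MAP_FILE
      ("unmatched", principal)         no KERBEROS rule matched
      ("mapped", (canonical, domain))  mapped name plus the UID domain
    """
    _, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        # This is the shape of the debug line in the thread: the realm is
        # empty, so there is nothing to look up or map.
        return ("no-realm", principal)
    if realm not in realms:
        return ("realm-unmapped", realm)
    canonical = map_name(rules, "KERBEROS", principal)
    if canonical is None:
        return ("unmatched", principal)
    return ("mapped", (canonical, realms[realm]))


RULES = parse_mapfile(CERTIFICATE_MAPFILE)
REALMS = parse_realm_map(KERBEROS_MAP_FILE)

if __name__ == "__main__":
    for p in ("zmiller@ADS.BRIS.AC.UK",
              "host/lcgce02.phy.bris.ac.uk@ADS.BRIS.AC.UK",
              "host/lcgce02.phy.bris.ac.uk@",
              "someone@OTHER.REALM"):
        print(p, "->", classify_principal(p, RULES, REALMS))
```

Two things the run makes visible that the regex alone does not: the `([^/]*)/?[^@]*@(.*)` rule discards the instance, so every host principal in the realm maps to the same name `host@ADS.BRIS.AC.UK`, and a principal whose realm is empty is rejected before any regex is consulted, which matches Zach's reading of the `krb5_unparse_name` line.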