
[HTCondor-users] Authentication issue



Hi,

I get this message in my CollectorLog on host a.b.c.d,X.Y.Z every time
after a 'service condor restart' on host:

09/15/14 11:25:20 SECMAN: command 19 UPDATE_COLLECTOR_AD to collector
X.Y.Z from UDP port 59738 (blocking, raw).
09/15/14 11:25:20 ERROR: SECMAN:2009:DENIED authorization of server
'unauthenticated@unmapped/a.b.c.d' (I am acting as the client):
reason: CLIENT authorization policy contains no matching ALLOW entry
for this request; identifiers used for this host: a.b.c.d,X.Y.Z,
hostname size = 1, original ip address = a.b.c.d.
09/15/14 11:25:20 Unable to send UPDATE_COLLECTOR_AD to all configured
collectors


It looks like a locally sent command. This message is in the
CollectorLog, and it's an UPDATE_COLLECTOR_AD, so I guess the daemon
sends a command to itself (?).

The strange part is unauthenticated@unmapped. I have these settings on
every node:

# Authentication
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_CLIENT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = GSI,KERBEROS
SEC_CLIENT_AUTHENTICATION_METHODS = GSI,KERBEROS

With this certificate_mapfile:
KERBEROS ^([^@/]*)@(.*)$ \1@\2
KERBEROS ^host/([^@]*)@(.*)$ condor-service@\2
GSI /DC=Z/DC=Y/OU=computers/CN=([^/]*).* condor-service@xxx

So I don't understand how it is possible to be mapped to
unauthenticated@unmapped for any daemon/user at all... Authentication
is obligatory, and when it happens, there's no rule which could emit
unauthenticated@xxxxxxxxxxx

Thanks,
Daniel
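
An added example, not part of the original post and not HTCondor code: a small Python evaluator that applies the three certificate_mapfile rules quoted above to constructed identities, to show what canonical names those rules can produce. It assumes rules are tried in file order with the first match for the authentication method winning and that patterns are matched unanchored unless they carry their own anchors; the function names and sample principals are hypothetical.

```python
import re

# The three rules from the post, verbatim: METHOD, regex, canonical name.
MAPFILE = r"""
KERBEROS ^([^@/]*)@(.*)$ \1@\2
KERBEROS ^host/([^@]*)@(.*)$ condor-service@\2
GSI /DC=Z/DC=Y/OU=computers/CN=([^/]*).* condor-service@xxx
"""

def parse_mapfile(text):
    """Return a list of (method, compiled_regex, template) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, pattern, template = line.split(None, 2)
        rules.append((method.upper(), re.compile(pattern), template))
    return rules

def map_identity(rules, method, principal):
    """Apply rules in order; first match for this method wins (assumption).

    Returns the canonical name, or None when no rule matches.
    """
    for rule_method, regex, template in rules:
        if rule_method != method.upper():
            continue
        m = regex.search(principal)  # unanchored search (assumption)
        if m:
            return m.expand(template)  # substitutes \1, \2 backreferences
    return None

RULES = parse_mapfile(MAPFILE)

# Constructed sample identities (not taken from the post).
SAMPLES = [
    ("KERBEROS", "alice@EXAMPLE.ORG"),
    ("KERBEROS", "host/node1.example.org@EXAMPLE.ORG"),
    ("GSI", "/DC=Z/DC=Y/OU=computers/CN=node1.example.org"),
    ("GSI", "/DC=Z/DC=Y/OU=people/CN=Alice"),
]

if __name__ == "__main__":
    for method, principal in SAMPLES:
        print(method, principal, "->", map_identity(RULES, method, principal))
```

The last sample matches no rule and returns None here; how HTCondor names an identity that matches no rule, or a peer that never authenticated, is outside what this sketch models.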