
Re: [HTCondor-users] Authentication issue



Hi Zachary,

Extra piece of info:
# condor_version
$CondorVersion: 8.1.6 May 14 2014 BuildID: 247684 $
$CondorPlatform: x86_64_RedHat6 $

2014-09-15 13:32 GMT+02:00 Zachary Miller <zmiller@xxxxxxxxxxx>:
On Mon, Sep 15, 2014 at 11:43:03AM +0200, Pek Daniel wrote:
> Hi,
>
> I get this message in my CollectorLog on host a.b.c.d,X.Y.Z every time
> after a 'service condor restart' on host:

First question: During "normal operation" (i.e. before a restart) do
you see this in the log at all? If you run "condor_status -collector"
do you see an ad for the Collector?

No, only once after restarting condor. No, there's no collector ad in the output.


> It looks like a locally sent command. This message is in the
> CollectorLog, and it's an UPDATE_COLLECTOR_AD, so I guess the daemon
> sends a command to itself (?).
>
> The strange part is unauthenticated@unmapped. I have these settings on
> every node:

For some special cases, including when a daemon sends commands to itself, it
does so using a different mechanism than the normal security methods. This is
why it's not using GSI or KERBEROS, and likely why you are ending up with the
unauthenticated@unmapped canonical name. However, the same authorization
policies are still being applied.

I don't know if it helps, I tried to set ALLOW_CLIENT = * (of course, it's not an acceptable policy, just out of curiosity, before it was: ALLOW_CLIENT = *@$(UID_DOMAIN)/*.$(DEFAULT_DOMAIN_NAME)), then the collector ad is there, and I got this in the CollectorLog:

09/15/14 13:43:14 SECMAN: command 19 UPDATE_COLLECTOR_AD to collector X.Y.Z from UDP port 55406 (blocking, raw).
09/15/14 13:43:14 DC_AUTHENTICATE: received UDP packet from <a.b.c.d:55406>.
09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19 UPDATE_COLLECTOR_AD.
09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:43:14 Received UDP command 19 (UPDATE_COLLECTOR_AD) from <a.b.c.d:55406>, access level ALLOW
09/15/14 13:43:14 Calling HandleReq <receive_update> (0) for command 19 (UPDATE_COLLECTOR_AD) from unauthenticated@unmapped <a.b.c.d:55406>
09/15/14 13:43:14 CollectorAd : Inserting ** "< name@xxxxx >"
09/15/14 13:43:14 stats: Inserting new hashent for 'Collector':'name@xxxxx':'a.b.c.d'
09/15/14 13:43:14 Return from HandleReq <receive_update> (handler: 0.000s, sec: 0.000s, payload: 0.000s)


The good news is in this particular case, it probably isn't really a problem
and is just noise in the log, but it is definitely something I need to look
into. Thanks for the report... I will investigate, make a ticket, and get back
to you.

Thanks,
Daniel


Cheers,
-zach
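
An added example (not part of the original message, and not HTCondor code): after a test like the ALLOW_CLIENT = * change above, tallying the "PERMISSION GRANTED to unauthenticated user" lines by source host separates the daemon's self-sent updates from grants to any other host. The sample log is constructed in the format quoted in the thread; the address 192.0.2.7 and the `local_hosts` set are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the CollectorLog lines quoted in the thread.
# a.b.c.d stands for the collector's own address; 192.0.2.7 is an assumed other host.
SAMPLE_LOG = """\
09/15/14 13:43:14 DaemonCore received UNAUTHENTICATED command 19 UPDATE_COLLECTOR_AD.
09/15/14 13:43:14 PERMISSION GRANTED to unauthenticated user from host a.b.c.d for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:43:14 Calling HandleReq <receive_update> (0) for command 19 (UPDATE_COLLECTOR_AD) from unauthenticated@unmapped <a.b.c.d:55406>
09/15/14 13:50:02 PERMISSION GRANTED to unauthenticated user from host 192.0.2.7 for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
09/15/14 13:50:02 PERMISSION GRANTED to unauthenticated user from host 192.0.2.7 for command 19 (UPDATE_COLLECTOR_AD), access level ALLOW: reason:
"""

GRANT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) PERMISSION GRANTED to unauthenticated user "
    r"from host (?P<host>\S+) for command (?P<num>\d+) \((?P<name>\w+)\), "
    r"access level (?P<level>\w+)"
)


def unauthenticated_grants(log_text):
    """Yield one dict per 'PERMISSION GRANTED to unauthenticated user' line."""
    for line in log_text.splitlines():
        # Archived logs often carry non-breaking spaces; normalise before matching.
        m = GRANT_RE.match(line.replace("\u00a0", " ").strip())
        if m:
            yield m.groupdict()


def summarize(log_text, local_hosts):
    """Count grants per (host, command, level), split into self-sent and remote."""
    local, remote = Counter(), Counter()
    for g in unauthenticated_grants(log_text):
        key = (g["host"], g["name"], g["level"])
        (local if g["host"] in local_hosts else remote)[key] += 1
    return local, remote


if __name__ == "__main__":
    local, remote = summarize(SAMPLE_LOG, local_hosts={"a.b.c.d"})
    for (host, cmd, level), n in sorted(remote.items()):
        print(f"REVIEW  {n}x {cmd} at level {level} from {host}")
    for (host, cmd, level), n in sorted(local.items()):
        print(f"self    {n}x {cmd} at level {level} from {host}")
```
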
