Hi,
I have been looking into the logs in more detail and this is what I
have found.
The StartdLog for a successful task looks like the following.
07/05/16 13:39:39 Authentication was a Success.
07/05/16 13:39:39 ZKM: setting default map to gsi@unmapped
07/05/16 13:39:39 nameGssToLocal returned failure
07/05/16 13:39:39 ZKM: post-map: current user is 'gsi'
07/05/16 13:39:39 ZKM: post-map: current domain is 'unmapped'
07/05/16 13:39:39 ZKM: post-map: current FQU is 'gsi@unmapped'
07/05/16 13:39:39 AUTHENTICATE: Exchanging keys with remote side.
07/05/16 13:39:39 AUTHENTICATE: Result of end of authenticate is 1.
07/05/16 13:39:39 SECMAN: about to enable message authenticator.
07/05/16 13:39:39 SECMAN: successfully enabled message
authenticator!
So instead of getting
07/05/16 13:39:39 SECMAN: about to enable message authenticator.
07/05/16 13:39:39 SECMAN: successfully enabled message
authenticator!
We are getting
06/26/16 14:31:58 SECMAN: enable_mac has no key to use, failing...
06/26/16 14:31:58 ERROR: SECMAN:2006:Failed to establish a crypto
key.|AUTHENTICATE:1004:Failed to authenticate using FS
Does anyone know why we are getting the message "enable_mac has
no key to use, failing..." and what we can do to find out
more information?
Cheers,
Laurence
On 29/06/16 23:13, Laurence Field
wrote:
Hi,
Here are the relevant parts of the StartLog with more verbose
debugging information. Please note that I am certain the
credential on the machine is fine as I am using it to transfer out
the log files.
06/26/16 14:31:38 AUTHENTICATE: will try to use 32 (GSI)
06/26/16 14:31:46 ZKM: VOMS FQAN not present (error 1), ignoring.
06/26/16 14:31:56 valid GSS connection established to
/DC=ch/DC=cern/OU=computers/CN=alicondor01.cern.ch
06/26/16 14:31:56 AUTHENTICATE: auth_status == 32 (GSI)
06/26/16 14:31:56 Authentication was a Success.
06/26/16 14:31:56 ZKM: setting default map to gsi@unmapped
06/26/16 14:31:56 nameGssToLocal returned failure
06/26/16 14:31:56 ZKM: post-map: current user is 'gsi'
06/26/16 14:31:56 ZKM: post-map: current domain is 'unmapped'
06/26/16 14:31:56 ZKM: post-map: current FQU is 'gsi@unmapped'
06/26/16 14:31:58 SECMAN: enable_mac has no key to use, failing...
06/26/16 14:31:58 ERROR: SECMAN:2006:Failed to establish a crypto
key.|AUTHENTICATE:1004:Failed to authenticate using FS
06/26/16 14:31:58 CCBListener: connection to CCB server
alicondor01.cern.ch failed; will try to reconnect in 60 seconds.
06/26/16 14:31:58 HibernationSupportedStates invalid '' in ad from
hibernation plugin /usr/libexec/condor/condor_power_state
06/26/16 14:32:05 VM-gahp server reported an internal error
Cheers,
Laurence
On 21/06/16 22:47, Laurence Field wrote:
Thanks, I have updated the configuration
but it will be at least a day until we get the new logs.
Cheers,
Laurence
On 21/06/16 22:40, Zach Miller wrote:
Sure, in the condor configuration:
STARTD_DEBUG = D_SECURITY:2 D_COMMAND
Or if you want to really go nuts:
STARTD_DEBUG = D_ALL:2
The part that puzzled me in the earlier email was I didn't see
any message about GSI failing, so it appears it wasn't
attempted. The full log should provide evidence one way or
the other.
Cheers,
-zach
-----Original Message-----
From: HTCondor-users
[mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
Of Laurence Field
Sent: Tuesday, June 21, 2016 3:33 PM
To: HTCondor-Users Mail List
<htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication Errors
Hi Zach,
What confuses me is that we are spawning many identical VMs
with the
same configuration but only a few fail with this error. It
should be
authenticating with GSI. I tested the proxy that should be
there and it
seems fine. It will be difficult to get that output from
affected
machines. Is there anything I can do to add more relevant
information in
the StartLog?
Cheers,
Laurence
On 21/06/16 22:15, Zach Miller wrote:
It's not entirely clear from this
short snippet, but the root problem
seems to be that authentication failed.
If authentication fails, no keys are
exchanged, and so the Integrity and
Encryption will also be doomed to failure.
The FS authentication method only
works locally because it uses the /tmp
directory for file creation. Perhaps you meant to use GSI
authentication?
If you want to take this off-list,
you can email htcondor-
admin@xxxxxxxxxxx and include the output of:
condor_config_val -dump SEC_
And I'll see if I see anything obviously incorrect there.
Cheers,
-zach
-----Original Message-----
From: HTCondor-users
[mailto:htcondor-users-bounces@xxxxxxxxxxx] On
Behalf
Of Laurence Field
Sent: Tuesday, June 21, 2016 3:03 PM
To: HTCondor-Users Mail List
<htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Authentication Errors
Hi,
At least one of the VMs from vLHC@home is having
authentication
problems. The StartLog is attached and the corresponding
Collector log
is available if needed.
The relevant lines from the StartLog are:
06/19/16 22:49:11 SECMAN: enable_mac has no key to use,
failing...
06/19/16 22:49:11 ERROR: SECMAN:2006:Failed to establish
a crypto
key.|AUTHENTICATE:1004:Failed to authenticate using FS
06/19/16 22:49:11 CCBListener: connection to CCB server
alicondor01.cern.ch failed; will try to reconnect in 60
seconds.
Do you have any ideas why we get "SECMAN: enable_mac has
no key to use,
failing..." ?
Cheers,
Laurence
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx with
a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to
htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
|