
Re: [HTCondor-users] Authentication Errors



Hi,

I have been looking into the logs in more detail and this is what I have found.

The StartdLog for a successful task looks like the following.

07/05/16 13:39:39 Authentication was a Success.
07/05/16 13:39:39 ZKM: setting default map to gsi@unmapped
07/05/16 13:39:39 nameGssToLocal returned failure
07/05/16 13:39:39 ZKM: post-map: current user is 'gsi'
07/05/16 13:39:39 ZKM: post-map: current domain is 'unmapped'
07/05/16 13:39:39 ZKM: post-map: current FQU is 'gsi@unmapped'
07/05/16 13:39:39 AUTHENTICATE: Exchanging keys with remote side.
07/05/16 13:39:39 AUTHENTICATE: Result of end of authenticate is 1.
07/05/16 13:39:39 SECMAN: about to enable message authenticator.
07/05/16 13:39:39 SECMAN: successfully enabled message authenticator!

So instead of getting

07/05/16 13:39:39 SECMAN: about to enable message authenticator.
07/05/16 13:39:39 SECMAN: successfully enabled message authenticator!

We are getting

06/26/16 14:31:58 SECMAN: enable_mac has no key to use, failing...
06/26/16 14:31:58 ERROR: SECMAN:2006:Failed to establish a crypto key.|AUTHENTICATE:1004:Failed to authenticate using FS

Does anyone know why we are getting the message "enable_mac has no key to use, failing..." and what we can do to find out more information?

Cheers,

Laurence



On 29/06/16 23:13, Laurence Field wrote:
Hi,

Here are the relevant parts of the StartLog with more verbose debugging information. Please note that I am certain the credential on the machine is fine as I am using it to transfer out the log files.

06/26/16 14:31:38 AUTHENTICATE: will try to use 32 (GSI)
06/26/16 14:31:46 ZKM: VOMS FQAN not present (error 1), ignoring.
06/26/16 14:31:56 valid GSS connection established to /DC=ch/DC=cern/OU=computers/CN=alicondor01.cern.ch
06/26/16 14:31:56 AUTHENTICATE: auth_status == 32 (GSI)
06/26/16 14:31:56 Authentication was a Success.
06/26/16 14:31:56 ZKM: setting default map to gsi@unmapped
06/26/16 14:31:56 nameGssToLocal returned failure
06/26/16 14:31:56 ZKM: post-map: current user is 'gsi'
06/26/16 14:31:56 ZKM: post-map: current domain is 'unmapped'
06/26/16 14:31:56 ZKM: post-map: current FQU is 'gsi@unmapped'
06/26/16 14:31:58 SECMAN: enable_mac has no key to use, failing...
06/26/16 14:31:58 ERROR: SECMAN:2006:Failed to establish a crypto key.|AUTHENTICATE:1004:Failed to authenticate using FS
06/26/16 14:31:58 CCBListener: connection to CCB server alicondor01.cern.ch failed; will try to reconnect in 60 seconds.
06/26/16 14:31:58 HibernationSupportedStates invalid '' in ad from hibernation plugin /usr/libexec/condor/condor_power_state
06/26/16 14:32:05 VM-gahp server reported an internal error

Cheers,

Laurence


On 21/06/16 22:47, Laurence Field wrote:
Thanks, I have updated the configuration but it will be at least a day until we get the new logs.

Cheers,

Laurence

On 21/06/16 22:40, Zach Miller wrote:
Sure, in the condor configuration:

   STARTD_DEBUG  = D_SECURITY:2 D_COMMAND

Or if you want to really go nuts:

   STARTD_DEBUG =  D_ALL:2


The part that puzzled me in the earlier email was I didn't see any message about GSI failing, so it appears it wasn't attempted.  The full log should provide evidence one way or the other.


Cheers,
-zach



-----Original Message-----
From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Laurence Field
Sent: Tuesday, June 21, 2016 3:33 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication Errors

Hi Zach,

What confuses me is that we are spawning many identical VMs with the
same configuration but only a few fail with this error. It should be
authenticating with GSI. I tested the proxy that should be there and it
seems fine. It will be difficult to get that output from affected
machines. Is there anything I can do to add more relevant information in
the StartLog?

Cheers,

Laurence

On 21/06/16 22:15, Zach Miller wrote:
It's not entirely clear from this short snippet, but the root problem
seems to be that authentication failed.
If authentication fails, no keys are exchanged, and so the Integrity and
Encryption will also be doomed to failure.
The FS authentication method only works locally because it uses the /tmp
directory for file creation.  Perhaps you meant to use GSI authentication?
If you want to take this off-list, you can email
htcondor-admin@xxxxxxxxxxx and include the output of:
    condor_config_val -dump SEC_

And I'll see if I see anything obviously incorrect there.


Cheers,
-zach


-----Original Message-----
From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Laurence Field
Sent: Tuesday, June 21, 2016 3:03 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Authentication Errors

Hi,

At least one of the VMs from vLHC@home is having authentication
problems. The StartLog is attached and the corresponding Collector log
is available if needed.

The relevant lines from the StartLog are:

06/19/16 22:49:11 SECMAN: enable_mac has no key to use, failing...
06/19/16 22:49:11 ERROR: SECMAN:2006:Failed to establish a crypto key.|AUTHENTICATE:1004:Failed to authenticate using FS
06/19/16 22:49:11 CCBListener: connection to CCB server alicondor01.cern.ch failed; will try to reconnect in 60 seconds.


Do you have any ideas why we get "SECMAN: enable_mac has no key to use,
failing..." ?

Cheers,

Laurence
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/
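
Added example, not part of the original thread and not HTCondor tooling: a small triage script that groups StartLog lines into authentication attempts and records, for each one, the method that succeeded, whether a key-exchange line was logged, and the method named in the final error. The sample input is constructed from the log excerpts quoted in the thread; the field names and the rule that an attempt ends at either terminal SECMAN line are assumptions of this sketch.

```python
import re

# Constructed sample: success and failure excerpts taken from the thread above.
SAMPLE = """\
07/05/16 13:39:39 Authentication was a Success.
07/05/16 13:39:39 ZKM: post-map: current FQU is 'gsi@unmapped'
07/05/16 13:39:39 AUTHENTICATE: Exchanging keys with remote side.
07/05/16 13:39:39 SECMAN: successfully enabled message authenticator!
06/26/16 14:31:56 AUTHENTICATE: auth_status == 32 (GSI)
06/26/16 14:31:56 Authentication was a Success.
06/26/16 14:31:56 ZKM: post-map: current FQU is 'gsi@unmapped'
06/26/16 14:31:58 SECMAN: enable_mac has no key to use, failing...
06/26/16 14:31:58 ERROR: SECMAN:2006:Failed to establish a crypto key.|AUTHENTICATE:1004:Failed to authenticate using FS
"""

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
FIELDS = {  # field name -> pattern; first group (if any) becomes the value
    "method": re.compile(r"auth_status == \d+ \((\w+)\)"),
    "authenticated": re.compile(r"Authentication was a Success"),
    "fqu": re.compile(r"current FQU is '([^']*)'"),
    "key_exchange": re.compile(r"Exchanging keys with remote side"),
    "failed_method": re.compile(r"Failed to authenticate using (\w+)"),
}
END_OK = "successfully enabled message authenticator"
END_FAIL = "ERROR: SECMAN:2006"

def triage(text):
    """Group StartLog lines into attempts; each ends at MAC enabled or SECMAN:2006."""
    attempts, cur = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or non-log line
        ts, msg = m.groups()
        cur.setdefault("start", ts)
        for name, pat in FIELDS.items():
            hit = pat.search(msg)
            if hit:
                cur[name] = hit.group(1) if pat.groups else True
        if END_OK in msg or END_FAIL in msg:
            cur["outcome"] = "mac_enabled" if END_OK in msg else "no_key"
            cur["end"] = ts
            attempts.append(cur)
            cur = {}
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt)
```

On the sample, the failing attempt shows `authenticated` set with method `GSI`, no `key_exchange` line, and `failed_method` of `FS`, which is the combination worth searching for across many VMs' logs.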