
Re: [HTCondor-users] host based authentication for condor_submit -remote

Hi Alexei,

So, there are two related concepts here:
- Authentication: Establishing the identity of the client
- Authorization: Specifying what the authenticated client is allowed to do.

ALLOW_READ / ALLOW_WRITE specifies an authorization.  Once the client has been authenticated, these are applied.

From the message you receive, it appears that there is a failure in authentication: it looks like it has tried GSI, KERBEROS, and FS.

If you just want host-based authentication, you probably want to enable the CLAIMTOBE mode: that allows the client to simply assert an identity, and the server will believe it.

Likely, this means adding the following to the server config:

And this to the client config:

Here's some further reading on the security configuration:


Of course, for systems not on dedicated networks, CLAIMTOBE is fairly weak.  Further, even on dedicated networks, having stronger authentication methods is part of a good defense-in-depth strategy.

Hope this helps!


> On Jul 18, 2016, at 11:00 AM, Alexei Dvoretskii <advoretskii@xxxxxxxxxxxxxxxxxx> wrote:
> Hi.
> Is there an easy way to configure HTCondor to allow user.mycompany.com to submit jobs to the schedd running on submit.mycompany.com?
> When I run:
> [user] $ condor_submit -pool master.mycompany.com -remote submit.mycompany.com job.submit
> I get something like:
> ERROR: Failed to connect to queue manager submit.companyname.com
> AUTHENTICATE:1003:Failed to authenticate with any method
> AUTHENTICATE:1004:Failed to authenticate using GSI
> GSI:5003:Failed to authenticate.  Globus is reporting error (851968:50).  There is probably a problem with your credentials. (Did you run grid-proxy-init?)
> AUTHENTICATE:1004:Failed to authenticate using KERBEROS
> AUTHENTICATE:1004:Failed to authenticate using FS
> /etc/condor/condor_config on submit.mycompany.com has:
> ALLOW_READ = *.mycompany.com
> ALLOW_WRITE = *.mycompany.com
> is there some other kind of ALLOW_ parameter that needs to be set? Or is it that host-based security must always go with some kind of certificate based authentication scheme?
> Thank you.
> Alexei.
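
The two stages described in the reply, as a simplified Python model added here (not part of the original thread and not HTCondor's code): authentication is attempted first, and ALLOW_WRITE is only consulted once a method has succeeded. The `can_complete` preconditions, the `submit` helper and the client dictionary are assumptions for illustration.

```python
import fnmatch
import re

# Error text as quoted in the thread, one error-stack entry per line.
ERROR = """ERROR: Failed to connect to queue manager submit.companyname.com
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using GSI
GSI:5003:Failed to authenticate.  Globus is reporting error (851968:50).
AUTHENTICATE:1004:Failed to authenticate using KERBEROS
AUTHENTICATE:1004:Failed to authenticate using FS"""

def methods_tried(error_text):
    """Authentication methods named in AUTHENTICATE:1004 entries, in order."""
    return re.findall(r"AUTHENTICATE:1004:Failed to authenticate using (\w+)", error_text)

def can_complete(method, client):
    """Assumed per-method preconditions (simplified model, not HTCondor logic)."""
    if method == "CLAIMTOBE":
        return True                         # server believes the asserted identity
    if method == "FS":
        return client["same_host"]          # proof is a file on the server's local disk
    return method in client["credentials"]  # e.g. a GSI proxy or a Kerberos ticket

def submit(client, server_methods, allow_write):
    """Stage 1: authenticate. Stage 2: authorize, only if stage 1 succeeded."""
    offered = [m for m in server_methods if m in client["methods"]]
    method = next((m for m in offered if can_complete(m, client)), None)
    if method is None:
        return "authentication failed (tried %s)" % ", ".join(offered)
    if not any(fnmatch.fnmatch(client["host"], pat) for pat in allow_write):
        return "authenticated via %s, WRITE denied" % method
    return "authenticated via %s, WRITE allowed" % method

# Constructed client matching the thread: remote host, no proxy and no ticket.
CLIENT = {"host": "user.mycompany.com", "same_host": False,
          "credentials": set(), "methods": ["GSI", "KERBEROS", "FS"]}
ALLOW_WRITE = ["*.mycompany.com"]   # value from the quoted condor_config

if __name__ == "__main__":
    tried = methods_tried(ERROR)
    print(tried)
    print(submit(CLIENT, tried, ALLOW_WRITE))   # never reaches ALLOW_WRITE
    both = dict(CLIENT, methods=CLIENT["methods"] + ["CLAIMTOBE"])
    print(submit(both, tried + ["CLAIMTOBE"], ALLOW_WRITE))
    outsider = dict(both, host="user.example.org")
    print(submit(outsider, tried + ["CLAIMTOBE"], ALLOW_WRITE))
```

With CLAIMTOBE enabled on both sides, the only remaining control in this model is the ALLOW_WRITE host pattern, which is the weakness the reply points out for systems not on dedicated networks.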