Re: [HTCondor-users] host based authentication for condor_submit -remote

[Brian Bockelman <bbockelm@xxxxxxxxxxx>]

> On Jul 27, 2016, at 2:14 PM, Fox, Kevin M <Kevin.Fox@xxxxxxxx> wrote:
> 
> Bummer. Ok.
> 
> I ran into some issues trying FS-REMOTE with LDAP. wasn't working correctly. Couldn't resolve the uid for some reason. but worked fine with a getent passwd username
> 

That’s worth debugging.  It’s certainly expected to work.

Try setting the debug on the client side and schedd side to D_FULLDEBUG|D_SECURITY, then sending it here or the support email address (the support email address keeps the debug logs private, but then I won’t be able to help...).

> Is there any way with host based to limit it to just a few specific users at least, rather then giving access to all users?
> 
> I did try and make a quick ssl ca for users to test some things, but I haven't figured out how to do revocations. Any ideas there?
> 
> I'm trying to keep things relatively simple to support remote job submission, and full blown gsi seems like overkill, but may be the only way to actually secure the channel?

I think GSI is common in the communities that already do GSI heavily (for example, in the HEP or LHC communities).

In general, I suspect KRB5 for authentication is more widespread.

Brian