
Re: [HTCondor-users] Kerberos client/server authentication failed



Hello Todd,

When I enable that level of debugging, I get the following from the CollectorLog:

01/03/17 15:13:07 KEYCACHE: created: 0x21fe9d0
01/03/17 15:13:07 Setting maximum file descriptors to 10240.
01/03/17 15:13:07 ******************************************************
01/03/17 15:13:07 ** condor_collector (CONDOR_COLLECTOR) STARTING UP
01/03/17 15:13:07 ** /usr/sbin/condor_collector
01/03/17 15:13:07 ** SubsystemInfo: name=COLLECTOR type=COLLECTOR(3)
class=DAEMON(1)
01/03/17 15:13:07 ** Configuration: subsystem:COLLECTOR local:<NONE>
class:DAEMON
01/03/17 15:13:07 ** $CondorVersion: 8.4.10 Dec 13 2016 BuildID: 390598 $
01/03/17 15:13:07 ** $CondorPlatform: x86_64_RedHat7 $
01/03/17 15:13:07 ** PID = 18545
01/03/17 15:13:07 ** Log last touched time unavailable (No such file or
directory)
01/03/17 15:13:07 ******************************************************
01/03/17 15:13:07 Using config source: /etc/condor/condor_config
01/03/17 15:13:07 Using local config sources:
01/03/17 15:13:07    /etc/condor/config.d/00-MasterNode.conf
01/03/17 15:13:07    /etc/condor/config.d/01-Security.conf
01/03/17 15:13:07    /etc/condor/config.d/41-SharedPort.conf
01/03/17 15:13:07    /etc/condor/config.d/50-Ganglia.conf
01/03/17 15:13:07    /etc/condor/config.d/80-DEBUG.conf
01/03/17 15:13:07 config Macros = 222, Sorted = 222, StringBytes = 7102,
TablesBytes = 8072
01/03/17 15:13:07 CLASSAD_CACHING is ENABLED
01/03/17 15:13:07 Daemon Log is logging: D_ALWAYS D_ERROR D_SECURITY
01/03/17 15:13:07 SharedPortEndpoint: waiting for connections to named
socket collector
01/03/17 15:13:07 SECMAN: created non-negotiated security session
929af8d49658321e7a2a9caa1304e456cbc7349547ebf79f for 0 (inf) seconds.
01/03/17 15:13:07 SECMAN: now creating non-negotiated command mappings
01/03/17 15:13:07 IpVerify::PunchHole: opened DAEMON level to condor@parent
01/03/17 15:13:07 IpVerify::PunchHole: opened WRITE level to condor@parent
01/03/17 15:13:07 IpVerify::PunchHole: opened READ level to condor@parent
01/03/17 15:13:07 IpVerify::PunchHole: open count at level READ for
condor@parent now 2
01/03/17 15:13:07 DaemonCore: non-shared command socket at
<192.168.6.12:31001>
01/03/17 15:13:07 Daemoncore: Listening at <0.0.0.0:31001> on TCP
(ReliSock) and UDP (SafeSock).
01/03/17 15:13:07 DaemonCore: command socket at
<192.168.6.12:9618?addrs=192.168.6.12-9618&noUDP&sock=collector>
01/03/17 15:13:07 DaemonCore: private command socket at
<192.168.6.12:9618?addrs=192.168.6.12-9618&noUDP&sock=collector>
01/03/17 15:13:07 In ViewServer::Init()
01/03/17 15:13:07 In CollectorDaemon::Init()
01/03/17 15:13:07 In ViewServer::Config()
01/03/17 15:13:07 In CollectorDaemon::Config()
01/03/17 15:13:07 ABSENT_REQUIREMENTS = None
01/03/17 15:13:07 OfflineCollectorPlugin::configure: no persistent store
was defined for off-line ads.
01/03/17 15:13:07 enable: Creating stats hash table
01/03/17 15:13:07 Enabling CCB Server.
01/03/17 15:13:07 m_reconnect_fname =
/var/lib/condor/spool/192.168.6.12-9618.ccb_reconnect
01/03/17 15:13:07 SECMAN: command 60008 DC_CHILDALIVE to daemon at
<192.168.6.12:9618> from TCP port 39172 (blocking).
01/03/17 15:13:07 SECMAN: using session
929af8d49658321e7a2a9caa1304e456cbc7349547ebf79f for
{<192.168.6.12:9618?addrs=192.168.6.12-9618&noUDP&sock=18518_62de>,<60008>}.
01/03/17 15:13:07 SECMAN: startCommand succeeded.
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission ALLOW
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission READ
01/03/17 15:13:07 IPVERIFY: allow READ: *,  (from config value
ALLOW_READ_COLLECTOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission WRITE
01/03/17 15:13:07 IPVERIFY: allow WRITE: boss.linux.example.com,
192.168.6.12,  (from config value ALLOW_WRITE_COLLECTOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission NEGOTIATOR
01/03/17 15:13:07 IPVERIFY: allow NEGOTIATOR: boss.linux.example.com,
192.168.6.12 (from config value ALLOW_NEGOTIATOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission ADMINISTRATOR
01/03/17 15:13:07 IPVERIFY: allow ADMINISTRATOR: boss.linux.example.com,
192.168.6.12 (from config value ALLOW_ADMINISTRATOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission OWNER
01/03/17 15:13:07 IPVERIFY: allow OWNER: boss.linux.example.com,
boss.linux.example.com, 192.168.6.12 (from config value ALLOW_OWNER)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission CONFIG
01/03/17 15:13:07 ipverify: CONFIG optimized to deny everyone
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission DAEMON
01/03/17 15:13:07 IPVERIFY: allow DAEMON: boss.linux.example.com,
192.168.6.12,  (from config value ALLOW_WRITE_COLLECTOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission SOAP
01/03/17 15:13:07 ipverify: SOAP optimized to allow anyone
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission DEFAULT
01/03/17 15:13:07 ipverify: DEFAULT optimized to allow anyone
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission CLIENT
01/03/17 15:13:07 ipverify: CLIENT optimized to allow anyone
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission ADVERTISE_STARTD
01/03/17 15:13:07 IPVERIFY: allow ADVERTISE_STARTD:
boss.linux.example.com, 192.168.6.12,  (from config value
ALLOW_WRITE_COLLECTOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission ADVERTISE_SCHEDD
01/03/17 15:13:07 IPVERIFY: allow ADVERTISE_SCHEDD:
boss.linux.example.com, 192.168.6.12,  (from config value
ALLOW_WRITE_COLLECTOR)
01/03/17 15:13:07 IPVERIFY: Subsystem COLLECTOR
01/03/17 15:13:07 IPVERIFY: Permission ADVERTISE_MASTER
01/03/17 15:13:07 IPVERIFY: allow ADVERTISE_MASTER:
boss.linux.example.com, 192.168.6.12,  (from config value
ALLOW_WRITE_COLLECTOR)
01/03/17 15:13:08 CollectorAd  : Inserting ** "< 'HTCondor
Pool'@boss.linux.example.com >"
01/03/17 15:13:08 stats: Inserting new hashent for
'Collector':''HTCondor Pool'@boss.linux.example.com':'192.168.6.12'
01/03/17 15:13:08 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.6.12:23331>
01/03/17 15:13:08 DC_AUTHENTICATE: generating 3DES key for session
boss:18545:1483477988:0...
01/03/17 15:13:08 SECMAN: new session, doing initial authentication.
01/03/17 15:13:08 Returning to DC while we wait for socket to authenticate.
01/03/17 15:13:08 AUTHENTICATE: setting timeout for (unknown) to 20.
01/03/17 15:13:08 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
01/03/17 15:13:08 HANDSHAKE: handshake() - i am the server
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 64)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 64)
01/03/17 15:13:08 HANDSHAKE: client received (method == 64)
01/03/17 15:13:08 AUTHENTICATE: method 64 (KERBEROS) failed.
01/03/17 15:13:08 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
01/03/17 15:13:08 HANDSHAKE: handshake() - i am the server
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 0)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 0)
01/03/17 15:13:08 HANDSHAKE: client received (method == 0)
01/03/17 15:13:08 DC_AUTHENTICATE: required authentication of
192.168.6.12 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
01/03/17 15:13:08 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.6.12:7160>
01/03/17 15:13:08 DC_AUTHENTICATE: generating 3DES key for session
boss:18545:1483477988:1...
01/03/17 15:13:08 SECMAN: new session, doing initial authentication.
01/03/17 15:13:08 Returning to DC while we wait for socket to authenticate.
01/03/17 15:13:08 AUTHENTICATE: setting timeout for (unknown) to 20.
01/03/17 15:13:08 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
01/03/17 15:13:08 HANDSHAKE: handshake() - i am the server
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 64)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 64)
01/03/17 15:13:08 HANDSHAKE: client received (method == 64)
01/03/17 15:13:08 AUTHENTICATE: method 64 (KERBEROS) failed.
01/03/17 15:13:08 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
01/03/17 15:13:08 HANDSHAKE: handshake() - i am the server
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 0)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 0)
01/03/17 15:13:08 HANDSHAKE: client received (method == 0)
01/03/17 15:13:08 DC_AUTHENTICATE: required authentication of
192.168.6.12 failed: AUTHENTICATE:1003:Failed to authenticate with any
method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
01/03/17 15:13:11 DC_AUTHENTICATE: received DC_AUTHENTICATE from
<192.168.6.12:5763>
01/03/17 15:13:11 DC_AUTHENTICATE: generating 3DES key for session
boss:18545:1483477991:2...

I'm not sure what the failed handshake means. Should I add more debugging?


On 01/03/2017 01:09 PM, Todd L Miller wrote:
>> Thank you for your feedback. The mapping file has both domains
>> present. And the Kerberos setup currently works throughout the IPA-AD
>> environment. Is there a way I can see what principal/realm the ticket
>> used? I assumed it would use the same realm as the client machine.
>
>     It looks like adding D_SECURITY to the debug level will print out
> the information you're looking for.
>
> - ToddM
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx
> with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
>

-- 
Michael McInerny Murphy
Engineer & Physicist
IERUS Technologies, Inc.
2904 Westcorp Blvd. Ste 210
Huntsville, AL  35805
(256) 319-2026 ext 107
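As an added example (my own code, not from this thread or from HTCondor), a small Python parser that reconstructs each DC_AUTHENTICATE session from the D_SECURITY lines above and states what the handshake records mean: the collector accepts only KERBEROS (my_methods), the client offers 64 (KERBEROS), that attempt fails, and the client's next offer is methods == 0, which the log then reports as AUTHENTICATE:1003 "Failed to authenticate with any method". The sample log is a constructed, unwrapped copy of the excerpt; the regexes, record fields and function names are my assumptions, not HTCondor's.

```python
import re

# Constructed sample modelled on the D_SECURITY lines quoted above (mail-client line wrapping undone).
SAMPLE_LOG = """\
01/03/17 15:13:08 DC_AUTHENTICATE: generating 3DES key for session boss:18545:1483477988:0...
01/03/17 15:13:08 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 64)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 64)
01/03/17 15:13:08 AUTHENTICATE: method 64 (KERBEROS) failed.
01/03/17 15:13:08 HANDSHAKE: client sent (methods == 0)
01/03/17 15:13:08 HANDSHAKE: i picked (method == 0)
01/03/17 15:13:08 DC_AUTHENTICATE: required authentication of 192.168.6.12 failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
01/03/17 15:13:11 DC_AUTHENTICATE: generating 3DES key for session boss:18545:1483477991:2...
"""

TS = r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d "  # timestamp prefix on every record
PATTERNS = {  # the five record types that describe one authentication attempt
    "session": re.compile(TS + r"DC_AUTHENTICATE: generating \w+ key for session (\S+?)\.\.\."),
    "server":  re.compile(TS + r"HANDSHAKE: in handshake\(my_methods = '([^']*)'\)"),
    "offered": re.compile(TS + r"HANDSHAKE: client sent \(methods == (\d+)\)"),
    "failed":  re.compile(TS + r"AUTHENTICATE: method (\d+) \((\w+)\) failed\."),
    "result":  re.compile(TS + r"DC_AUTHENTICATE: required authentication of (\S+) failed: (.*)$"),
}

def parse_handshakes(log_text):
    """Return one record per DC_AUTHENTICATE session, in log order."""
    sessions = []
    for line in log_text.splitlines():
        kind, m = next(((k, r.match(line)) for k, r in PATTERNS.items() if r.match(line)), ("", None))
        if kind == "session":
            sessions.append({"session": m.group(1), "server_methods": None, "offered": [], "failed": [], "errors": None})
        elif m and sessions:  # handshake records belong to the most recently opened session
            cur = sessions[-1]
            if kind == "server":
                cur["server_methods"] = m.group(1)
            elif kind == "offered":
                cur["offered"].append(int(m.group(1)))  # bitmask of methods the client still has
            elif kind == "failed":
                cur["failed"].append((int(m.group(1)), m.group(2)))
            else:
                cur["errors"] = m.group(2).split("|")  # code:message pairs joined by '|'
    return sessions

def explain(s):
    """Say in one sentence what a session's handshake records mean."""
    tried = ", ".join(name for _, name in s["failed"]) or "nothing"
    if s["offered"] and s["offered"][-1] == 0:  # client sent methods == 0: nothing left to try
        return "%s: server accepts only %s; %s failed; client ran out of methods" % (
            s["session"], s["server_methods"], tried)
    return "%s: %s" % (s["session"], "; ".join(s["errors"] or ["no result logged yet"]))
```

Run it over a real CollectorLog after joining wrapped lines; a session whose last offer is 0 after a single KERBEROS failure points at the Kerberos step itself rather than at the method negotiation.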