Dear HTCondor experts,

the new default of RHEL 7 is (finally!) to use Credential Collections in the Kernel Keyring facility. Making use of those, I can for example have the following:

----------------------------------------------------------------
$ klist -Af
Ticket cache: KEYRING:persistent:12345:krb_ccache_DRlSzTE
Default principal: mycernuser@xxxxxxx

Valid starting       Expires              Service principal
06/19/2018 13:54:33  06/20/2018 13:54:30  krbtgt/CERN.CH@xxxxxxx
	renew until 06/26/2018 13:54:30, Flags: FRIA

Ticket cache: KEYRING:persistent:12345:krb_ccache_J8w9jzh
Default principal: mylocaluser@xxxxxxxxxxx

Valid starting       Expires              Service principal
06/19/2018 16:14:58  06/20/2018 16:14:58  krbtgt/UNI-BONN.DE@xxxxxxxxxxx
	renew until 06/26/2018 16:14:58, Flags: FRIA
----------------------------------------------------------------

This allows me to authenticate against both local resources and resources at CERN, which is required e.g. to clone a kerberized git repository to a local kerberized filesystem.

Now, in our local kerberos-mapfile, we map "UNI-BONN.DE = uni-bonn.de", and things work perfectly fine as long as I have only one principal from the UNI-BONN.DE realm, or as long as it is the most recently fetched principal. However, in the situation shown above, HTCondor fails to authenticate. It seems only the CERN.CH principal is tried, which we do not map at our site.

Which config switch am I missing to specify that HTCondor / condor_submit iterates over all the available credential caches in the collection and chooses the one matching our realm / tries all the realms to finally end up with the working one? Or are credential cache collections not yet supported (they have existed for a very long time and are the default in RHEL 7)?

Cheers,
Oliver
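Editor's note, added here as a worked example and not part of the original post or of HTCondor itself: the post observes that only the collection's primary cache (the CERN.CH one, the most recently fetched) is tried. A workaround that does not depend on any HTCondor switch is to pick the cache in the KEYRING collection whose default principal is in the realm the kerberos-mapfile knows, and point KRB5CCNAME at that one cache before running condor_submit. The script below parses `klist -A`-style output to do that selection. The klist output embedded in it is constructed to mirror the post (with the masked realms filled in as CERN.CH and UNI-BONN.DE, which is an assumption), and the function and variable names are the example's own; on a real host replace `sample_klist_output` with `klist -A`.

```shell
#!/bin/sh
# Added example (not from the original post): select the credential cache in a
# KEYRING collection whose default principal belongs to a given realm and
# export it as KRB5CCNAME, so a tool that only consults the primary cache
# (as the post reports for condor_submit) uses the one the mapfile can map.

# Constructed klist -A output mirroring the post; the realms CERN.CH and
# UNI-BONN.DE are assumed. In real use: klist -A 2>/dev/null
sample_klist_output() {
    cat <<'EOF'
Ticket cache: KEYRING:persistent:12345:krb_ccache_DRlSzTE
Default principal: mycernuser@CERN.CH

Valid starting       Expires              Service principal
06/19/2018 13:54:33  06/20/2018 13:54:30  krbtgt/CERN.CH@CERN.CH
        renew until 06/26/2018 13:54:30

Ticket cache: KEYRING:persistent:12345:krb_ccache_J8w9jzh
Default principal: mylocaluser@UNI-BONN.DE

Valid starting       Expires              Service principal
06/19/2018 16:14:58  06/20/2018 16:14:58  krbtgt/UNI-BONN.DE@UNI-BONN.DE
        renew until 06/26/2018 16:14:58
EOF
}

# ccache_for_realm REALM: read klist -A output on stdin and print the name of
# the first cache whose default principal is in REALM. Realm comparison is
# exact (Kerberos realms and the mapfile are case-sensitive). Exit 1 if none.
ccache_for_realm() {
    awk -v realm="$1" '
        /^Ticket cache:/      { cache = $3 }
        /^Default principal:/ {
            split($3, parts, "@")          # parts[2] is the realm
            if (parts[2] == realm) { print cache; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# use_realm_ccache REALM: export KRB5CCNAME pointing at the single cache for
# REALM (instead of the whole KEYRING collection) and print the chosen cache.
use_realm_ccache() {
    cache=$(sample_klist_output | ccache_for_realm "$1") || {
        echo "no credential cache for realm $1 in the collection" >&2
        return 1
    }
    KRB5CCNAME=$cache
    export KRB5CCNAME
    echo "$KRB5CCNAME"
}

# Usage (condor_submit is not run here):
#   use_realm_ccache UNI-BONN.DE && condor_submit job.sub
```

With KRB5CCNAME set to one `KEYRING:persistent:12345:krb_ccache_…` entry rather than the collection, any GSSAPI client started from that shell sees only the UNI-BONN.DE principal. The equivalent built-in MIT Kerberos check is `klist -l` to list the collection and `kswitch -p mylocaluser@UNI-BONN.DE` to make that principal's cache the primary one, which is the cache a collection-aware client uses when no cache is named explicitly.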