
Re: [HTCondor-users] condor 8.x and authentication woes

ok. i will go back to PASSWORD but still want to take a crack at the SSL.

I keep seeing this in my StartLog

Error parsing line 1 of /var/lib/condor/map.  (Method=ssl)
(Principal=/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor
SECMAN: FAILED: Received "DENIED" from server for user ssl@unmapped using method SSL.
ERROR: SECMAN:2010:Received "DENIED" from server for user ssl@unmapped using method SSL.

Here is what the file looks like:
cat /var/lib/condor/map
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor
md5sum, 9b82fb04fe6fd2e7ac1c422d70926003

Also, if I have 3 users, do I need to have the map file like this? I
changed the CN to reflect the user:
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=UserA" usera
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=UserB" userb

On Mon, Jul 1, 2019 at 10:52 PM Tim Theisen <tim@xxxxxxxxxxx> wrote:
>
> I put together a short presentation for HTCondor Week which gives
> example directions and a configuration to install a pool using PASSWORD
> authentication. Hopefully, you will find this useful.
>
> https://agenda.hep.wisc.edu/event/1325/session/16/contribution/41
>
> ...Tim
>
> On 7/1/19 9:41 PM, Bockelman, Brian wrote:
> >
> >> On Jul 1, 2019, at 9:15 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:
> >>
> >> Hi.
> >>
> >> I went with SSL because it's a standard protocol used in HTTPS. Didn't
> >> think it was this hard.
> >>
> > Ah - on the server side, yes.  Have you ever set up client X509 auth with a private CA, though?  Not particularly fun....
> >
> >> Here is my setup, BTW
> >> SEC_DAEMON_AUTHENTICATION = REQUIRED
> >> SEC_DAEMON_AUTHENTICATION_METHODS = SSL
> > Ah - both the client and server must have the same protocol enabled (from the error message below, it appears there was no mutually agreed-upon protocol).  You have set the protocol for "DAEMON" (on the server) but not at the client.
> >
> > At least the first step to configuring is this:
> >
> > SEC_CLIENT_AUTHENTICATION_METHODS = SSL
> >
> > When the startd is advertising to the collector, for example, the startd refers to the "client" list and the collector uses the "daemon" authentication list.
> >
> > (NOTE: adding "D_SECURITY,D_FULLDEBUG" to the daemon's logging configuration often helps with debugging security problems.)
> >
> >>
> >> AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
> >> AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
> >> AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
> >> AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
> >> AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
> >> AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
> >> CERTIFICATE_MAPFILE = /var/lib/condor/map
> >>
> >> The map file is simple
> >> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor
> >>
> >> I am hoping the map file is the issue. I am open to troubleshooting this.
> >>
> >> But, for now I like the password option.
> >>
> > Yup - honestly, we can probably figure out the SSL setup but PASSWORD seems more appropriate here.
> >
> > Brian
> >
> > _______________________________________________
> > HTCondor-users mailing list
> > To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> > subject: Unsubscribe
> > You can also unsubscribe by visiting
> > https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> >
> > The archives can be found at:
> > https://lists.cs.wisc.edu/archive/htcondor-users/
>
> --
> Tim Theisen
> Release Manager
> HTCondor & Open Science Grid
> Center for High Throughput Computing
> Department of Computer Sciences
> University of Wisconsin - Madison
> 4261 Computer Sciences and Statistics
> 1210 W Dayton St
> Madison, WI 53706-1685
> +1 608 265 5736
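Two things in the thread are easy to check mechanically before touching a live pool: whether each line of the CERTIFICATE_MAPFILE actually parses into the three fields the thread shows (method, quoted principal pattern, canonical user), so that a principal maps to a user instead of `ssl@unmapped`, and whether the client and daemon method lists share at least one method, which is Brian's point about SEC_CLIENT_AUTHENTICATION_METHODS. The script below is an added example written for this page; it is not HTCondor code and does not read a real configuration. The sample map file is constructed (its DN strings mirror the ones posted, with a deliberately broken last line that lacks its closing quote), and the matching semantics it applies (the principal pattern is a regex that must match the whole principal, first matching line wins) are assumptions for illustration rather than a statement of HTCondor's exact behaviour.

```python
"""Toy checker for an HTCondor-style certificate map file and for the
client/daemon method mismatch discussed in the thread.

Added example, not HTCondor code.  Assumptions for illustration: the
principal field is a regex matched against the whole principal, and the
first matching line wins.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class MapEntry:
    lineno: int
    method: str
    pattern: "re.Pattern[str]"   # principal regex from the map line
    user: str                    # canonical user the principal maps to


# Constructed sample, mirroring the DNs in the thread.  The last line is
# deliberately missing its closing quote to reproduce the
# "Error parsing line N" case seen in the StartLog.
DN_PREFIX = ("/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison"
             "/O=Computer Sciences Department/OU=HTCondor Project")
SAMPLE_MAPFILE = "\n".join([
    '# one entry per line: METHOD "principal-regex" canonical-user',
    f'SSL "{DN_PREFIX}/CN=Service" condor',
    f'SSL "{DN_PREFIX}/CN=UserA" usera',
    f'SSL "{DN_PREFIX}/CN=UserB" userb',
    f'SSL "{DN_PREFIX}/CN=Service condor',   # broken: unterminated quote
])


def parse_mapfile(text: str) -> Tuple[List[MapEntry], List[Tuple[int, str]]]:
    """Return (entries, errors); each error is (lineno, message)."""
    entries: List[MapEntry] = []
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)   # honours the double-quoted principal
        except ValueError as exc:        # e.g. "No closing quotation"
            errors.append((lineno, f"Error parsing line {lineno}: {exc}"))
            continue
        if len(fields) != 3:
            errors.append((lineno, f"Error parsing line {lineno}: "
                                   f"expected 3 fields, got {len(fields)}"))
            continue
        method, principal_re, user = fields
        try:
            pattern = re.compile(principal_re)
        except re.error as exc:
            errors.append((lineno, f"Error parsing line {lineno}: bad regex ({exc})"))
            continue
        entries.append(MapEntry(lineno, method.upper(), pattern, user))
    return entries, errors


def map_principal(entries: List[MapEntry], method: str, principal: str) -> str:
    """First entry whose method matches and whose regex matches the whole
    principal wins; otherwise report the unmapped form seen in the log."""
    for entry in entries:
        if entry.method == method.upper() and entry.pattern.fullmatch(principal):
            return entry.user
    return f"{method.lower()}@unmapped"


def common_methods(client_methods: List[str], daemon_methods: List[str]) -> List[str]:
    """Methods present in both lists, in client order.  An empty result is
    the "no mutually agreed-upon protocol" situation from the thread."""
    daemon = {m.strip().upper() for m in daemon_methods}
    return [m.strip().upper() for m in client_methods if m.strip().upper() in daemon]


if __name__ == "__main__":
    entries, errors = parse_mapfile(SAMPLE_MAPFILE)
    for _, msg in errors:
        print(msg)
    print(map_principal(entries, "SSL", DN_PREFIX + "/CN=Service"))   # condor
    print(map_principal(entries, "SSL", DN_PREFIX + "/CN=Nobody"))    # ssl@unmapped
    print(common_methods(["SSL"], ["PASSWORD"]))                      # []
```

Running it prints the parse error for the broken fifth line, maps the service DN to `condor`, reports an unknown CN as `ssl@unmapped`, and shows the empty intersection that results when only the daemon side lists SSL.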