
Re: [HTCondor-users] condor 8.x and authentication woes



I managed to get further. The collector is able to startd from r2.

Now, when I submit my job
Submitting job(s)
ERROR: Failed to connect to local queue manager
AUTHENTICATE:1003:Failed to authenticate with any method

I copied and pasted "condor" in mapped file to "usera"

SSL /C=US/ST=MI/L=Madison/O=University of Wisconsin
--Madison/O=Computer Sciences Department/OU=HTCondor
Project/CN=Service condor
SSL /C=US/ST=MI/L=Madison/O=University of Wisconsin
--Madison/O=Computer Sciences Department/OU=HTCondor
Project/CN=Service usera


The schedd log looks like this
Return from Handler <SecManStartCommand::WaitForSocketCallback
UPDATE_SCHEDD_AD> 0.016881s
07/02/19 07:24:45 Calling Handler <DaemonCommandProtocol::WaitForSocketData> (6)
07/02/19 07:24:45 Return from Handler
<DaemonCommandProtocol::WaitForSocketData> 0.000222s
07/02/19 07:24:45 Calling Handler <DaemonCommandProtocol::WaitForSocketData> (6)
07/02/19 07:24:45 DC_AUTHENTICATE: authentication of
<192.168.56.101:8342> did not result in a valid mapped user name,
which is required for this command (1112 QMGMT_WRITE_CMD), so
aborting.
07/02/19 07:24:45 DC_AUTHENTICATE: reason for authentication failure:
AUTHENTICATE:1003:Failed to authenticate with any method
07/02/19 07:24:45 Return from Handler
<DaemonCommandProtocol::WaitForSocketData> 0.000109s

Any ideas?



On Tue, Jul 2, 2019 at 7:16 AM Keith Brown <keith6014@xxxxxxxxx> wrote:
>
> OK. I will go back to PASSWORD but still want to take a crack at the SSL.
>
> I keep seeing this in my StartLog
>
> Error parsing line 1 of /var/lib/condor/map.  (Method=ssl)
> (Principal=/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor
> Project/CN=Serviceâ condor
> SECMAN: FAILED: Received "DENIED" from server for user ssl@unmapped
> using method SSL.
> ERROR: SECMAN:2010:Received "DENIED" from server for user ssl@unmapped
> using method SSL.
>
> Here is what the file looks like
> cat /var/lib/condor/map
> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor
> Project/CN=Serviceâ condor
> md5sum, 9b82fb04fe6fd2e7ac1c422d70926003
>
> Also, if I have 3 users do I need to have the map file like this? I
> changed the CN to reflect the user:
> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor
> Project/CN=Serviceâ condor
> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=UserAâ
> usera
> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> --Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=UserBâ
> userb
>
>
>
> On Mon, Jul 1, 2019 at 10:52 PM Tim Theisen <tim@xxxxxxxxxxx> wrote:
> >
> > I put together a short presentation for HTCondor Week which gives
> > example directions and a configuration to install a pool using PASSWORD
> > authentication. Hopefully, you will find this useful.
> >
> > https://agenda.hep.wisc.edu/event/1325/session/16/contribution/41
> >
> > ...Tim
> >
> > On 7/1/19 9:41 PM, Bockelman, Brian wrote:
> > >
> > >> On Jul 1, 2019, at 9:15 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:
> > >>
> > >> Hi.
> > >>
> > >> I went with SSL because it's a standard protocol used in HTTPS. Didn't
> > >> think it was this hard.
> > >>
> > > Ah - on the server-side, yes.  Have you ever set up client X509 auth though with a private CA?  Not particularly fun....
> > >
> > >> Here is my setup, BTW
> > >> SEC_DAEMON_AUTHENTICATION = REQUIRED
> > >> SEC_DAEMON_AUTHENTICATION_METHODS = SSL
> > > Ah - both the client and server must have the same protocol enabled (from the error message below, it appears there was no mutually agreed-upon protocol).  You have set the protocol for "DAEMON" (on the server) but not at the client.
> > >
> > > At least the first step to configuring is this:
> > >
> > > SEC_CLIENT_AUTHENTICATION_METHODS = SSL
> > >
> > > When the startd is advertising to the collector, for example, the startd refers to the "client" list and the collector uses the "daemon" authentication list.
> > >
> > > (NOTE: adding "D_SECURITY,D_FULLDEBUG" to the daemon's logging configuration often helps with debugging security problems.)
> > >
> > >>
> > >> AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
> > >> AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
> > >> AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
> > >> AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
> > >> AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
> > >> AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
> > >> CERTIFICATE_MAPFILE = /var/lib/condor/map
> > >>
> > >> The map file is simple
> > >> SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin
> > >> --Madison/O=Computer Sciences Department/OU=HTCondor
> > >> Project/CN=Serviceâ condor
> > >>
> > >> I am hoping the map file is the issue. I am open to troubleshooting this.
> > >>
> > >> But, for now I like the password option.
> > >>
> > > Yup - honestly, we can probably figure out the SSL setup but PASSWORD seems more appropriate here.
> > >
> > > Brian
> > >
> > > _______________________________________________
> > > HTCondor-users mailing list
> > > To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> > > subject: Unsubscribe
> > > You can also unsubscribe by visiting
> > > https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> > >
> > > The archives can be found at:
> > > https://lists.cs.wisc.edu/archive/htcondor-users/
> >
> > --
> > Tim Theisen
> > Release Manager
> > HTCondor & Open Science Grid
> > Center for High Throughput Computing
> > Department of Computer Sciences
> > University of Wisconsin - Madison
> > 4261 Computer Sciences and Statistics
> > 1210 W Dayton St
> > Madison, WI 53706-1685
> > +1 608 265 5736
> >
> >
> >
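
A pre-flight check for the CERTIFICATE_MAPFILE entries discussed in this thread, as an added example that is not code from any poster or from the HTCondor project. It assumes each entry is one line of three whitespace-separated fields (method, principal, mapped name) with the principal in ASCII double quotes when it contains spaces; the function names, the method list and the sample DNs are constructed for illustration.

```python
import shlex

# Assumed subset of authentication method names for the first field.
KNOWN_METHODS = {"SSL", "PASSWORD", "FS", "GSI", "KERBEROS", "CLAIMTOBE"}

def split_fields(line):
    """Split on whitespace, honouring only ASCII double quotes."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'
    lex.escape = ""       # keep backslashes in the principal untouched
    lex.commenters = ""
    return list(lex)

def lint_mapfile(text):
    """Return (line_number, problem) tuples for suspicious map entries."""
    problems = []
    for num, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        # Typographic quotes pasted from mail or slides are not ASCII quotes.
        bad = sorted({c for c in stripped if ord(c) > 127})
        if bad:
            names = ", ".join("U+%04X" % ord(c) for c in bad)
            problems.append((num, "non-ASCII character(s): " + names))
        try:
            fields = split_fields(stripped)
        except ValueError:
            problems.append((num, "unbalanced double quote"))
            continue
        # A wrapped DN shows up as a line that does not start with a method.
        if not fields or fields[0].upper() not in KNOWN_METHODS:
            problems.append((num, "first field is not an authentication method"))
        if len(fields) != 3:
            problems.append((num, "expected 3 fields, found %d" % len(fields)))
    return problems

# Constructed sample: a clean entry, a curly closing quote, an unquoted DN
# containing a space, and the tail of an entry that was wrapped by an editor.
SAMPLE = "\n".join([
    'SSL "/C=US/O=Example Org/CN=Service" condor',
    'SSL "/C=US/O=Example Org/CN=UserA\u201d usera',
    'SSL /C=US/O=Example Org/CN=UserB userb',
    'Project/CN=UserC userc',
])

if __name__ == "__main__":
    for num, problem in lint_mapfile(SAMPLE):
        print("line %d: %s" % (num, problem))
```

Running it against the real map file before restarting the daemons narrows an "Error parsing line N" message down to the offending character or field.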