[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] pool authorization failing



Hi Zach and Brian,

Christoph also brought his big admin hammer and your both noses was right!

  ALLOW_DAEMON = *.desy.de
was missing! :-/

Christoph quick fix [1] made the collector happy again.

Cheers,
  Thomas

[1]
> cat 99test.conf
ALLOW_DAEMON = *.desy.de


On 01/12/2020 17.49, Zach Miller wrote:
Hello,

Advertising the master falls under ALLOW_DAEMON (or ALLOW_ADVERTISE_MASTER if set).  Double check those settings as well.

Otherwise, I agree with Brian and the first DENIED message would be the most useful.  But if you can’t find that (log rotated or whatever) these commands might also be useful:

Condor_config_val -dump ALLOW_

condor_config_val UID_DOMAIN

host 131.169.161.34  # looks like it matches *.desy.de to me but maybe you get something different

Cheers,

-zach

-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
Date: Tuesday, December 1, 2020 at 10:40 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] pool authorization failing

Hi Thomas,

Can you capture the first instance of the PERMISSION DENIED message?  That'll indicate which domain and IP addresses is being used by HTCondor for the hostname.

Could be a failure of reverse DNS, for example.

:) In general, I'd nudge on trying out IDTOKENS and not relying on DNS.  A challenge for a different day, however!

Brian

> On Dec 1, 2020, at 10:36 AM, Thomas Hartmann <thomas.hartmann@xxxxxxx <mailto:thomas.hartmann@xxxxxxx>> wrote:

 >

 > Hi all,

 >

> our collector has started to disallow all remote daemons [1] although the policy has not changed and should be pretty relaxed with

 >  ALLOW_WRITE = *.$(UID_DOMAIN)

 >  ALLOW_READ  = *.$(UID_DOMAIN)

 >

 > The version was recently updated and looks like [2]

 >

 > Cheers and thanks for any ideas,

 >  Thomas

 >

 > [1]

 > > /var/log/condor/CollectorLog

 > ...

> 12/01/20 17:32:37 Query info: matched=0; skipped=1; query_time=0.000041; send_time=0.000030; type=Scheduler; requirements={((Name == "grid-arcce1.desy.de" || Machine == "grid-arcce1.desy.de"))}; locate=0; limit=0; from=TOOL; peer=<131.169.223.111:11673>; projection={Machine Name TotalIdleJobs TotalRunningJobs}; filter_private_ads=1

> 12/01/20 17:32:37 PERMISSION DENIED to unauthenticated@unmapped from host 131.169.161.34 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

 > 12/01/20 17:32:37 DC_AUTHENTICATE: Command not authorized, done!

> 12/01/20 17:32:37 PERMISSION DENIED to unauthenticated@unmapped from host 131.169.163.155 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

 >

 >

 > [2]

 > condor-classads-8.9.10-1.el7.x86_64

 > python3-condor-8.9.10-1.el7.x86_64

 > condor-8.9.10-1.el7.x86_64

 > python2-condor-8.9.10-1.el7.x86_64

 > condor-procd-8.9.10-1.el7.x86_64

 > condor-externals-8.9.10-1.el7.x86_64

 >

 > _______________________________________________

 > HTCondor-users mailing list

> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx <mailto:htcondor-users-request@xxxxxxxxxxx> with a

 > subject: Unsubscribe

 > You can also unsubscribe by visiting

> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>

 >

 > The archives can be found at:

> https://lists.cs.wisc.edu/archive/htcondor-users/ <https://lists.cs.wisc.edu/archive/htcondor-users/>

_______________________________________________

HTCondor-users mailing list

To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx <mailto:htcondor-users-request@xxxxxxxxxxx> with a

subject: Unsubscribe

You can also unsubscribe by visiting

https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users <https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users>

The archives can be found at:

https://lists.cs.wisc.edu/archive/htcondor-users/ <https://lists.cs.wisc.edu/archive/htcondor-users/>


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature