
[HTCondor-users] Help with authentication and condor mapfile for strong security



Hi all,

I had my Condors hissing and being silent as they should, but then I enabled the Strong security template and as expected, everything stopped working.

I read through the HTCondor documentation with regards to security in its entirety located at: https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=mapfile#security but I still have a few questions:
1. If I am using realmd to configure Kerberos and sssd to work with an Active Directory server, how do I configure Active Directory to have appropriate properties so that I can use Kerberos authentication with HTCondor? 
2. How can I verify my HTCondor mapfile is correct? It appears below that my condor_schedd is unable to authenticate with the shared port because there is no mapped uid, but based on the documentation, I am a little fuzzy on how to make a correct mapping for my condor_schedd.

Security config:
===================================================
@use SECURITY : Strong
SEC_PASSWORD_FILE = /etc/condor/passwords.d/POOL
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD
ALLOW_DAEMON = *
ALLOW_NEGOTIATOR = *
===================================================

SchedLog:
===================================================
07/02/20 19:16:19 ******************************************************
07/02/20 19:16:19 ** condor_schedd (CONDOR_SCHEDD) STARTING UP
07/02/20 19:16:19 ** /usr/sbin/condor_schedd
07/02/20 19:16:19 ** SubsystemInfo: name=SCHEDD type=SCHEDD(5) class=DAEMON(1)
07/02/20 19:16:19 ** Configuration: subsystem:SCHEDD local:<NONE> class:DAEMON
07/02/20 19:16:19 ** $CondorVersion: 8.8.9 May 07 2020 BuildID: 503236 PackageID: 8.8.9-1 FIPS $
07/02/20 19:16:19 ** $CondorPlatform: x86_64_CentOS7 $
07/02/20 19:16:19 ** PID = 24136
07/02/20 19:16:19 ** Log last touched time unavailable (No such file or directory)
07/02/20 19:16:19 ******************************************************
07/02/20 19:16:19 Using config source: /etc/condor/condor_config
07/02/20 19:16:19 Using local config sources:
07/02/20 19:16:19    /etc/condor/config.d/49-common
07/02/20 19:16:19    /etc/condor/config.d/50-security
07/02/20 19:16:19    /etc/condor/config.d/51-role-exec
07/02/20 19:16:19    /etc/condor/condor_config.local
07/02/20 19:16:19 config Macros = 71, Sorted = 71, StringBytes = 1922, TablesBytes = 2620
07/02/20 19:16:19 CLASSAD_CACHING is ENABLED
07/02/20 19:16:19 Daemon Log is logging: D_ALWAYS D_ERROR
07/02/20 19:16:19 SharedPortEndpoint: waiting for connections to named socket 24123_f333_3
07/02/20 19:16:19 DaemonCore: command socket at <172.20.0.56:9618?addrs=172.20.0.56-9618&noUDP&sock=24123_f333_3>
07/02/20 19:16:19 DaemonCore: private command socket at <172.20.0.56:9618?addrs=172.20.0.56-9618&noUDP&sock=24123_f333_3>
07/02/20 19:16:19 History file rotation is enabled.
07/02/20 19:16:19   Maximum history file size is: 20971520 bytes
07/02/20 19:16:19   Number of rotated history files is: 2
07/02/20 19:16:19 my_popenv: Failed to exec in child, errno=2 (No such file or directory)
07/02/20 19:16:19 Failed to execute /usr/sbin/condor_shadow.std, ignoring
07/02/20 19:16:19 Reloading job factories
07/02/20 19:16:19 Loaded 0 job factories, 0 were paused, 0 failed to load
07/02/20 19:16:25 TransferQueueManager stats: active up=0/100 down=0/100; waiting up=0 down=0; wait time up=0s down=0s
07/02/20 19:16:25 TransferQueueManager upload 1m I/O load: 0 bytes/s  0.000 disk load  0.000 net load
07/02/20 19:16:25 TransferQueueManager download 1m I/O load: 0 bytes/s  0.000 disk load  0.000 net load
07/02/20 19:16:51 DC_AUTHENTICATE: authentication of <172.20.0.56:41253> did not result in a valid mapped user name, which is required for this command (519 QUERY_JOB_ADS_WITH_AUTH), so aborting.
07/02/20 19:16:51 DC_AUTHENTICATE: reason for authentication failure: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
===================================================

Thank you all for the help as always,
Wes

Wesley Taylor, Cluster Manager
Numerica Corporation (www.numerica.us)
5042 Technology Parkway #100
Fort Collins, Colorado 80528
Phone: (970) 207 2233
Email: wesley.taylor@xxxxxxxxxxx
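To make question 2 concrete, here is an added example (not from the post or from HTCondor itself) that re-implements the mapfile lookup step in Python: each rule is `METHOD regex canonical-name`, the first rule whose method matches and whose regex matches the authenticated identity wins, and `\1`-style backreferences fill the canonical name. The sample mapfile and identities are constructed; whole-string anchoring of the regex and the `condor_pool@UID_DOMAIN` identity for PASSWORD are assumptions about HTCondor's behaviour. Note that in the SchedLog above the PASSWORD authentication itself failed (AUTHENTICATE:1004), so the mapping step is never reached; this example only shows what happens once a method succeeds.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample mapfile in CERTIFICATE_MAPFILE style (assumed syntax):
#   <auth method>  <regex>  <canonical name>
# Lines starting with '#' are comments; fields are whitespace separated and
# may be wrapped in double quotes if they contain spaces.
SAMPLE_MAPFILE = r"""
# pool-password identity (assumed to be condor_pool@UID_DOMAIN) -> daemon user
PASSWORD  condor_pool@.*       condor_pool
# Kerberos principals in one realm -> the local part of the principal
KERBEROS  (.*)@EXAMPLE\.COM    \1
"""

Rule = Tuple[str, "re.Pattern[str]", str]


def _tokens(line: str) -> List[str]:
    """Split a mapfile line into fields, keeping double-quoted fields intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def parse_mapfile(text: str) -> List[Rule]:
    """Parse mapfile text into (METHOD, compiled regex, canonical template) rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _tokens(line)
        if len(fields) != 3:
            raise ValueError(f"mapfile line {lineno}: expected 3 fields, got {len(fields)}")
        method, pattern, target = fields
        rules.append((method.upper(), re.compile(pattern), target))
    return rules


def map_identity(rules: List[Rule], method: str, authenticated_name: str) -> Optional[str]:
    """Return the canonical user for an authenticated identity, or None if no rule maps it.

    None is the situation behind 'did not result in a valid mapped user name':
    authentication succeeded but no mapfile line produced a user.
    """
    for rule_method, regex, target in rules:
        if rule_method != method.upper():
            continue
        match = regex.fullmatch(authenticated_name)  # assumption: whole-name match
        if match:
            return match.expand(target)  # substitutes \1, \2, ... from the regex
    return None


if __name__ == "__main__":
    rules = parse_mapfile(SAMPLE_MAPFILE)
    for method, name in [("PASSWORD", "condor_pool@example.org"), ("KERBEROS", "wes@EXAMPLE.COM"),
                         ("KERBEROS", "wes@OTHER.REALM")]:
        print(f"{method:9s} {name:28s} -> {map_identity(rules, method, name)}")
```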
