[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] [HTCondor-Users] SEC_DEFAULT_AUTHENTICATION_METHODS in condor 8.8.5



Hi Vikrant,

I'm not aware of any major changes to default security configuration
between the 8.5.8 and 8.8.5 versions.

Your output indicates you're trying to use GSI authentication, which
to my understanding needs to be explicitly enabled. Do you have extra
security configuration adding this method? If so, what happens when
you try running `grid-proxy-init`?

The default authentication method is CLAIMTOBE.

Can you send some output from your SchedLog showing the error message
when condor_q fails in v8.8.5? It will probably help to set
SCHEDD_DEBUG = D_SECURITY to get some additional information.

Mark


On Wed, Aug 11, 2021 at 8:47 AM <ervikrant06@xxxxxxxxx> wrote:
>
> Hello Experts,
>
> After upgrading from condor 8.5.8 (dev) to 8.8.5 (stable).. we are seeing an issue with Authentication only with DRMAA jobs. We are using Host based authorization, default for authentication.
>
> Following error is reported with default SEC_DEFAULT_AUTHENTICATION_METHODS on 8.8.5
>
> Submitting job(s)
> ERROR: Failed to connect to local queue manager
> AUTHENTICATE:1003:Failed to authenticate with any method
> AUTHENTICATE:1004:Failed to authenticate using GSI
> GSI:5003:Failed to authenticate.  Globus is reporting error (851968:50).  There is probably a problem with your credentials.  (Did you run grid-proxy-init?)
> AUTHENTICATE:1004:Failed to authenticate using KERBEROS
> AUTHENTICATE:1004:Failed to authenticate using FS
>
>
> After reading the documentation I realized that in 8.5.8 version prob different protocol was used: however not sure which one?
>
> Authentication
> Proper identification of a user is accomplished by the process of authentication. It attempts to distinguish between real users and impostors. By default, HTCondor's authentication uses the user id (UID) to determine identity, but HTCondor can choose among a variety of authentication mechanisms, including the stronger authentication methods Kerberos and GSI.
>
> Except CLAIMTOBE nothing helped to make DRMAA job successful on 8.8.5. however adding to condor 8.5.8 makes condor_q fail.
>
> SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE, $(SEC_DEFAULT_AUTHENTICATION_METHODS)
>
> From documentation found that DRMAA support is removed from condor 9 series.
>
> Question:
>
> - What was the default authentication method used in condor 8.5.8 and 8.8.5 (KERBEROS and FS?) out of the following list?
>
> GSI Authentication
> SSL Authentication
> Kerberos Authentication
> Password Authentication
> File System Authentication
> File System Remote Authentication
> Windows Authentication
> Claim To Be Authentication
> Anonymous Authentication
>
> - Why does adding CLAIMTOBE make condor_q fail on condor 8.5.8?
>
> we are using OPTIONAL everywhere:
>
> # condor_config_val SEC_DEFAULT_NEGOTIATION
> OPTIONAL
>
> Thanks & Regards,
> Vikrant Aggarwal
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/



-- 
Mark Coatsworth
Systems Programmer
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin-Madison