
[HTCondor-users] upgrading from 8.8.x to 9.0.4 - kerberos auth problems



I have an existing pool of CentOS Stream 8 hosts running 8.8.13 successfully using:

 SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
 SCHEDD.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
 TOOL.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
 COLLECTOR.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS

for authentication. When I try to use the same config for 9.0.4 it fails with

 AUTH_ERROR: Client not found in Kerberos database

We're using AD as our Kerberos server.

There are valid host/ entries in the /etc/krb5.keytab files.

I have another cluster in a different lab that is successfully running 9.0 against Kerberos. In both cases I've made no changes to /etc/condor/config.d/00-htcondor-9.0.config. Oddly enough, that cluster is running without the ALLOW_DAEMON = $(ALLOW_WRITE) setting, though I've added that to the cluster that's failing.

I'd prefer not to go through the bother of converting to the new tokens system as I don't really want to have to manually type a password on every host. (It wouldn't be so bad if I could just have puppet drop a common /etc/condor/tokens.d/condor@mypool file in place but that doesn't seem to be sufficient, instead emitting "TOKEN: No token found." error.)

Anyway, getting back on track, any pointers on where I should be looking to see why the Kerberos config that works in 8.8.x doesn't work in 9?

I tried running condor_check_config but:

sudo condor_check_config
Traceback (most recent call last):
 File "/bin/condor_check_config", line 92, in <module>
  main()
 File "/bin/condor_check_config", line 84, in main
  message = check_dead_allow_write()
 File "/bin/condor_check_config", line 62, in check_dead_allow_write
  if len(allow_write) :
UnboundLocalError: local variable 'allow_write' referenced before assignment

thanks,
nomad