
Re: [HTCondor-users] upgrading from 8.8.x to 9.0.4 - kerberos auth problems



Hi Jaime,

Here's all the changes I've made to the condor config between 8.8.13 and 9.0.4:
add:
  ALLOW_DAEMON = $(ALLOW_WRITE)
remove:
 HOSTALLOW_ADMINISTRATOR = $(CONDOR_HOST)
 HOSTALLOW_READ = *.dom.ain.edu
 HOSTALLOW_WRITE = *.dom.ain.edu
 HOSTALLOW_NEGOTIATOR = $(CONDOR_HOST)
 HOSTALLOW_NEGOTIATOR_SCHEDD = $(CONDOR_HOST)

I've also tried adding a KERBEROS_MAP_FILE but that didn't seem to help (and I'm not even sure what to put in it. The other (working) 9.0.x install I have has a clear need to map a different dom.ain.) Plus, my currently working 8.8.x install doesn't use a map file.

I first tried having the 9.0.4 client talk with the existing 8.8.13 pool but when these errors showed up I built a test collector host using 9.0.4. The errors are exactly the same regardless of which collector host is used.

The error is showing up in MasterLog, SchedLog, and StartdLog. Here's what I find in SchedLog; the other two are exactly the same.

I've redacted host & domain & IP but maintained case.

08/18/21 08:13:43 HANDSHAKE: in handshake(my_methods = 'KERBEROS')
08/18/21 08:13:43 HANDSHAKE: handshake() - i am the client
08/18/21 08:13:43 HANDSHAKE: sending (methods == 64) to server
08/18/21 08:13:43 HANDSHAKE: server replied (method = 64)
08/18/21 08:13:43 KERBEROS: get remote server principal for "host/server.dom.ain.edu"
08/18/21 08:13:43 KERBEROS: krb5_unparse_name: host/server.dom.ain.edu@xxxxxxxxxxx
08/18/21 08:13:43 KERBEROS: no user yet determined, will grab up to slash
08/18/21 08:13:43 KERBEROS: picked user: host
08/18/21 08:13:43 KERBEROS: remapping 'host' to 'condor'
08/18/21 08:13:43 Client is condor@xxxxxxxxxxx
08/18/21 08:13:43 init_daemon: client principal is 'host/client.dom.ain.edu@xxxxxxxxxxx'
08/18/21 08:13:43 init_daemon: Using default keytab FILE:/etc/krb5.keytab
08/18/21 08:13:43 init_daemon: Trying to get tgt credential for service host/server.dom.ain.edu@xxxxxxxxxxx
08/18/21 08:13:43 AUTH_ERROR: Client not found in Kerberos database
08/18/21 08:13:43 AUTHENTICATE: method 64 (KERBEROS) failed.
08/18/21 08:13:43 HANDSHAKE: in handshake(my_methods = '')
08/18/21 08:13:43 HANDSHAKE: handshake() - i am the client
08/18/21 08:13:43 HANDSHAKE: sending (methods == 0) to server
08/18/21 08:13:43 HANDSHAKE: server replied (method = 0)
08/18/21 08:13:43 SECMAN: required authentication with collector server.dom.ain.edu failed, so aborting command DC_START_TOKEN_REQUEST.
08/18/21 08:13:43 Failed to request a new token: DAEMON:1:failed to start command for token request with remote daemon at '<[IP-REDACTED]:9618?alias=server.dom.ain.edu>'.|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS|AUTHENTICATE:1004:Failed to authenticate using FS

nomad