[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] upgrading from 8.8.x to 9.0.4 - kerberos auth problems



Hi,

Am 18.08.21 um 19:51 schrieb Lee Damon:
After re-reading the HOSTALLOW parts of the upgrade document I ran debug mode on a working 8.8.x host and proved that kerberos isn't being used there. So much for *that* theory. I thought HOSTALLOW_ had been deprecated previously (e.g. were ignored in the config) so was just ignoring them. Turns out they were very much in force.

So, moving on from that as bad data, I see two options:
 Â- go with a kerberos config based on a working 9.0.4 install I have in another lab
 Â- go with theÂIDTOKENS setup

Problem with the first one is I've duplicated it to this lab's setup and am getting the exact same failure.

Problem with the second one is I haven't been able to get it fully automated with puppet. I'm going to see if I can get this working without human intervention but ...

reading that you use Puppet: We are using:
 https://github.com/HEP-Puppet/htcondor
here, which can be used to generate the configuration I cited in my last message. Here's a small excerpt of the authentication-related attributes we set:

 use_kerberos_auth    => true,
 use_cert_map_file    => true,
 cert_map_file_source => "puppet:///modules/${module_name}/...", # Here you have to provide your own file, see mail before.
 use_krb_map_file     => true,
 uid_domain           => 'dom.ain.edu',
 krb_mapfile_entries  => { 'DOM.AIN.EDU' => 'dom.ain.edu' },

The ALLOW_DAEMON rules etc. are created by the module by default.

Cheers and hope this helps,
	Oliver


nomad

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/



--
Oliver Freyermuth
UniversitÃt Bonn
Physikalisches Institut, Raum 1.047
NuÃallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature