
Re: [HTCondor-users] Condor 8.0.4 & 23.0.4 compatibility



This has turned up a bug in the condor_schedd code, which we will fix for an upcoming release.

As a workaround, you can try setting SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION=False on your submit machine. This will mean that all execution nodes will need to be configured to authenticate and authorize the submit machine and vice versa.

 - Jaime

On Jun 3, 2024, at 6:39 AM, Pascal Schweizer <schweizer@xxxxxxxxxxxxxxx> wrote:

Hi Jaime
 
Thanks for the suggestion. I added the setting to the global condor.conf of the XP machine, restarted it and submitted a new job, but nothing changed. We're still getting the same error: "DC_AUTHENTICATE: attempt to open invalid session ...".
 
06/03/24 13:30:41 DC_AUTHENTICATE: received UDP packet from <192.168.1.157:1645>.
06/03/24 13:30:41 DC_AUTHENTICATE: received DC_AUTHENTICATE from <192.168.1.157:1645>
06/03/24 13:30:41 DC_AUTHENTICATE: received following ClassAd:
User = "unauthenticated@unmapped"
AuthMethodsList = "NTSSPI,KERBEROS"
MyRemoteUserName = "unauthenticated@unmapped"
UseSession = "YES"
Integrity = "NO"
CurrentTime = time()
AuthCommand = 427
RemoteVersion = "$CondorVersion: 8.0.4 Oct 19 2013 BuildID: 189770 $"
ServerCommandSock = "<192.168.1.157:1155>"
Subsystem = "KBDD"
Command = 427
SessionDuration = "86400"
Encryption = "NO"
Authentication = "NO"
SessionLease = 3600
ValidCommands = "60002,60003,60011,60014,427"
OutgoingNegotiation = "PREFERRED"
CryptoMethods = "3DES,BLOWFISH"
Enact = "YES"
AuthMethods = "NTSSPI"
Sid = "executor:128:1717413696:1"
06/03/24 13:30:41 DC_AUTHENTICATE: resuming session id executor:128:1717413696:1 with return address <192.168.1.157:1155>:
06/03/24 13:30:41 DC_AUTHENTICATE: Cached Session:
Enact = "YES"
Encryption = "NO"
Integrity = "NO"
AuthMethodsList = "NTSSPI,KERBEROS"
ServerPid = 2864
AuthMethods = "NTSSPI"
Sid = "executor:128:1717413696:1"
Subsystem = "KBDD"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "86400"
SessionLease = 3600
Authentication = "NO"
RemoteVersion = "$CondorVersion: 8.0.4 Oct 19 2013 BuildID: 189770 $"
ServerCommandSock = "<192.168.1.157:1155>"
CurrentTime = time()
User = "unauthenticated@unmapped"
ValidCommands = "60002,60003,60011,60014,427"
06/03/24 13:30:41 DC_AUTHENTICATE: Success.
06/03/24 13:30:41 PERMISSION GRANTED to unauthenticated@unmapped from host 192.168.1.157 for command 427 (X_EVENT_NOTIFICATION), access level ALLOW: reason: 
06/03/24 13:30:41 DC_AUTHENTICATE: received DC_AUTHENTICATE from <192.168.1.30:55133>
06/03/24 13:30:41 DC_AUTHENTICATE: received following ClassAd:
Sid = "<192.168.1.157:1222>#1717413607#1"
RemoteVersion = "$CondorVersion: 23.0.4 2024-02-08 BuildID: 712251 $"
CryptoMethods = "AES"
UseSession = "YES"
ServerCommandSock = "<192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_6028_e840>"
ResumeResponse = false
Nonce = "+r15r8qQxCoUpWMHBWIJtN1f13fXS4cIOwzzysnPTQML"
ConnectSinful = "<192.168.1.157:1222>"
Command = 442
CurrentTime = time()
06/03/24 13:30:41 DC_AUTHENTICATE: attempt to open invalid session <192.168.1.157:1222>#1717413607#1, failing; this session was requested by <192.168.1.30:55133> with return address <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_6028_e840>
06/03/24 13:30:41 SECMAN: command 60014 DC_INVALIDATE_KEY to daemon at <192.168.1.30:9618> from TCP port 1647 (non-blocking, raw).
06/03/24 13:30:41 SECMAN: waiting for TCP connection to daemon at <192.168.1.30:9618>.
06/03/24 13:30:41 SECMAN: resuming command 60014 DC_INVALIDATE_KEY to daemon at <192.168.1.30:9618> from TCP port 1647 (non-blocking, raw).
06/03/24 13:30:41 SECMAN: no cached key for {<192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_6028_e840>,<60014>}.
06/03/24 13:30:41 SECMAN: Security Policy:
NewSession = "YES"
SessionDuration = "86400"
ServerPid = 128
Enact = "NO"
OutgoingNegotiation = "NEVER"
ParentUniqueID = "executor:1244:1717413606"
Encryption = "NEVER"
SessionLease = 3600
Authentication = "NEVER"
Integrity = "NEVER"
AuthMethods = "NTSSPI,KERBEROS"
Subsystem = "STARTD"
CryptoMethods = "3DES,BLOWFISH"
CurrentTime = time()
06/03/24 13:30:41 SECMAN: not negotiating, just sending command (60014)
06/03/24 13:30:41 Authorizing server 'unauthenticated@unmapped/192.168.1.30'.
06/03/24 13:30:41 Completed DC_INVALIDATE_KEY to daemon at <192.168.1.30:9618>
 
Regards,
Pascal
 
From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: Friday, 31 May 2024 22:45
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Pascal Schweizer <schweizer@xxxxxxxxxxxxxxx>
Subject: Re: [HTCondor-users] Condor 8.0.4 & 23.0.4 compatibility
 
There are some strange things going on with the pre-negotiated security session during schedd's attempt to start a job on this machine.
Try setting this on your old XP machine:
 
SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = False
 
That will side-step the current failure indicated in the log.
 
 - Jaime


On May 27, 2024, at 4:37 AM, Pascal Schweizer via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
 
Hi Joe
 
I set STARTD_DEBUG = D_SECURITY:2, restarted condor and submitted a new job for that executor.
I attached the StartLog from when condor was restarted + ~3min.
 
Regards,
Pascal
 
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Joe Reuss via HTCondor-users
Sent: Thursday, 23 May 2024 23:21
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Joe Reuss <jrreuss@xxxxxxxx>
Subject: Re: [HTCondor-users] Condor 8.0.4 & 23.0.4 compatibility
 
Hi Pascal,
 
Can you set D_SECURITY:2 for STARTD_DEBUG and send us the Start log for that and we can get a lot more information on what is happening. It seems like some security issues are happening with this large of a version difference.
 
Thanks,
Joe Reuss

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Pascal Schweizer via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Wednesday, May 22, 2024 4:40 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Cc: Pascal Schweizer <schweizer@xxxxxxxxxxxxxxx>
Subject: [HTCondor-users] Condor 8.0.4 & 23.0.4 compatibility
 
Hi
 
We have a submitter node running Condor 23.0.4 and are trying to run jobs on an old Windows XP machine running Condor 8.0.4 (please don't ask why).
We're using 8.0.4 because that's the most recent binary that we managed to get running on the Windows XP machine. Other executor nodes in the pool are running Condor 8.8 or newer without any problems.
 
Our problem with the 8.0.4 machine is that it's not running any jobs, even though they match. The machine is listed when using condor_status and commands like condor_restart also work. But when submitting a job for that specific machine, it doesn't get picked up.
As a general question: Are Condor 8.0.4 and 23.0.4 compatible and this setup should theoretically work if configured correctly?
 
Here are some logs/errors we see every few minutes (negotiation cycle) after submitting a job for this machine.
It looks like a communication/authentication error. Does anyone know what could be causing those?
Security wise, we're using a very basic config that shouldn't cause any problems:
  use SECURITY : HOST_BASED
  ALLOW_READ = *
  ALLOW_WRITE = *
  ALLOW_ADMINISTRATOR = *
 
--- Executor Logs ---
StartLog:
    DC_AUTHENTICATE: attempt to open invalid session <192.168.1.157:1076>#1716304270#1, failing; this session was requested by <192.168.1.30:64664> with return address <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>
 
NegotiatorLog:
  ---------- Started Negotiation Cycle ----------
  Phase 1:  Obtaining ads from collector ...
    Getting Scheduler, Submitter and Machine ads ...
  condor_read() failed: recv(fd=448) returned -1, errno = 10054 , reading 5 bytes from collector at <192.168.1.30:9618>.
  IO: Failed to read packet header
  Couldn't fetch ads: communication error
  Aborting negotiation cycle
  ---------- Started Negotiation Cycle ----------
  Phase 1:  Obtaining ads from collector ...
    Getting Scheduler, Submitter and Machine ads ...
    Sorting 37 ads ...
    Getting startd private ads ...
  condor_write(): Socket closed when trying to write 87 bytes to collector at <192.168.1.30:9618>, fd is 580
  Buf::write(): condor_write() failed
  Couldn't fetch ads: communication error
  Aborting negotiation cycle
 
--- Submitter Logs ---
SchedLog:
  (pid:6336) Negotiating for owner: a@submitter
  (pid:6336) condor_read(): Socket closed abnormally when trying to read 5 bytes from startd slot1@executor <192.168.1.157:1587> for p, errno=10054
  (pid:6336) Response problem from startd when requesting claim slot1@executor <192.168.1.157:1587> for p 2071.0.
  (pid:6336) Failed to send REQUEST_CLAIM to startd slot1@executor <192.168.1.157:1587> for p: CEDAR:6004:failed reading from socket
  (pid:6336) Match record (slot1@executor <192.168.1.157:1587> for p, 2071.0) deleted
 
NegotiatorLog:
  ---------- Started Negotiation Cycle ----------
  Phase 1:  Obtaining ads from collector ...
  Not considering preemption, therefore constraining idle machines with ifThenElse((State == "Claimed"&&PartitionableSlot=!=true),"Name MyType State Activity StartdIpAddr AccountingGroup Owner RemoteUser Requirements SlotWeight ConcurrencyLimits","") 
    Getting startd private ads ...
    Getting Scheduler, Submitter and Machine ads ...
    Sorting 19 ads ...
  Got ads: 19 public and 17 private
  Public ads include 2 submitter, 17 startd
  Phase 2:  Performing accounting ...
  Phase 3:  Sorting submitter ads by priority ...
  Starting prefetch round; 2 potential prefetches to do.
  Starting prefetch negotiation for p@submitter.
      Got NO_MORE_JOBS;  schedd has no more requests
  Starting prefetch negotiation for a@submitter.
      Got NO_MORE_JOBS;  schedd has no more requests
  Prefetch summary: 2 attempted, 2 successful.
  Phase 4.1:  Negotiating with schedds ...
    Negotiating with p@submitter at <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>
  0 seconds so far for this submitter
  0 seconds so far for this schedd
      Request 02071.00000: autocluster 487 (request count 1 of 15)
        Matched 2071.0 p@submitter <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76> preempting none <192.168.1.157:1587> slot1@executor
        Successfully matched with slot1@executor
      Request 02071.00000: autocluster 487 (request count 2 of 15)
        Rejected 2071.0 p@submitter <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>: no match found
    Negotiating with a@submitter at <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>
  0 seconds so far for this submitter
  0 seconds so far for this schedd
      Reached submitter resource limit: 0.000000 ... stopping               <------- don't think this has anything to do with this problem, but we're not seeing this line for jobs submitted for other nodes and don't know what it means
  Starting prefetch round; 1 potential prefetches to do.
  Starting prefetch negotiation for a@submitter.
      Got NO_MORE_JOBS;  schedd has no more requests
  Prefetch summary: 1 attempted, 1 successful.
  Phase 4.2:  Negotiating with schedds ...
    Negotiating with a@submitter at <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>
  0 seconds so far for this submitter
  0 seconds so far for this schedd
      Request 02069.00624: autocluster 1 (request count 1 of 142)
        Rejected 2069.624 a@submitter <192.168.1.30:9618?addrs=192.168.1.30-9618&alias=submitter&noUDP&sock=schedd_5816_9e76>: no match found
   negotiateWithGroup resources used submitterAds length 0
  ---------- Finished Negotiation Cycle ----------
 
Regards,
Pascal
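
The D_SECURITY StartLog output quoted in this thread can be triaged mechanically. The following is an added example, not code from the thread participants or the HTCondor project: it parses the logged ClassAds, lists session ids whose ad shows no authentication, encryption or integrity, and joins each "invalid session" failure to the requesting peer's version and crypto list. The function names are hypothetical and the sample log is abridged from the lines quoted above.

```python
import re
# Constructed sample: abridged from the StartLog lines quoted in this thread.
SAMPLE_LOG = '''\
06/03/24 13:30:41 DC_AUTHENTICATE: received following ClassAd:
Integrity = "NO"
Encryption = "NO"
Authentication = "NO"
Sid = "executor:128:1717413696:1"
06/03/24 13:30:41 DC_AUTHENTICATE: Success.
06/03/24 13:30:41 DC_AUTHENTICATE: received following ClassAd:
Sid = "<192.168.1.157:1222>#1717413607#1"
RemoteVersion = "$CondorVersion: 23.0.4 2024-02-08 BuildID: 712251 $"
CryptoMethods = "AES"
06/03/24 13:30:41 DC_AUTHENTICATE: attempt to open invalid session <192.168.1.157:1222>#1717413607#1, failing; this session was requested by <192.168.1.30:55133> with return address <192.168.1.30:9618>
'''

TS = re.compile(r'^\d\d/\d\d/\d\d \d\d:\d\d:\d\d (.*)$')
ATTR = re.compile(r'^(\w+) = "?(.*?)"?$')
INVALID = re.compile(r'attempt to open invalid session (\S+), failing; '
                     r'this session was requested by <([^>]+)>')

def parse(log):
    """Return (classads, invalid_session_attempts) found in a StartLog."""
    ads, invalid, cur = [], [], None
    for line in log.splitlines():
        m = TS.match(line)
        if m:                      # a timestamped line closes any open ClassAd
            msg, cur = m.group(1), None
            if msg.endswith(('ClassAd:', 'Cached Session:')):
                cur = {}
                ads.append(cur)
            elif (hit := INVALID.search(msg)):
                invalid.append({'sid': hit.group(1), 'requester': hit.group(2)})
        elif cur is not None and (a := ATTR.match(line.strip())):
            cur[a.group(1)] = a.group(2)
    return ads, invalid

def weak_sessions(ads):
    """Session ids whose logged ad shows no authentication, encryption or integrity."""
    keys = ('Authentication', 'Encryption', 'Integrity')
    return sorted({ad['Sid'] for ad in ads
                   if 'Sid' in ad and all(ad.get(k) == 'NO' for k in keys)})

def explain_invalid(ads, invalid):
    """Attach the requesting peer's version and crypto list to each failure."""
    by_sid = {ad['Sid']: ad for ad in ads if 'Sid' in ad}
    return [{**i, 'peer_version': by_sid.get(i['sid'], {}).get('RemoteVersion'),
             'peer_crypto': by_sid.get(i['sid'], {}).get('CryptoMethods')}
            for i in invalid]
```

Run `parse()` over a StartLog captured with `STARTD_DEBUG = D_SECURITY:2`, the setting used in this thread, then pass the results to the other two functions.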