Re: [condor-users] kerberos in condor 6.6



Hi,

So, this is a test. This is only a test. I put:

KERBEROS_MAP_FILE = $(RELEASE_DIR)/../condor-admin/Config/condor.kmap

in the main condor_config file, with:

FNAL.GOV = fnal.gov

in the map file.

In maxwell's local config file (maxwell is also the pool manager), I put:

CONDOR_SERVER_PRINCIPAL=e898-condor/e898-condor

In maxwell's /etc/krb5.keytab, we have:

klist -ktef /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ftp/maxwell.fnal.gov@xxxxxxxx
   2 host/maxwell.fnal.gov@xxxxxxxx
   2 e898-condor/e898-condor/maxwell.fnal.gov@xxxxxxxx

I then restarted (not reconfigured) condor.

I can't see any evidence that condor obtained a kerberos ticket: there is
no credentials file in /tmp that I can see, there is nothing in the log,
and there is nothing in the KDC's log. This is with condor v6.6.0. I
started a (vanilla) job on maxwell just in case the principal was obtained
only at job start, and nothing happened. I also put a klist into the job 
script:

klist: No credentials cache file found (ticket cache /tmp/krb5cc_8483)

... which is worrying because I'm not being assigned a unique credentials 
file.

Is there anything I'm missing, or haven't done properly, or is there 
something wrong?

Thanks,
Chris.

On Mon, 3 May 2004, Zachary Miller wrote:

> On Mon, May 03, 2004 at 03:44:46PM -0500, Chris Green wrote:
> > Hi,
> > 
> > Can you tell me how I can tell condor to obtain a particular kerberos 
> > principal? If I make sure, say, that my KDC knows about 
> > e898-condor/e898-condor/maxwell.fnal.gov@xxxxxxxx, and then configure:
> > 
> > CONDOR_SERVER_PRINCIPAL=e898-condor/e898-condor
> > 
> > with 
> > 
> > FNAL.GOV = fnal.gov
> > 
> > in the map file, will this be picked up from /etc/krb5.keytab (which is
> > root-read-only, of course), or do I have to do something else too?
> 
> i think that will work, so i would just try it.  but if you have trouble please
> let me know and we can work out a solution.
> 
> 
> cheers,
> -zach
> 
> Condor Support Information:
> http://www.cs.wisc.edu/condor/condor-support/
> To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
> unsubscribe condor-users <your_email_address>
> 
> 

-- 
Chris Green, MiniBooNE / LANL. Email greenc@xxxxxxxx
Tel: (630) 840-2167. Fax: (630) 840-3867