
Re: [condor-users] kerberos in condor 6.6



On Tue, May 04, 2004 at 09:47:42AM -0500, Chris Green wrote:
> Hi,
> 
> So, this is a test. This is only a test. I put:
> 
> KERBEROS_MAP_FILE = $(RELEASE_DIR)/../condor-admin/Config/condor.kmap
> 
> in the main condor_config file, with:
> 
> FNAL.GOV = fnal.gov
> 
> in the map file.
> 
> In maxwell's local config file (maxwell is also the pool manager), I put:
> 
> CONDOR_SERVER_PRINCIPAL=e898-condor/e898-condor

okay, so far so good.


> I can't see any evidence that condor obtained a kerberos ticket: there is
> no credentials file in /tmp that I can see, there is nothing in the log,

there's a couple things to check.

1) did you specifically force condor to use kerberos authentication?  condor
uses a different method (filesystem) by default.  add these lines to your
condor_config:
  SEC_DEFAULT_AUTHENTICATION = REQUIRED
  SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS

2) condor will not show anything in the log unless you turn up the debug
level by adding this line to your condor_config:
  ALL_DEBUG = D_SECURITY


please let me know how that works for you.  and by the way, if something
doesn't work, you will have to manually kill the condor daemons since the
condor_off command won't be able to authenticate you and will thus ignore
your request to turn condor off.  for testing purposes, it's sometimes handy
to actually include filesystem authentication as a backup method like this:
  SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS

then condor will try kerb first and fall back to filesystem if that fails.
once you get your kerb setup working the way you want, you can then remove
FS from the list of allowed methods.


cheers,
-zach
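
The checks from the reply above, as an added example that is not part of the original message or of Condor itself: a small Python audit of condor_config text for the settings zach names. It assumes plain NAME = value lines with case-insensitive names, where a later assignment overrides an earlier one; the function names, finding labels and sample configs are constructed for illustration.

```python
import re

def parse_config(text):
    """Return {NAME: value}. Assumes later assignments override earlier ones."""
    text = re.sub(r"\\\r?\n", " ", text)      # join backslash-continued lines
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        name, sep, value = line.partition("=")
        if sep:
            # Assumption: names are case-insensitive, so normalise to upper case.
            settings[name.strip().upper()] = value.strip()
    return settings

def _items(value):
    """Split a comma- or space-separated value into upper-case tokens."""
    return [t for t in re.split(r"[,\s]+", value.upper()) if t]

def audit(text):
    """Return finding labels (constructed names) for the settings in the thread."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("SEC_DEFAULT_AUTHENTICATION", "").upper() != "REQUIRED":
        findings.append("authentication-not-required")
    methods = _items(cfg.get("SEC_DEFAULT_AUTHENTICATION_METHODS", ""))
    if "KERBEROS" not in methods:
        findings.append("kerberos-not-listed")
    elif methods[0] != "KERBEROS":
        findings.append("kerberos-not-tried-first")
    if "FS" in methods:
        # Fine while testing; the reply says to remove FS once Kerberos works.
        findings.append("fs-fallback-enabled")
    if "D_SECURITY" not in _items(cfg.get("ALL_DEBUG", "")):
        # Informational: without it nothing about authentication is logged.
        findings.append("security-debug-off")
    return findings

# Constructed sample configs.
TESTING = """\
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS
ALL_DEBUG = D_SECURITY
"""
LOCKED_DOWN = TESTING + "sec_default_authentication_methods = KERBEROS\n"

if __name__ == "__main__":
    for name, text in (("testing", TESTING), ("locked down", LOCKED_DOWN), ("empty", "")):
        print(name, audit(text))
```

An empty finding list corresponds to the end state described in the reply: authentication required, Kerberos as the only method, and security debugging on.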
