
Re: [condor-users] kerberos in condor 6.6



Hi,

So, the maxwell.local configuration now has:

CONDOR_SERVER_PRINCIPAL = e898-condor/e898-condor
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS
ALL_DEBUG = $(ALL_DEBUG) D_SECURITY

in addition to the setup already described. Things pretty much croak a
few seconds after restarting. MasterLog says:

5/4 13:14:51 KEYCACHE: created: 8283558
5/4 13:14:51 ******************************************************
5/4 13:14:51 ** condor_master (CONDOR_MASTER) STARTING UP
5/4 13:14:51 ** $CondorVersion: 6.6.0 Nov 13 2003 $
5/4 13:14:51 ** $CondorPlatform: INTEL-LINUX-GLIBC22 $
5/4 13:14:51 ** PID = 28177
5/4 13:14:51 ******************************************************
5/4 13:14:51 Using config file: /home/condor/condor_config
5/4 13:14:51 Using local config files: /afs/fnal.gov/files/code/e898/code/14/condor/../condor-admin/Config/Local/maxwell.local
5/4 13:14:51 DaemonCore: Command Socket at <131.225.54.225:57250>
5/4 13:14:51 KEYCACHE: created: 8283558
5/4 13:14:51 Started DaemonCore process "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_collector", pid and pgroup = 28181
5/4 13:14:51 Started DaemonCore process "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_negotiator", pid and pgroup = 28182
5/4 13:14:51 Started DaemonCore process "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_startd", pid and pgroup = 28183
5/4 13:14:51 Started DaemonCore process "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_schedd", pid and pgroup = 28185
5/4 13:14:51 The SCHEDD (pid 28185) died due to signal 11
5/4 13:14:51 Sending obituary for "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_schedd"
5/4 13:14:51 restarting /afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_schedd in 10 seconds
5/4 13:14:51 STARTCOMMAND: starting 2 to <131.225.54.225:9618> on UDP port 35309.
5/4 13:14:51 SECMAN: command 2 to <131.225.54.225:9618> on UDP port 35309.
5/4 13:14:51 getDefCryptoMeth -> 3DES,BLOWFISH
5/4 13:14:51 ad->Insert(OutgoingNegotiation="REQUIRED")
5/4 13:14:51 SECMAN: command 60010 to <131.225.54.225:9618> on TCP port 57255.
5/4 13:14:51 getDefCryptoMeth -> 3DES,BLOWFISH
5/4 13:14:51 ad->Insert(OutgoingNegotiation="REQUIRED")
5/4 13:14:51 SECMAN: Command=60010
5/4 13:14:51 SECMAN: AuthCommand=2
5/4 13:14:51 SECMAN: Auth methods: KERBEROS,FS
5/4 13:14:51 HANDSHAKE: in handshake(my_methods = 'KERBEROS,FS')
5/4 13:14:51 HANDSHAKE: handshake() - i am the client
5/4 13:14:51 HANDSHAKE: sending (methods == 68) to server
5/4 13:14:51 HANDSHAKE: server replied (method = 64)
5/4 13:14:51 Failed to build server principal

SchedLog says:

5/4 13:14:51 KEYCACHE: created: 832f0d0
5/4 13:14:51 ******************************************************
5/4 13:14:51 ** condor_schedd (CONDOR_SCHEDD) STARTING UP
5/4 13:14:51 ** $CondorVersion: 6.6.0 Nov 13 2003 $
5/4 13:14:51 ** $CondorPlatform: INTEL-LINUX-GLIBC22 $
5/4 13:14:51 ** PID = 28185
5/4 13:14:51 ******************************************************
5/4 13:14:51 Using config file: /home/condor/condor_config
5/4 13:14:51 Using local config files: /afs/fnal.gov/files/code/e898/code/14/condor/../condor-admin/Config/Local/maxwell.local
5/4 13:14:51 DaemonCore: Command Socket at <131.225.54.225:57252>
5/4 13:14:51 KEYCACHE: created: 832f0d0
5/4 13:14:51 "/afs/fnal.gov/files/code/e898/code/14/condor/sbin/condor_shadow.pvm -classad" did not produce any output, ignoring
5/4 13:14:51 STARTCOMMAND: starting 1 to <131.225.54.225:9618> on UDP port 35307.
5/4 13:14:51 SECMAN: command 1 to <131.225.54.225:9618> on UDP port 35307.
5/4 13:14:51 getDefCryptoMeth -> 3DES,BLOWFISH
5/4 13:14:51 ad->Insert(OutgoingNegotiation="REQUIRED")
5/4 13:14:51 SECMAN: command 60010 to <131.225.54.225:9618> on TCP port 57254.
5/4 13:14:51 getDefCryptoMeth -> 3DES,BLOWFISH
5/4 13:14:51 ad->Insert(OutgoingNegotiation="REQUIRED")
5/4 13:14:51 SECMAN: Command=60010
5/4 13:14:51 SECMAN: AuthCommand=1
5/4 13:14:51 SECMAN: Auth methods: KERBEROS,FS
5/4 13:14:51 HANDSHAKE: in handshake(my_methods = 'KERBEROS,FS')
5/4 13:14:51 HANDSHAKE: handshake() - i am the client
5/4 13:14:51 HANDSHAKE: sending (methods == 68) to server
5/4 13:14:51 HANDSHAKE: server replied (method = 64)
5/4 13:14:51 Failed to build server principal

Help!

Note that the "system" keytab /etc/krb5.keytab is the one that contains
the correct key:

# ls -l /etc/krb5.keytab
-rw-------    1 root     root          204 May  4 09:12 /etc/krb5.keytab
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ftp/maxwell.fnal.gov@xxxxxxxx
   2 host/maxwell.fnal.gov@xxxxxxxx
   2 e898-condor/e898-condor/maxwell.fnal.gov@xxxxxxxx

Note also that there are *two* kinit, klist, etc. suites on this system
(a Fermilab peculiarity, I'm afraid), with the one that actually works
being in /usr/krb5/bin/. Although this should be in the path first
provided /etc/profile.d script fragments are sourced, it would help to
know which one was being called.

Thanks for your help,
Chris.

On Tue, 4 May 2004, Zachary Miller wrote:

> On Tue, May 04, 2004 at 09:47:42AM -0500, Chris Green wrote:
> > Hi,
> > 
> > So, this is a test. This is only a test. I put:
> > 
> > KERBEROS_MAP_FILE = $(RELEASE_DIR)/../condor-admin/Config/condor.kmap
> > 
> > in the main condor_config file, with:
> > 
> > FNAL.GOV = fnal.gov
> > 
> > in the map file.
> > 
> > In maxwell's local config file (maxwell is also the pool manager), I put:
> > 
> > CONDOR_SERVER_PRINCIPAL=e898-condor/e898-condor
> 
> okay, so far so good.
> 
> 
> > I can't see any evidence that condor obtained a kerberos ticket: there is
> > no credentials file in /tmp that I can see, there is nothing in the log,
> 
> there's a couple things to check.
> 
> 1) did you specifically force condor to use kerberos authentication?  condor
> uses a different method (filesystem) by default.  add these lines to your
> condor_config:
>   SEC_DEFAULT_AUTHENTICATION = REQUIRED
>   SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
> 
> 2) condor will not show anything in the log unless you turn up the debug
> level by adding this line to your condor_config:
>   ALL_DEBUG = D_SECURITY
> 
> 
> please let me know how that works for you.  and by the way, if something
> doesn't work, you will have to manually kill the condor daemons since the
> condor_off command won't be able to authenticate you and will thus ignore
> your request to turn condor off.  for testing purposes, it's sometimes handy
> to actually include filesystem authentication as a backup method like this:
>   SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS
> 
> then condor will try kerb first and fall back to filesystem if that fails.
> once you get your kerb setup working the way you want, you can then remove
> FS from the list of allowed methods.
> 
> 
> cheers,
> -zach
> 

-- 
Chris Green, MiniBooNE / LANL. Email greenc@xxxxxxxx
Tel: (630) 840-2167. Fax: (630) 840-3867
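As an added example (not from this thread and not Condor's own code), a small check for the keytab question raised above: it builds the principal the daemon is assumed to ask for, in the `CONDOR_SERVER_PRINCIPAL/fqdn@REALM` shape of the entry shown in the keytab listing, verifies it against `klist -k` output, and reports which `klist` binary is first on the PATH. The principal form is an assumption inferred from the listing, and the sample listing (realm filled in from the map file's FNAL.GOV entry) is constructed.

```python
"""Check that a Condor host's keytab holds the service principal its daemons
will present. Added example; the principal form below is an assumption taken
from the shape of the keytab entry in the thread, not from Condor's source."""
import re
import shutil

# Constructed sample of `klist -k /etc/krb5.keytab` output, mirroring the
# thread's listing with the realm taken from the map file (FNAL.GOV).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ftp/maxwell.fnal.gov@FNAL.GOV
   2 host/maxwell.fnal.gov@FNAL.GOV
   2 e898-condor/e898-condor/maxwell.fnal.gov@FNAL.GOV
"""


def expected_principal(server_principal, fqdn, realm):
    """Principal a daemon on `fqdn` is assumed to present:
    <CONDOR_SERVER_PRINCIPAL>/<fqdn>@<REALM>."""
    return "%s/%s@%s" % (server_principal, fqdn, realm)


def parse_klist(output):
    """Return {principal: kvno} for each entry line of `klist -k` output;
    header and separator lines carry no leading KVNO and are skipped."""
    entries = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def keytab_has_principal(output, principal):
    """True when the listing contains `principal` exactly (case-sensitive)."""
    return principal in parse_klist(output)


def which_krb_tool(name, path=None):
    """First `name` found on PATH (or on `path`): shows which klist/kinit
    suite is actually invoked when two are installed, as on this host."""
    return shutil.which(name, path=path)


if __name__ == "__main__":
    want = expected_principal("e898-condor/e898-condor", "maxwell.fnal.gov", "FNAL.GOV")
    print("expected principal:", want)
    print("present in keytab:", keytab_has_principal(SAMPLE_KLIST, want))
    print("klist resolves to:", which_krb_tool("klist"))
```

Run it against the live keytab by replacing SAMPLE_KLIST with the real `klist -k` output; the keytab must also be readable by the uid the daemons run as.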

Condor Support Information:
http://www.cs.wisc.edu/condor/condor-support/
To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
unsubscribe condor-users <your_email_address>