
Re: [condor-users] kerberos in condor 6.6



On Tue, May 04, 2004 at 01:23:19PM -0500, Chris Green wrote:
> Hi,
> 
> So, the maxwell.local configuration now has:
> 
> CONDOR_SERVER_PRINCIPAL = e898-condor/e898-condor
> SEC_DEFAULT_AUTHENTICATION = REQUIRED
> SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS
> ALL_DEBUG = $(ALL_DEBUG) D_SECURITY

cool.

> in addition to the setup already described. Things pretty much croak a
> few seconds after restarting.

not cool. :(

> MasterLog says:
> 
> 5/4 13:14:51 The SCHEDD (pid 28185) died due to signal 11
> 
> SchedLog says:
> 
> 5/4 13:14:51 Failed to build server principal
> 
> Help!

okay, at a quick glance it seems there are really two issues at heart here:

1) it seems the 6.6.X series does not support well the constructing of
arbitrary principals.  it was originally designed to use a service principal
like host/hostname@REALM or condor/hostname@REALM.  this is lame and has
already been fixed in a development branch.  you should see this feature
available in 6.7.1.

2) the 6.6.X series does not handle the failure case properly either and dies
instead of continuing on with the next authentication method.  this will be
fixed in 6.6.6.

i will investigate further myself and let you know if i am wrong in my above
analysis.  thanks for your help and patience in trying it out.

in the meantime, we can try to work around the problem.  why don't you email
me off list and we can discuss your security policy and constraints and find
a solution for you.


cheers,
-zach
