
[condor-users] More condor / kerberos trouble.



Hi,

So I'm still trying to move forward on getting our condor cluster kerberos-aware, and I've run into a troubling problem.

The relevant lines of my condor_config are:

CONDOR_SERVER_PRINCIPAL = host
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS, FS

In addition to our normal accounts on the condor cluster, which are kerberos-authenticated and have matching AFS principals (e.g. greenc@xxxxxxxx -> greenc), we have a couple of service accounts which are not directly related to kerberos principals. People log into this account, e898, based on the .k5login file, and will need to submit jobs as the e898 user. Unfortunately, with the above configuration in effect, we get:

clark.fnal.gov> $BOONE_CONDOR/bin/real/condor_submit sleep.sh_20040524_100217_1.cmd
Submitting job(s)
ERROR: Failed to set Owner="e898" for job 10384.0

ERROR: Failed to queue job.

From the log, we get:

5/24 10:11:23 Reading request object
5/24 10:11:23 SetAttribute security violation: setting owner to "e898" when active owner is "greenc"
5/24 10:11:45 Activity on stashed negotiator socket
5/24 10:11:45 Socket activated, but could not read command
5/24 10:11:45 (Negotiator probably invalidated cached socket)

Useful information:

<kingery.fnal.gov> whoami
e898
<kingery.fnal.gov> klist -f
Ticket cache: /tmp/krb5cc_3557_t4uz1n
Default principal: greenc@xxxxxxxx

Valid starting     Expires            Service principal
05/24/04 10:48:42  05/25/04 10:37:24  krbtgt/FNAL.GOV@xxxxxxxx
        renew until 05/25/04 12:24:04, Flags: FfPRA
05/24/04 10:48:42  05/25/04 10:37:24  afs@xxxxxxxx
        renew until 05/25/04 12:24:04, Flags: FfPRA
05/24/04 10:48:47  05/25/04 10:37:24  host/cdcvs0.fnal.gov@xxxxxxxx
        renew until 05/25/04 12:24:04, Flags: FfPRA
<kingery.fnal.gov> tokens

Tokens held by the Cache Manager:

User's (AFS ID 8483) tokens for afs@xxxxxxxx [Expires May 25 14:00]
   --End of list--

Given that we need to move to kerberos authentication to allow Condor jobs to access other machines, what is the best way to proceed? Prior to submitting the job, the user can, if required, obtain a machine principal of the type e898/e898/machine.fnal.gov@xxxxxxxx, but it's unclear what Condor would do with this.

I'd be grateful for any help. Let me know if I can provide any other information on or off-list.

Thanks for your time,
Chris.

--
Chris Green, MiniBooNE / LANL. Email greenc@xxxxxxxx
Tel: (630) 840-2167. Fax: (630) 840-3867
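The log line above shows the schedd taking the job owner from the authenticated Kerberos identity (greenc) rather than from the Unix user running condor_submit (e898). The following is an added illustration, not Condor's code: a simplified model of that check, with a hypothetical principal-to-owner map (the map syntax and realm names are assumptions, and the klist text is a constructed sample based on the post).

```python
import re

# Constructed sample of the klist output shown in the post; realm is a placeholder.
KLIST_OUTPUT = """Ticket cache: /tmp/krb5cc_3557_t4uz1n
Default principal: greenc@EXAMPLE.REALM
"""

# Hypothetical map: principal -> local owner. Not Condor's real map-file syntax;
# an assumption used only to illustrate an explicit mapping for a service account.
MAP_TEXT = """
# principal                                        owner
greenc@EXAMPLE.REALM                               greenc
e898/e898/machine.example.org@EXAMPLE.REALM        e898
"""

def default_principal(klist_text):
    """Extract the 'Default principal:' line from klist output."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_text, re.M)
    if not m:
        raise ValueError("no default principal found in klist output")
    return m.group(1)

def load_map(text):
    """Parse the two-column map, skipping blank lines and '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        principal, owner = line.split()
        mapping[principal] = owner
    return mapping

def active_owner(principal, mapping):
    """Explicit map entry wins; otherwise strip the realm (user@REALM -> user)."""
    return mapping.get(principal, principal.split("@", 1)[0])

def check_set_owner(principal, requested_owner, mapping):
    """Model of the schedd's SetAttribute owner check: (allowed, message)."""
    owner = active_owner(principal, mapping)
    if requested_owner != owner:
        return (False, 'SetAttribute security violation: setting owner to "%s" '
                       'when active owner is "%s"' % (requested_owner, owner))
    return (True, 'owner "%s" accepted' % owner)

if __name__ == "__main__":
    mapping = load_map(MAP_TEXT)
    # Ticket belongs to greenc, process runs as e898: refused, as in the post.
    print(check_set_owner(default_principal(KLIST_OUTPUT), "e898", mapping)[1])
    # A ticket for the service principal itself would map to e898 and be accepted.
    print(check_set_owner("e898/e898/machine.example.org@EXAMPLE.REALM", "e898", mapping)[1])
```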