[torquedev] Re: [torqueusers] host not authorized

Brock Palen brockp at umich.edu
Wed Apr 30 09:17:36 MDT 2008


On Apr 29, 2008, at 4:50 PM, Sergio Gelato wrote:

> * Brock Palen [2008-04-28 15:03:42 -0400]:
>> Thanks,
>> I backed up to r1987  which is back to 2.3 days.
>>
>> I am now getting a new error that we never used to get.  I will dig
>> more to find what is going on but maybe someone has seen this before:
>>
>> 04/28/2008 14:21:10;0080;PBS_Server;Svr;req_quejob;saving creds.
>> conn is 10, creds (nil), princ (null)
>
> It looks like you didn't authenticate using GSS at all:
> svr_conn[preq->rq_conn].principal is NULL.

I thought this was strange my self.  I was not getting this error the  
day before with a newer build.  When I tried to move back to that  
build, the problem persisted.

>
>> 04/28/2008 14:21:10;0080;PBS_Server;Req;req_reject;Reject reply
>> code=15018(Unknown queue MSG=cannot save creds), aux=0,
>> type=QueueJob, from brockp at gridlock.engin.umich.edu
>
> Question: how would you like TORQUE to handle the case of
> non-GSS authentication/non-forwarded credentials at your site?
> The code as it stands will always reject the job when that happens;
> if you want it to continue anyway (maybe that's acceptable in your
> environment) then someone will have to code up that behaviour.

Not for this grid.  Users of this system only have access to an AFS  
space which holds their home space.  So this cluster should be rejected.

On the other hand our production cluster, we have afs only on the  
login nodes and users must use lustre/nfs for files in batch.  It  
would be nice that if they have a principle to take it along such  
that if they wish to use /afs they could.  But warned otherwise.

In any case we need to get this working before we explore such ideas.

I am not sure where to look why torque is not picking up my principle,
klist shows i have tickets and tokens.

kinit brockp at UMICH.EDU
aklog UMICH.EDU
qsub test.pbs

and the error appears.

Thanks.

>
>> This is very much a GSSAPI branch problem.
>
> Yes.
>
> I'm attaching a completely untested patch (I hope it compiles) that
> tries to address some of the problems at hand:
> 1) don't try to save credentials if the principal is NULL;
> 2) emit a more helpful error message if no forwarded credentials are
>    available;
> 3) add a missing return statement after a call to req_reject().
> As the FIXME comment indicates, there is room for further work.
>
>> Thanks,
>>
>> Brock Palen
>> www.umich.edu/~brockp
>> Center for Advanced Computing
>> brockp at umich.edu
>> (734)936-1985
>>
>>
>>
>> On Apr 28, 2008, at 12:54 PM, Glen Beane wrote:
>>
>>>
>>>
>>> On Mon, Apr 28, 2008 at 12:50 PM, Brock Palen <brockp at umich.edu>
>>> wrote:
>>> Steve,
>>> What Trunk was this introduced at?  I did a fresh checkout of the
>>> GSSAPI branch today, and its last merged trunk was: trunk at 2021
>>>
>>>
>>> I think the problem was introduced with revision 2014
>>
>> <gssapi-req_queuejob-1.patch>



More information about the torquedev mailing list