Mailing Lists: Apple Mailing Lists


Re: [Xgrid] Making Kerberos SSO survive a DNS name change



Hi all,

I edited the /Library/Preferences/edu.mit.Kerberos file on each of the cluster nodes and changed the address for the kdc and admin_server. They can now connect to the controller.

However, when I try to connect to the Xgrid controller via Xgrid Admin I am greeted with the SSO login. My password is accepted (and Kerberos.app in /System/Library/CoreServices says I have a krbtgt ticket), however Xgrid Admin complains that "A connection to the service "****.berkeley.edu" could not be opened due to authentication failure."

My best guess for why this is happening is that sudo klist -k on the controller machine returns a list of principals that list the old host name. That is:

bloom1:~ onsi$ sudo klist -k
Password:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------------ --
3 xgrid/email@hidden
3 xgrid/email@hidden
3 xgrid/email@hidden
3 vpn/email@hidden
3 vpn/email@hidden
3 vpn/email@hidden
3 ipp/email@hidden
3 ipp/email@hidden
3 ipp/email@hidden
3 XMPP/email@hidden
3 XMPP/email@hidden
3 XMPP/email@hidden
3 host/email@hidden
3 host/email@hidden
3 host/email@hidden
3 smtp/email@hidden
3 smtp/email@hidden
3 smtp/email@hidden
3 http/email@hidden
3 http/email@hidden
3 http/email@hidden
3 pop/email@hidden
3 pop/email@hidden
3 pop/email@hidden
3 imap/email@hidden
3 imap/email@hidden
3 imap/email@hidden
3 ftp/email@hidden
3 ftp/email@hidden
3 ftp/email@hidden
3 afpserver/email@hidden
3 afpserver/email@hidden
3 afpserver/email@hidden
3 ldap/email@hidden
3 ldap/email@hidden
3 ldap/email@hidden
3 xgrid/email@hiddenTE
3 xgrid/email@hiddenTE
3 xgrid/email@hiddenTE
3 vpn/email@hiddenTE
3 vpn/email@hiddenTE
3 vpn/email@hiddenTE
3 ipp/email@hiddenTE
3 ipp/email@hiddenTE
3 ipp/email@hiddenTE
3 XMPP/email@hiddenTE
3 XMPP/email@hiddenTE
3 XMPP/email@hiddenTE
3 host/email@hiddenTE
3 host/email@hiddenTE
3 host/email@hiddenTE
3 smtp/email@hiddenTE
3 smtp/email@hiddenTE
3 smtp/email@hiddenTE
3 http/email@hiddenTE
3 http/email@hiddenTE
3 http/email@hiddenTE
3 pop/email@hiddenTE
3 pop/email@hiddenTE
3 pop/email@hiddenTE
3 imap/email@hiddenTE
3 imap/email@hiddenTE
3 imap/email@hiddenTE
3 ftp/email@hiddenTE
3 ftp/email@hiddenTE
3 ftp/email@hiddenTE
3 afpserver/email@hiddenTE
3 afpserver/email@hiddenTE
3 afpserver/email@hiddenTE
3 ldap/email@hiddenTE
3 ldap/email@hiddenTE
3 ldap/email@hiddenTE


My question is:
1. Is this why users can't authenticate and grab an xgrid/ BOOM.CLUSTER.PRIVATE ticket?
2. If so, how do I change all these bloom1.ugastro.berkeley.edu??


The link:
http://lists.apple.com/faq/pub/xgrid_users/index.php?sid=1659&aktion=artikel&rubrik=001&id=15&lang=en

doesn't mention how to make changes to the keytab file.

Thanks,

Onsi
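
An added example, not part of the original message: a shell helper that reads `klist -k` output and lists each keytab principal whose host component differs from the name the server is expected to have now. The host names, realm and sample listing are constructed placeholders, and `stale_principals` and `sample_klist` are hypothetical names.

```shell
#!/bin/sh
# Print each keytab principal (once) whose host part is not the expected FQDN.
# Usage on a real machine: sudo klist -k | stale_principals "$(hostname)"
stale_principals() {
    awk -v want="$1" '
        # Entry lines look like "   3 service/host@REALM"; skip headers and rules.
        $1 ~ /^[0-9]+$/ && $2 ~ /\// {
            split($2, at, "@")        # at[1] = service/host, at[2] = realm
            split(at[1], parts, "/")  # parts[1] = service, parts[2] = host
            # Host names are case-insensitive; keytabs repeat one principal per
            # encryption type, so report each principal a single time.
            if (tolower(parts[2]) != tolower(want) && !seen[$2]++) print $2
        }'
}

# Constructed sample of `klist -k` output (placeholder names, not from the thread).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   3 xgrid/old.example.edu@EXAMPLE.REALM
   3 xgrid/old.example.edu@EXAMPLE.REALM
   3 host/old.example.edu@EXAMPLE.REALM
   4 ldap/new.example.edu@EXAMPLE.REALM
   4 host/NEW.example.edu@EXAMPLE.REALM
EOF
}

# Lists the two principals still bound to the old placeholder name.
sample_klist | stale_principals new.example.edu
```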


On Feb 3, 2006, at 2:00 PM, Ernest Prabhakar wrote:

Hi Onsi,

The current best summary is here:

http://lists.apple.com/faq/pub/xgrid_users/index.php?sid=1659&aktion=artikel&rubrik=001&id=15&lang=en

Hopefully people here can help fill in any items that may appear incomplete or unclear.

-- Ernie P.

On Feb 3, 2006, at 1:09 PM, Onsi Fakhouri wrote:

Hello all,

After an extended period of hair pulling in late October I finally managed to get our Xserve cluster to run Xgrid with Kerberos Single-Sign-On. We've, unfortunately, had to change the dns name of our server: the IP address is the same, but the IP is now bound to a different server name.

As a result, Kerberos is no longer working and the Xgrid agents (our cluster nodes) cannot authenticate with the Xgrid controller (our cluster's head node). Is there a simple way to fix this? A step by step guide would be absolutely wonderful.

In fact, I really think a step by step: do this, then do that, then do that, guide to getting Xgrid to work with Kerberos SSO in the first place would be great. In particular, a command line version of such instructions would be superlatively excellent -- as I've found that the server admin GUI doesn't always seem to do what I (or the documentation, for that matter) expect it to do.

Thanks,

Onsi
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xgrid-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xgrid-users/prabhaka%40apple.com


This email sent to email@hidden


References: 
 >[Xgrid] Making Kerberos SSO survive a DNS name change (From: Onsi Fakhouri <email@hidden>)
 >Re: [Xgrid] Making Kerberos SSO survive a DNS name change (From: Ernest Prabhakar <email@hidden>)


