Bug #6261
Milestone #6351: Release JobSub v0.3.1
Server authentication should not recreate user keytabs. This causes problem when a index roll over happens
Description
Suspicion is that the roll over cause problem.
[rexbatch@fifebatch1 proxies]$ klist -t -k dbox.keytab.blarg Keytab name: FILE:dbox.keytab.blarg KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 92 01/31/14 15:01:36 dbox/batch/fifegrid@FNAL.GOV 98 02/13/14 14:58:54 dbox/batch/fifegrid@FNAL.GOV 103 02/18/14 10:51:29 dbox/batch/fifegrid@FNAL.GOV 105 02/18/14 13:29:25 dbox/batch/fifegrid@FNAL.GOV 106 02/18/14 15:34:18 dbox/batch/fifegrid@FNAL.GOV 107 02/20/14 10:26:04 dbox/batch/fifegrid@FNAL.GOV 110 02/20/14 17:30:18 dbox/batch/fifegrid@FNAL.GOV 113 02/21/14 11:49:12 dbox/batch/fifegrid@FNAL.GOV 137 03/14/14 14:01:43 dbox/batch/fifegrid@FNAL.GOV 138 03/17/14 11:37:34 dbox/batch/fifegrid@FNAL.GOV 139 03/17/14 12:38:08 dbox/batch/fifegrid@FNAL.GOV 141 03/17/14 13:39:29 dbox/batch/fifegrid@FNAL.GOV 142 03/17/14 15:16:41 dbox/batch/fifegrid@FNAL.GOV 143 03/17/14 16:31:56 dbox/batch/fifegrid@FNAL.GOV 145 03/18/14 13:58:44 dbox/batch/fifegrid@FNAL.GOV 150 03/19/14 12:07:43 dbox/batch/fifegrid@FNAL.GOV 151 03/19/14 19:54:55 dbox/batch/fifegrid@FNAL.GOV 152 03/20/14 15:04:28 dbox/batch/fifegrid@FNAL.GOV 153 03/26/14 12:22:08 dbox/batch/fifegrid@FNAL.GOV 154 03/26/14 13:34:38 dbox/batch/fifegrid@FNAL.GOV 155 03/26/14 14:46:21 dbox/batch/fifegrid@FNAL.GOV 156 03/26/14 14:46:33 dbox/batch/fifegrid@FNAL.GOV 163 03/28/14 14:35:08 dbox/batch/fifegrid@FNAL.GOV 181 04/07/14 11:03:14 dbox/batch/fifegrid@FNAL.GOV 182 04/07/14 14:15:49 dbox/batch/fifegrid@FNAL.GOV 183 04/07/14 16:15:32 dbox/batch/fifegrid@FNAL.GOV 184 04/07/14 17:26:45 dbox/batch/fifegrid@FNAL.GOV 187 04/08/14 16:47:26 dbox/batch/fifegrid@FNAL.GOV 216 04/17/14 10:01:12 dbox/batch/fifegrid@FNAL.GOV 218 04/21/14 10:33:29 dbox/batch/fifegrid@FNAL.GOV 226 04/29/14 16:33:43 dbox/batch/fifegrid@FNAL.GOV 1 05/13/14 13:57:55 dbox/batch/fifegrid@FNAL.GOV
Solution is to use the keytab file if exists and if using it fails, try to remove an recreate one before failing and giving auth error.
History
#1 Updated by Parag Mhashilkar over 6 years ago
- Assignee changed from Parag Mhashilkar to Dennis Box
#2 Updated by Dennis Box over 6 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
My original code left the user.keytab alone, not adding new lines to it with kadmin commands. This failed to authenticate for reasons I do not understand. Resolved problem by creating new keytab and replacing old one with it after success. Tested overnight with submissions every 10 minutes.
#3 Updated by Dennis Box over 6 years ago
- Status changed from Closed to Assigned
- Target version changed from v0.3 to v0.3.1
testing revealed that issue was not resolved, but operational load is no worse than before . Operational workaround is to delete the (username).keytab and ask them to resubmit. I have saved off an example of the keytabs which I can use to reproduce the problem and resolve it in the server code.
Dennis
#4 Updated by Parag Mhashilkar over 6 years ago
- Parent task changed from #6025 to #6351
#5 Updated by Dennis Box over 6 years ago
- Status changed from Assigned to Feedback
generating user keytab invalidates users keytab on all the other servers.
Resolution is to generate them in a central place and distribute them along with running auth.py from this branch
#6 Updated by Dennis Box over 6 years ago
- Status changed from Feedback to Resolved
#7 Updated by Parag Mhashilkar over 6 years ago
- Status changed from Resolved to Closed