Tools/Manuals/TS01

From EGIWiki
Jump to: navigation, search
Main EGI.eu operations services Support Documentation Tools Activities Performance Technology Catch-all Services Resource Allocation Security


Documentation menu: Home Manuals Procedures Training Other Contact For: VO managers Administrators



Back to Troubleshooting Guide


7 authentication failed

Full message

$ glite-wms-job-logging-info -v 2 https://wms206.cern.ch:9000/9NpOfrIxvbgRMp8tYfinSw
[...]
---
Event: Transfer
- Arrived                    =    Wed Oct 29 02:01:24 2008 CET
- Dest host                  =    unavailable
- Dest instance              =    /var/glite/logmonitor/CondorG.log/CondorG.1225235393.log
- Dest jobid                 =    unavailable
- Destination                =    LRMS
- Host                       =    wms206.cern.ch
- Reason                     =    7 authentication failed: GSS Major Status:
 Authentication Failed GSS Minor Status Error Chain:  init.c:499:
 globus_gss_assist_init_sec_context_async:
 Error during context initialization init_sec_context
- Result                     =    FAIL
- Source                     =    LogMonitor
[...]

Diagnosis

There are 2 possibilities:

  1. The WMS (or RB) could not authenticate the CE.
  2. The CE could not authenticate or map the user's job proxy.

There can be various causes, either on the WMS (or RB) or on the CE:

 edg-gridftp-ls gsiftp://<CE-name>/
 uberftp <CE-name> pwd
  • Check that the CRLs are up to date (less than 6 hours old) on both nodes.
  • Check that the host certificate is still valid:
 openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
  • Check that the grid-mapfile is up-to-date.

With globus-job-run <CE-name> /bin/hostname you may get an error like this:

GRAM Job submission failed because authentication failed:
GSS Major Status: Unexpected Gatekeeper or Service Name
GSS Minor Status Error Chain:

init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization
init_sec_context.c:251: gss_init_sec_context: Mutual authentication failed: The target name
(/C=IT/O=ORG/OU=Host/L=INST/CN=server02.domain.net) in the context, and the target name
(/CN=host/server01.domain.net) passed to the function do not match (error code 7)


Here the reverse resolution of the host IP address to its name (server01.domain.net) is not equal to what is found in the host certificate (server02.domain.net). In such cases the client side has a bad entry for the server. Check:

  • /etc/hosts
  • bad caching by nscd or local named process
  • DNS configuration.