|Main||EGI.eu operations services||Support||Documentation||Tools||Activities||Performance||Technology||Catch-all Services||Resource Allocation||Security|
|Documentation menu:||Home •||Manuals •||Procedures •||Training •||Other •||Contact ►||For:||VO managers •||Administrators|
Back to Troubleshooting Guide
7 authentication failed
$ glite-wms-job-logging-info -v 2 https://wms206.cern.ch:9000/9NpOfrIxvbgRMp8tYfinSw [...] --- Event: Transfer - Arrived = Wed Oct 29 02:01:24 2008 CET - Dest host = unavailable - Dest instance = /var/glite/logmonitor/CondorG.log/CondorG.1225235393.log - Dest jobid = unavailable - Destination = LRMS - Host = wms206.cern.ch - Reason = 7 authentication failed: GSS Major Status: Authentication Failed GSS Minor Status Error Chain: init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization init_sec_context - Result = FAIL - Source = LogMonitor [...]
There are 2 possibilities:
- The WMS (or RB) could not authenticate the CE.
- The CE could not authenticate or map the user's job proxy.
There can be various causes, either on the WMS (or RB) or on the CE:
- Ensure both nodes have the correct time. Refer to sslv3 alert bad certificate.
- Refer to 530 530 No local mapping for Globus ID for many possible causes.
- To get more information, try to access the server using GridFTP:
edg-gridftp-ls gsiftp://<CE-name>/ uberftp <CE-name> pwd
- Check that the CRLs are up to date (less than 6 hours old) on both nodes.
- Check that the host certificate is still valid:
openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
- Check that the grid-mapfile is up-to-date.
With globus-job-run <CE-name> /bin/hostname you may get an error like this:
GRAM Job submission failed because authentication failed: GSS Major Status: Unexpected Gatekeeper or Service Name GSS Minor Status Error Chain: init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization init_sec_context.c:251: gss_init_sec_context: Mutual authentication failed: The target name (/C=IT/O=ORG/OU=Host/L=INST/CN=server02.domain.net) in the context, and the target name (/CN=host/server01.domain.net) passed to the function do not match (error code 7)
Here the reverse resolution of the host IP address to its name (server01.domain.net) is not equal to what is found in the host certificate (server02.domain.net). In such cases the client side has a bad entry for the server. Check:
- bad caching by nscd or local named process
- DNS configuration.