
Re: [HTCondor-users] Trouble with authentication on Windows after upgrade from 8.9 to 25.11



Because the Windows OS does not honor our IDTOKEN authentication, you still need to store the username and password for every Windows user that wants to submit jobs to a Windows schedd. This is one of the uses of condor_store_cred.

To store a Windows user credential, each user must run "condor_store_cred add" on a Windows machine that is running a Schedd (or Windows CREDD).

Are you running condor_submit on a Windows machine or on a Linux machine?

Only the Windows version of condor_submit should ask you to run condor_store_cred first.

When a user runs condor_store_cred to store the Windows credential, it should look like this (CRAN8 is my NT domain name):

C:\Users\johnkn>condor_store_cred add
Account: johnkn@CRAN8
CredType: password
Enter password:
Operation succeeded.
---------------------------------------------------

You can run this with -debug to get logging about what command is being sent and to which daemon. Try this command:


condor_store_cred -debug:D_HOSTNAME add


This will log the command that is being sent and which condor daemon it is being sent to. You are looking for
STORE_CRED: In mode 100 'add', user is "username@NTDOMAIN"
and a bunch of messages about locating the address of the schedd. Most likely you will see
Finding classad for local daemon, SCHEDD_DAEMON_AD_FILE is "C:\condor\spool/.schedd_classad"
but any method that gives you the address of the schedd is OK here.

-tj


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of APEL Martin via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Wednesday, June 17, 2026 5:17 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Cc: APEL Martin <Martin.APEL@xxxxxxx>
Subject: [HTCondor-users] Trouble with authentication on Windows after upgrade from 8.9 to 25.11


We have recently upgraded our HTCondor cluster from 8.9 to 25.11. The cluster contains Linux as well as Windows machines. All authentication and authorization is configured to use IDTOKENS, which works fine under Linux. However, when using the same approach on Windows, any submissions fail and tell me that I need to use condor_store_cred.

When I run condor_store_cred add I get an error ‘Operation failed because it is not allowed’ after entering the password.

SchedLog contains entries such as

06/17/26 11:58:38 (pid:25592) WARNING: store_cred() for user user@domain attempted by user condor, rejecting

I have to add that the DNS domain is not identical to the Windows domain name. I have tried adding both domains to the ‘ALLOW_*’ configurations, I have tried enabling PASSWORD authentication, but nothing seems to help. I have a token for user@winDomain in my tokens.d directory, which allows me to run e.g. condor_status. I tried the same with a token for user@dnsdomain, condor_status works here as well.

But condor_store_cred continues to fail in all these cases.

 

Any help would be very much appreciated.

 

Martin
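
Added example, not part of the original messages and not HTCondor's own code: a small Python triage script that pulls the store_cred() rejection warnings quoted above out of a SchedLog and shows, for each one, which identity the credential was for and which identity the schedd reports as making the request. The function names, the case-insensitive comparison and the second sample line are assumptions made for illustration; only the first sample line comes from the thread.

```python
import re
from collections import Counter

# Matches the SchedLog warning exactly as quoted in the thread.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \(pid:(?P<pid>\d+)\) "
    r"WARNING: store_cred\(\) for user (?P<target>\S+) "
    r"attempted by user (?P<requester>\S+), rejecting\s*$"
)

def split_identity(ident):
    """Split 'user@domain' into (user, domain); domain is '' when absent.
    Lower-casing is an assumption (Windows account names ignore case)."""
    user, _, domain = ident.partition("@")
    return user.lower(), domain.lower()

def classify(target, requester):
    """Say how the requesting identity differs from the credential owner."""
    t_user, t_dom = split_identity(target)
    r_user, r_dom = split_identity(requester)
    if t_user != r_user:
        return "different-user"      # e.g. the request arrived as 'condor'
    if t_dom != r_dom:
        return "domain-mismatch"     # e.g. NT domain vs. DNS domain
    return "same-identity"

def summarize_rejections(lines):
    """Count rejections per (target, requester, classification)."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            t, r = m["target"], m["requester"]
            counts[(t, r, classify(t, r))] += 1
    return counts

# Constructed sample input. Line 1 is the warning from the thread; the
# others are made up to exercise the other code paths.
SAMPLE = [
    "06/17/26 11:58:38 (pid:25592) WARNING: store_cred() for user user@domain attempted by user condor, rejecting",
    "06/17/26 11:59:02 (pid:25592) WARNING: store_cred() for user alice@WINDOM attempted by user alice@dns.example, rejecting",
    "06/17/26 11:59:10 (pid:25592) unrelated log line",
]

if __name__ == "__main__":
    for (target, requester, kind), n in summarize_rejections(SAMPLE).items():
        print(f"{n}x  for={target}  by={requester}  -> {kind}")
```

Running it over the real SchedLog makes it easy to see whether every rejected request is reaching the schedd under the same unexpected identity.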
