Hi, I guess the second one; the first one seems to already exist in the global config settings file.

Another thing: I found that if I use the PASSWORD authentication method in the Condor system, there will always be a credential problem, but if I comment out the following setting in the second file, everything seems well. Could you try that and tell me? I don't know what's wrong. PS: in the old version 7.0.5 the following setting is commented out too.
# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
Good luck!
Tao
Ralph Finch <rgf@xxxxxxx>
Sent by: condor-users-bounces@xxxxxxxxxxx
10/01/2009 06:35 PM
Please reply to: Condor-Users Mail List <condor-users@xxxxxxxxxxx>
To: condor-users@xxxxxxxxxxx
cc:
Subject: [Condor-users] condor_credd setups
Condor 7.2.4
There seem to be different suggested setups for condor_credd in two files
provided in the distribution. Which should actually be used?
In the sample condor_config file in the top level of the zip file,
condor_credd usage is as follows:
##
##--------------------------------------------------------------------
## condor_credd credential managment daemon
##--------------------------------------------------------------------
## Where is the CredD binary installed?
CREDD = $(SBIN)/condor_credd.exe
## When the credd starts up, it can place it's address (IP and port)
## into a file. This way, tools running on the local machine don't
## need an additional "-n host:port" command line option. This
## feature can be turned off by commenting out this setting.
CREDD_ADDRESS_FILE = $(LOG)/.credd_address
## Specify a remote credd server here,
#CREDD_HOST = $(CONDOR_HOST):$(CREDD_PORT)
## CredD startup arguments
## Start the CredD on a well-known port. Uncomment to to simplify
## connecting to a remote CredD. Note: that this interface may change
## in a future release.
CREDD_PORT = 9620
CREDD_ARGS = -p $(CREDD_PORT) -f
## The credential owner submits the credential. This list specififies
## other user who are also permitted to see all credentials. Defaults
## to root on Unix systems, and Administrator on Windows systems.
#CRED_SUPER_USERS =
## Credential storage location. This directory must exist
## prior to starting condor_credd. It is highly recommended to
## restrict access permissions to _only_ the directory owner.
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
## Index file path of saved credentials.
## This file will be automatically created if it does not exist.
#CRED_INDEX_FILE = $(CRED_STORE_DIR)/cred-index
## condor_credd will attempt to refresh credentials when their
## remaining lifespan is less than this value. Units = seconds.
#DEFAULT_CRED_EXPIRE_THRESHOLD = 3600
## condor-credd periodically checks remaining lifespan of stored
## credentials, at this interval.
#CRED_CHECK_INTERVAL = 60
Meanwhile in etc/condor_config.local.credd, the usage is:
######################################################################
##
## condor_config.credd
##
## This is the default local configuration file for the machine
## running the condor_credd. You should copy this file to the
## appropriate location and customize it for your needs.
##
######################################################################
## Note: The following settings will need to be present in your
## global config file:
##
## CREDD_HOST = my-credd.cs.wisc.edu
## STARTER_ALLOW_RUNAS_OWNER = True
## CREDD_CACHE_LOCALLY = True
##
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
## SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
##
## And finally, you'll need to enable CONFIG-level access for all
## machines in the pool so that the pool password can be stored:
##
## ALLOW_CONFIG = Administrator@*
## SEC_CONFIG_NEGOTIATION = REQUIRED
## SEC_CONFIG_AUTHENTICATION = REQUIRED
## SEC_CONFIG_ENCRYPTION = REQUIRED
## SEC_CONFIG_INTEGRITY = REQUIRED
##
## See the "Executing Jobs as the Submitting User" section of the
## Condor manual for further details.
## CREDD_SETTINGS
## CREDD logging settings
## Customize these if you wish.
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_COMMAND
MAX_CREDD_LOG = 50000000
#################################################
## CREDD Expert settings
## Everyting below is for the UBER-KNOWLEDGEABLE only!
## Do not change these unless you know what you do!
#################################################
# Timeout session quickly since we normally only get contacted
# once per starter
SEC_CREDD_SESSION_TIMEOUT = 10
# Set security settings so that full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
# Only honor password fetch requests to the trusted "condor_pool" user
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)
# Require NTSSPI for storing credentials
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI
_______________________________________________
Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/condor-users
The archives can be found at:
https://lists.cs.wisc.edu/archive/condor-users/
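
An added example, not part of the thread and not Condor code: a small Python check that compares a credd local config against the six CREDD.SEC_* values listed in etc/condor_config.local.credd above and reports any that are commented out, changed or missing, so an edit like the one described in the reply shows up in a config review. The function name, status strings and sample text are constructed for illustration; comparing setting names case-insensitively is an assumption.

```python
import re

# Expected values, copied from the etc/condor_config.local.credd listing in the thread.
EXPECTED = {
    "CREDD.SEC_DEFAULT_AUTHENTICATION": "REQUIRED",
    "CREDD.SEC_DEFAULT_ENCRYPTION": "REQUIRED",
    "CREDD.SEC_DEFAULT_INTEGRITY": "REQUIRED",
    "CREDD.SEC_DEFAULT_NEGOTIATION": "REQUIRED",
    "CREDD.SEC_DAEMON_AUTHENTICATION_METHODS": "PASSWORD",
    "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS": "NTSSPI",
}
# Optional leading '#' characters, then NAME = value (spacing around '=' may vary).
ASSIGN = re.compile(r"^\s*(#*)\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

def audit_credd_config(text):
    """Return {setting: 'ok' | 'changed: <value>' | 'commented out' | 'missing'}."""
    active, commented = {}, set()
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # blank line or a comment that is not an assignment
        hashes, name, value = m.group(1), m.group(2).upper(), m.group(3)
        if hashes:
            commented.add(name)
        else:
            active[name] = value  # a later assignment replaces an earlier one
    report = {}
    for name, want in EXPECTED.items():
        if name in active:
            got = [v.strip().upper() for v in active[name].split(",")]
            report[name] = "ok" if got == [want] else "changed: " + active[name]
        elif name in commented:
            report[name] = "commented out"
        else:
            report[name] = "missing"
    return report

# Constructed sample: the shipped security block with one line commented out.
SAMPLE = """\
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
# Require PASSWORD auth for password fetching
#CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI
"""
if __name__ == "__main__":
    for name, status in audit_credd_config(SAMPLE).items():
        print(f"{name}: {status}")
```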