[Condor-users] condor_credd process issues on windows (Re: [Condor-devel] information regarding ticket 1264)
- Date: Tue, 26 Oct 2010 14:55:55 +0200
- From: Alexandre Fayolle <alexandre.fayolle@xxxxxxxxxx>
- Subject: [Condor-users] condor_credd process issues on windows (Re: [Condor-devel] information regarding ticket 1264)
On Thursday 08 July 2010 10:33:54 Alexandre Fayolle wrote:
> On Wednesday 07 July 2010 18:06:51 Timothy St. Clair wrote:
> > In looking through the handshake your credd is trying to auth with
> > only PASSWORD, but the master is responding with NTSSPI, KERBEROS which
> > is failing authentication b/c there are no matching auth methods.
> >
> > You may want to try changing your condor_config.local file to:
> > CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS="NTSSPI,PASSWORD" and give that
> > a whirl.
>
> This worked indeed. Many thanks. I have a few additional questions and
> suggestions:
Hello,
(For the record, the first part of this thread is available at
https://lists.cs.wisc.edu/archive/condor-devel/2010-July/msg00000.shtml)
I'm coming back on this because the patch suggested has stopped working
recently on our production servers, after some security patches from Microsoft
were installed (I unfortunately don't have the precise list of which patches
were installed, and cannot be sure this is the only thing that changed).
Symptoms: after restarting Condor, condor_credd would not start with the
above line, because it would not connect to condor_master. Hence, jobs with
run_as_owner would not start.
Setting
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
(i.e. without quotes) would enable condor_credd to connect to condor_master,
but then, stopping the service using Windows service manager or net stop
condor would fail to kill condor_credd.
I've given the issue some thought, as well as an in-depth look at the logs
with full debugging log enabled, and found out that, as is mentioned in the
sample condor_config.credd file:
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
## SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
This includes the configuration file of the computer running condor_credd.
Indeed adding that line in the condor_config.local of my central manager fully
solves the issue. The issue is still solved if I revert to
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD
in the same file.
I suggest that the condor_config.credd file includes the
SEC_CLIENT_AUTHENTICATION_METHOD setting by default in future releases of
Condor.
Thanks for your time,
--
Alexandre Fayolle LOGILAB, Paris (France)
Formations Python, CubicWeb, Debian : http://www.logilab.fr/formations
Développement logiciel sur mesure : http://www.logilab.fr/services
Informatique scientifique: http://www.logilab.fr/science
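
Added example (not part of the original message and not Condor code): a small Python check that reads the *AUTHENTICATION_METHODS lines discussed in this thread, flags quoted values, and reports when a configured list shares no method with the list the peer answers with. The parser is a simplification (one KEY = value per line, no macro expansion), the function names are hypothetical, and the sample values are constructed from the settings quoted above.

```python
import re

# Simplified reader (assumption): one "KEY = value" per line, "#" comment lines
# skipped, no macro expansion, last assignment of a key wins.
SETTING = re.compile(r"^\s*([A-Za-z_.]*AUTHENTICATION_METHODS)\s*=\s*(.*?)\s*$")

def parse_auth_methods(config_text):
    """Return {KEY: (methods, warnings)} for each *AUTHENTICATION_METHODS line."""
    settings = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # also skips the "##" lines of the sample config file
        match = SETTING.match(line)
        if not match:
            continue
        key, raw = match.group(1).upper(), match.group(2)
        warnings = []
        if '"' in raw or "'" in raw:
            warnings.append("quoted value")  # the thread saw quotes change behaviour
        methods = [m.strip().upper() for m in raw.strip("\"'").split(",") if m.strip()]
        if not methods:
            warnings.append("empty method list")
        settings[key] = (methods, warnings)
    return settings

def common_methods(offered, accepted):
    """Methods present in both lists, in the order of the first list."""
    return [m for m in offered if m in accepted]

def audit(config_text, key, peer_methods):
    """Findings for one key: quoting/empty warnings and a missing overlap."""
    methods, warnings = parse_auth_methods(config_text).get(key.upper(), ([], ["not set"]))
    findings = list(warnings)
    if methods and not common_methods(methods, peer_methods):
        findings.append("no method in common with peer")
    return findings

# Constructed samples based on the settings quoted in the thread.
PEER = ["NTSSPI", "KERBEROS"]  # what the master answered with, per the quoted reply
CREDD_KEY = "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS"
PASSWORD_ONLY = "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD\n"
QUOTED = 'CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS="NTSSPI,PASSWORD"\n'
FINAL = ("## central manager condor_config.local\n"
         "SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD\n"
         "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD\n")

if __name__ == "__main__":
    print("password-only:", audit(PASSWORD_ONLY, CREDD_KEY, PEER))
    print("quoted:", audit(QUOTED, CREDD_KEY, PEER))
    print("final client list:", audit(FINAL, "SEC_CLIENT_AUTHENTICATION_METHODS", PEER))
```

An empty findings list only means the two lists overlap and the value is unquoted; which key governs a given connection is not modelled here.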