All,

We have Condor installed on a group of Windows PCs. condor_status reports all PCs in the pool fine. The credd pool password has been entered on each node and on the pool controller.

    condor_store_cred -u user.name@global query

reports valid credentials stored for all our users (and as these have been entered on one machine and report successfully on all, the central cred store is clearly operating).

Jobs can be submitted fine and appear in the queue, but don't run. The shadow log below shows authentication errors. Shadow log and config extracts below.

Any help/advice greatly appreciated.

Alasdair

#
#Shadow log shows:
#
03/19/12 17:27:51 Locale: English_United States.1252
03/19/12 17:27:51 Setting maximum accepts per cycle 4.
03/19/12 17:27:51 ******************************************************
03/19/12 17:27:51 ** condor_shadow (CONDOR_SHADOW) STARTING UP
03/19/12 17:27:51 ** C:\condor\bin\condor_shadow.exe
03/19/12 17:27:51 ** SubsystemInfo: name=SHADOW type=SHADOW(6) class=DAEMON(1)
03/19/12 17:27:51 ** Configuration: subsystem:SHADOW local:<NONE> class:DAEMON
03/19/12 17:27:51 ** $CondorVersion: 7.6.0 Apr 16 2011 BuildID: 327460 $
03/19/12 17:27:51 ** $CondorPlatform: x86_winnt_5.1 $
03/19/12 17:27:51 ** PID = 5032
03/19/12 17:27:51 ** Log last touched 3/19 17:27:51
03/19/12 17:27:51 ******************************************************
03/19/12 17:27:51 Using config source: C:\condor\condor_config
03/19/12 17:27:51 Using local config sources:
03/19/12 17:27:51    C:\condor/condor_config.local
03/19/12 17:27:51 DaemonCore: command socket at <10.131.0.13:64305>
03/19/12 17:27:51 DaemonCore: private command socket at <10.131.0.13:64305>
03/19/12 17:27:51 Setting maximum accepts per cycle 4.
03/19/12 17:27:51 Initializing a VANILLA shadow for job 43.0
03/19/12 17:28:02 (43.0) (5032): condor_read(): timeout reading 5 bytes from credd glwnts04.global.arup.com:9620.
03/19/12 17:28:02 (43.0) (5032): IO: Failed to read packet header
03/19/12 17:28:02 (43.0) (5032): AUTHENTICATE: handshake failed!
03/19/12 17:28:02 (43.0) (5032): SECMAN: required authentication with credd glwnts04.global.arup.com:9620 failed, so aborting command command 81099.
03/19/12 17:28:02 (43.0) (5032): ERROR: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
03/19/12 17:28:02 (43.0) (5032): ERROR: Could not locate valid credential for user 'nathan.roberts@GLOBAL'
03/19/12 17:28:02 (43.0) (5032): WriteUserLog::initialize: init_user_ids() failed!
03/19/12 17:28:02 (43.0) (5032): ERROR "Failed to initialize user log to C:\condor_test\access\access\access.log.txt" at line 777 in file c:\condor\execute\dir_4052\userdir\src\condor_shadow.v6.1\baseshadow.cpp

#
#Config on pool controller (GLWNTS04):
#
STARTER_ALLOW_RUNAS_OWNER = TRUE
##
##--------------------------------------------------------------------
## condor_credd credential managment daemon
##--------------------------------------------------------------------
## Where is the CredD binary installed?
CREDD = $(SBIN)/condor_credd.exe
## When the credd starts up, it can place it's address (IP and port)
## into a file. This way, tools running on the local machine don't
## need an additional "-n host:port" command line option. This
## feature can be turned off by commenting out this setting.
CREDD_ADDRESS_FILE = $(LOG)/.credd_address
## Specify a remote credd server here,
##CREDD_HOST = $(CONDOR_HOST):$(CREDD_PORT)
CREDD_HOST = glwnts04.global.arup.com
## CredD startup arguments
## Start the CredD on a well-known port. Uncomment to to simplify
## connecting to a remote CredD. Note: that this interface may change
## in a future release.
CREDD_PORT = 9620
CREDD_ARGS = -p $(CREDD_PORT) -f
## CredD daemon debugging log
CREDD_LOG = $(LOG)/CredLog
CREDD_DEBUG = D_FULLDEBUG
MAX_CREDD_LOG = 4000000
## The credential owner submits the credential. This list specififies
## other user who are also permitted to see all credentials. Defaults
## to root on Unix systems, and Administrator on Windows systems.
#CRED_SUPER_USERS =
## Credential storage location. This directory must exist
## prior to starting condor_credd. It is highly recommended to
## restrict access permissions to _only_ the directory owner.
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
## Index file path of saved credentials.
## This file will be automatically created if it does not exist.
#CRED_INDEX_FILE = $(CRED_STORE_DIR/cred-index
## condor_credd will attempt to refresh credentials when their
# remaining lifespan is less than this value. Units = seconds.
#DEFAULT_CRED_EXPIRE_THRESHOLD = 3600
## condor-credd periodically checks remaining lifespan of stored
## credentials, at this interval.
#CRED_CHECK_INTERVAL = 60
#####NWR additions
CREDD_CACHE_LOCALLY = True
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
ALLOW_CONFIG = glwbackup@* user.name@*, Administrator@*
SEC_CONFIG_NEGOTIATION = REQUIRED
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED

#
#Config on nodes:
#
STARTER_ALLOW_RUNAS_OWNER = TRUE
##--------------------------------------------------------------------
## condor_credd credential managment daemon
##--------------------------------------------------------------------
## Where is the CredD binary installed?
CREDD = $(SBIN)/condor_credd.exe
## When the credd starts up, it can place it's address (IP and port)
## into a file. This way, tools running on the local machine don't
## need an additional "-n host:port" command line option. This
## feature can be turned off by commenting out this setting.
CREDD_ADDRESS_FILE = $(LOG)/.credd_address
## Specify a remote credd server here,
##NWR enabled
CREDD_HOST = glwnts04.global.arup.com:9620
## CredD startup arguments
## Start the CredD on a well-known port. Uncomment to to simplify
## connecting to a remote CredD. Note: that this interface may change
## in a future release.
CREDD_PORT = 9620
CREDD_ARGS = -p $(CREDD_PORT) -f
## CredD daemon debugging log
CREDD_LOG = $(LOG)/CredLog
CREDD_DEBUG = D_FULLDEBUG
MAX_CREDD_LOG = 4000000
## The credential owner submits the credential. This list specififies
## other user who are also permitted to see all credentials. Defaults
## to root on Unix systems, and Administrator on Windows systems.
#CRED_SUPER_USERS =
## Credential storage location. This directory must exist
## prior to starting condor_credd. It is highly recommended to
## restrict access permissions to _only_ the directory owner.
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
## Index file path of saved credentials.
## This file will be automatically created if it does not exist.
CRED_INDEX_FILE = $(CRED_STORE_DIR/cred-index
## condor_credd will attempt to refresh credentials when their
## remaining lifespan is less than this value. Units = seconds.
DEFAULT_CRED_EXPIRE_THRESHOLD = 3600
## condor-credd periodically checks remaining lifespan of stored
## credentials, at this interval.
CRED_CHECK_INTERVAL = 60
#####NWR additions
CREDD_CACHE_LOCALLY = True
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
ALLOW_CONFIG = user.name@*, Administrator@*
SEC_CONFIG_NEGOTIATION = REQUIRED
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED
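
Added example, not part of the original message: a small Python triage of the shadow log format shown above, reporting per job which failure event came first and which authentication method and user the later errors name. The function name `triage` and the event labels are hypothetical; the sample lines are copied from the log in the post.

```python
import re

# Job-scoped shadow log line: "MM/DD/YY HH:MM:SS (cluster.proc) (pid): message"
LINE = re.compile(r"^(\S+ \S+) \((\d+\.\d+)\) \((\d+)\): (.*)$")
TIMEOUT = re.compile(r"condor_read\(\): timeout reading \d+ bytes from (\S+ \S+?)\.?$")
METHOD = re.compile(r"AUTHENTICATE:1004:Failed to authenticate using (\w+)")
USER = re.compile(r"Could not locate valid credential for user '([^']+)'")

# Lines copied from the shadow log in the post above.
SAMPLE = """\
03/19/12 17:27:51 Initializing a VANILLA shadow for job 43.0
03/19/12 17:28:02 (43.0) (5032): condor_read(): timeout reading 5 bytes from credd glwnts04.global.arup.com:9620.
03/19/12 17:28:02 (43.0) (5032): IO: Failed to read packet header
03/19/12 17:28:02 (43.0) (5032): AUTHENTICATE: handshake failed!
03/19/12 17:28:02 (43.0) (5032): ERROR: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
03/19/12 17:28:02 (43.0) (5032): ERROR: Could not locate valid credential for user 'nathan.roberts@GLOBAL'
"""

def triage(log_text):
    """Per job: the first failure event, then the auth method and user reported."""
    jobs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner and other lines without a (job) (pid) prefix
        stamp, job, _pid, msg = m.groups()
        info = jobs.setdefault(job, dict.fromkeys(
            ("first_failure", "at", "peer", "method", "user")))
        kind = None
        if t := TIMEOUT.search(msg):
            kind, info["peer"] = "read_timeout", t.group(1)
        elif "AUTHENTICATE" in msg:
            kind = "auth_failure"
        # Only the earliest failure per job is recorded as the first event.
        if kind and info["first_failure"] is None:
            info["first_failure"], info["at"] = kind, stamp
        if a := METHOD.search(msg):
            info["method"] = a.group(1)
        if u := USER.search(msg):
            info["user"] = u.group(1)
    return jobs

if __name__ == "__main__":
    for job, info in triage(SAMPLE).items():
        print(job, info)
```

For job 43.0 the first recorded event is the read timeout from the credd, logged before the PASSWORD handshake error and the missing-credential error.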