
Re: [HTCondor-users] HTCondor with smartcard logon



I made some progress.

I used this syntax to store the password:

condor_store_cred add -u accountname@computername

With smartcard disabled, jobs run and I observe this in StarterLog.slot1:

About to exec C:\Windows\System32\cmd.exe /c echo hello
Running job as user condor1
Create_Process succeeded, pid=4264

Then, after enabling smartcard, jobs go idle and I see this in the same log:

init_user_ids: LogonUser failed with NT Status -2146892994
Could not initialize user_priv as "igskolcwws063\condor1".
Make sure this account's password is securely stored with condor_store_cred.
ERROR: Failed to determine what user to run this job as, aborting
Failed to initialize JobInfoCommunicator, aborting
Unable to start job.

In the Windows Security log:

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: condor1
Account Domain: IGSKOLCWWS063
Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xc000006e
Sub Status: 0xc00002fa
Process Information:
Caller Process ID: 0x1760
Caller Process Name: C:\condor\bin\condor_starter.exe

It appears the smartcard registry setting is affecting even the local accounts.

On Fri, Oct 2, 2015 at 12:08 PM, Durnan, Andy <adurnan@xxxxxxxx> wrote:
Zach,

Thanks for the response.

Running as "slot users" sounds like a suitable solution. I've followed the instructions for such in section 3.6.13.2 but it still doesn't work.

I assume I need to store the account credentials with condor_store_cred but I don't know the syntax to use for a local account.

STARTER_ALLOW_RUNAS_OWNER = False

Andy

On Fri, Oct 2, 2015 at 10:18 AM, Zach Miller <zmiller@xxxxxxxxxxx> wrote:
> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Durnan, Andy
> Sent: Friday, October 02, 2015 8:47 AM
> To: htcondor-users@xxxxxxxxxxx
> Subject: [HTCondor-users] HTCondor with smartcard logon
>
> Hello,
>
> All job submissions go idle when smartcard authentication is enforced. I've
> implemented credd per the guidance in the 8.4.0 manual to no avail.

The high-level issue here is that in order to run jobs on the execute machines as a specific user, HTCondor needs to "log in" as that user on the execute machine before running the job.

When you are requiring smartcard logon, HTCondor can no longer do that, even if you have stored the password using the CredD.

One option is to run the jobs as either "nobody" users or "slot users". Check out this section:
 http://research.cs.wisc.edu/htcondor/manual/v8.4/7_2Microsoft_Windows.html

And this one:
 http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html#21746

Basically, if you'll require smartcard logon, jobs will not be allowed to run as their owner. This is normally the default on Windows, so have you changed settings such as STARTER_ALLOW_RUNAS_OWNER?


Cheers,
-zach

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/



--
Andy Durnan, IT Specialist
Wyoming-Montana Water Science Center
521 Progress Circle, Ste 6
Cheyenne WY 82007
(307) 775-9171 (Office)
(307) 757-6464 (Cell)
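The two log excerpts at the top of this thread, the StarterLog failure and the Security-log entry, line up once the status codes are decoded. The following is an added example, not code from HTCondor or from anyone in the thread. It assumes that HTCondor prints the Win32 error as a signed 32-bit decimal (the decoding bears this out: -2146892994 is 0x8009033E, SEC_E_SMARTCARD_LOGON_REQUIRED, whose text is exactly the "Failure Reason" shown in the event) and that the Security-log text keeps the "Field: value" layout quoted above. The symbolic names come from winerror.h and ntstatus.h; the sample input is constructed from the quoted lines.

```python
"""Decode and correlate the logon-failure evidence quoted in this thread.

Added example; not HTCondor or Microsoft code.  Assumes HTCondor logs the
Win32 error as a signed 32-bit decimal and that the Security-log entry is in
"Field: value" layout.  Sample inputs below are constructed from the thread.
"""
import re

# Symbolic names from winerror.h (SEC_E_*) and ntstatus.h (STATUS_*).
KNOWN_CODES = {
    0x8009033E: "SEC_E_SMARTCARD_LOGON_REQUIRED",   # what LogonUser returned to the starter
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",       # 4625 "Status" field
    0xC00002FA: "STATUS_SMARTCARD_LOGON_REQUIRED",  # 4625 "Sub Status" field
}

# Constructed sample: the StarterLog lines quoted in the thread.
STARTER_LOG = """\
init_user_ids: LogonUser failed with NT Status -2146892994
Could not initialize user_priv as "igskolcwws063\\condor1".
"""

# Constructed sample: the Security-log (event 4625) fields quoted in the thread.
SECURITY_EVENT = """\
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: condor1
Account Domain: IGSKOLCWWS063
Failure Information:
Failure Reason: Smartcard logon is required and was not used.
Status: 0xc000006e
Sub Status: 0xc00002fa
Process Information:
Caller Process ID: 0x1760
Caller Process Name: C:\\condor\\bin\\condor_starter.exe
"""

STATUS_RE = re.compile(r"LogonUser failed with NT Status (-?\d+)")
ACCOUNT_RE = re.compile(r'user_priv as "([^"]+)"')


def decode_status(value):
    """Turn HTCondor's signed decimal into the 32-bit hex form and a symbolic name."""
    code = value & 0xFFFFFFFF          # two's-complement view of the signed value
    return f"0x{code:08X}", KNOWN_CODES.get(code, "unknown")


def parse_starter_log(text):
    """Return the decoded LogonUser failures and the account the starter tried to use."""
    codes = [decode_status(int(m.group(1))) for m in STATUS_RE.finditer(text)]
    account = ACCOUNT_RE.search(text)
    return codes, (account.group(1).lower() if account else None)


def parse_security_event(text):
    """Flatten 'Field: value' lines of a 4625 event into a dict; section headers have no value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def explain(starter_text, event_text):
    """Correlate both logs: same local account, starter as caller, smartcard sub-status."""
    codes, starter_account = parse_starter_log(starter_text)
    ev = parse_security_event(event_text)
    status = int(ev["Status"], 16)
    substatus = int(ev["Sub Status"], 16)
    event_account = f"{ev['Account Domain']}\\{ev['Account Name']}".lower()
    return {
        "starter_codes": codes,
        "event_status": KNOWN_CODES.get(status, "unknown"),
        "event_substatus": KNOWN_CODES.get(substatus, "unknown"),
        "same_account": starter_account == event_account,
        "caller_is_condor_starter": ev["Caller Process Name"].lower().endswith("condor_starter.exe"),
        # Either side alone is enough to name the cause; both together settle it.
        "smartcard_policy_blocked_logon": substatus == 0xC00002FA
        or any(name == "SEC_E_SMARTCARD_LOGON_REQUIRED" for _, name in codes),
    }


if __name__ == "__main__":
    for key, value in explain(STARTER_LOG, SECURITY_EVENT).items():
        print(f"{key}: {value}")
```

The useful diagnostic signal here is the combination: a 4625 logon failure whose Sub Status is 0xC00002FA, whose Caller Process Name is condor_starter.exe, and whose account is a local machine account (domain equal to the computer name). That pattern says the interactive smartcard-logon policy is rejecting the stored-credential logon the starter performs, which is what the thread observes even for local accounts.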