
Re: [HTCondor-users] Security Basics. How to distribute tokens
Hello Zach,

Thanks for the quick and detailed answer!

1) I called the following command on Windows machine:
C:\Users\tester>condor_store_cred -c -p testtest add -debug
Account: condor_pool@w7-demo15

12/12/19 15:00:57 STORE_CRED: In mode 'add'
Operation succeeded.

2) I called the following command on Central Manager Unix machine:
root@htcondormanager:/etc/condor# condor_store_cred -f /etc/condor/passwords.d/condor_pool -u condor_pool@w7-demo15 -p testtest add -d

3) I called condor_reconfig and condor_restart.

4) I still get the message on Central Manager:
condor_collector[7753]: DC_AUTHENTICATE: required authentication of 127.0.0.1 failed: AUTHENTICATE:1003:Failed to authenticate with any method

I do not understand this fail, so could you please tell me what I'm doing wrong?

As before there is no error if I set the settings `SEC_DEFAULT_AUTHENTICATION` to `OPTIONAL` and `SEC_DEFAULT_INTEGRITY` to `OPTIONAL` on Central Manager.
Thanks in advance!

P.S.
The configuration has not changed much. On Unix Central Manager machine:
ETC = /etc/condor
SEC_PASSWORD_FILE = /secret-read-only-place/password
SEC_PASSWORD_DIRECTORY = $(ETC)/passwords.d
SEC_CREDENTIAL_DIRECTORY = $(ETC)/passwords.d
use SECURITY : HOST_BASED
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_INTEGRITY = REQUIRED
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
SEC_CLIENT_AUTHENTICATION = REQUIRED
SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
ALLOW_READ = *
HOSTALLOW_WRITE = *
ALLOW_WRITE = *
ALLOW_OWNER = *
ALLOW_CLIENT = *
ALLOW_NEGOTIATOR = *
ALLOW_NEGOTIATOR_SCHEDD = *
ALLOW_ADMINISTRATOR = $(CONDOR_HOST), $(IP_ADDRESS)
ALLOW_DAEMON = *
ALLOW_CONFIG = $(CONDOR_HOST), $(IP_ADDRESS)

On Windows machine:
# w7-demo15
CONDOR_HOST = $(FULL_HOSTNAME)
# Central Manager address:
COLLECTOR_HOST = 10.7.128.99:9618
UID_DOMAIN =
CONDOR_ADMIN =
SMTP_SERVER =
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_ADMINISTRATOR = *
ALLOW_CONFIG = *
use POLICY : ALWAYS_RUN_JOBS
WANT_VACATE = FALSE
WANT_SUSPEND = TRUE
DAEMON_LIST = MASTER STARTD

# condor_version
$CondorVersion: 8.9.4 Nov 18 2019 BuildID: Debian-8.9.4-1 PackageID: 8.9.4-1 Debian-8.9.4-1 $
$CondorPlatform: X86_64-Ubuntu_18.04 $

C:\Users\tester>condor_version
$CondorVersion: 8.9.4 Nov 18 2019 BuildID: 489751 $
$CondorPlatform: x86_64_Windows10 $

Wed, 11 Dec 2019 at 23:51, Zach Miller <zmiller@xxxxxxxxxxx>:
Hello Ivan,

The support for "TOKEN" authentication is very new and currently works on UNIX-type systems but not on Windows. More work needs to be done, as you discovered, to put tokens in the right place for Windows. On Linux, they are stored in files but on Windows they are stored in the secure area of the registry, and there is currently no way to inject these tokens that were created by the collector into the registry.

In a mixed Windows/Unix pool like yours, I would suggest you configure your set up using the "PASSWORD" method. For this, on all machines you can create the credential by running:

 condor_store_cred -c add


Please try that and let me know if you have any problems or questions.


Cheers,
-zach


On 12/11/19, 2:21 PM, "HTCondor-users on behalf of don_vanchos" <htcondor-users-bounces@xxxxxxxxxxx on behalf of hozblok@xxxxxxxxx> wrote:

  I am inspired by a great presentation

  https://indico.cern.ch/event/817927/contributions/3570551/attachments/1916450/3168528/SecurityBasics.pdf

  Thanks so much for this work!

  I built a similar scheme to the one on slide 25, where the Worker Node is a Windows machine and the Central Manager is a Unix machine.

  Everything works as expected if I set the settings `SEC_DEFAULT_AUTHENTICATION` to `OPTIONAL` and `SEC_DEFAULT_INTEGRITY` to `OPTIONAL` on Central Manager.

  But if I set these to `REQUIRED`, I get the error: AUTHENTICATE:1004:Failed to authenticate using TOKEN.

  The title of the slide is `And distribute tokens...`. Could you tell me how to do it? How to distribute generated tokens from the Central Manager to the Worker Node on Windows?

  condor_config on Worker Node:


  HOST_ALIAS = htcnodor-remote
  CONDOR_HOST = $(FULL_HOSTNAME)
  COLLECTOR_HOST = 100.70.128.2:9618   <--- path to the Central Manager
  FLOCK_FROM = *
  UID_DOMAIN =
  CONDOR_ADMIN =
  SMTP_SERVER =
  ALLOW_READ = *
  ALLOW_WRITE = *
  ALLOW_ADMINISTRATOR = *
  ALLOW_CONFIG = *
  use POLICY : ALWAYS_RUN_JOBS
  WANT_VACATE = FALSE
  WANT_SUSPEND = TRUE
  DAEMON_LIST = MASTER STARTD
  Central Manager is in private network (I use CCB + shared port):

  SHARED_PORT_PORT = 9618

  UPDATE_COLLECTOR_WITH_TCP = TRUE
  BIND_ALL_INTERFACES = TRUE

  PRIVATE_NETWORK_NAME = htcondor

  # require authentication and integrity for everything...
  SEC_DEFAULT_AUTHENTICATION = REQUIRED
  SEC_DEFAULT_INTEGRITY = REQUIRED
  SEC_CLIENT_AUTHENTICATION = REQUIRED
  # ...except read access...
  SEC_READ_AUTHENTICATION=OPTIONAL
  SEC_READ_INTEGRITY = OPTIONAL

  SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
  SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD, TOKEN
  SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
  ALLOW_READ = *
  ALLOW_WRITE = *
  ALLOW_OWNER = *
  ALLOW_CLIENT = *
  ALLOW_NEGOTIATOR = *
  ALLOW_NEGOTIATOR_SCHEDD = *
  ALLOW_ADMINISTRATOR = *
  ALLOW_DAEMON = *
  ALLOW_CONFIG = *
  FLOCK_FROM = *

  QUEUE_SUPER_USERS = $(QUEUE_SUPER_USERS) someuser
  TRUST_UID_DOMAIN = True
  DEFAULT_DOMAIN_NAME = htcondor
  TRUST_DOMAIN = htcondor
  UID_DOMAIN = htcondor
  FILESYSTEM_DOMAIN = htcondor

  --
  Sincerely yours,
  Ivan Ergunov                        mailto:hozblok@xxxxxxxxx



--
Sincerely yours,
Ivan Ergunov                         mailto:hozblok@xxxxxxxxx
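As an added example (not code from this thread and not part of HTCondor), a small POSIX shell audit helper that reads a condor_config fragment like the ones quoted above, reports the authentication posture, lists the ALLOW lists left at `*`, and checks that the pool password file exists, is non-empty and is readable only by its owner. The sample config is constructed from the Central Manager settings in the thread; the function names are my own.

```shell
#!/bin/sh
# Added audit helper; not from the thread and not part of HTCondor.
# Sample config constructed from the Central Manager settings quoted above.
SAMPLE_CONFIG='ETC = /etc/condor
SEC_PASSWORD_FILE = /secret-read-only-place/password
SEC_PASSWORD_DIRECTORY = $(ETC)/passwords.d
SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD, TOKEN
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_ADMINISTRATOR = $(CONDOR_HOST), $(IP_ADDRESS)
ALLOW_DAEMON = *'

# cfg_get CONFIG KEY: value of KEY; the last assignment wins, as in condor_config.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key != k) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }'
}

# wildcard_allow_lists CONFIG: ALLOW_* and HOSTALLOW_* lists set to "*".
# With REQUIRED authentication a "*" still admits any authenticated identity
# from any host, so WRITE, DAEMON and ADMINISTRATOR deserve a second look.
wildcard_allow_lists() {
    printf '%s\n' "$1" | awk '
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (key ~ /^(HOST)?ALLOW_/ && v == "*") out = out (out == "" ? "" : " ") key }
        END { print out }'
}

# password_file_status PATH: "missing", "empty", "too-open" or "ok".
# The pool password is a shared secret: group/other permission bits must be clear.
password_file_status() {
    [ -e "$1" ] || { echo missing; return; }
    [ -s "$1" ] || { echo empty; return; }
    case $(ls -ld "$1" | cut -c5-10) in
        ------) echo ok ;;
        *)      echo too-open ;;
    esac
}

# Stand-alone run: report on the sample config and its configured password file.
echo "auth: $(cfg_get "$SAMPLE_CONFIG" SEC_DEFAULT_AUTHENTICATION)"
echo "wildcard lists: $(wildcard_allow_lists "$SAMPLE_CONFIG")"
echo "password file: $(password_file_status "$(cfg_get "$SAMPLE_CONFIG" SEC_PASSWORD_FILE)")"
```

Point `password_file_status` at the file named by SEC_PASSWORD_FILE and at each file under SEC_PASSWORD_DIRECTORY to confirm the secret written by `condor_store_cred` is where the daemons will look for it.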