Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
- Date: Tue, 08 Jun 2021 12:24:47 +0200
- From: Darius Jakobeit <jakobeit@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
Hello John,
first of all thanks for your effort in helping me.
The output of "condor_config_val -summary" is the following:
PS C:\Windows\system32> condor_config_val -summary
# condor_config_val $CondorVersion: 9.0.2 May 09 2021 BuildID: 540227 DAILY $
#
# from C:\condor\condor_config
#
RELEASE_DIR = C:\condor
LOCAL_CONFIG_FILE = $(LOCAL_DIR)\condor_config.local
LOCAL_CONFIG_DIR = $(LOCAL_DIR)\config
ALLOW_ADMINISTRATOR = SYSTEM@* condor_pool@* Administrator@* jakobeit@*
ALLOW_DAEMON = SYSTEM@* condor_pool@*
ALLOW_NEGOTIATOR = SYSTEM@* condor_pool@*
ALLOW_READ = *
ALLOW_WRITE = *
SEC_DEFAULT_AUTHENTICATION = required
SEC_DEFAULT_ENCRYPTION = required
SEC_DEFAULT_INTEGRITY = required
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SECURITY_MODEL = 9.0
INSTALL_USER = jakobeit
CONDOR_HOST = 131.234.172.154
CLAIM_WORKLIFE =
CONTINUE = ($(CPUIdle) && ($(ActivityTimer) > 10) && (KeyboardIdle > $(ContinueIdleTime)))
IS_OWNER = (START =?= False)
MaxJobRetirementTime = 0
PREEMPT = (((Activity == "Suspended") && ($(ActivityTimer) > $(MaxSuspendTime))) || (SUSPEND && (WANT_SUSPEND == False)))
START = ((KeyboardIdle > $(StartIdleTime)) && ( $(CPUIdle) || (State != "Unclaimed" && State != "Owner")) )
SUSPEND = ($(KeyboardBusy) || ( (CpuBusyTime > 120) && $(ActivationTimer) > 90))
WANT_SUSPEND = ($(SmallJob) || $(KeyboardNotBusy) || $(IsVanilla) ) && ( $(SUSPEND))
WANT_VACATE = $(ActivationTimer) > 600 || $(IsVanilla)
DAEMON_LIST = MASTER STARTD KBDD
There is a tokens.sk and a tokens.d directory. From what I have
gathered from your mail I should use an IDTOKEN authentication to join
the Windows node into the existing Linux node.
I have tried to follow this guide:
https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#token-authentication
I have generated a new token using condor_token_create -identity -file
and saved the file in both SEC_TOKEN_SYSTEM_DIRECTORYs (since I wasn't
sure whether to do it only for the user). However, that didn't change
anything for my problem.
Whatever I am trying I get the following:
PS C:\Windows\system32> condor_status -debug
06/08/21 11:43:01 TOKEN: No token found.
06/08/21 11:43:01 SECMAN: required authentication with collector at <131.234.172.154:9618> failed, so aborting command QUERY_STARTD_ADS.
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS
It says "No token found" even though there are tokens in the
SEC_TOKEN_SYSTEM_DIRECTORY. It is also definitely defined:
PS C:\Windows\system32> condor_config_val -v SEC_TOKEN_SYSTEM_DIRECTORY
SEC_TOKEN_SYSTEM_DIRECTORY = C:\condor\tokens.d
# at: <Default>
# raw: SEC_TOKEN_SYSTEM_DIRECTORY = $(RELEASE_DIR)\tokens.d
Maybe I still have some basic misunderstanding regarding the whole
authentication process. Do you see what I did incorrectly?
Cheers,
Darius
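
A way to look inside the token files when the client logs "TOKEN: No token found", added here as an example and not part of the original messages or HTCondor's own code: it decodes each IDTOKEN (a JWT) without verifying its signature and reports the key id, issuer, subject and expiry. It assumes the client only selects a token whose issuer equals the trust domain the collector advertises, and that a token file holds one token per line with "#" comment lines; the host names and the sample token are constructed.

```python
import base64
import json
import time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    return obj

def inspect_token(token, trust_domain, now=None):
    """Return (claims summary, reasons the token would be skipped). Signature is NOT verified."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {}, ["not a three-part JWT"]
    try:
        header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:
        return {}, ["header or payload is not base64url-encoded JSON"]
    info = {"kid": header.get("kid"), "iss": payload.get("iss"),
            "sub": payload.get("sub"), "exp": payload.get("exp")}
    problems = []
    if info["iss"] != trust_domain:  # assumed matching rule: issuer must equal the trust domain
        problems.append(f"issuer {info['iss']!r} != trust domain {trust_domain!r}")
    if isinstance(info["exp"], (int, float)) and info["exp"] <= now:
        problems.append("token has expired")
    return info, problems

def inspect_token_file(text, trust_domain, now=None):
    """Check every token in a token file's text; blank and '#' lines are skipped (assumed format)."""
    tokens = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [inspect_token(t, trust_domain, now) for t in tokens]

def make_sample(header, payload):
    """Build a constructed sample token with a dummy signature (not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"

if __name__ == "__main__":
    # Constructed case: a token issued under the Windows node's own name, not the pool's domain.
    sample = make_sample({"alg": "HS256", "kid": "POOL"},
                         {"iss": "winnode.example", "sub": "condor@winnode.example"})
    for info, problems in inspect_token_file("# constructed sample\n" + sample, "pool.example"):
        print(info, problems or "OK")
```

To check real files, pass the text of each file under SEC_TOKEN_SYSTEM_DIRECTORY together with the TRUST_DOMAIN value reported by condor_config_val on the collector host.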
Date: Mon, 7 Jun 2021 14:39:14 +0000
From: John M Knoeller <johnkn@xxxxxxxxxxx>
To: "htcondor-users@xxxxxxxxxxx" <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Adding a Windows node to an existing
Linux-Pool
The Windows installer should have given the user that ran the
installer ADMINISTRATOR access. Let's check that. Please run
condor_config_val -summary
on your Windows box and post the output.
The Windows installer should also have created a tokens.d directory
and a tokens.sk directory under the directory where HTCondor is
installed (usually C:\Condor). On Windows, the tokens.sk directory
is where HTCondor looks for IDTOKEN signing keys, so this directory
is the equivalent of passwords.d on a Linux machine for IDTOKEN auth
(but not for PASSWORD auth).
You should not need to store a pool password on a Windows machine
unless you intend to use PASSWORD authentication between daemons.
Unlike on Linux, HTCondor Windows never uses the pool password as
part of IDTOKEN authentication because the pool password on Windows
is actually stored in the registry.
To use IDTOKEN authentication, it should be sufficient for whatever
machine is running the condor_collector to have authorization for
the Windows machine to join the pool.
If you want to be able to issue tokens from the Windows machine, you
can copy the POOL file from passwords.d on one of your Linux hosts
to tokens.sk on the Windows machine.
If you want to investigate why condor_store_cred add -c is not
working, try adding this to your condor_config.local file.
ALL_DEBUG = $(ALL_DEBUG) D_CAT
debug_cmd = D_FULLDEBUG D_SECURITY:1 D_COMMAND:1
MASTER_DEBUG = $(MASTER_DEBUG) $(debug_cmd)
TOOL_DEBUG = $(TOOL_DEBUG) $(debug_cmd)
Then run
condor_config_val add -c -debug
And look at the debug output of this command as well as the
MasterLog for that same time period.
-tj
________________________________
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf
of Darius Jakobeit <jakobeit@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, June 4, 2021 7:45 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
Hello everyone,
I am currently trying to wrap my head around how to add a Windows 10
node to an existing Linux-Pool (Ubuntu 20.04, HTCondor V. 9.0.0).
How did I set up the Linux pool? I followed the instructions here:
https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/admin-quick-start.html#admin-quick-start-guide
Using the get_htcondor script with a GET_HTCONDOR_PASSWORD. That
worked like a charm. Now I want to add another execute node which is
using the Windows 10 operating system. For that I installed HTCondor
there using these instructions:
https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/install-windows-as-administrator.html#admin-install-windows-pool
Now the problem here is that I couldn't enter any HTCondor password
during the steps in the GUI. A following "condor_status" in PowerShell
gave me some authentication errors. From how I have understood the
manual I think I am supposed to set the pool password with
"condor_store_cred add -c". However, when I am trying to set the pool
password with this command I am getting the following error:
"Operation failed. Make sure you have CONFIG access to the target Master."
Can anybody help me here?
Cheers,
Darius