Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool

Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

Hello John,

first of all thanks for your effort in helping me.

The output of "condor_config_val -summary" is the following:

PS C:\Windows\system32> condor_config_val -summary
# condor_config_val $CondorVersion: 9.0.2 May 09 2021 BuildID: 540227 DAILY $

#
# from C:\condor\condor_config
#
RELEASE_DIR = C:\condor
LOCAL_CONFIG_FILE = $(LOCAL_DIR)\condor_config.local
LOCAL_CONFIG_DIR = $(LOCAL_DIR)\config
ALLOW_ADMINISTRATOR = SYSTEM@* condor_pool@* Administrator@* jakobeit@*
ALLOW_DAEMON = SYSTEM@* condor_pool@*
ALLOW_NEGOTIATOR = SYSTEM@* condor_pool@*
ALLOW_READ = *
ALLOW_WRITE = *
SEC_DEFAULT_AUTHENTICATION = required
SEC_DEFAULT_ENCRYPTION = required
SEC_DEFAULT_INTEGRITY = required
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SECURITY_MODEL = 9.0
INSTALL_USER = jakobeit
CONDOR_HOST = 131.234.172.154
CLAIM_WORKLIFE =
CONTINUE = ($(CPUIdle) && ($(ActivityTimer) > 10) && (KeyboardIdle >
$(ContinueIdleTime)))
IS_OWNER = (START =?= False)
MaxJobRetirementTime = 0
PREEMPT = (((Activity == "Suspended") && ($(ActivityTimer) >
$(MaxSuspendTime))) || (SUSPEND && (WANT_SUSPEND == False)))
START = ((KeyboardIdle > $(StartIdleTime)) && ( $(CPUIdle) || (State
!= "Unclaimed" && State != "Owner")) )
SUSPEND = ($(KeyboardBusy) || ( (CpuBusyTime > 120) &&
$(ActivationTimer) > 90))
WANT_SUSPEND = ($(SmallJob) || $(KeyboardNotBusy) || $(IsVanilla) ) &&
( $(SUSPEND))
WANT_VACATE = $(ActivationTimer) > 600 || $(IsVanilla)
DAEMON_LIST = MASTER STARTD KBDD

There is a tokens.sk and a tokens.d directory. From what I have
gathered from your mail I should use an IDTOKEN authentication to join
the Windows node into the existing Linux node.
I have tried to follow this guide:
https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#token-authentication
I have generated a new token using condor_token_create -identity -file
and saved the file in both SEC_TOKEN_SYSTEM_DIRECTORYs (since I wasn't
sure whether to do it only for the user). However, that didn't change
anything for my problem.

Whatever I am trying I get the following:
PS C:\Windows\system32> condor_status -debug
06/08/21 11:43:01 TOKEN: No token found.
06/08/21 11:43:01 SECMAN: required authentication with collector at
<131.234.172.154:9618> failed, so aborting command QUERY_STARTD_ADS.
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS

It says "No token found" even though there are tokens in the
SEC_TOKEN_SYSTEM_DIRECTORY. It is also definitely defined:

PS C:\Windows\system32> condor_config_val -v SEC_TOKEN_SYSTEM_DIRECTORY
SEC_TOKEN_SYSTEM_DIRECTORY = C:\condor\tokens.d
# at: <Default>
# raw: SEC_TOKEN_SYSTEM_DIRECTORY = $(RELEASE_DIR)\tokens.d

Maybe I still have some basic misunderstanding regarding the whole
authentication process. Do you see what I did incorrectly?

Cheers,
Darius

> Date: Mon, 7 Jun 2021 14:39:14 +0000
> From: John M Knoeller <johnkn@xxxxxxxxxxx>
> To: "htcondor-users@xxxxxxxxxxx" <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] Adding a Windows node to an existing
>        Linux-Pool
> Message-ID:
>        <BYAPR06MB5543A15618879F1D6E323B7296389@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> Content-Type: text/plain; charset="us-ascii"
>
> The Windows installer should have given the user that ran the
> installer ADMINSTRATOR access.   Lets check that.   please run
>
> condor_config_val -summary
>
> On your windows box and post the output.
>
> The Windows installer should also have created a tokens.d directory
> and a tokens.sk directory under the directory where HTCondor is
> installed (usually C:\Condor).   On Windows, the tokens.sk directory
> is where HTCondor looks for IDTOKEN signing keys, so this directory
> is the equivalent of passwords.d on a Linux machine for IDTOKEN auth
> (but not for PASSWORD auth).
>
> You should not need to store a pool password on a Windows machine
> unless you intend to use PASSWORD authentication between daemons.
> Unlike on Linux, HTCondor Windows never uses the pool password as
> part of IDTOKEN authentication because the pool password on Windows
> is actually stored in the registry.
>
> To use IDTOKEN authentication, it should be sufficient for whatever
> machine is running the condor_collector to have authorization for
> the Windows machine to join the pool.
>
> If you want to be able to issue tokens from the Windows machine, you
> can copy the POOL file from passwords.d on one of your Linux hosts
> to tokens.sk on the Windows machine.
>
> If you want to investigate why condor_store_cred add -c   is not
> working, try adding this to your condor_config.loca file.
>
> ALL_DEBUG = $(ALL_DEBUG) D_CAT
> debug_cmd = D_FULLDEBUG D_SECURITY:1 D_COMMAND:1
> MASTER_DEBUG = $(MASTER_DEBUG) $(debug_cmd)
> TOOL_DEBUG = $(TOOL_DEBUG) $(debug_cmd)
>
> Then run
>     condor_config_val add -c -debug
>
> And look at the debug output of this command as well as the
> MasterLog for that same time period.
>
> -tj
>
>
> ________________________________
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf
> of Darius Jakobeit <jakobeit@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Friday, June 4, 2021 7:45 AM
> To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
>
> Hello everyone,
>
> I am currently trying to wrap my head around how to add a Windows 10
> node to an existing Linux-Pool (Ubuntu 20.04, HTCondor V. 9.0.0).
>
> How did I set up the Linux pool? I followed the instructions here:
> https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/admin-quick-start.html#admin-quick-start-guide
>
> Using the get_htcondor script with a GET_HTCONDOR_PASSWORD. That
> worked like a charm. Now I want to add another execute node which is
> using the Windows 10 operation system. For that I installed HTCondor
> there using these instructions:
> https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/install-windows-as-administrator.html#admin-install-windows-pool
>
> Now the problem here is, that I couldn't enter any HTCondor password
> during the steps in the GUI. A following "condor_status" in powershell
> gave me some authentification errors. From how I have understood the
> manual I think I am supposed to set the pool password with
> "condor_store_cred add -c". However, when I am trying to set the pool
> password with this command I am getting the following error:
>
> "Operation failed. Make sure you have CONFIG access to the target Master."
>
> Can anybody help me here?
>
> Cheers,
> Darius

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

Mailing List Archives

Authenticated access

Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool