Jaime -
If "generated dynamically at runtime" means when the condor service starts and/or condor_reconfig
is issued, perhaps these values could be "detected", using condor_config_val terminology.
- Sam
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Jaime Frey via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Tuesday, August 22, 2023 6:09:39 AM
To: HTCondor-Users Mail List
Cc: Jaime Frey
Subject: Re: [HTCondor-users] [EXTERNAL] Re: is this a bug? Windows using SECURITY:recommended_v9_0
Two minor notes here:
* The only meta-knob that alters the SEC_XXX_AUTHENTICATION_METHODS is 'use security: get_htcondor_idtokens'. That's set if HTCondor is installed with the get_htcondor tool, so it's common to see on Linux.
* As you noticed, condor_config_val does display the 'factory' values for most parameters. The SEC_XXX_AUTHENTICATION_METHODS parameters are an exception. Their default value is generated dynamically at runtime based on your OS and the presence of optional security libraries (e.g. kerberos, munge, scitokens). This can be a little confusing. We may consider making these defaults more static.
- Jaime
On Aug 21, 2023, at 4:18 PM, Sam.Dana@xxxxxxxxxxx wrote:
Thank you for the replies.
I can think of two potential bugs:
- SECURITY:recommended_v9_0 fails to list the Windows defaults, as it does for *nix
- condor_config_val does not display "factory" values
Perhaps I could make a feature request: make "factory" settings available through condor_config_val.
The first time I ran condor_config_val -v -dump, I was thrilled, this is absolutely brilliant.
It provides all the controls, what they are set to (= and expanded), how they get set (at), and what their "factory" setting (default) is.
condor_config_val follows the "knob" metaphor fairly well.
- You can easily key-in (push, pull, or rotate the "knob") to a new value;
- you can take a quick look at its selected position within a range of values;
- you can even loosen the screw, detaching it from the actual control - how does this help the user?
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Monday, August 21, 2023 10:16:48 AM
To: HTCondor-Users Mail List
Cc: John M Knoeller
Subject: [EXTERNAL] Re: [HTCondor-users] is this a bug? Windows using SECURITY:recommended_v9_0
Note that NTSSPI on Windows is sort of equivalent to FS on Linux. It is an auth method that is always available and can be used to authenticate local users. NTSSPI can also be used to authenticate remote users, but only when the machine is part of an NT Domain. If the machine is not part of an NT Domain, then NTSSPI can only authenticate local users.
The value for SEC_DEFAULT_AUTHENTICATION_METHODS is built up at runtime when the configured value is empty. Thus when condor_config_val shows the default value as blank, the effective value is usually NTSSPI, IDTOKEN, KERBEROS, SSL.
KERBEROS and SSL are present only if the libraries for those methods are installed. For Windows, they are installed by the MSI installer. NTSSPI is always installed, since it is the native method for Windows, and IDTOKEN is baked into the HTCondor code, so it is always available as well.
-tj
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Cole Bollig via HTCondor-users
Sent: Friday, August 18, 2023 3:22 PM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Cole Bollig <cabollig@xxxxxxxx>
Subject: Re: [HTCondor-users] is this a bug? Windows using SECURITY:recommended_v9_0
This is expected. HTCondor does have a list of default authentication methods to use, and the methods (FS & IDTOKENS) should be in that list. The configuration knob SEC_DEFAULT_AUTHENTICATION_METHODS is a knob that allows administrators to overwrite the default authentication methods list. This specific knob is undefined by default, so condor_config_val will show it as undefined rather than output the internal default list. The internal default list for Windows in V9 of HTCondor is: NTSSPI, IDTOKEN, KERBEROS, and SSL. FS is not available on Windows.
Setting up a Windows only HTCondor pool.
As I explore the metaknobs, I noticed 'use SECURITY:recommended_v9_0' states:
# Assume that FS and IDTOKENS are in SEC_DEFAULT_AUTHENTICATION_METHODS, which they are by default.
However, condor_config_val -v SEC_DEFAULT_AUTHENTICATION_METHODS shows it is "Not defined".
What settings should be used under Windows?