Finally, I have something a bit more concrete regarding this issue.
Running (from CM or Sched) condor_ping -type credd -verbose READ WRITE DAEMON CONFIG
I get:
LsaOpenPolicy returned 5
DAEMON failed!
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using PASSWORD
On all three systems (CM, Sched, Credd) , the logged in domain user "CVASIL\cvaadmin", has a password stored in credd
condor_store_cred query
Account: cvaadmin@CVASIL
CredType: password
A credential was stored and is valid.
After ensuring the 3 systems have: condor_store_cred add -c
Account: condor_pool@xxxxxxxxxx
CredType: password
Enter password: Operation succeeded.
Account: condor_pool@xxxxxxxxxx
CredType: password
Operation failed.
Make sure your ALLOW_WRITE setting includes this host.
while on Sched, condor_store_cred query -c
Account: condor_pool@xxxxxxxxxx
CredType: password
Operation failed because it is not allowed
I had opened almost all ALLOW_ options to *, but not CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN) cvaadmin@xxxxxxxxxx
I noticed the "domains" were opposite of those in store_cred, so I switched them in config
Eventually, I added NTSSPI to CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
At least condor_ping accepts it, but from what I can tell condor_submit is still not as the submit user.
How do I resolve the LsaOpenPolicy issue? The logs (I read) didn't provide greater detail than the errors above.
Thank you,
Sam
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Sam.Dana@xxxxxxxxxxx <Sam.Dana@xxxxxxxxxxx>
Sent: Friday, September 1, 2023 6:35:01 AM To: HTCondor-Users Mail List Subject: [EXTERNAL] [HTCondor-users] Windows Run As Owner Can someone please provide "real world" config settings and steps to get Run As Owner working in a Windows 10, Windows domain environment?
I can't seem to get past SEC 2007 authentication.
Thanks, Sam NOTICE: This email message and all attachments transmitted with it may contain privileged and confidential information, and information that is protected by, and proprietary to, Parsons Corporation,
and is intended solely for the use of the addressee for the specific purpose set forth in this communication. If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other
use of this message or its attachments is strictly prohibited, and you should delete this message and all copies and backups thereof. The recipient may not further distribute or use any of the information contained herein without the express written authorization
of the sender. If you have received this message in error, or if you have any questions regarding the use of the proprietary information contained therein, please contact the sender of this message immediately, and the sender will provide you with further
instructions.
|