
Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows



Hi Cole,

 

Many thanks for your help.

 

  • Is your pool only Windows or is it a mix of Windows/Linux?
    We use a mix of Windows and Linux.

  • Is `use SECURITY:HOST_BASED` still in the configuration of the newer versioned condor?
    No, in the newer condor we use IDTOKEN
    SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, FS, ANONYMOUS
    SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, FS
  • Is HTCondor being run as a service for these Windows installations?
    When I start HTCondor as a service, there is no error. I can start jobs etc.
    But to run GUI tests I have to start HTCondor as a logged-in domain user:
    C:\Users\gui_tester>condor_master

 

I set ALL_DEBUG = D_SECURITY

The CollectorLog on CM:

08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family
08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65281>
08/20/24 13:22:23 SECMAN: new session, doing initial authentication.
08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.
08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.
08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')
08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server
08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)
08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)
08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)
08/20/24 13:22:23 Will return to DC because authentication is incomplete.
08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL
08/20/24 13:22:23 AUTHENTICATE: auth would still block
08/20/24 13:22:23 Will return to DC to continue authentication..
08/20/24 13:22:23 Authentication was a Success.
08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx
08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'
08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.
08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.
08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.
08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:9...
08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:9
08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:9.
08/20/24 13:22:23 DC_AUTHENTICATE: Success.
08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason
08/20/24 13:22:23 DC_AUTHENTICATE: Command not authorized, done!
08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65282>
08/20/24 13:22:23 SECMAN: new session, doing initial authentication.
08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.
08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.
08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')
08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server
08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)
08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)
08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)
08/20/24 13:22:23 Will return to DC because authentication is incomplete.
08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL
08/20/24 13:22:23 AUTHENTICATE: auth would still block
08/20/24 13:22:23 Will return to DC to continue authentication..
08/20/24 13:22:23 Authentication was a Success.
08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx
08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'
08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.
08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.
08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.
08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:10...
08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:10
08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:10.
08/20/24 13:22:23 DC_AUTHENTICATE: Success.
08/20/24 13:22:23 Checking limit in token (ADVERTISE_MASTER) for permission ALLOW
08/20/24 13:22:23 SESSION: server duplicated AES to BLOWFISH key for UDP.
08/20/24 13:22:23 DC_AUTHENTICATE: added incoming session id asrv0de148:3531561:1724152943:10 to cache for 86420 seconds (lease is 3620s, return address is <10.20.53.16:9618?addrs=10.20.53.16-9618&alias=AWS0DE227.corpdir.zz&noUDP&sock=master_8708_df30>).

Regards

Leon

 

 

 

Dipl.-Ing. Leon Thielen
Software Development

MAGMA Gießereitechnologie GmbH

P: +49 241 88901 244 
Kackertstrasse 16-18, 52072 Aachen, Germany 
www.magmasoft.de
L.Thielen@xxxxxxxxxxxx



From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Cole Bollig via HTCondor-users
Sent: Friday, 16 August 2024 19:55
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Cole Bollig <cabollig@xxxxxxxx>
Subject: [EXTERNAL] Re: [HTCondor-users] Run htcondor as domain user on Windows

 

Hi Leon,

 

You should be able to piece together specifically why the daemons are being denied during authorization from the logs. You can build a complete picture by looking at the other/server side of the conversation (Collector in this case). I do also have some questions about your setup:

  • Is your pool only Windows or is it a mix of Windows/Linux?
  • Is `use SECURITY:HOST_BASED` still in the configuration of the newer versioned condor?
  • Is HTCondor being run as a service for these Windows installations?

 

-Cole Bollig


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Thursday, August 15, 2024 7:31 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Run htcondor as domain user on Windows

 

Hi,

We have been working successfully with HTCondor 8.x for many years.

We also use HTCondor 8.x to carry out GUI tests.

With the program QF-Test we can test our application automatically.

An open desktop is required.

 

I know:

“Running the HTCondor services as any other account (such as a domain user) is not supported and could be problematic.”

From <https://htcondor.readthedocs.io/en/v8_8/admin-manual/installation-startup-shutdown-reconfiguration.html>

 

But for us the following worked:

HTCondor 8.8.15 use SECURITY : HOST_BASED

1. autologin as test-user

2. start condor_master as test-user

So we can perform 24x7 GUI tests.

 

But with the change to 23.012 there are problems.

 

All services start but the hosts are not in the cluster (condor_status does not list the hosts) and therefore do not receive any jobs.

 

In the MasterLog:

08/15/24 09:30:10 Setting ready state 'Ready' for STARTD
08/15/24 09:30:10 SECMAN: FAILED: Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.
08/15/24 09:30:10 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.
08/15/24 09:30:10 Collector update failed; will try to get a token request for trust domain cmhost, identity (default).
08/15/24 09:30:10 Failed to start non-blocking update to <10.20.49.82:9618>.

 

Can anyone help me with the solution?

 

Thanks for your help in advance

Leon

 

 

 

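As an added example, not part of this thread or of HTCondor itself: a small Python parser for the two kinds of lines quoted above, the CollectorLog PERMISSION GRANTED/DENIED decisions on the server side and the MasterLog SECMAN "DENIED" lines on the client side. It groups denials by identity, host and access level and keeps the first non-cached reason, since the "cached result ... see first case" entries only point back at an earlier line. The identity domain, the hosts in the sample and the non-cached reason text are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the CollectorLog and MasterLog excerpts
# quoted in this thread; identity domain and reason text are placeholders.
SAMPLE_LOG = """\
08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family
08/20/24 13:20:05 PERMISSION DENIED to condor@example.invalid from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: constructed placeholder for the first, non-cached denial reason
08/20/24 13:22:23 PERMISSION DENIED to condor@example.invalid from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason
08/15/24 09:30:10 SECMAN: FAILED: Received "DENIED" from server for user condor@example.invalid using method IDTOKENS.
"""

AUTHZ_RE = re.compile(
    r'^(?P<ts>\S+ \S+) PERMISSION (?P<verdict>GRANTED|DENIED) to (?P<fqu>\S+) '
    r'from host (?P<host>\S+) for command (?P<cmd>\d+) \((?P<cmdname>\w+)\), '
    r'access level (?P<level>\w+): reason: (?P<reason>.*)$')
SECMAN_RE = re.compile(
    r'^(?P<ts>\S+ \S+) SECMAN: FAILED: Received "DENIED" from server for user '
    r'(?P<fqu>\S+) using method (?P<method>\w+)\.$')

def parse_authz_decisions(text):
    """Server-side (CollectorLog) authorization decisions, one dict per line."""
    decisions = []
    for line in text.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            d = m.groupdict()
            # A cached verdict carries no explanation of its own; the real
            # reason is in the first (earlier) decision for the same request.
            d["cached"] = d["reason"].startswith("cached result")
            decisions.append(d)
    return decisions

def parse_client_denials(text):
    """Client-side (MasterLog) SECMAN denials as (identity, auth method) pairs."""
    return [(m["fqu"], m["method"]) for m in map(SECMAN_RE.match, text.splitlines()) if m]

def summarize_denials(text):
    """Group DENIED decisions by (identity, host, access level) with a count and
    the first non-cached reason, which is the one that explains the denial."""
    summary = {}
    for d in parse_authz_decisions(text):
        if d["verdict"] != "DENIED":
            continue
        key = (d["fqu"], d["host"], d["level"])
        entry = summary.setdefault(key, {"count": 0, "first_reason": None})
        entry["count"] += 1
        if not d["cached"] and entry["first_reason"] is None:
            entry["first_reason"] = d["reason"]
    return summary

if __name__ == "__main__":
    for key, entry in summarize_denials(SAMPLE_LOG).items():
        print(key, entry)
    print(parse_client_denials(SAMPLE_LOG))
```

Run it over a real CollectorLog written with D_SECURITY enabled; a group whose first_reason stays None means the explaining line is outside the excerpt you captured and you need to look further back in the log.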