
Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows



Hi tj,

Thank you very much.

I have added the following on the CM in the file /etc/condor/config.d/01-central-manager.config.

ALLOW_DAEMON = $(ALLOW_DAEMON) condor@xxxxxxxxxxxxxxxxxxxx

After restarting the CM, condor works as expected.


Dipl.-Ing. Leon Thielen
Software Development

MAGMA Gießereitechnologie GmbH

P: +49 241 88901 244 
Kackertstrasse 16-18, 52072 Aachen, Germany 
www.magmasoft.de
L.Thielen@xxxxxxxxxxxx



From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users
Sent: Wednesday, 21 August 2024 22:24
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: John M Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

We can see from the CollectorLog that authentication is succeeding, but the collector does not ALLOW the Master or Startd to send updates. 

 

08/21/24 12:07:01 Authentication was a Success.

08/21/24 12:07:01 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:01 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:01 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:01 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:01 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234821:212...

08/21/24 12:07:01 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234821:212

08/21/24 12:07:01 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234821:212.

08/21/24 12:07:01 DC_AUTHENTICATE: Success.

08/21/24 12:07:01 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

 

You need to look at the ALLOW_ADVERTISE_MASTER and ALLOW_ADVERTISE_STARTD config knobs on the central manager; those knobs need to have a pattern that matches condor@xxxxxxxxxxxxxxxxxxxx.

If the config does not have ALLOW_ADVERTISE_MASTER or ALLOW_ADVERTISE_STARTD, then look at ALLOW_DAEMON instead.

 

-tj
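The triage tj describes above, as an added example that is not part of the thread or of the HTCondor project: it parses the D_SECURITY CollectorLog format quoted in this thread, extracts each PERMISSION DENIED event, and names the ALLOW_* knob (ALLOW_ADVERTISE_*, falling back to ALLOW_DAEMON when unset) whose entries must match the authenticated identity. The sample log, the `example.corp` domain and the simplified pattern matching are constructed assumptions.

```python
"""Triage HTCondor CollectorLog authorization failures.

Added example, not code from the thread or from the HTCondor project: parse the
D_SECURITY CollectorLog lines quoted in the thread, extract each PERMISSION DENIED
event, and name the ALLOW_* knob on the central manager that must carry a pattern
matching the denied identity (ALLOW_ADVERTISE_*, then ALLOW_DAEMON when unset).
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's CollectorLog; 'example.corp' is a
# placeholder for the masked domain in the original.
SAMPLE_LOG = """\
08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@example.corp'
08/21/24 12:07:01 DC_AUTHENTICATE: Success.
08/21/24 12:07:01 PERMISSION DENIED to condor@example.corp from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason
08/21/24 12:07:01 DC_AUTHENTICATE: Command not authorized, done!
08/21/24 12:07:01 PERMISSION DENIED to condor@example.corp from host 10.20.53.16 for command 0 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason
08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) PERMISSION DENIED to (?P<fqu>\S+) "
    r"from host (?P<host>\S+) for command \d+ \((?P<cmd>\w+)\), "
    r"access level (?P<level>\w+)"
)

@dataclass(frozen=True)
class Denial:
    ts: str
    fqu: str      # fully qualified user the client authenticated as
    host: str
    command: str  # e.g. UPDATE_MASTER_AD
    level: str    # e.g. ADVERTISE_MASTER

def parse_denials(log_text):
    """Return the PERMISSION DENIED events found in the log, in order."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            found.append(Denial(m["ts"], m["fqu"], m["host"], m["cmd"], m["level"]))
    return found

def knobs_for_level(level):
    """ALLOW_<level> first, then the knob the collector falls back to when it is unset."""
    knobs = ["ALLOW_" + level]
    if level.startswith("ADVERTISE_"):
        knobs.append("ALLOW_DAEMON")
    return knobs

def pattern_matches(pattern, fqu, host):
    """Simplified authorization entry: 'user@domain', 'user@domain/host' or bare 'host',
    each part with '*' wildcards (assumption: real HTCondor matching handles more)."""
    ident, _, hostpat = pattern.partition("/")
    if not hostpat and "@" not in ident:       # bare host or network pattern
        ident, hostpat = "*", ident
    return fnmatch.fnmatchcase(fqu, ident) and fnmatch.fnmatchcase(host, hostpat or "*")

def explain(config, denial):
    """Return (knob consulted, whether one of its entries matches the denied identity)."""
    for knob in knobs_for_level(denial.level):
        entries = [e for e in re.split(r"[\s,]+", config.get(knob, "")) if e]
        if entries:                             # first defined knob decides
            return knob, any(pattern_matches(e, denial.fqu, denial.host) for e in entries)
    return knobs_for_level(denial.level)[-1], False

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d.command, explain({"ALLOW_DAEMON": "condor@family, 10.20.49.*"}, d))
```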


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Wednesday, August 21, 2024 9:53 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

Hi tj,

 

Here is the CollectorLog at this time 08/21/24 12:07:01

 

08/21/24 12:06:53 DC_AUTHENTICATE: authentication of <10.20.53.16:52711> was successful but resulted in a limited authorization which did not include this command (5 QUERY_STARTD_ADS), so aborting.

08/21/24 12:06:53 DC_AUTHENTICATE: Command not authorized, done!

08/21/24 12:07:01 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52724>

08/21/24 12:07:01 SECMAN: new session, doing initial authentication.

08/21/24 12:07:01 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:01 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:01 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/21/24 12:07:01 HANDSHAKE: handshake() - i am the server

08/21/24 12:07:01 HANDSHAKE: client sent (methods == 2048)

08/21/24 12:07:01 HANDSHAKE: i picked (method == 2048)

08/21/24 12:07:01 HANDSHAKE: client received (method == 2048)

08/21/24 12:07:01 Will return to DC because authentication is incomplete.

08/21/24 12:07:01 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/21/24 12:07:01 AUTHENTICATE: auth would still block

08/21/24 12:07:01 Will return to DC to continue authentication..

08/21/24 12:07:01 Authentication was a Success.

08/21/24 12:07:01 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:01 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:01 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:01 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:01 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234821:212...

08/21/24 12:07:01 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234821:212

08/21/24 12:07:01 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234821:212.

08/21/24 12:07:01 DC_AUTHENTICATE: Success.

08/21/24 12:07:01 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

08/21/24 12:07:01 DC_AUTHENTICATE: Command not authorized, done!

08/21/24 12:07:01 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52725>

08/21/24 12:07:01 SECMAN: new session, doing initial authentication.

08/21/24 12:07:01 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:01 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:01 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/21/24 12:07:01 HANDSHAKE: handshake() - i am the server

08/21/24 12:07:01 HANDSHAKE: client sent (methods == 2048)

08/21/24 12:07:01 HANDSHAKE: i picked (method == 2048)

08/21/24 12:07:01 HANDSHAKE: client received (method == 2048)

08/21/24 12:07:01 Will return to DC because authentication is incomplete.

08/21/24 12:07:01 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/21/24 12:07:01 AUTHENTICATE: auth would still block

08/21/24 12:07:01 Will return to DC to continue authentication..

08/21/24 12:07:01 Authentication was a Success.

08/21/24 12:07:01 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:01 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:01 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:01 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:01 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234821:213...

08/21/24 12:07:01 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234821:213

08/21/24 12:07:01 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234821:213.

08/21/24 12:07:01 DC_AUTHENTICATE: Success.

08/21/24 12:07:01 Checking limit in token (ADVERTISE_MASTER) for permission ALLOW

08/21/24 12:07:01 SESSION: server duplicated AES to BLOWFISH key for UDP.

08/21/24 12:07:01 DC_AUTHENTICATE: added incoming session id asrv0de148:3531561:1724234821:213 to cache for 86420 seconds (lease is 3620s, return address is <10.20.53.16:9618?addrs=10.20.53.16-9618&alias=AWS0DE227.corpdir.zz&noUDP&sock=master_4172_01a2>).

08/21/24 12:07:01 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52731>

08/21/24 12:07:01 SECMAN: new session, doing initial authentication.

08/21/24 12:07:01 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:01 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:01 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/21/24 12:07:01 HANDSHAKE: handshake() - i am the server

08/21/24 12:07:01 HANDSHAKE: client sent (methods == 2048)

08/21/24 12:07:01 HANDSHAKE: i picked (method == 2048)

08/21/24 12:07:01 HANDSHAKE: client received (method == 2048)

08/21/24 12:07:01 Will return to DC because authentication is incomplete.

08/21/24 12:07:01 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/21/24 12:07:01 AUTHENTICATE: auth would still block

08/21/24 12:07:01 Will return to DC to continue authentication..

08/21/24 12:07:01 Authentication was a Success.

08/21/24 12:07:01 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:01 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:01 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:01 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:01 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234821:214...

08/21/24 12:07:01 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234821:214

08/21/24 12:07:01 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234821:214.

08/21/24 12:07:01 DC_AUTHENTICATE: Success.

08/21/24 12:07:01 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 0 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason

08/21/24 12:07:01 DC_AUTHENTICATE: Command not authorized, done!

08/21/24 12:07:01 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52733>

08/21/24 12:07:01 SECMAN: new session, doing initial authentication.

08/21/24 12:07:01 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:01 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:01 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/21/24 12:07:01 HANDSHAKE: handshake() - i am the server

08/21/24 12:07:01 HANDSHAKE: client sent (methods == 2048)

08/21/24 12:07:01 HANDSHAKE: i picked (method == 2048)

08/21/24 12:07:01 HANDSHAKE: client received (method == 2048)

08/21/24 12:07:01 Will return to DC because authentication is incomplete.

08/21/24 12:07:01 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/21/24 12:07:01 AUTHENTICATE: auth would still block

08/21/24 12:07:01 Will return to DC to continue authentication..

08/21/24 12:07:01 Authentication was a Success.

08/21/24 12:07:01 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:01 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:01 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:01 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:01 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:01 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234821:215...

08/21/24 12:07:01 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234821:215

08/21/24 12:07:01 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234821:215.

08/21/24 12:07:01 DC_AUTHENTICATE: Success.

08/21/24 12:07:01 Checking limit in token (ADVERTISE_STARTD) for permission ALLOW

08/21/24 12:07:01 SESSION: server duplicated AES to BLOWFISH key for UDP.

08/21/24 12:07:01 DC_AUTHENTICATE: added incoming session id asrv0de148:3531561:1724234821:215 to cache for 86420 seconds (lease is 3620s, return address is <10.20.53.16:9618?addrs=10.20.53.16-9618&alias=AWS0DE227.corpdir.zz&noUDP&sock=startd_4172_01a2>).

08/21/24 12:07:02 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52727>

08/21/24 12:07:02 SECMAN: new session, doing initial authentication.

08/21/24 12:07:02 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:02 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:02 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/21/24 12:07:02 HANDSHAKE: handshake() - i am the server

08/21/24 12:07:02 HANDSHAKE: client sent (methods == 2048)

08/21/24 12:07:02 HANDSHAKE: i picked (method == 2048)

08/21/24 12:07:02 HANDSHAKE: client received (method == 2048)

08/21/24 12:07:02 Will return to DC because authentication is incomplete.

08/21/24 12:07:02 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/21/24 12:07:02 AUTHENTICATE: auth would still block

08/21/24 12:07:02 Will return to DC to continue authentication..

08/21/24 12:07:02 Authentication was a Success.

08/21/24 12:07:02 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/21/24 12:07:02 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/21/24 12:07:02 AUTHENTICATE: Exchanging keys with remote side.

08/21/24 12:07:02 AUTHENTICATE: Result of end of authenticate is 1.

08/21/24 12:07:02 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/21/24 12:07:02 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724234822:216...

08/21/24 12:07:02 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724234822:216

08/21/24 12:07:02 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724234822:216.

08/21/24 12:07:02 DC_AUTHENTICATE: Success.

08/21/24 12:07:02 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 1 (UPDATE_SCHEDD_AD), access level ADVERTISE_SCHEDD: reason: cached result for ADVERTISE_SCHEDD; see first case for the full reason

08/21/24 12:07:02 DC_AUTHENTICATE: Command not authorized, done!

08/21/24 12:07:02 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:52736>

08/21/24 12:07:02 SECMAN: new session, doing initial authentication.

08/21/24 12:07:02 Returning to DC while we wait for socket to authenticate.

08/21/24 12:07:02 AUTHENTICATE: setting timeout for (unknown) to 20.

08/21/24 12:07:02 HANDSHAKE: in handshake(my_methods = 'TOKEN')


Leon

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users
Sent: Wednesday, 21 August 2024 16:20
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: John M Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

Thank you. 

 

The MasterLog has 

 

08/21/24 12:07:01 SECMAN: resuming command 2 UPDATE_MASTER_AD to collector asrv0de148 from TCP port 52724 (non-blocking).

08/21/24 12:07:01 SECMAN: FAILED: Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

08/21/24 12:07:01 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

08/21/24 12:07:01 Collector update failed; will try to get a token request for trust domain asrv0de148, identity (default).

 

And later

 

08/21/24 12:07:01 Token requested; please ask collector asrv0de148 admin to approve request ID 5480890.

 

Did you approve those token requests at the Collector?

The Master does not think so.

The StartLog shows a similar thing:

 

 SECMAN: FAILED: Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

08/21/24 12:07:01 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxxxxxxx using method IDTOKENS.

08/21/24 12:07:01 Collector update failed; will try to get a token request for trust domain asrv0de148, identity (default).

 

..

 

08/21/24 12:07:01 Token requested; please ask collector asrv0de148 admin to approve request ID 5431563.

 

It would be useful to know what the CollectorLog has to say at time 08/21/24 12:07:01 about those failures.

 

-tj

 


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Wednesday, August 21, 2024 6:13 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

Hi tj,

here are the log files you asked for

 

Thanks

Leon

 

 

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of John M Knoeller via HTCondor-users
Sent: Tuesday, 20 August 2024 20:33
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: John M Knoeller <johnkn@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

Can we see the first failure for this message?

 

08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

 

I suspect the problem is that a MASTER or STARTD which is running as a user does not have access to the token or token signing key that a MASTER or STARTD running as a service is able to use.

 

Looking in the MasterLog or StartLog of the htcondor instance running as a domain user should make this clearer, especially if you add

 

MASTER_DEBUG = D_SECURITY:1 $(MASTER_DEBUG)

STARTD_DEBUG = D_SECURITY:1 $(STARTD_DEBUG)


to the configuration of that instance of HTCondor. 

 

-tj

 


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Tuesday, August 20, 2024 6:42 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [EXTERNAL] Re: Run htcondor as domain user on Windows

 

Hi Cole,

 

Many thanks for your help.

 

  • Is your pool only Windows or is it a mix of Windows/Linux?
    We use a mix of Windows and Linux.
  • Is `use SECURITY:HOST_BASED` still in the configuration of the newer versioned condor?
    No, in the newer condor we use IDTOKEN
    SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, FS, ANONYMOUS
    SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, FS
  • Is HTCondor being run as a service for these Windows installations?
    When I start HTCondor as a service, there is no error. I can start jobs etc.
    But to run GUI tests I have to start HTCondor as a logged-in domain user
    C:\Users\gui_tester>condor_master

 

I set ALL_DEBUG = D_SECURITY

The CollectorLog on CM

08/20/24 13:21:51 PERMISSION GRANTED to condor@family from host 10.20.49.82 for command 77 (UPDATE_ACCOUNTING_AD), access level NEGOTIATOR: reason: NEGOTIATOR authorization has been made automatic for condor@family

08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65281>

08/20/24 13:22:23 SECMAN: new session, doing initial authentication.

08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.

08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.

08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server

08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)

08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)

08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)

08/20/24 13:22:23 Will return to DC because authentication is incomplete.

08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/20/24 13:22:23 AUTHENTICATE: auth would still block

08/20/24 13:22:23 Will return to DC to continue authentication..

08/20/24 13:22:23 Authentication was a Success.

08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.

08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.

08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:9...

08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:9

08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:9.

08/20/24 13:22:23 DC_AUTHENTICATE: Success.

08/20/24 13:22:23 PERMISSION DENIED to condor@xxxxxxxxxxxxxxxxxxxx from host 10.20.53.16 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

08/20/24 13:22:23 DC_AUTHENTICATE: Command not authorized, done!

08/20/24 13:22:23 DC_AUTHENTICATE: received DC_AUTHENTICATE from <10.20.53.16:65282>

08/20/24 13:22:23 SECMAN: new session, doing initial authentication.

08/20/24 13:22:23 Returning to DC while we wait for socket to authenticate.

08/20/24 13:22:23 AUTHENTICATE: setting timeout for (unknown) to 20.

08/20/24 13:22:23 HANDSHAKE: in handshake(my_methods = 'TOKEN')

08/20/24 13:22:23 HANDSHAKE: handshake() - i am the server

08/20/24 13:22:23 HANDSHAKE: client sent (methods == 2048)

08/20/24 13:22:23 HANDSHAKE: i picked (method == 2048)

08/20/24 13:22:23 HANDSHAKE: client received (method == 2048)

08/20/24 13:22:23 Will return to DC because authentication is incomplete.

08/20/24 13:22:23 getTokenSigningKey(): for id=POOL, pool=1 v84mode=0 reading /etc/condor/passwords.d/POOL

08/20/24 13:22:23 AUTHENTICATE: auth would still block

08/20/24 13:22:23 Will return to DC to continue authentication..

08/20/24 13:22:23 Authentication was a Success.

08/20/24 13:22:23 AUTHENTICATION: setting default map to condor@xxxxxxxxxxxxxxxxxxxx

08/20/24 13:22:23 AUTHENTICATION: post-map: current FQU is 'condor@xxxxxxxxxxxxxxxxxxxx'

08/20/24 13:22:23 AUTHENTICATE: Exchanging keys with remote side.

08/20/24 13:22:23 AUTHENTICATE: Result of end of authenticate is 1.

08/20/24 13:22:23 DC_AUTHENTICATE: authentication of 10.20.53.16 complete.

08/20/24 13:22:23 DC_AUTHENTICATE: generating AES key for session asrv0de148:3531561:1724152943:10...

08/20/24 13:22:23 DC_AUTHENTICATE: encryption enabled for session asrv0de148:3531561:1724152943:10

08/20/24 13:22:23 DC_AUTHENTICATE: message authenticator enabled with key id asrv0de148:3531561:1724152943:10.

08/20/24 13:22:23 DC_AUTHENTICATE: Success.

08/20/24 13:22:23 Checking limit in token (ADVERTISE_MASTER) for permission ALLOW

08/20/24 13:22:23 SESSION: server duplicated AES to BLOWFISH key for UDP.

08/20/24 13:22:23 DC_AUTHENTICATE: added incoming session id asrv0de148:3531561:1724152943:10 to cache for 86420 seconds (lease is 3620s, return address is <10.20.53.16:9618?addrs=10.20.53.16-9618&alias=AWS0DE227.corpdir.zz&noUDP&sock=master_8708_df30>).

Regards

Leon

 

 

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Cole Bollig via HTCondor-users
Sent: Friday, 16 August 2024 19:55
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Cole Bollig <cabollig@xxxxxxxx>
Subject: [EXTERNAL] Re: [HTCondor-users] Run htcondor as domain user on Windows

 

Hi Leon,

 

You should be able to piece together specifically why the daemons are being denied during authorization from the logs. You can build a complete picture by looking at the other/server side of the conversation (Collector in this case). I do also have some questions about your setup:

  • Is your pool only Windows or is it a mix of Windows/Linux?
  • Is `use SECURITY:HOST_BASED` still in the configuration of the newer versioned condor?
  • Is HTCondor being run as a service for these Windows installations?

 

-Cole Bollig


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Leon Thielen <L.Thielen@xxxxxxxxxxxx>
Sent: Thursday, August 15, 2024 7:31 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: [HTCondor-users] Run htcondor as domain user on Windows

 

Hi,

We have been working successfully with HTCondor 8.x for many years.

We also use HTCondor 8.x to carry out GUI tests.

With the program QF-Test we can test our application automatically.

An open desktop is required.

 

I know:

“Running the HTCondor services as any other account (such as a domain user) is not supported and could be problematic.”

From <https://htcondor.readthedocs.io/en/v8_8/admin-manual/installation-startup-shutdown-reconfiguration.html>

 

But for us the following worked:

HTCondor 8.8.15 use SECURITY : HOST_BASED

1. autologin as test-user

2. start condor_master as test-user

So we can perform 24x7 GUI tests.

 

But with the change to 23.012 there are problems.

 

All services start but the hosts are not in the cluster (condor_status does not list the hosts) and therefore do not receive any jobs.

 

In the MasterLog:

08/15/24 09:30:10 Setting ready state 'Ready' for STARTD

08/15/24 09:30:10 SECMAN: FAILED: Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.

08/15/24 09:30:10 ERROR: SECMAN:2010:Received "DENIED" from server for user condor@xxxxxxxxxxxxxxx using method IDTOKENS.

08/15/24 09:30:10 Collector update failed; will try to get a token request for trust domain cmhost, identity (default).

08/15/24 09:30:10 Failed to start non-blocking update to <10.20.49.82:9618>.

 

Can anyone help me with the solution?

 

Thanks for your help in advance

Leon
