[HTCondor-users] windows authentication ht-condor 24.1.1
- Date: Thu, 7 Nov 2024 16:30:08 -0500
- From: Andy Barr <ajbarr@xxxxxxxxx>
- Subject: [HTCondor-users] windows authentication ht-condor 24.1.1
Hi,
I am working on testing ht-condor 24.1.1 on a small network of Windows 11 workstations. These machines are in a secure environment and only authenticated users can access the machines. I need to be able to utilize the run as owner option to launch jobs as the user who submitted them.
Is there a recommended authentication method I should use? I see Host-Based Security mentioned by HTCondor as less secure but I'm not sure how to setup
I tried to set up the recommended security method and did the following.
I successfully set up and ran ht-condor on 1 machine. I have condor_credd running on that machine and can successfully use the run as owner option on that machine. The machine with the initial setup is running collector, credd, master, negotiation, procd, schedd, shared_port, and startd.
Now, I would like to install ht-condor on each user's workstation with submit and execute roles so that users can submit jobs from their workstation and run on anyone's workstation in the pool.
So I installed ht-condor on a 2nd Windows 11 workstation. While reading the documentation, I feel like I just need PASSWORD authentication and have created a pool password on both machines, condor_store_cred add -c
On my 1st machine (Central Manager) which works, condor_store_cred add, works fine.
On my 2nd submit execute machine I get, condor_store_cred add -c
Enter password:
Operation failed.
  Make sure your ALLOW_WRITE setting includes this host.
I have tried to allow everything using * for most things,
ALLOW_ADMINISTRATOR = *
ALLOW_READ = *
ALLOW_WRITE = *
ALLOW_CLIENT = *
ALLOW_NEGOTIATOR = *
SEC_CONFIG_NEGOTIATION = REQUIRED
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED
If I change to SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD then my 1st machine doesn't work.
So for now I am using
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
but this gives me the following in the master log file on my 2nd computer.
11/07/24 14:01:38 SECMAN: FAILED: Received "DENIED" from server for user hostname$@company using method NTSSPI.
11/07/24 14:01:38 ERROR: SECMAN:2010:Received "DENIED" from server for user hostname$@company using method NTSSPI.
11/07/24 14:01:38 Failed to start non-blocking update to <ip addres of master:9618>.
I have gone through the config process twice, re-reading the documentation and spending 4 hours each time on it, but still end up with the same issue.
Thanks for the help!
Andy