
Re: [HTCondor-users] Authentication on Windows without a domain



Hi Jaime,

 

The file you're talking about seems to be the signing key for IDTokens (as per the documentation) and contains a lot of nonsensical characters (I'm assuming it's binary). What should I be writing in it? Just the password, in plain text? Same on each machine? Don't I have to put the name of the pool in it?


I'm afraid I am going to need a bit more detail on this please.

 

Thank you

 

Marwan

 

From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: Tuesday 13 May 2025 21:02
To: BADAWI Marwan <marwan.badawi@xxxxxxxxxxx>
Cc: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication on Windows without a domain

 

Instead of running condor_store_cred, you can write your pool password to the file <condor-install>\tokens.sk\POOL on each machine.

 

 - Jaime



On May 12, 2025, at 5:02 AM, BADAWI Marwan <marwan.badawi@xxxxxxxxxxx> wrote:

 

Thanks for your reply Jaime, unfortunately I am still having the issue.

 

I changed all my ALLOW_ options to * just to check, I removed the SEC_ entries as you suggested, and I even renamed the machines and got rid of the network_alias option. Still no luck.

 

When I run "condor_store_cred add -c -n project1" from the CM, the complete message I get is "Operation failed: Make sure you have ALLOW_ADMINISTARATOR access to the target Master".

When I run "condor_store_cred -u condor_pool@project2 add" from the AP/EP, the error message I get is "Operation failed: Make sure your ALLOW_WRITE settings include this host".

 

I get these messages whether I use the hostname, hostname.local, or the IP address.

 

And like I said above, my current settings just for testing purposes on both machines are to allow everything (I even threw in an ALLOW_CONFIG for good measure):

ALLOW_ADMINISTRATOR = *

ALLOW_CONFIG = *

ALLOW_DAEMON = *

ALLOW_READ = *

ALLOW_WRITE = *

ALLOW_NEGOTIATOR = *

ALLOW_NEGOTIATOR_SCHEDD = *

ALLOW_WRITE_COLLECTOR = *

ALLOW_WRITE_STARTD    = *

ALLOW_READ_COLLECTOR  = *

ALLOW_READ_STARTD     = *

ALLOW_CLIENT = *

 

This is driving me crazy!

 

Thanks for any insight, I don't know what else to do.

 

Marwan

 

 

From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: Wednesday 7 May 2025 22:25
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: BADAWI Marwan <marwan.badawi@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication on Windows without a domain

 

Your setting of SEC_DEFAULT_AUTHENTICATION and SEC_DEFAULT_AUTHENTICATION_METHODS will make job submission impossible. You should remove those.

 

For condor_store_cred, you need to give the name of the machine, not the IP address.

 

 - Jaime




On May 6, 2025, at 9:55 AM, BADAWI Marwan via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

 

FWIW, attached are two sets of configuration files I tried.

 

The "Anon_Config" set is the one I tried and failed with yesterday when I wrote.

 

The "Pool_Config" set is me trying to create a Windows pool. But when I try to register the credentials from the CM using "condor_store_cred -c -n 192.168.1.2" I get a security error telling me to check I have ADMINISTRATOR privileges on the target host. I thought that's what I did in the config file!

 

FYI:

- CM/AP/EP is at 192.168.1.2, aliased as "project1" and has its own Windows machine name

- AP/EP is at 192.168.1.1, aliased as "project2" and has its own Windows machine name

(there will be a total of 8 AP/EP machines "projectN" with IPs 192.168.1.N, but for now I am just trying to get this to work on 2 machines)

 

They all have the same admin account username "adm-project" with the same password.

 

No centralized AD server with domain accounts is available; each machine manages its own local users.

 

I just want this to work, regardless of authentication. It is a completely autonomous setup, not connected to any network in any way.

 

Thanks again for any insight you may have.

 

Marwan

 

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of BADAWI Marwan via HTCondor-users
Sent: Tuesday 6 May 2025 09:51
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: BADAWI Marwan <marwan.badawi@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication on Windows without a domain

 

Sorry about that, I wrote the mail from memory because the machine with the logs does not have internet access.

 

The exact message is "SetEffectiveOwner security violation: attempting to set owner to dis-allowed value <username@submittingmachine>"

 

Here's the scheduler log attached.

 

Thank you!

 

Marwan

 

From: Tim Theisen <tim@xxxxxxxxxxx>
Sent: Monday 5 May 2025 18:02
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: BADAWI Marwan <marwan.badawi@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication on Windows without a domain

 

Could you give us a little more information?

What version of HTCondor are you using?

Could you cut and paste about 20 lines before the failure message?

de-authorized does not appear anywhere in the current code base. Is this a typo?

...Tim

On 5/5/25 08:54, BADAWI Marwan via HTCondor-users wrote:

Hello all,

 

We are running a trial setup between individual Windows machines that each only have local users and no domain authentication. (If it helps, they have the same username account with the same password).

 

I cannot seem to find a way to allow condor to correctly authenticate and run jobs. I keep getting a security error in the SchedLog: "Seteffectiveowner security violation setting user to de-authorized user <username@submittingmachine>"

 

I activated HOST_BASED security and used ALLOW_* variables to only allow hosts in the same subnet like this (as taken from the Host Based Security web page):

ALLOW_READ = 192.168.1.*

ALLOW_WRITE = 192.168.1.*

ALLOW_NEGOTIATOR = 192.168.1.*

ALLOW_NEGOTIATOR_SCHEDD = 192.168.1.*

ALLOW_WRITE_COLLECTOR = 192.168.1.*

ALLOW_WRITE_STARTD    = 192.168.1.*

ALLOW_READ_COLLECTOR  = 192.168.1.*

ALLOW_READ_STARTD     = 192.168.1.*

ALLOW_CLIENT = 192.168.1.*

 

But it doesn't seem to suffice.

 

RUN_AS_USER is deactivated in both the condor and job configurations.

 

Can anyone help with this issue? 

 

Thank you!

 

Marwan Badawi

 

 

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
 
Join us in June at Throughput Computing 25: https://osg-htc.org/htc25
 
The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/ 
-- 
Tim Theisen (he, him, his)
Release Manager
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736

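Editor's added example, not code from the thread, from Jaime, or from the HTCondor project. It implements the step Jaime describes above (writing the pool password to <condor-install>\tokens.sk\POOL on each machine) as a PowerShell script that can be run on every host in the pool, and adds the part a practitioner would want: the file is a shared secret, so its ACL is cut down to SYSTEM and local Administrators instead of the inherited install-tree permissions. Assumptions, not stated on the page: the install directory C:\condor, that the HTCondor service runs as LocalSystem (the Windows default), that the file's bytes are used as-is as the key (so the bytes, not just the text, must be identical on every machine and there must be no trailing newline), and that condor_ping is available for the follow-up check.

```powershell
<#
  Editor's added example (not from the thread or the HTCondor project).
  Writes the pool password to <condor-install>\tokens.sk\POOL, as described in
  the thread, and restricts the file to SYSTEM + Administrators.
  Assumptions: install path below; service runs as LocalSystem; file bytes are
  used verbatim as the key, so every machine must hold byte-identical contents.
#>
param(
    # Assumption: adjust to the real install directory on each machine.
    [string]$CondorInstall = 'C:\condor'
)

$dir  = Join-Path $CondorInstall 'tokens.sk'
$file = Join-Path $dir 'POOL'

# Prompt for the secret rather than embedding it in the script or shell history.
$secure = Read-Host -Prompt 'Pool password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

if ([string]::IsNullOrEmpty($plain)) { throw 'Empty pool password refused.' }

New-Item -ItemType Directory -Force -Path $dir | Out-Null

# WriteAllBytes + ASCII: exactly the password bytes, no BOM, no trailing newline,
# so the file hashes identically on every machine it is deployed to.
[IO.File]::WriteAllBytes($file, [Text.Encoding]::ASCII.GetBytes($plain))
$plain = $null

# Replace the inherited ACL (which normally lets every local Users member read
# the install tree) with an explicit SYSTEM + Administrators only ACL.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $file -AclObject $acl

# Evidence to compare across machines: same hash means the same key on each host.
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
Write-Host "POOL written to $file"
Write-Host "SHA256 = $hash"
Get-Acl -Path $file | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell on each machine, type the same password each time, and compare the printed SHA256 values: if they differ, the files differ in at least one byte (an extra newline or a different encoding being the usual cause) and the machines do not share a key. After restarting the HTCondor service, `condor_ping -verbose ALL` on each host reports, per authorization level, whether the daemons accepted the connection and with which authentication method, which is a more direct check than waiting for the next SchedLog error.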