Hi Jaime,
The file youâre talking about seems to be the signing key for IDTokens (as per the documentation) and contains a lot of nonsensical characters (Iâm assuming itâs binary).
What should I be writing in it? Just the password, in plain text? Same on each machine? Donât I have to put the name of the pool in it?
Iâm afraid I am going to need a bit more detail on this please.
Thank you
Marwan
From: Jaime Frey <jfrey@xxxxxxxxxxx>
Sent: mardi 13 mai 2025 21:02
To: BADAWI Marwan <marwan.badawi@xxxxxxxxxxx>
Cc: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Authentication on Windows without a domain
Instead of running condor_store_cred, you can write your pool password to the file <condor-install>\tokens.sk\POOL on each machine.
- Jaime
Thanks for your reply Jaime, unfortunately I am still having the issue.
I changed all my ALLOW_ options to * just to check, I removed the SEC_ entries as you suggested, and I even renamed the machines and got rid of the network_alias option. Still no luck.
When I turn âcondor_store_cred add -c -n project1â from the CM, the complete message I get is âOperation failed: Make sure you have ALLOW_ADMINISTARATOR access to the target Masterâ.
When I run âcondor_store_cred -u condor_pool@project2 addâ from the AP/EP, the error message I get is âOperation failed: Make sure your ALLOW_WRITE settings include this hostâ.
I get these messages whether I use the hostname, hostname.local, or the IP address.
And like I said above, my current settings just for testing purposes on both machines are to allow everything ( I even threw in an ALLOW_CONFIG for good measure):
ALLOW_NEGOTIATOR_SCHEDD = *
ALLOW_WRITE_COLLECTOR = *
This is driving me crazy!
Thanks for any insight, I donât know what else to do.
Your setting of SEC_DEFAULT_AUTHENTICATION and SEC_DEFAULT_AUTHENTICATION_METHODS will make job submission impossible. You should remove those.
For condor_store_cred, you need to give the name of the machine, not the IP address.
FWIW, attached are two sets of configuration files I tried.
The âAnon_Configâ set is the one I tried and failed with yesterday when I wrote.
The âPool_Configâ set is me trying to create a windows Pool. But when I try to register the credentials from the CM using âcondor_store_cred -c -n 192.168.1.2â I get a security error telling me
to check I have ADMINISTRATOR privileges on the target host. I thought thatâs what I did in the config file!
- CM/AP/EP is at 192.168.1.2, aliased as âproject1â and has its own windows machine name
- AP/EP is at 192.168.1.1, aliased as âproject2â and has its own windows machine name
(there will be a total o f8 AP/EP machines âprojectNâ with Ips 192.168.1.N, but for now, just trying to get this to work on 2 machines )
They all have the same admin account username âadm-projectâ with the same password.
Non centralized AD server with domain accounts available, each machine manages its own local users.
I just want this to work, regardless of authentication. It is a completely autonomous setup, not connected to any network in any way.
Thanks again for any insight you may have.
Sorry about that, I wrote the mail from memory because the machine with the logs does not have internet access.
The exact message is âSetEffectiveOwner security violation: attempting to set owner to dis-allowed value <username@submittingmachine>â
Hereâs the scheduler log attached.
Could you give us a little more information?
What version of HTCondor are you using.
Could you cut and paste about 20 lines before the failure message?
de-authorized does not appear anywhere in the current code base. Is this a typo?
...Tim
On 5/5/25 08:54, BADAWI Marwan via HTCondor-users wrote:
We are running a trial setup between individual Windows machines that each only have local users and no domain authentication. (If it helps, they have the same username account with the same password).
I cannot seem to find a way to allow condor to correctly authenticate and run jobs. Ikeep getting a security error in the SchedLog: âSeteffectiveowner security violation setting user to de-authorized
user <username@submittingmachine>â
I activated HOST_BASED security and used ALLOW_* variables to only allow hosts in the same subnet like this (as taken from the Host
Based Security web page):
ALLOW_WRITE = 192.168.1.*
ALLOW_NEGOTIATOR = 192.168.1.*
ALLOW_NEGOTIATOR_SCHEDD = 192.168.1.*
ALLOW_WRITE_COLLECTOR = 192.168.1.*
ALLOW_WRITE_STARTD = 192.168.1.*
ALLOW_READ_COLLECTOR = 192.168.1.*
ALLOW_READ_STARTD = 192.168.1.*
ALLOW_CLIENT = 192.168.1.*
But it doesnât seem to suffice.
RUN_AS_USER is deactivated in both the condor and job configurations.
Can anyone help with this issue?
_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
Join us in June at Throughput Computing 25: https://urldefense.com/v3/__https://osg-htc.org/htc25__;!!Mak6IKo!IqQhOOH1SH7NjxckWuVAV6Z3lk-tEHcAK5hyN9AnedrS9azWpZw52TL0NiB0t3AQYyoWU-HRYXlc4W8sgG_hZqfI_-CW$
The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/
--
Tim Theisen (he, him, his)
Release Manager
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736
|
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}