
RE: [condor-users] Setting up creds for SYSTEM user, Windows



Comments below ....

> Assuming the SYSTEM user is the account running 
> condor_submit, that is likely your problem, although I'm 
> surprised that the webserver you're using wouldn't attempt to 
> separate the privileges of the webserver from any commands 
> that are run underneath it. 
> 
> That said, there's no way for you to set the password on the 
> SYSTEM account, so there's no way for you to store its 
> credentials. But you really shouldn't be submitting jobs as 
> SYSTEM anyways (just as you wouldn't want to submit jobs as 
> root on unix either).

I will bring this point up to my web admin, though in the past there were
reasons for this.
Possibly due to permissions on other facets of the entire system, not
just the web component. We are running Apache on Windows, with a very
limited set of user accounts, no NT domain, all administrator user
accounts on the servers only. I know there are other alternatives to
this infrastructure, though this is what was working with the older
Condor. (In other words I promised my team that an upgrade to condor
6.6.1 would not incur any changes on the rest of the system and can all
be handled on the Condor end, but I was simply mistaken.)

> My suggestion would be to either:
> 
> (1) configure the webserver to spawn processes as some 
> account other than SYSTEM (for example, I understand that IIS 
> spawns additional processes as some kind of IWAM_<servername> 
> account, and the password for this account should be easy to 
> get/set and hand off to condor_store_cred).
> 
> (2) use runas or some such to run condor_submit under some 
> account that you create on the system for this purpose. This 
> has a few snags, depending on what tool you use:
> 
> 	a. runas won't take passwords non-interactively, although
> 	starting in XP you can call it with the /SAVECRED option and it
> 	will at least only prompt you for your password the first time
> 	you run it.
> 
> 	b. cmdasuser (
> 	http://www.develop.com/kbrown/security/code/cmdasuser.zip )
> 	works great, but it's hard-coded to only start cmd.exe. I have
> 	a patch which allows it to run anything off the command line,
> 	which I will post if there's interest.

If you don't post the patch, please send it to me. That would be helpful
for more than this situation.

> > I don't get any error messages, is there a log that logs 
> failures due 
> > to credentials?
> 
> condor_submit (from 6.5.x and above) should fail right away 
> with an error message if the credential of the submitting 
> user is not stored. 'condor_store_cred query' will also tell 
> you if the credentials for the current account are stored.
> 
> Let us know if you continue to have problems.
> 

I'll rehash the issue with 1) and investigate 2).
You guys are the best, thanks for your help and I'll investigate this
further.

Ron
