
Re: [HTCondor-users] Troubleshooting HTCondor on Windows




> [Accounts]
>
> I'm a bit confused on when to use which "accounts".
> Is the "condor" account strictly for use with IDTokens?


So, first of all, there are no actual condor or condor_pool accounts in the Windows sense. Those are just names we use to represent a couple of special authenticated identities. "condor_pool" is the name given when the pool password was used to authenticate a connection. "condor" is the name we use to represent the identity of a condor daemon generally.


In some sense "condor" is an alias for the Windows "SYSTEM" account that the condor daemons run as. But "condor" is also used when daemons communicate with each other even when the daemons are not running as services. The "condor" account really just means fully trusted.


> Is the "condor_pool" account strictly for use with "store_cred" and Password handling?


It is used for the pool password and PASSWORD authentication only.  


> Does the POOL signing key need to be on every machine that uses the condor_pool account?


No. Think of the POOL signing key as a stand-in for the pool password. If two machines have the same value for the POOL signing key, they can authenticate to each other as if you ran condor_store_cred -c on each machine to store the same pool password on each. But the POOL signing key does more. It can also be used to sign and authenticate IDTOKENs if you use IDTOKEN authentication.


> Other than running "store_cred", when is the elevated "SYSTEM" account appropriate to use?  


You do not need to use an elevated SYSTEM account to run store_cred. If you run it in an elevated SYSTEM account it will modify the registry directly, but if you run it in a normal account it will send commands to a condor daemon and that daemon will modify the registry.


> Other than to stop/start the condor service, when should, and shouldn't, the "Run as Administrator" Command Prompt be used?


The only use for an elevated Administrator command prompt is to start the condor service. 


> What is significant about the contents of "admintoken.log" ?


If the installer fails, we may ask you to send us this log. 


> What is the purpose of the LOCAL signing key?


It is used to sign the local admin token


> What is the purpose of the "admin" token?


 It is a token that a local admin can use to send administrative commands to the local condor_daemons. 


> Does the "admin" token pertain to the INSTALL_USER?


Indirectly, yes. It is given the same identity as the install user, and the install user is given ALLOW_ADMINISTRATOR rights in the default condor config.


Since the admin token is readable by any account with Windows Administrator rights, any account in the Administrators group can send commands to the local condor daemons using that token if the daemons accept IDTOKENS as an authentication method.


> [Domain Accounts]

> How do I limit condor users to a specific group of domain users?

Condor does not understand Windows account groups, so you can't do this directly. But with 23.0 you can configure the Schedd to only allow jobs to be submitted by user accounts that already exist in the Schedd. An admin can use the condor_qusers tool to add users to the schedd.

> [condor_config]

> Which settings MUST be placed in the "base" condor_config file, instead of being accessed through the "config" directory; and why is the directory inadequate? Is the trend moving toward having a single dedicated file for each individual machine?


LOCAL_CONFIG_FILE and a few networking knobs (see the manual) must be in the base config; the rest can be in condor_config.local or in the config directory. Use of a single local config file or the config directory is just personal preference. The directory seems to be preferred by Linux admins; I believe this is mostly due to limitations of the installer technology.


In general you should put customizations of the config in condor_config.local or in the config directory, whichever you prefer.  It's probably not a good idea to edit condor_config because that is the file an upgrade install will want to change. 


-tj