
Re: [HTCondor-users] [Windows] condor_store_cred add fails when using IDTokens



Thanks for the tip.

Yeah, the manual could use some tightening and some more practical details for Windows. Most of the start guide and the administrator manual is very Linux-specific and centered around the installation script. And, on Windows, we're left with attempting to apply macros that work on Linux to Windows, not being sure they work the same (obviously not the case here).

 

Forgot to mention this was under HTCondor 23.0.0 using the MSI installer. I've just done a 23.0.5 installation from scratch using the MSI installer with the same result.

 

I've added the line you've mentioned and restarted HTCondor, but the issue remains the same, with the same error messages when ALLOW_WRITE is not set (need to add local) or set (operation not allowed). Not sure where this condor_pool user mentioned in SchedLog comes from as there is nothing related to this in the base or custom configuration (see summary of changes below). It does not appear anywhere when doing condor_config_val -dump either.

 

This is from the fresh install with condor_config initialized from the installer and condor_config.local empty:

 

> condor_config_val -summary
# condor_config_val $CondorVersion: 23.0.5 2024-01-10 BuildID: 702493 DAILY $

#
# from C:\condor\condor_config
#
RELEASE_DIR = C:\condor
LOCAL_CONFIG_FILE = $(LOCAL_DIR)\condor_config.local
LOCAL_CONFIG_DIR = $(LOCAL_DIR)\config
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SECURITY_MODEL = 9.0
INSTALL_USER = <user>

#
# from C:\condor\config\99-spc-execute-ap.config
#
CONDOR_HOST = A
ALLOW_ADMINISTRATOR = root@* condor@$(TRUST_DOMAIN)
ALLOW_DAEMON = condor@$(TRUST_DOMAIN)
ALLOW_NEGOTIATOR = condor@$(TRUST_DOMAIN)
ALLOW_READ = *
SEC_DEFAULT_AUTHENTICATION = required
SEC_DEFAULT_ENCRYPTION = required
SEC_DEFAULT_INTEGRITY = required
TRUST_DOMAIN = $(CONDOR_HOST)
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI
SEC_READ_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI, ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI, ANONYMOUS
ALLOW_WRITE = condor@$(TRUST_DOMAIN) *
DAEMON_LIST = MASTER, SCHEDD, STARTD
CENTRAL_MANAGER1 = A
CENTRAL_MANAGER2 = B
COLLECTOR_HOST = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)


Fabrice Bouyé
IT Specialist (Scientific Computing) - Fisheries, Aquaculture and Marine Ecosystems Division
Pacific Community | Communauté du Pacifique
CPS - B.P. D5 | 98848 Noumea, New Caledonia
Tel: (687) 26 20 00 | Ext: 31411 | Mob: (687) 77 91 25 | Fax: (687) 26 38 18
E: fabriceb@xxxxxxx

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of Jaime Frey via HTCondor-users
Sent: Friday, January 19, 2024 3:54 AM
To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
Cc: Jaime Frey <jfrey@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] [Windows] condor_store_cred add fails when using IDTokens

 

The get_htcondor configuration macros (like get_htcondor_idtokens) are very Linux-specific and contain settings that won't work on Windows. For example, they explicitly enable the FS authentication method (Unix only) for same-machine connections and disable NTSSPI (Windows only).

 

Adding the following lines (after use security:get_htcondor_idtokens) should help with the condor_store_cred failures:

 

SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI
SEC_READ_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI, ANONYMOUS
SEC_CLIENT_AUTHENTICATION_METHODS = IDTOKENS, NTSSPI, ANONYMOUS

 

I'm surprised by the identity 'condor_pool@' in the SchedLog error message. It's missing a domain and the condor_pool name is normally only used in the PASSWORD authentication method, which the get_htcondor_idtokens configuration macro should be explicitly disabling.

 

 - Jaime



On Jan 17, 2024, at 5:06 PM, Fabrice Bouye <FabriceB@xxxxxxx> wrote:

 

Hello,

I continue to expand my new security model + HAD test flock by integrating additional nodes, including a Windows AP + execute machine.

For now, I find the setup instructions for Windows to be lacking in details and practical examples on how you can proceed towards a working solution when integrating an existing Linux flock with IDTokens.

 

The things I've done so far, following an older discussion I've found:

 

  • Copied /etc/condor/password.d/POOL from one of the test Linux machines to C:\condor\token.sk on the Windows machine.
  • Re-generated IDTokens for each of the CMs on the Windows machine.
  • Set up a file named 99-spc-execute-ap.config in C:\condor\config with the following content:

CONDOR_HOST = A
use security:get_htcondor_idtokens

DAEMON_LIST = MASTER, SCHEDD, STARTD

CENTRAL_MANAGER1 = A
CENTRAL_MANAGER2 = B

COLLECTOR_HOST = $(CENTRAL_MANAGER1),$(CENTRAL_MANAGER2)

The Windows machine connects to the test HAD flock and is able to receive and process jobs, with results returned to the Linux AP.

 

However, when attempting to submit jobs from the Windows machine, condor_submit fails, as expected, with:

 

ERROR: No credential stored for <user>

        Correct this by running:
        condor_store_cred add

But when running condor_store_cred add with:

Account: <user>
CredType: password

Enter password:
Operation failed.
Make sure your ALLOW_WRITE setting includes this host.


So far, in this base config:


> condor_config_val -v ALLOW_WRITE
# at: C:\condor\config\99-spc-execute-ap.config, line 2, use SECURITY:get_htcondor_idtokens+52
# raw: ALLOW_WRITE = condor@$(TRUST_DOMAIN)

 

And in C:\condor\log\SchedLog:

 

01/18/24 09:32:53 (pid:14176) PERMISSION DENIED to condor_pool@ from host <ip> for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: <ip>,host.docker.internal, hostname size = 1, original ip address = <ip>
01/18/24 09:32:53 (pid:14176) DC_AUTHENTICATE: Command not authorized, done!

 

I've tested adding the following line to the custom configuration file:

 

ALLOW_WRITE = $(ALLOW_WRITE) *

 

However, the error message now changes to:

 

> condor_config_val -v ALLOW_WRITE
Account: <user>
CredType: password

Enter password:
Operation failed because it is not allowed

 

And now C:\condor\log\SchedLog contains instead:

 

01/18/24 09:42:01 (pid:15052) WARNING: store_cred() for user <user>  attempted by user condor_pool, rejecting

 

Debug info for the command using -d flag is:

 

01/18/24 09:42:01 STORE_CRED: In mode 100 'add', user is "<user>"
Operation failed because it is not allowed

 

I've also tried condor_store_cred add -u <user> to no avail (same error as above).

The same operation works OK when falling back to the previous host based configuration on the main flock.

Any clue?

 

Thanks

 

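As an added example (not from the thread and not HTCondor code), a small Python triage parser for the two SchedLog failure shapes quoted above. It pulls the identity, host, command and access level out of each denial and flags the two things Jaime points out: an identity with no domain, and the condor_pool name that belongs to the PASSWORD method. The sample lines are constructed from the quoted ones, with 10.0.0.5/10.0.0.9 and alice standing in for the redacted <ip> and <user>, plus one made-up contrast line with a fully qualified identity.

```python
import re

# Added example (not from the thread): a triage parser for the two SchedLog failure shapes
# quoted above. Sample lines are constructed from those quotes; 10.0.0.5/10.0.0.9 and
# "alice" replace the redacted <ip> and <user>; the last line is a made-up contrast case.
SAMPLE_SCHEDLOG = """\
01/18/24 09:32:53 (pid:14176) PERMISSION DENIED to condor_pool@ from host 10.0.0.5 for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request; identifiers used for this host: 10.0.0.5,host.docker.internal, hostname size = 1, original ip address = 10.0.0.5
01/18/24 09:32:53 (pid:14176) DC_AUTHENTICATE: Command not authorized, done!
01/18/24 09:42:01 (pid:15052) WARNING: store_cred() for user alice  attempted by user condor_pool, rejecting
01/18/24 09:50:12 (pid:15052) PERMISSION DENIED to alice@A from host 10.0.0.9 for command 479 (STORE_CRED), access level WRITE: reason: WRITE authorization policy contains no matching ALLOW entry for this request
"""

PREFIX = r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(pid:(?P<pid>\d+)\) "
PATTERNS = {
    "permission_denied": re.compile(
        PREFIX + r"PERMISSION DENIED to (?P<identity>\S+) from host (?P<host>\S+) "
        r"for command (?P<cmd>\d+) \((?P<cmd_name>[^)]+)\), access level (?P<level>\w+): "
        r"reason: (?P<reason>.*)$"),
    "store_cred_rejected": re.compile(
        PREFIX + r"WARNING: store_cred\(\) for user (?P<target>\S+)\s+"
        r"attempted by user (?P<identity>\S+), rejecting$"),
}


def identity_flags(identity):
    """Why an authenticated identity looks wrong, per the observations in the thread."""
    flags = []
    user, sep, domain = identity.partition("@")
    if not sep or not domain:
        flags.append("missing domain")          # e.g. 'condor_pool@' with nothing after '@'
    if user == "condor_pool":
        flags.append("pool-password identity")  # PASSWORD method, not IDTOKENS/NTSSPI
    return flags


def parse_schedlog(text):
    """Return one dict per authorization failure; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev.update(kind=kind, pid=int(ev["pid"]), flags=identity_flags(ev["identity"]))
                if "cmd" in ev:
                    ev["cmd"] = int(ev["cmd"])
                events.append(ev)
                break
    return events
```

Run it over a real SchedLog and any event whose flags include "pool-password identity" while IDTOKENS/NTSSPI are the only configured methods is the mismatch this thread is chasing.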

 

_______________________________________________
HTCondor-users mailing list
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/