[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-users] Windows Security configuration for user basedauthentication

     I have spent almost a week sorting out user rights and permissions for
Condor under windows. This information hasn't been documented elsewhere - the
condor team are very busy producing this wonderful product so no smear on them -
so I thought I should post the information I have gleaned.

Please accept the normal disclaimers. I have only tested the setup against a
very limited installation and other bits of condor that haven't been exercised
may need extra access. The majority of this information relates to exec nodes.
The submit node and manager node in my testbed are running under less access.

The aim is to get condor running under a domain account - not local system.
There are two entities involved:

The condor account that you create on the domain (called difman below) and the
condor-reuse-vmx account(s) that condor creates for you (called reuse below).

To run the condor service difman only needs "logon as service" to process jobs
it needs a bit more.

Symptoms of lockout - in the starter log on the execute node you will see things

   8/13 10:57:29 Dynuser: Couldn't param VM# - using 1 by default
   8/13 10:57:29 dynuser: Re-enabling account (condor-reuse-vm1)
   8/13 10:57:29 LogonUser(condor-reuse-vm1, ... ) failed with status 13148/13
   10:57:29 ERROR "Failed to create a user nobody" at line 332 in file


   8/13 16:22:11 Create_Process: CreateProcess failed, errno=5
   8/13 16:22:11 ERROR "Create_Process(C:\WINNT\system32\cmd.exe,condor_exec.exe
   /Q /C condor_exec.bat , ...) failed" at line 493 in file
   8/13 16:22:11 ShutdownFast all jobs.

Error 1314 (I don't know why it is showing as 13148) is "A required privilege is
not held " and error 5 is access denied.

Difman requires some user rights that are not given  even to administrators by
default. To spawn a process under another security context ie Difman spawning a
process for reuse in reuse' security context, Difman needs:

   Act as part of the operating system
   Increase quotas
   Create a token object
   Replace a process level token

In my testbed Difman only has those plus logon as service. Reuse only has logon
as batch. They will be picking up the defaults for Everyone for Difman and
Everyone and Users for Reuse. I believe that both also need access to the condor
directory tree and are getting the defaults  from the Everyone group.

I hope this helps someone.


ABS Web Site:  www.abs.gov.au