[Condor-users] problems with credd

["Chin, Tammy" <chint@xxxxxxx>]

Title: problems with credd

Hi,

I've been attempting to get the credd running under WINXP so that I can use the runas_owner option. Can anyone shed some light on this?

I am not even attempting to run jobs, but I keep getting the following errors in my credd log:

5/9 15:58:15 Got SIGHUP.  Re-reading config files.
5/9 15:58:16 main_config() called
5/9 15:58:16 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.62.121:3295> for command 81100 (CREDD_NOP)

5/9 15:58:16 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.62.115:1432> for command 81100 (CREDD_NOP)

5/9 15:58:16 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.76.140:1603> for command 81100 (CREDD_NOP)

5/9 15:58:16 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.77.81:3707> for command 81100 (CREDD_NOP)

5/9 15:58:16 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.77.79:2824> for command 81100 (CREDD_NOP)

5/9 15:58:17 AUTHENTICATE: no available authentication methods succeeded, failing!
5/9 15:58:17 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using PASSWORD

5/9 16:11:34 DaemonCore: PERMISSION DENIED to condor_pool@*.aecl.ca from host <132.225.62.121:3366> for command 81100 (CREDD_NOP)

The following is a section of my condor_config from my master (which is duplicated across the to the execute nodes:

CREDD_HOST= crw2268.aecl.ca
STARTER_ALLOW_RUNAS_OWNER = True
CREDD_CACHE_LOCALLY = True
SEC_CLIENT_AUTHENTICATION_METHODS = \
             NTSSPI, PASSWORD

The following is the credd section from my condor_config.local from the master:

#################################################
## CREDD Expert settings
## Everyting below is for the UBER-KNOWLEDGEABLE only!
## Do not change these unless you know what you do!
#################################################

DAEMON_LIST = $(DAEMON_LIST), CREDD
DC_DAEMON_LIST = $(DC_DAEMON_LIST), CREDD

CREDD    = $(SBIN)/condor_credd.exe

# Timeout session quickly since we normally only get contacted
# once per starter
SEC_CREDD_SESSION_TIMEOUT = 10

# Set security settings so that full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED

# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

# Only honor password fetch requests to the trusted "condor_pool" user
CREDD.ALLOW_DAEMON = condor_pool@($UID_DOMAIN)

# Require NTSSPI for storing credentials
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI

Thanks,

Tammy

CONFIDENTIAL AND PRIVILEGED INFORMATION NOTICE

This e-mail, and any attachments, may contain information that
is confidential, subject to copyright, or exempt from disclosure.
Any unauthorized review, disclosure, retransmission, 
dissemination or other use of or reliance on this information 
may be unlawful and is strictly prohibited.  

AVIS D'INFORMATION CONFIDENTIELLE ET PRIVILÉGIÉE

Le présent courriel, et toute pièce jointe, peut contenir de 
l'information qui est confidentielle, régie par les droits 
d'auteur, ou interdite de divulgation. Tout examen, 
divulgation, retransmission, diffusion ou autres utilisations 
non autorisées de l'information ou dépendance non autorisée 
envers celle-ci peut être illégale et est strictement interdite.