
Re: [Condor-users] Windows, Credd, and run_as_owner question



Ok, I made the CREDD_DEBUG change, and did everything again, and I think I understand more about the sequence of events that occur (bear with me, I'm a novice).
 
First, some more information on my setup
 
condor_config (on both machines) -- pretty much the standard config file, except:
HOSTALLOW_CONFIG = $(CONDOR_HOST), $(FULL_HOSTNAME)
UID_DOMAIN = dom1.jhuapl.edu
CREDD_HOST = $(CONDOR_HOST):$(CREDD_PORT)
TRUST_UID_DOMAIN = True #(I was trying different settings...)
 
condor_config.local (on both machines):
ADD_WINDOWS_FIREWALL_EXCEPTION = FALSE
STARTER_ALLOW_RUNAS_OWNER = True
CREDD_CACHE_LOCALLY = True
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
 
condor_config.local.credd (on the submit / master machine -- comments elided):
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_FULLDEBUG
MAX_CREDD_LOG = 50000000
DAEMON_LIST = $(DAEMON_LIST), CREDD
CREDD    = $(SBIN)/condor_credd.exe
SEC_CREDD_SESSION_TIMEOUT = 10
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI

The most interesting piece of info is the CreddLog.  Credd started up fine on the master / submit machine (after condor_on), but when I did condor_on on the execute machine, an error occurred (looks like it got the condor_pool credential ok, though):
 
12/5 20:17:14 ******************************************************
12/5 20:17:15 ** condor_credd.exe (CONDOR_CREDD) STARTING UP
12/5 20:17:15 ** C:\condor\bin\condor_credd.exe
12/5 20:17:15 ** $CondorVersion: 6.9.5 Nov 28 2007 $
12/5 20:17:15 ** $CondorPlatform: INTEL-WINNT50 $
12/5 20:17:16 ** PID = 476
12/5 20:17:16 ** Log last touched time unavailable (No such file or directory)
12/5 20:17:16 ******************************************************
12/5 20:17:16 Using config source: C:\condor\condor_config
12/5 20:17:16 Using local config sources:
12/5 20:17:16    C:\condor/condor_config.local
12/5 20:17:16    C:\condor/condor_config.local.credd
12/5 20:17:16 DaemonCore: Command Socket at <128.244.140.226:9620>
12/5 20:17:16 Will use UDP to update collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:17:16 main_init() called
12/5 20:17:16 Getting monitoring info for pid 476
12/5 20:17:16 Trying to update collector <128.244.140.226:9618>
12/5 20:17:16 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:17:16 File descriptor limits: max 1024, safe 820
12/5 20:17:17 sspi_client_auth() entered
12/5 20:17:17 sspi_client_auth() looping
12/5 20:17:17 sspi_client_auth() exiting
12/5 20:17:17 ZKM: setting default map to (null)
12/5 20:17:17 DaemonCore: in SendAliveToParent()
12/5 20:17:18 sspi_client_auth() entered
12/5 20:17:18 sspi_client_auth() looping
12/5 20:17:18 sspi_client_auth() exiting
12/5 20:17:18 ZKM: setting default map to (null)
12/5 20:17:18 DaemonCore: Leaving SendAliveToParent() - success
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 AUTHENTICATE: handshake failed!
12/5 20:20:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
12/5 20:21:16 Getting monitoring info for pid 476
12/5 20:22:18 Trying to update collector <128.244.140.226:9618>
12/5 20:22:18 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:25:16 Getting monitoring info for pid 476
12/5 20:27:18 Trying to update collector <128.244.140.226:9618>
12/5 20:27:18 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:29:16 Getting monitoring info for pid 476
Any thoughts?
 
Thanks,
Matt
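
A triage helper for the CreddLog excerpt above, added here as an example; it is not part of the original message or of Condor. It pairs each DC_AUTHENTICATE failure with the recv() error logged in the same second, so the peer, socket error and failing method can be read together. The function and variable names are hypothetical; the sample lines are copied from the log above.

```python
import re

# Lines copied from the CreddLog excerpt in the message above.
SAMPLE = """\
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 AUTHENTICATE: handshake failed!
12/5 20:20:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
12/5 20:21:16 Getting monitoring info for pid 476
"""

LINE = re.compile(r"^(\d+/\d+ \d+:\d+:\d+) (.*)$")
RECV = re.compile(r"recv\(\) returned -1, errno = (\d+).*from <([\d.]+):(\d+)>")
FAIL = re.compile(r"^DC_AUTHENTICATE: authenticate failed: (.*)$")
USING = re.compile(r"Failed to authenticate using (\w+)")
# Winsock error code seen in the log; 10054 is WSAECONNRESET.
WINSOCK = {10054: "WSAECONNRESET"}


def auth_failures(text):
    """Pair each DC_AUTHENTICATE failure with the recv() error logged in the same second."""
    failures, last_recv = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        r = RECV.search(msg)
        if r:
            last_recv = (stamp, int(r.group(1)), r.group(2))
            continue
        f = FAIL.match(msg)
        if not f:
            continue
        # The error stack is "SUBSYS:code:text" entries joined by "|".
        stack = [e.split(":", 2) for e in f.group(1).split("|") if e.count(":") >= 2]
        same_second = last_recv is not None and last_recv[0] == stamp
        errno, peer = last_recv[1:] if same_second else (None, None)
        failures.append({
            "time": stamp,
            "peer": peer,
            "socket_error": WINSOCK.get(errno, errno),
            "codes": [int(code) for _, code, _ in stack],
            "methods": USING.findall(f.group(1)),
        })
    return failures


if __name__ == "__main__":
    for failure in auth_failures(SAMPLE):
        print(failure)
```
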


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Thompson, Cooper
Sent: Wednesday, December 05, 2007 4:36 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

Can you include your security configuration from condor_config (any SEC_<type>_AUTHENTICATION_METHODS, ALLOW_CONFIG, etc)?

 

Also – an excerpt from the CreddLog with CREDD_DEBUG = D_FULLDEBUG would be useful.  Specifically there should be some log entries related to fetching and exchanging the pool password.

 

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Valencia, Matthew C.
Sent: Wednesday, December 05, 2007 3:59 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

 

Yes, I have CREDD_HOST  = $(CONDOR_HOST):$(CREDD_PORT) 

 

and I've also run condor_store_cred to add the credentials for the user I'd like to run as (and the command returned successfully).

 

I did everything again from scratch to make sure I didn't miss anything, and I noticed the following message in the MasterLog of both machines (it is also listed below) after running the condor_store_cred -c -n A.dom1.jhuapl.edu and condor_store_cred -c -n B.dom1.jhuapl.edu:

 

store_pool_cred: failed to receive all parameters

 

Could this be important?

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Jones, Torrin A (US SSA)
Sent: Wednesday, December 05, 2007 3:42 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

Also, is CREDD_HOST defined in the condor_config for both machine A and machine B?

-----Original Message-----
From: Jones, Torrin A (US SSA)
Sent: Wednesday, December 05, 2007 12:38
To: 'Condor-Users Mail List'
Subject: RE: [Condor-users] Windows, Credd, and run_as_owner question

Did you also run condor_store_cred for the user you want to run as?

 

condor_store_cred add

 

 

<snip>