
Re: [Condor-users] Windows, Credd, and run_as_owner question



Apologies,
 
I should have specified that the condor_config files on your entire pool should be the same. I was only pointing out the difference between what was posted and the configuration files that I have on my two working pools.
 
YMMV
 
Tammy
-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx]On Behalf Of Thompson, Cooper
Sent: December 7, 2007 12:22 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

To state the obvious – the problem seems to start here:

12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.

 

Which means the connection between the credd and the client is being reset for some reason.  I’ve seen a similar problem related to this issue:

https://lists.cs.wisc.edu/archive/condor-users/2007-October/msg00292.shtml

 

I don’t see any obvious relationship however.

 

My next step would be to take a look at the StartLog on the execute machine – probably with STARTD_DEBUG set with D_FULLDEBUG and D_SECURITY   (probably add D_SECURITY to CREDD_DEBUG on your master as well).

 

 

Coop

 

P.S.  Moving things between condor_config and condor_config.local should have no effect if you have condor_config.local everywhere.  My understanding is that you do want the 4 lines mentioned on execute machines as well.

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Chin, Tammy
Sent: Friday, December 07, 2007 11:36 AM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

 

Matt,

 

The 4 lines you have in your condor_config.local should actually be in your condor_config file. The condor_config.local file on your slave machine should be empty.

 

Hope this helps,

 

Tammy

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx]On Behalf Of Valencia, Matthew C.
Sent: December 5, 2007 8:40 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

Ok, I made the CREDD_DEBUG change, and did everything again, and I think I understand more about the sequence of events that occur (bear with me, I'm a novice).

 

First, some more information on my setup

 

condor_config (on both machines) -- pretty much the standard config file, except:

HOSTALLOW_CONFIG = $(CONDOR_HOST), $(FULL_HOSTNAME)

UID_DOMAIN = dom1.jhuapl.edu

CREDD_HOST = $(CONDOR_HOST):$(CREDD_PORT)

TRUST_UID_DOMAIN = True #(I was trying different settings...)

 

condor_config.local (on both machines):

ADD_WINDOWS_FIREWALL_EXCEPTION = FALSE
STARTER_ALLOW_RUNAS_OWNER = True
CREDD_CACHE_LOCALLY = True
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

 

condor_config.local.credd (on the submit / master machine -- comments elided):
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_FULLDEBUG
MAX_CREDD_LOG = 50000000

DAEMON_LIST = $(DAEMON_LIST), CREDD
CREDD    = $(SBIN)/condor_credd.exe

SEC_CREDD_SESSION_TIMEOUT = 10

CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED

CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)

CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI

The most interesting piece of info is the CreddLog.  Credd started up fine on the master / submit machine (after condor_on), but when I did condor_on on the execute machine, an error occurred (looks like it got the condor_pool credential ok, though):

 

12/5 20:17:14 ******************************************************
12/5 20:17:15 ** condor_credd.exe (CONDOR_CREDD) STARTING UP
12/5 20:17:15 ** C:\condor\bin\condor_credd.exe
12/5 20:17:15 ** $CondorVersion: 6.9.5 Nov 28 2007 $
12/5 20:17:15 ** $CondorPlatform: INTEL-WINNT50 $
12/5 20:17:16 ** PID = 476
12/5 20:17:16 ** Log last touched time unavailable (No such file or directory)
12/5 20:17:16 ******************************************************
12/5 20:17:16 Using config source: C:\condor\condor_config
12/5 20:17:16 Using local config sources:
12/5 20:17:16    C:\condor/condor_config.local
12/5 20:17:16    C:\condor/condor_config.local.credd
12/5 20:17:16 DaemonCore: Command Socket at <128.244.140.226:9620>
12/5 20:17:16 Will use UDP to update collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:17:16 main_init() called
12/5 20:17:16 Getting monitoring info for pid 476
12/5 20:17:16 Trying to update collector <128.244.140.226:9618>
12/5 20:17:16 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:17:16 File descriptor limits: max 1024, safe 820
12/5 20:17:17 sspi_client_auth() entered
12/5 20:17:17 sspi_client_auth() looping
12/5 20:17:17 sspi_client_auth() exiting
12/5 20:17:17 ZKM: setting default map to (null)
12/5 20:17:17 DaemonCore: in SendAliveToParent()
12/5 20:17:18 sspi_client_auth() entered
12/5 20:17:18 sspi_client_auth() looping
12/5 20:17:18 sspi_client_auth() exiting
12/5 20:17:18 ZKM: setting default map to (null)
12/5 20:17:18 DaemonCore: Leaving SendAliveToParent() - success
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 AUTHENTICATE: handshake failed!
12/5 20:20:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
12/5 20:21:16 Getting monitoring info for pid 476
12/5 20:22:18 Trying to update collector <128.244.140.226:9618>
12/5 20:22:18 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:25:16 Getting monitoring info for pid 476
12/5 20:27:18 Trying to update collector <128.244.140.226:9618>
12/5 20:27:18 Attempting to send update via UDP to collector SHIPSIM.dom1.jhuapl.edu <128.244.140.226:9618>
12/5 20:29:16 Getting monitoring info for pid 476

Any thoughts?

 

Thanks,

Matt

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Thompson, Cooper
Sent: Wednesday, December 05, 2007 4:36 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

Can you include your security configuration from condor_config (any SEC_<type>_AUTHENTICATION_METHODS, ALLOW_CONFIG, etc.)?

 

Also – an excerpt from the CreddLog with CREDD_DEBUG = D_FULLDEBUG would be useful.  Specifically there should be some log entries related to fetching and exchanging the pool password.

 

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Valencia, Matthew C.
Sent: Wednesday, December 05, 2007 3:59 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

 

Yes, I have CREDD_HOST  = $(CONDOR_HOST):$(CREDD_PORT) 

 

and I've also run condor_store_cred to add the credentials for the user I'd like to run as (and the command returned successfully).

 

I did everything again from scratch to make sure I didn't miss anything, and I noticed the following message in the MasterLog of both machines (it is also listed below) after running the condor_store_cred -c -n A.dom1.jhuapl.edu and condor_store_cred -c -n B.dom1.jhuapl.edu:

 

store_pool_cred: failed to receive all parameters

 

Could this be important?

 


From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Jones, Torrin A (US SSA)
Sent: Wednesday, December 05, 2007 3:42 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Windows, Credd, and run_as_owner question

Also, is CREDD_HOST defined in the condor_config for both machine A and machine B?

-----Original Message-----
From: Jones, Torrin A (US SSA)
Sent: Wednesday, December 05, 2007 12:38
To: 'Condor-Users Mail List'
Subject: RE: [Condor-users] Windows, Credd, and run_as_owner question

Did you also run condor_store_cred for the user you want to run as?

 

condor_store_cred add

 

 

<snip>

 


CONFIDENTIAL AND PRIVILEGED INFORMATION NOTICE

This e-mail, and any attachments, may contain information that
is confidential, subject to copyright, or exempt from disclosure.
Any unauthorized review, disclosure, retransmission, 
dissemination or other use of or reliance on this information 
may be unlawful and is strictly prohibited.  

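An added example, not part of the thread and not Condor code: a small triage script for the CreddLog pattern discussed above, pairing each socket read failure (errno 10054 is Winsock's WSAECONNRESET) with the DC_AUTHENTICATE error stack logged in the same second, so you know which peer's StartLog to read next. The function names are hypothetical; the sample lines are copied from the CreddLog excerpt quoted in the thread.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the CreddLog excerpt quoted in this thread.
SAMPLE_LOG = """\
12/5 20:20:24 Found credential for user 'condor_pool'
12/5 20:20:24 condor_read(): recv() returned -1, errno = 10054, assuming failure reading 5 bytes from <128.244.140.110:3383>.
12/5 20:20:24 IO: Failed to read packet header
12/5 20:20:24 AUTHENTICATE: handshake failed!
12/5 20:20:24 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using PASSWORD
12/5 20:21:16 Getting monitoring info for pid 476
"""

LINE = re.compile(r"^(\d+/\d+ \d+:\d+:\d+) (.*)$")
RECV_FAIL = re.compile(r"recv\(\) returned -1, errno = (\d+), .* from <([\d.]+):(\d+)>")
AUTH_FAIL = re.compile(r"^DC_AUTHENTICATE: authenticate failed: (.*)$")
STACK_ITEM = re.compile(r"([A-Z_]+):(\d+):(.*)")  # SUBSYSTEM:code:message


def triage(log_text):
    """Return {timestamp: event} for seconds where a recv() failure and an
    authentication failure were both logged."""
    events = defaultdict(lambda: {"peers": set(), "errnos": set(), "auth_errors": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        r = RECV_FAIL.search(msg)
        if r:
            events[stamp]["errnos"].add(int(r.group(1)))
            events[stamp]["peers"].add(r.group(2))
        a = AUTH_FAIL.match(msg)
        if a:
            # The error stack is a '|'-separated list of SUBSYSTEM:code:message.
            for item in a.group(1).split("|"):
                s = STACK_ITEM.match(item)
                if s:
                    events[stamp]["auth_errors"].append(
                        (s.group(1), int(s.group(2)), s.group(3)))
    return {t: e for t, e in events.items() if e["peers"] and e["auth_errors"]}


def hosts_to_inspect(report):
    """Peers whose own logs (e.g. StartLog with D_SECURITY) should be read next."""
    return sorted({ip for e in report.values() for ip in e["peers"]})


if __name__ == "__main__":
    for stamp, event in triage(SAMPLE_LOG).items():
        print(stamp, sorted(event["peers"]), event["auth_errors"])
```
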