
[Condor-users] Mounting network resources in Windows



Hi,

I thought I would share a fairly simple, and reasonably secure,
technique I discovered to allow use of network files in Condor jobs on
Windows computers.  When looking at the methods mentioned in the manual,
I found them to be incredibly insecure or rather difficult to understand
and use.  The insecurity in the documented methods involves either
passing clear-text passwords over the network or making folders world
accessible, both of which are frowned upon by our IS department.

My method basically involves writing a very simple program that
generates a NET USE statement in a batch file that is called in the
batch file executed in the Condor job.  Below is my program in Fortran;
it should be trivial to write a similar one in your favorite language.
You will have to compile a different version of this program for each
user because the password is hard-wired into the executable.

---
PROGRAM Make_NetUse


   ! This program generates a Windows CMD batch file that will mount a
   !  network resource.
   ! The password is set in an included file to allow sharing of most of
   !  the code.
   ! The folder(s) containing the include file and this program's
   !  resulting executable should be stored in an encrypted folder.
   ! The batch file resulting from execution of this program will
   !  contain your password in clear text, so keep it secure too.


USE NWTC_Library         ! This module contains my version of the Fortran 2003
                         !  GET_COMMAND_ARGUMENT routine (my compiler is F95).

IMPLICIT NONE


   ! Variables

include 'PassDec.f90'  ! Contents of this file should be one line that looks
                       !  something like:     CHARACTER(20) :: PW = 'my_password'

CHARACTER(20)   :: Domain
CHARACTER(2)    :: Drive
CHARACTER(200)  :: Resource
CHARACTER(20)   :: UserID


   ! Get arguments from the command line.  You may have to write your
   !  own GET_COMMAND_ARGUMENT routine.

CALL GET_COMMAND_ARGUMENT ( 1, Drive )
CALL GET_COMMAND_ARGUMENT ( 2, Resource )
CALL GET_COMMAND_ARGUMENT ( 3, Domain )
CALL GET_COMMAND_ARGUMENT ( 4, UserID )


   ! Create batch file.
   ! I broke the write into several steps to make it less obvious
   !  what the password is if someone sniffs the network.

OPEN ( 1, FILE='NetUse.bat', STATUS='UNKNOWN' )

WRITE (1,"(A)",ADVANCE='NO') 'NET USE '//Drive//' '//TRIM( Resource )//' '
WRITE (1,"(A)",ADVANCE='NO') TRIM( PW )
WRITE (1,"(A)") ' /USER:'//TRIM( Domain )//'\'//TRIM( UserID )

CLOSE ( 1 )


STOP
END PROGRAM Make_NetUse
---

Next is a batch file for Condor to execute to use network resources.
Please note that it deletes the resulting NetUse.bat file so that it
won't be returned to the results folder on the submitting system; it
contains the password in clear text.  Also note that you can use the
program multiple times to access more than one resource.

---
rem Mount the network drives.
Make_NetUse N: \\server_name1\path1 Domain UserID
call NetUse

Make_NetUse M: \\server_name2\path2 Domain UserID
call NetUse

del NetUse.bat

rem Use the network drives.
dir n:\
dir m:\
---

For some reason I do not understand, I have to pass the Windows NET.exe
command in addition to Make_NetUse.exe in the Condor job.  I added the
following two lines to my submit file:

---
transfer_files = ALWAYS
transfer_input_files = c:\windows\system32\net.exe, AbsolutePath\Make_NetUse.exe
---

This method is not completely secure.  The password is stored in the
executable in an unencrypted way, but someone sniffing the network would
have to know exactly where to look for the password in the executable.
Also, the NetUse.bat file is stored on the executing system until
deleted.  I recommend deleting it as soon as you finish using it because
it includes the password.

As I told one of our SysAdmins, this is not the least-secure stuff we
allow on our network as long as it's still permitted to use FTP.

Cheers!


Marshall
 
Marshall L. Buhl, Jr.               
Senior Engineer                     
NWTC-3811                           
National Renewable Energy Laboratory
1617 Cole Boulevard                 
Golden, CO  80401-3393              
Voice: +1 (303) 384-6914          
Fax: +1 (303) 384-6901             
Email: marshall_buhl@xxxxxxxx     
Web: http://wind.nrel.gov/
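
The post points out that NetUse.bat carries the password in clear text and must not be returned with the job results. The following is an added example, not part of the original post: a check that finds NET USE lines with an inline password in a file's text and returns them redacted, so leftover batch files can be caught before output is transferred. The function name, the sample lines and the sample password are constructed for illustration.

```python
import re

# Matches: NET USE [device] \\server\share <rest of line>
NET_USE = re.compile(
    r'^\s*(?:call\s+)?net(?:\.exe)?\s+use\s+(?:\S+\s+)?'
    r'(?P<resource>"\\\\[^"]+"|\\\\\S+)(?P<rest>.*)$',
    re.IGNORECASE,
)
# First positional token after the resource, up to the first /SWITCH or end of line.
PASSWORD = re.compile(r'\s+(?P<pw>[^/\s].*?)(?=\s+/|\s*$)')


def find_inline_passwords(text):
    """Return [(line_number, redacted_line)] for NET USE lines carrying a password."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        cmd = NET_USE.match(line)
        if not cmd:
            continue
        pw = PASSWORD.match(cmd.group('rest'))
        if not pw or pw.group('pw') == '*':   # '*' makes NET USE prompt instead
            continue
        start = cmd.start('rest') + pw.start('pw')
        end = cmd.start('rest') + pw.end('pw')
        hits.append((number, line[:start] + '<redacted>' + line[end:]))
    return hits


# Constructed sample in the shape Make_NetUse writes, plus lines that must not match.
SAMPLE = r"""rem Mount the network drives.
NET USE N: \\server_name1\path1 Constructed-Pw1 /USER:Domain\UserID
NET USE M: \\server_name2\path2 * /USER:Domain\UserID
net use O: \\server_name3\path3 /USER:Domain\UserID
dir n:\
"""

if __name__ == '__main__':
    for number, redacted in find_inline_passwords(SAMPLE):
        print(f'line {number}: {redacted}')
```

Run it over the text of every file left in the job's working directory after the `del NetUse.bat` step; any hit means a clear-text password would travel back with the results.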