[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Condor-users] Mounting network resources in Windows
- Date: Fri, 19 Jan 2007 10:35:05 -0700
- From: "Buhl, Marshall" <Marshall_Buhl@xxxxxxxx>
- Subject: [Condor-users] Mounting network resources in Windows
I thought I would share a fairly simple, and reasonably secure,
technique I discovered to allow use of network files in Condor jobs on
Windows computers. When looking at the methods mentioned in the manual,
I found them to be incredibly insecure or rather difficult to understand
and use. The insecurity in the documented methods involves either
passing clear-text passwords over the network or making folders world
accessible, both of which are frowned upon by our IS department.
My method basically involves writing a very simple program that
generates a NET USE statement in a batch file that is called in the
batch file executed in the Condor job. Below is my program in Fortran;
it should be trivial to write a similar one in your favorite language.
You will have to compile a different version of this program for each
user because the password is hard-wired into the executable.
! This program generates a Windows CMD batch file that will mount a
! The password is set in an included file to allow sharing of most of
! The folder(s) containing the include file and this program's
! should be stored in an encrypted folder.
! The batch file resulting from execution of this program will
contain your password
! in clear text, so keep it secure too.
USE NWTC_Library ! This module contains my version of the
Fortran 2003 GET_COMMAND_ARGUMENT routine (my compiler is F95).
include 'PassDec.f90' ! Contents of this file should be one line that
looks something like: CHARACTER(20) :: PW = 'my_password'
CHARACTER(20) :: Domain
CHARACTER(2) :: Drive
CHARACTER(200) :: Resource
CHARACTER(20) :: UserID
! Get arguments from the command line. You may have to write your
own GET_COMMAND_ARGUMENT routine.
CALL GET_COMMAND_ARGUMENT ( 1, Drive )
CALL GET_COMMAND_ARGUMENT ( 2, Resource )
CALL GET_COMMAND_ARGUMENT ( 3, Domain )
CALL GET_COMMAND_ARGUMENT ( 4, UserID )
! Create batch file.
! I broke the write into several steps to make it less obvious
! what the password is if someone sniffs the network.
OPEN ( 1, FILE='NetUse.bat', STATUS='UNKNOWN' )
WRITE (1,"(A)",ADVANCE='NO') 'NET USE '//Drive//' '//TRIM( Resource )//'
WRITE (1,"(A)",ADVANCE='NO') TRIM( PW )
WRITE (1,"(A)") ' /USER:'//TRIM( Domain )//'\'//TRIM( UserID )
CLOSE ( 1 )
END PROGRAM Make_NetUse
Next is a batch file for Condor to execute to use network resources.
Please note that it deletes the resulting NetUse.bat file so that it
won't be returned to the results folder on the submitting system; it
contains the password in clear text. Also note that you can use the
program multiple times to access more than one resource.
rem Mount the network drives.
Make_NetUse N: \\server_name1\path1 Domain UserID
Make_NetUse M: \\server_name2\path2 Domain UserID
rem Use the network drives.
For some reason I do not understand, I have to pass the Windows NET.exe
command in addition to Make_NetUse.exe in the Condor job. I added the
following two lines to my submit file:
transfer_files = ALWAYS
transfer_input_files = c:\windows\system32\net.exe,
This method is not completely secure. The password is stored in the
executable in an unencrypted way, but someone sniffing the network would
have to know exactly where to look for the password in the executable.
Also, the NetUse.bat file is stored on the executing system until
deleted. I recommend deleting it as soon as you finish using it because
it includes the password.
As I told one of our SysAdmins, this is not the least-secure stuff we
allow on our network as long as it's still permitted to use FTP.
Marshall L. Buhl, Jr.
National Renewable Energy Laboratory
1617 Cole Boulevard
Golden, CO 80401-3393
Voice: +1 (303) 384-6914
Fax: +1 (303) 384-6901