
Re: [Condor-users] Mounting network resources in Windows



Greg,

That looks good.  It'll take some figuring out, but it sounds really
promising.  Thanks for the help.


Marshall                            
      
Marshall L. Buhl Jr.                       
NREL/NWTC
Voice: +1 (303) 384-6914          
Fax: +1 (303) 384-6901             

-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Greg Quinn
Sent: Tuesday, January 23, 2007 7:47 AM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Mounting network resources in Windows

> We are using Condor 6.8.2, but I couldn't find anything for mounting
> network disks in the on-line manual that was actually secure except
> maybe the stuff about using the "contrib module from Bristol."  

Marshall,

Please take a look at sections 6.8.3 and 6.8.4 in the online manual:

http://www.cs.wisc.edu/condor/manual/v6.8/6_2Microsoft_Windows.html#SECTION00723000000000000000

This describes a feature added late in the 6.7 series that allows user
passwords to be securely delivered to execute machines so that files can
be accessed over the network.

Regards,

Greg Quinn
Condor Team



> The instructions were over 170 lines long and seemed anything but easy.  I
> am referring to Section 6.2.7 of the manual.
> 
> I believe we are using the credential-passing system, but it doesn't
> seem to help with network resources.  I used the condor_store_cred tool
> if that's what you are talking about.  Maybe we are not using it
> correctly, but if it's designed to work with network mounts, I would
> appreciate it if the developers would mention how to do it in Section
> 6.2.7.  Why would they waste time telling people to use clear-text
> passwords if there were an easy way to do it securely?  If there is a
> way, I'd like to know about it.
> 
> I do not have administrative rights on my co-worker's PCs and found that
> the net command did not work until I included it in the job.
> 
> Thanks again!
> 
> 
> Marshall                            
>       
> Marshall L. Buhl Jr.                       
> NREL/NWTC
> Voice: +1 (303) 384-6914          
> Fax: +1 (303) 384-6901             
> 
> 
> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx
> [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Matt Hope
> Sent: Saturday, January 20, 2007 3:59 AM
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] Mounting network resources in Windows
> 
> On 1/19/07, Buhl, Marshall <Marshall_Buhl@xxxxxxxx> wrote:
>> Hi,
>>
>> I thought I would share a fairly simple, and reasonably secure,
>> technique
> 
> Whilst not wanting to denigrate your efforts nor discourage sharing
> them with the community I should point out that this security through
> obscurity is not significantly more secure than passing them as
> plain text and users should not kid themselves that this is the case.
> 
> To eavesdroppers this is roughly equivalent to putting a bit of
> (consistent) junk in between the user/password components which you
> could do in the batch file if you wanted. In fact based on how many
> compiled programs operate the string literals could all be relocated
> into contiguous locations thus rendering even that step pointless.
> 
> If you believe the network your farm operates on is not secure from
> snooping and this is a worry then you should move to 6.8 with genuine
> encryption on the credential passing which allows running as the
> submitting user or comparable equivalent.
> 
> As a side note there is no need to transfer the net executable so long
> as the executing condor user has rights to run the net command in the
> system directory. Win2003 does not allow this by default for low
> privilege users. Explicitly adding permission to the users that condor
> executes as without runas behaviour is a sensible solution. If you use
> runas then it is assumed that the users have the relevant permissions
> if you want them to. Obviously if you are executing on machines which
> are cycle stealing where you do not have admin control in the same way
> then passing the executable is a solution.
> 
> Matt
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> 
> The archives can be found at either
> https://lists.cs.wisc.edu/archive/condor-users/
> http://www.opencondor.org/spaces/viewmailarchive.action?key=CONDOR
> 