
[Condor-users] Credd problems with certain accounts



I am having credd problems.  I have a small pool that works just fine.  There are 2 submitters in the pool, and everything works just fine for these 2 users.  I have now been adding new submitters to the pool, and I am finding that these users are not being authenticated (condor_store_cred fails).  There is lots of info below (from previous posts), but I'll summarize my situation and findings:
    - Windows XP machines, using Condor 6.8.2
    - Network is a domain.  All users have same username and pw on all machines in the domain (i.e. users log into the domain, not the PC).
    - The problem is specific to certain user accounts.  When these problem users are logged in to any condor machine (except the central manager), condor_store_cred fails.  However when "good" users are logged into the same machines, I can use condor_store_cred -u bad_user@domain add/query to successfully add and query.
    - When bad users are logged into the central manager, condor_store_cred works just fine.

I have attached a part of my CreddLog.  In it there are 2 authentication attempts, both for the same "bad user".  The first attempt comes from the bad user who is logged into the central manager; this attempt is successful.  The second attempt comes from the same "bad user" who is logged into another machine.  This attempt is unsuccessful in the sspi_server_auth routine.  These attempts were nearly simultaneous, from the same user, logged in to the same domain, with the same username and password.
Any help is appreciated, this is becoming very frustrating!
Thanks,
Richard.

<Previous posts below:>
Hi Greg,
I'm attempting to add another machine to my pool, and I'm having the same problem.  All previous comments apply, with the following new discoveries added:
    - when I log into the "problem machine" as myself, I can successfully add/query credentials for myself as well as the other user (owner of the machine).  However, when the owner of the machine logs into his machine, he gets the error shown below.
    - when the user in question (owner of the new machine) logs into MY machine, he CANNOT add/query any condor credentials (fails with the same error as below).
    - when the user in question logs into the central manager (also runs the Credd), he can successfully add/query his condor credentials. 

So the problem seems to be more or less isolated to the actual user, rather than his machine.  Are there any other debug hints that you can provide? 
Thanks,
Richard.

Richard Grieve wrote:
Hi Greg,
I believe the answer is yes to both questions.  We are on a Windows domain environment - the user for which we are trying to add credentials can log in to the domain on both his PC and on the machine running the Credd.  In fact, I've also tried adding my own credentials on the problem PC, and it fails with the same error even though I've successfully added my credentials to the rest of the PCs in the pool.  I believe it is related to the actual machine rather than the user.  In this pool, all PCs use identical config files (independently copied to the local_dir).  I have NOT yet tried uninstall/reinstall on this machine.
Richard.

Greg Quinn wrote:
Richard Grieve wrote:
  
  Hi,
I have a handful of PCs (all WinXP) in my pool, running 6.8.2.  I am having 
problems with condor_store_cred on just one PC.  All the others run 
condor_store_cred just fine.  All PCs (including the problem PC) have 
the pool password set and are able to run jobs.  Here is the output from 
condor_store_cred add:

[user@computer]$ condor_store_cred add
Account: user@domain <mailto:dpeppy@AD3>
 
Enter password:
 
Operation failed.
    Make sure your HOSTALLOW_WRITE setting includes this host.
    

...

  
3/8 16:15:10 AUTHENTICATE: will try to use 16 (NTSSPI)
3/8 16:15:10 sspi_server_auth() entered
3/8 16:15:10 sspi_server_auth() looping
3/8 16:15:10 sspi_server_auth(): Oops! ASC() returned -2146893044!
3/8 16:15:10 sspi_server_auth(): Failed to impersonate (returns -2146893055)!
3/8 16:15:10 sspi_server_auth() exiting
3/8 16:15:10 AUTHENTICATE: method 16 (NTSSPI) failed.

Any help is appreciated.
    

It appears as though NTSSPI authentication is failing. Are you running a 
Windows domain environment, with common accounts on all the involved 
machines? If not, does the account for which you are trying to store a 
password have the same username/password on both the "problem PC" and 
the machine running the CredD?

If the answer is no to both these questions, NTSSPI authentication will 
not work between two distinct machines.

Greg Quinn
Condor Team
6/13 11:35:56 DC_AUTHENTICATE: received DC_AUTHENTICATE from <138.120.141.15:1083>
6/13 11:35:56 DC_AUTHENTICATE: received following ClassAd:
MyType = "(unknown type)"
TargetType = "(unknown type)"
AuthMethods = "NTSSPI, PASSWORD"
CryptoMethods = "3DES,BLOWFISH"
OutgoingNegotiation = "PREFERRED"
Authentication = "OPTIONAL"
Encryption = "OPTIONAL"
Integrity = "OPTIONAL"
Enact = "NO"
Subsystem = "TOOL"
ServerPid = 6020
SessionDuration = "60"
NewSession = "YES"
RemoteVersion = "$CondorVersion: 6.8.2 Oct 12 2006 $"
Command = 479
6/13 11:35:56 DC_AUTHENTICATE: our_policy:
MyType = ""
TargetType = ""
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
OutgoingNegotiation = "REQUIRED"
Authentication = "REQUIRED"
Encryption = "REQUIRED"
Integrity = "REQUIRED"
Enact = "NO"
Subsystem = "CREDD"
ServerPid = 1416
SessionDuration = "8640000"
6/13 11:35:56 DC_AUTHENTICATE: the_policy:
MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "NTSSPI"
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
6/13 11:35:56 DC_AUTHENTICATE: generating 3DES key for session CAOTTD02189:1416:1181748956:108...
6/13 11:35:56 SECMAN: Sending following response ClassAd:
MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "NTSSPI"
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
RemoteVersion = "$CondorVersion: 6.8.2 Oct 12 2006 $"
6/13 11:35:56 SECMAN: new session, doing initial authentication.
6/13 11:35:56 DC_AUTHENTICATE: authenticating RIGHT NOW.
6/13 11:35:56 AUTHENTICATE: in authenticate( addr == NULL, methods == 'NTSSPI')
6/13 11:35:56 AUTHENTICATE: can still try these methods: NTSSPI
6/13 11:35:56 HANDSHAKE: in handshake(my_methods = 'NTSSPI')
6/13 11:35:56 HANDSHAKE: handshake() - i am the server
6/13 11:35:56 HANDSHAKE: client sent (methods == 16)
6/13 11:35:56 HANDSHAKE: i picked (method == 16)
6/13 11:35:56 HANDSHAKE: client received (method == 16)
6/13 11:35:56 AUTHENTICATE: will try to use 16 (NTSSPI)
6/13 11:35:56 sspi_server_auth() entered
6/13 11:35:56 sspi_server_auth() looping
6/13 11:35:56 sspi_server_auth(): user name is: "sr_fpga_admin"
6/13 11:35:56 sspi_server_auth(): domain name is: "AD3"
6/13 11:35:56 sspi_server_auth() exiting
6/13 11:35:56 AUTHENTICATE: auth_status == 16 (NTSSPI)
6/13 11:35:56 Authentication was a Success.
6/13 11:35:56 Condor_Auth_SSPI::wrap() - input_len=24 output_len=40
6/13 11:35:56 DC_AUTHENTICATE: mutual authentication to 138.120.141.15 complete.
6/13 11:35:56 DC_AUTHENTICATE: message authenticator enabled with key id CAOTTD02189:1416:1181748956:108.
6/13 11:35:56 DC_AUTHENTICATE: encryption enabled for session CAOTTD02189:1416:1181748956:108
6/13 11:35:56 DC_AUTHENTICATE: sending session ad:
MyType = ""
TargetType = ""
User = "sr_fpga_admin@ad3"
Sid = "CAOTTD02189:1416:1181748956:108"
ValidCommands = "60004,479"
6/13 11:35:57 DC_AUTHENTICATE: sent session CAOTTD02189:1416:1181748956:108 info!
6/13 11:35:57 DC_AUTHENTICATE: added session id CAOTTD02189:1416:1181748956:108 to cache for 60 seconds!
MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
AuthMethods = "NTSSPI"
Subsystem = "TOOL"
ServerPid = 6020
RemoteVersion = "$CondorVersion: 6.8.2 Oct 12 2006 $"
User = "sr_fpga_admin@ad3"
Sid = "CAOTTD02189:1416:1181748956:108"
ValidCommands = "60004,479"
6/13 11:35:57 DC_AUTHENTICATE: setting sock->decode()
6/13 11:35:57 DC_AUTHENTICATE: allowing an empty message for sock.
6/13 11:35:57 DC_AUTHENTICATE: Success.
6/13 11:35:57 DaemonCore: Command received via TCP from sr_fpga_admin@ad3 from host <138.120.141.15:1083>
6/13 11:35:57 DaemonCore: received command 479 (STORE_CRED), calling handler (store_cred_handler)
6/13 11:35:57 Checking for sr_fpga_admin@AD3 in credential storage.
6/13 11:35:57 NETWORK logon failed. Attempting INTERACTIVE
6/13 11:35:57 Succeeded to log in sr_fpga_admin@AD3
6/13 11:35:57 Switching back to old priv state.
6/13 11:36:05 DC_AUTHENTICATE: received DC_AUTHENTICATE from <138.120.143.83:4072>
6/13 11:36:05 DC_AUTHENTICATE: received following ClassAd:
MyType = "(unknown type)"
TargetType = "(unknown type)"
AuthMethods = "NTSSPI, PASSWORD"
CryptoMethods = "3DES,BLOWFISH"
OutgoingNegotiation = "PREFERRED"
Authentication = "OPTIONAL"
Encryption = "OPTIONAL"
Integrity = "OPTIONAL"
Enact = "NO"
Subsystem = "TOOL"
ServerPid = 2592
SessionDuration = "60"
NewSession = "YES"
RemoteVersion = "$CondorVersion: 6.8.2 Oct 12 2006 $"
Command = 479
6/13 11:36:06 DC_AUTHENTICATE: our_policy:
MyType = ""
TargetType = ""
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
OutgoingNegotiation = "REQUIRED"
Authentication = "REQUIRED"
Encryption = "REQUIRED"
Integrity = "REQUIRED"
Enact = "NO"
Subsystem = "CREDD"
ServerPid = 1416
SessionDuration = "8640000"
6/13 11:36:06 DC_AUTHENTICATE: the_policy:
MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "NTSSPI"
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
6/13 11:36:06 DC_AUTHENTICATE: generating 3DES key for session CAOTTD02189:1416:1181748966:109...
6/13 11:36:06 SECMAN: Sending following response ClassAd:
MyType = ""
TargetType = ""
Authentication = "YES"
Encryption = "YES"
Integrity = "YES"
AuthMethodsList = "NTSSPI"
AuthMethods = "NTSSPI"
CryptoMethods = "3DES,BLOWFISH"
SessionDuration = "60"
Enact = "YES"
RemoteVersion = "$CondorVersion: 6.8.2 Oct 12 2006 $"
6/13 11:36:06 SECMAN: new session, doing initial authentication.
6/13 11:36:06 DC_AUTHENTICATE: authenticating RIGHT NOW.
6/13 11:36:06 AUTHENTICATE: in authenticate( addr == NULL, methods == 'NTSSPI')
6/13 11:36:06 AUTHENTICATE: can still try these methods: NTSSPI
6/13 11:36:06 HANDSHAKE: in handshake(my_methods = 'NTSSPI')
6/13 11:36:06 HANDSHAKE: handshake() - i am the server
6/13 11:36:06 HANDSHAKE: client sent (methods == 16)
6/13 11:36:06 HANDSHAKE: i picked (method == 16)
6/13 11:36:06 HANDSHAKE: client received (method == 16)
6/13 11:36:06 AUTHENTICATE: will try to use 16 (NTSSPI)
6/13 11:36:06 sspi_server_auth() entered
6/13 11:36:06 sspi_server_auth() looping
6/13 11:36:06 sspi_server_auth(): Oops! ASC() returned -2146893044!
6/13 11:36:06 sspi_server_auth(): Failed to impersonate (returns -2146893055)!
6/13 11:36:06 sspi_server_auth() exiting
6/13 11:36:06 AUTHENTICATE: method 16 (NTSSPI) failed.
6/13 11:36:06 AUTHENTICATE: can still try these methods: NTSSPI
6/13 11:36:06 HANDSHAKE: in handshake(my_methods = 'NTSSPI')
6/13 11:36:06 HANDSHAKE: handshake() - i am the server
6/13 11:36:06 condor_read(): Socket closed when trying to read 5 bytes from <138.120.143.83:4072>
6/13 11:36:06 IO: EOF reading packet header
6/13 11:36:06 AUTHENTICATE: handshake failed!
6/13 11:36:06 AUTHENTICATE: auth_status == 0 (?!?)
6/13 11:36:06 Authentication was a FAILURE.
6/13 11:36:06 DC_AUTHENTICATE: authenticate failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using NTSSPI
6
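
An added example (not part of the original thread and not Condor code): a small Python parser for CreddLog output like the excerpt above that groups lines per DC_AUTHENTICATE attempt and decodes the signed SSPI status values into their winerror.h names. The function names are hypothetical, and reading `ASC()` as AcceptSecurityContext is an assumption.

```python
import re

# Subset of SSPI status codes from winerror.h, keyed by unsigned HRESULT.
SSPI_STATUS = {
    0x80090301: "SEC_E_INVALID_HANDLE",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}
PEER = re.compile(r"received DC_AUTHENTICATE from <([\d.]+):\d+>")
USER = re.compile(r'sspi_server_auth\(\): user name is: "([^"]+)"')
CODE = re.compile(r"sspi_server_auth\(\):.*return(?:ed|s) (-?\d+)")

def decode_status(signed):
    """Map the signed 32-bit value the log prints to (hex string, name)."""
    code = signed & 0xFFFFFFFF
    return f"0x{code:08X}", SSPI_STATUS.get(code, "unknown")

def summarize(log_text):
    """Group log lines into one record per DC_AUTHENTICATE attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := PEER.search(line):
            cur = {"peer": m.group(1), "user": None, "errors": [], "ok": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := USER.search(line):
            cur["user"] = m.group(1)
        elif m := CODE.search(line):
            cur["errors"].append(decode_status(int(m.group(1)))[1])
        elif "Authentication was a Success" in line:
            cur["ok"] = True
        elif "Authentication was a FAILURE" in line:
            cur["ok"] = False
    return attempts

# Lines copied from the CreddLog excerpt in this post, trimmed for brevity.
SAMPLE = """\
6/13 11:35:56 DC_AUTHENTICATE: received DC_AUTHENTICATE from <138.120.141.15:1083>
6/13 11:35:56 sspi_server_auth(): user name is: "sr_fpga_admin"
6/13 11:35:56 Authentication was a Success.
6/13 11:36:05 DC_AUTHENTICATE: received DC_AUTHENTICATE from <138.120.143.83:4072>
6/13 11:36:06 sspi_server_auth(): Oops! ASC() returned -2146893044!
6/13 11:36:06 sspi_server_auth(): Failed to impersonate (returns -2146893055)!
6/13 11:36:06 Authentication was a FAILURE.
"""

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

On these lines the attempt from 138.120.143.83 decodes to SEC_E_LOGON_DENIED (0x8009030C) followed by SEC_E_INVALID_HANDLE (0x80090301).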