Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Windows Condor problems with credd and executing jobs as submitting user

Try two things:

 

condor_q –ana

 

This will tell you why your jobs aren’t running.  In your case, I’d expect: “<n> are rejected by your job’s requirements.”

 

If that is true, then run either:

 

condor_status -constraint "isUnDefined(LocalCredd)"

 

This command will list any machines that do not have the localcredd attribute.  Ideally there will be no entries in this list.  There are three things that need to be true in order for localcredd to show up on for a machine:

 

1)      The pool password should be stored (looks like you did this already)

2)      The condor_credd daemon should be running on CREDD_HOST (obviously)

3)      condor_startd needs to be (re)started when 1) and 2) are both true  (read:  you need to restart the startd after you store the pool password).

 

If the credd isn’t up when you start your startd, it won’t pick up the localcredd attribute.

 

Coop

 

P.S.  My experiences are based off of Condor 6.8.5 and 7.0.0.

 

From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Robert Hecker
Sent: Friday, December 12, 2008 3:22 AM
To: condor-users@xxxxxxxxxxx; condor-admin@xxxxxxxxxxx
Subject: [Condor-users] Windows Condor problems with credd and executing jobs as submitting user

 


Hello everybody,

I want to use condor to get the Power of the HighThroughputComputing.
But it seems very hard to get Condor running.

Actually all Condor machines are installed, I can submit jobs, but the jobs will never be
executed. I think it depends on an wrong configuration because i want to use network access
and try to run the jobs under the submitted user.

I want to use condor in a windows domain, and I started to set up following machines:
       -1 condor controller machine
       -1 condor submitter machine
       -1 condor execution machine

I use condor version 7.0.5.
I want to use run the jobs under an "real" user account, to get access to special network files on an
File Server.

I used the help from site http://ben.versionzero.org/wiki/Condor_Authentication
and the Presentation called "quinn_windows_tutorial.ppt" to get the condor setup working, but without
success.

Have someone a idea, what's going wrong here ?
Where can I look next to get more information, to find the mistake?

When i installed condor, i put on every machine the pool password, with the commands

condor_store_cred add -c -n executionmachine.test.mydomain.com
condor_store_cred add -c -n submitmachine.test.mydomain.com
condor_store_cred add -c -n controller.test.mydomain.com

I Used here the password "xyz" which is no domain password.

after that i was on the submit machine and typed

"condor_store_cred add" where condor ask after an Passsword for User@test
I typed in my password, and that was all. (This password was my domian password)

After that i submitted my job.sub File which was tested on an default Condor installation
(without execute as submit user)(this worked...)

job.sub:
========

Universe   = vanilla
Executable = job.bat
Arguments  = 4 12
Log        = simple.log.txt
Output     = simple.out.txt
Error      = simple.err.txt

run_as_owner = true

Queue



But nothing happend. This means, when i check the status with condor_q
i will see the job in the queue, but they will be idle.

Did I made some configuration wrong?
Or did I set up some passwords wrong?

It would be great, if someone has an idea, what i have to to to get condor running.

Thank you very much for your help.
Every advice would be helpfull.

Robert
 




Here are my configurations:

The condor_config File of the Controller has following changes to the original:
========================================================

LOCAL_CONFIG_FILE = $(LOCAL_DIR)/condor_config.local \
                    $(LOCAL_DIR)/condor_config.local.credd

HOSTALLOW_CONFIG = Submitmachine.test.mydomain.com

And the condor_config.local.credd of the Controller looks like this:
================================================
######################################################################
##
##  condor_config.credd
##
##  This is the default local configuration file for the machine
##  running the condor_credd.  You should copy this file to the
##  appropriate location and customize it for your needs. 
##
######################################################################

## Note: The following settings will need to be present in your
## global config file:
##
##   CREDD_HOST = my-credd.cs.wisc.edu
##   STARTER_ALLOW_RUNAS_OWNER = True
##   CREDD_CACHE_LOCALLY = True
##
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
##   SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

## CREDD_SETTINGS

## CREDD logging settings
## Customize these if you wish.
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_COMMAND
MAX_CREDD_LOG = 50000000

#################################################
## CREDD Expert settings
## Everyting below is for the UBER-KNOWLEDGEABLE only!
## Do not change these unless you know what you do!
#################################################


DAEMON_LIST = $(DAEMON_LIST), CREDD
#DC_DAEMON_LIST = \
#MASTER, STARTD, SCHEDD, KBDD, COLLECTOR, NEGOTIATOR, EVENTD, \
#VIEW_SERVER, CONDOR_VIEW, VIEW_COLLECTOR, HAWKEYE, CREDD, HAD, \
#QUILL

CREDD    = $(SBIN)/condor_credd.exe

# Timeout session quickly since we normally only get contacted
# once per starter
SEC_CREDD_SESSION_TIMEOUT = 10


# Set security settings so that full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION =REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED

# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

# Only honor password fetch requests to the trusted "condor_pool" user
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)

# Require NTSSPI for storing credentials
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI

The Submit machine has following condor_config:
====================================
LOCAL_CONFIG_FILE = $(LOCAL_DIR)/condor_config.local \
                    $(LOCAL_DIR)/condor_config.local.submit.execute

HOSTALLOW_CONFIG = Submitmachine.test.mydomain.com

CREDD_HOST  = $(CONDOR_HOST):$(CREDD_PORT)

The file condor_config.local.submit.execute File from the Submit machine looks like:
=============================================================

######################################################################
##
##  condor_config.local.submit.execute
##
##  This is the default local configuration file for the submit machine
##  and execute machine. 
##
######################################################################

## Note: The following settings will need to be present in your
## global config file:
STARTER_ALLOW_RUNAS_OWNER = True
CREDD_CACHE_LOCALLY = True
##
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

And the condor_config File from the Execution machine looks like:
=================================================

LOCAL_CONFIG_FILE = $(LOCAL_DIR)/condor_config.local \
                    $(LOCAL_DIR)/condor_config.local.submit.execute

HOSTALLOW_CONFIG = Submitmachine.test.mydomain.com

CREDD_HOST  = $(CONDOR_HOST):$(CREDD_PORT)

And the condor_config.local.submit.execute File from the
Execution machine is the same file like this one from the Submitmachine.