[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] linux, windows security


In your suggested approach, is it still necessary to run
condor_store_cred for each execution node?


-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Todd Tannenbaum
Sent: Tuesday, May 25, 2010 12:00 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] linux, windows security

SMITH Michael wrote:
> Hello,
> I want to submit a job on a linux submit node with requirements to run

> on a windows node under the credentials of a given a local account
> to each windows execution node.  I want to do this because I want to
> After Effects to have it render a composition and send the output to a

> network file share.
> How is this done correctly?
> I've tried using +Owner and +NTDomain.  It works only for a domain 
> account not for a local account.  However when a job runs the output 
> files cannot be written to the linux file system because the +Owner 
> cannot be found on the linux machine.  Even though this can be made to

> work, it does not feel correct.
> Thank you very much,
> Mike


I think the problem space could be greatly simplified if
   1) your login id was consistent across your linux submit machine and 
your windows machines, and
   2) the UID_DOMAIN setting in condor_config was the same across both 
your windows and linux machines, telling Condor that user "mikes" (or 
whatever) is the same user across all machines in that UID_DOMAIN

If it is easy for you to make the above happen, I'd suggest doing so. 
If it is difficult/impossible, then some options would be:

   a) have your job on windows run as some dedicated login id via config

setting SLOTx_USER, one that has the proper permissions to read/write on

your to the required folders on your shared filesystem.    See
You could even make a "dedicated slot" specific to After Effects jobs,


   b) use Condor's authentication map file and an authentication 
mechanism that is in common on Linux and Windows to "map" your Windows 
ID to an appropriate Linux ID.  This option could be made very secure, 
but likely will require more configuration complexity than the above 
options. See


Condor-users mailing list
To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with
subject: Unsubscribe
You can also unsubscribe by visiting

The archives can be found at: