
Re: [Condor-users] linux, windows security



Hi Todd,

Following the suggested configuration, I assume the security configuration
below also has to be done, is that correct?  This is from my windows exec
and master host; security like the following is not configured on the
linux box:

STARTER_ALLOW_RUNAS_OWNER = True
DAEMON_LIST = $(DAEMON_LIST), CREDD
CREDD_DEBUG = D_FULLDEBUG
CREDD_HOST = $(CONDOR_HOST)
CREDD_CACHE_LOCALLY = True
CRED_STORE_DIR = $(LOCAL_DIR)/cred_dir
ALLOW_CONFIG = *
SEC_WRITE_AUTHENTICATION_METHODS = NTSSPI
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_CONFIG_NEGOTIATION = REQUIRED
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED

With this configuration, I am very close to getting it to work; I can
feel it.  If I don't put +NTDomain = "MIRANDA" into the submit file, it
doesn't work and the StarterLog.slot1 reports the following:

05/26 17:53:12 Could not initialize user_priv as "(null)\msmith".  Make sure this account's password is securely stored with condor_store_cred.
05/26 17:53:12 ERROR: Failed to determine what user to run this job as, aborting
05/26 17:53:12 Failed to initialize JobInfoCommunicator, aborting
05/26 17:53:12 Unable to start job.
05/26 17:53:12 **** condor_starter (condor_STARTER) pid 5252 EXITING WITH STATUS 1

I don't want to have to put +NTDomain into the submit file.  I also have
run_as_owner = True set in the submit file.  I verified the
condor_store_cred status with condor_store_cred query -u msmith@MIRANDA.

The UID_DOMAIN on both nodes, the windows exec host and the linux submit
host, is MIRANDA.com.  I am also using SOFT_UID_DOMAIN = True on the
linux box because it does not list msmith in the /etc/passwd file.

Thank you very much,

Mike
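As an added check (my own script, not code from this thread or from Condor), the following Python compares condor_config fragments from the two hosts for the knobs discussed in this thread and reads the StarterLog failure quoted above; the Linux-side values and the log line are constructed to match the message.

```python
import re
# Constructed condor_config fragments: the Windows knobs are the ones quoted
# above; the Linux side is assumed (only UID_DOMAIN/SOFT_UID_DOMAIN are known).
WINDOWS_CONFIG = """
UID_DOMAIN = MIRANDA.com
STARTER_ALLOW_RUNAS_OWNER = True
DAEMON_LIST = $(DAEMON_LIST), CREDD
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED
"""
LINUX_CONFIG = "UID_DOMAIN = MIRANDA.com\nSOFT_UID_DOMAIN = True\n"
# Constructed StarterLog line in the shape of the one quoted above.
STARTER_LOG = r'05/26 17:53:12 Could not initialize user_priv as "(null)\msmith".'
USER_PRIV_RE = re.compile(r'Could not initialize user_priv as "([^"\\]*)\\([^"]+)"')

def parse_config(text):
    """Turn 'KEY = value' lines of a condor_config fragment into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().upper()] = value.strip()
    return cfg

def check_pair(windows_text, linux_text):
    """Flag the cross-host settings the thread says must agree or be enabled."""
    w, l = parse_config(windows_text), parse_config(linux_text)
    findings = []
    if w.get("UID_DOMAIN") != l.get("UID_DOMAIN"):  # identical strings are the safe case
        findings.append("UID_DOMAIN differs: windows=%r linux=%r"
                        % (w.get("UID_DOMAIN"), l.get("UID_DOMAIN")))
    if w.get("STARTER_ALLOW_RUNAS_OWNER", "").lower() != "true":
        findings.append("windows: STARTER_ALLOW_RUNAS_OWNER is not True")
    if "CREDD" not in [d.strip().upper() for d in w.get("DAEMON_LIST", "").split(",")]:
        findings.append("windows: CREDD missing from DAEMON_LIST")
    for knob in ("SEC_CONFIG_AUTHENTICATION", "SEC_CONFIG_ENCRYPTION", "SEC_CONFIG_INTEGRITY"):
        if w.get(knob, "").upper() != "REQUIRED":
            findings.append("windows: %s is not REQUIRED" % knob)
    return findings

def diagnose_starter_log(log_text):
    """Explain the user_priv failure: '(null)' means the starter got no NT domain."""
    for m in USER_PRIV_RE.finditer(log_text):
        domain, user = m.groups()
        if domain == "(null)":
            return "no NT domain for %s: job ad has no NTDomain" % user
        return "credentials for %s\\%s not found in the credd" % (domain, user)
    return None
```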


-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Todd Tannenbaum
Sent: Tuesday, May 25, 2010 12:00 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] linux, windows security

SMITH Michael wrote:
> Hello,
>
> I want to submit a job on a linux submit node with requirements to run
> on a windows node under the credentials of a given local account added
> to each windows execution node.  I want to do this because I want to run
> After Effects to have it render a composition and send the output to a
> network file share.
>
> How is this done correctly?
>
> I've tried using +Owner and +NTDomain.  It works only for a domain
> account, not for a local account.  However, when a job runs the output
> files cannot be written to the linux file system because the +Owner
> cannot be found on the linux machine.  Even though this can be made to
> work, it does not feel correct.
>
> Thank you very much,
>
> Mike
>

Mike,

I think the problem space could be greatly simplified if
   1) your login id was consistent across your linux submit machine and 
your windows machines, and
   2) the UID_DOMAIN setting in condor_config was the same across both 
your windows and linux machines, telling Condor that user "mikes" (or 
whatever) is the same user across all machines in that UID_DOMAIN.

If it is easy for you to make the above happen, I'd suggest doing so. 
If it is difficult/impossible, then some options would be:

   a) have your job on windows run as some dedicated login id via config
setting SLOTx_USER, one that has the proper permissions to read/write to
the required folders on your shared filesystem.  See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#sec:RunAsNobody
You could even make a "dedicated slot" specific to After Effects jobs, see
https://condor-wiki.cs.wisc.edu/index.cgi/wiki?p=HowToReserveSlotForSpecialJobs

or

   b) use Condor's authentication map file and an authentication 
mechanism that is in common on Linux and Windows to "map" your Windows 
ID to an appropriate Linux ID.  This option could be made very secure, 
but likely will require more configuration complexity than the above 
options. See
http://www.cs.wisc.edu/condor/manual/v7.4/3_6Security.html#SECTION00464000000000000000


regards,
Todd
