
[Condor-users] condor_credd process issues on windows (Re: [Condor-devel] information regarding ticket 1264)



On Thursday 08 July 2010 10:33:54 Alexandre Fayolle wrote:
> On Wednesday 07 July 2010 18:06:51 Timothy St. Clair wrote:
> > In looking through the handshake your credd is trying to auth with
> > only PASSWORD, but the master is responding with NTSSPI, KERBEROS which
> > is failing authentication b/c there are no matching auth methods.
> > 
> > You may want to try changing your condor_config.local file to:
> > CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS="NTSSPI,PASSWORD" and give that
> > a whirl.
> 
> This worked indeed. Many thanks. I have a few additional questions and
> suggestions:

Hello, 

(For the record, the first part of this thread is available at 
https://lists.cs.wisc.edu/archive/condor-devel/2010-July/msg00000.shtml)

I'm coming back to this because the patch suggested has stopped working 
recently on our production servers, after some security patches from Microsoft 
were installed (I unfortunately don't have the precise list of which patches 
were installed, and cannot be sure this is the only thing that changed). 


Symptoms: after restarting Condor, condor_credd would not start with the 
above line, because it would not connect to condor_master. Hence, jobs with 
run_as_owner would not start. 

Setting 

CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

(i.e. without quotes) would enable condor_credd to connect to condor_master, 
but then, stopping the service using Windows service manager or net stop 
condor would fail to kill condor_credd. 

I've given the issue some thought, as well as an in-depth look at the logs 
with full debugging log enabled, and found out that, as is mentioned in the 
sample condor_config.credd file:

## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
## SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

This includes the configuration file of the computer running condor_credd. 

Indeed adding that line in the condor_config.local of my central manager fully 
solves the issue. The issue is still solved if I revert to


CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD

in the same file. 

I suggest that the condor_config.credd file includes the 
SEC_CLIENT_AUTHENTICATION_METHODS setting by default in future releases of 
Condor. 

Thanks for your time,

-- 
Alexandre Fayolle                              LOGILAB, Paris (France)
Python, CubicWeb, Debian training:     http://www.logilab.fr/formations
Custom software development:           http://www.logilab.fr/services
Scientific computing:                  http://www.logilab.fr/science
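
The mismatch described in this message can be checked offline with a small lint over a condor_config.local fragment. This is an added example, not code from the post or from Condor. It assumes that the two lists compared in the handshake are the ones set by CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS and SEC_CLIENT_AUTHENTICATION_METHODS, and that an unset key falls back to the NTSSPI, KERBEROS list the master answered with in the quoted handshake; the function names and sample fragments are constructed.

```python
import re

# Assumed fallback for an unset key: the list the master answered with in this thread.
FALLBACK = ["NTSSPI", "KERBEROS"]
ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_config(text):
    """Return {KEY: raw value}; comment lines are skipped, last assignment wins."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings

def methods_for(settings, key):
    """Return (methods, warnings) for one key; quoted values are flagged."""
    raw = settings.get(key.upper())
    if raw is None:
        return list(FALLBACK), [key + " unset, using fallback"]
    warnings = []
    if '"' in raw or "'" in raw:
        warnings.append(key + " value is quoted")
    tokens = re.split(r"[,\s]+", raw.replace('"', " ").replace("'", " "))
    return [t.upper() for t in tokens if t], warnings

def common_methods(text, key_a, key_b):
    """Methods both settings allow, in key_a's order, plus any warnings."""
    settings = parse_config(text)
    a, warn_a = methods_for(settings, key_a)
    b, warn_b = methods_for(settings, key_b)
    shared = [m for m in a if m in b]
    warnings = warn_a + warn_b
    if not shared:
        warnings.append("no authentication method in common")
    return shared, warnings

# Constructed condor_config.local fragments modelled on the settings in the thread.
CREDD_KEY = "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS"
CLIENT_KEY = "SEC_CLIENT_AUTHENTICATION_METHODS"
BROKEN = "CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD\n"
QUOTED = 'CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS="NTSSPI,PASSWORD"\n'
FIXED = "SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD\n" + BROKEN

if __name__ == "__main__":
    for name, text in [("broken", BROKEN), ("quoted", QUOTED), ("fixed", FIXED)]:
        print(name, common_methods(text, CREDD_KEY, CLIENT_KEY))
```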