
[Condor-users] Define Pool Password (Central password storage) for Windows Pool to use the RunAsOwner functionality



Hi Condor experts,

I'm building a Condor cluster which will contain Windows and Linux
machines. Currently I'm trying to get the Windows part of the cluster
to work. The jobs which will run on the cluster require the
"RunAsOwner" functionality. I already succeeded installing Condor on a
small part of the Windows cluster (1x WinXP x64 which is the Central
Manager, 4x Win Server 2003 R2 which are submit and execution hosts).
I've read the manual section 6.2 about setting up the Central Manager
as Credential Server but the setup does not work in my case. This is
what I did:

1. Copied the contents of the condor_config.local.credd file to the
condor_config.local file on the Central Manager. The relevant part of
the condor_confic.local looks like:

CREDD_HOST = <hostname.of.my.central.manager>
STARTER_ALLOW_RUNAS_OWNER = True
CREDD_CACHE_LOCALLY = True

SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

ALLOW_CONFIG = <hostname.of.my.central.manager>
SEC_CONFIG_NEGOTIATION = REQUIRED
SEC_CONFIG_AUTHENTICATION = REQUIRED
SEC_CONFIG_ENCRYPTION = REQUIRED
SEC_CONFIG_INTEGRITY = REQUIRED

Plus the part for the "UBER-KNOWLEDGABLE user" from the
condor_config.local.credd file. The settings shown above are identical
for all hosts in my pool (except for the part for the
UBER-KNOWLEDGABLE user which is only included in the config file of
the Central Manager).

2. I ran the condor_restart command on the Central Manager. The
condor_credd daemon is correctly starting on this machine.

3. I ran the command

condor_store_cred -c add

and

condor_store_cred -c -n <hostname> add

from the Central Manager to define a pool password locally and for the
other pool members. Although condor_store_cred states
"Operation succeeded" for all my pool members, the test command

condor_status -f "%s\t" Name -f "%s\n" ifThenElse(isUndefined(LocalCredd),\"UNDEF\",LocalCredd)

states an "UNDEF" for all machines except for the Central Manager
where I'm currently logged in. Another thing I can't really understand
(and which is probably related to this problem) is that when I call
the condor_store_cred -c add command it states

 "Account: condor_pool@<hostname.of.my.central.manager>"

This account does in fact not exist (should it be created?) and I
don't understand what the pool password has to do with this
nonexistent account. BTW: I executed the condor_store_cred command
using a domain account which has administrator privileges for all
machines in my pool, which is what the manual suggested. In the
CreddLog file on my Central Manager I can see a bunch of entries like

10/27 18:05:16 getStoredCredential(): Could not locate credential for user 'condor_pool@xxxxxxxxxxxxxx'
10/27 18:05:36 getStoredCredential(): Could not locate credential for user 'condor_pool@xxxxxxxxxxxxxx'

Seems that the machines are searching for some local accounts called
condor_pool which of course do again not exist on the machines...

=================================================================================

My question now is: Should I create a user called "condor_pool" in
order for the central password storage to work? If yes which
properties should this account have (Admin account (local), Domain
Admin, Normal user account...) or is there something else I'm missing
here?

I hope someone has an idea what is happening here. Thank you very much.

Best regards

Felix Wolfheimer
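
An added example, not part of the original post: a small Python helper that summarizes the two symptoms described above, namely hosts whose LocalCredd column comes back as "UNDEF" in the condor_status test output, and "Could not locate credential" entries in the CreddLog. The sample host names, the POOL.EXAMPLE domain and the function names are constructed for illustration; the log line format is the one quoted in the post, and mail-wrapped log lines are tolerated.

```python
import re

# Constructed sample: output of the condor_status test command (Name <TAB> LocalCredd).
STATUS_OUTPUT = (
    "cm.pool.example\tcm.pool.example\n"
    "exec1.pool.example\tUNDEF\n"
    "exec2.pool.example\tUNDEF\n"
)

# Constructed sample CreddLog text; the last entry is wrapped as in the mail above.
CREDD_LOG = """\
10/27 18:05:16 getStoredCredential(): Could not locate credential for user 'condor_pool@POOL.EXAMPLE'
10/27 18:05:36 getStoredCredential(): Could not locate credential for user 'condor_pool@POOL.EXAMPLE'
10/27 18:06:02 getStoredCredential(): Could not locate credential for
user 'condor_pool@POOL.EXAMPLE'
"""

# \s+ before "user" lets the pattern match both intact and line-wrapped entries.
MISS_RE = re.compile(
    r"(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) getStoredCredential\(\): "
    r"Could not locate credential for\s+user '([^']+)'"
)

def hosts_without_credd(status_text):
    """Return the names whose LocalCredd column is empty or UNDEF."""
    missing = []
    for line in status_text.splitlines():
        if not line.strip():
            continue
        name, _, credd = line.partition("\t")
        if credd.strip() in ("", "UNDEF"):
            missing.append(name.strip())
    return missing

def missing_credentials(log_text):
    """Map each user named in a failed lookup to [count, first_seen, last_seen]."""
    seen = {}
    for stamp, user in MISS_RE.findall(log_text):
        entry = seen.setdefault(user, [0, stamp, stamp])
        entry[0] += 1
        entry[2] = stamp
    return seen

if __name__ == "__main__":
    print("Hosts without LocalCredd:", hosts_without_credd(STATUS_OUTPUT))
    for user, (count, first, last) in missing_credentials(CREDD_LOG).items():
        print(f"{user}: {count} failed lookups between {first} and {last}")
```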