
Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts



Can credd authentication be made to work with Kerberos instead of NTSSPI, including support for RUN_AS_OWNER?

If I change the SEC_CLIENT_AUTHENTICATION_METHODS to "Kerberos" I get this error in the creddlog at startup: Unable to initialize kerberos: Can't open/find Kerberos configuration file.

There is no documentation on how to specify this Kerberos configuration file.

Wikipedia indicates that NTLM and SSPI are deprecated in favor of Kerberos. The code in Condor doing NTLM authentication appears to be from 12-year-old sample code. I don't know, but the age and deprecation of this stuff may play into how it's randomly not working for me.

> -----Original Message-----
> From: Rowe, Thomas
> Sent: Wednesday, May 30, 2012 2:19 PM
> To: Condor-Users Mail List
> Cc: 'Cathrin Weiss'
> Subject: RE: [Condor-users] credd locking out accounts with inexplicable bad
> logon attempts
> 
> I have tried this setting and also tried disabling all credential caching, to no
> effect. Are there any other ideas?
> 
> At least one other guy reported this problem of authentications randomly
> failing. Are there any other reports?
> 
> 
> > -----Original Message-----
> > From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-
> > bounces@xxxxxxxxxxx] On Behalf Of Cathrin Weiss
> > Sent: Friday, May 18, 2012 11:17 PM
> > To: Condor-Users Mail List
> > Subject: Re: [Condor-users] credd locking out accounts with
> > inexplicable bad logon attempts
> >
> > Thomas,
> >
> > give setting
> >
> > 	SKIP_WINDOWS_LOGON_NETWORK = True
> >
> > a try. (See documentation here:
> > http://research.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#20111).
> > Restart Condor thereafter (reconfig might be enough, I don't
> > recall.) I've seen this kind of failure go away with this
> > configuration.
> >
> > -- Cathrin
> >
> >
> >
> > On May 18, 2012, at 3:43 PM, Rowe, Thomas wrote:
> >
> > > Unless someone has a clue I have to conclude that CREDD doesn't
> > > actually work and I will proceed to refactor my system to run the
> > > parts that require user privileges outside of condor. Sigh, quite a
> > > bit of work down the drain.
> > > Also, I have to add to the problem list that condor_store_cred
> > > frequently randomly fails with "Operation failed. Make sure your
> > > ALLOW_WRITE setting includes this host." Again, wait a few minutes and
> > > it'll work. This is yet another sort of spurious bug.
> > >
> > > So, I'm having difficulty figuring out how to turn off CREDD
> > > entirely. When I `condor_submit` a job it still demands there be valid
> > > CREDD stored credentials even when the job is not "run_as_owner". I
> > > don't see why there's any check for credentials. I removed CREDD from
> > > the daemon list on the master, commented out the credd_host on the
> > > submit machine, and changed these REQUIRED authentication settings to
> > > "NEVER" on both the credd machine and the submit machine:
> > >
> > >     CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
> > >     CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
> > >     CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
> > >     CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
> > >
> > > condor_submit still demands I add a credential. But as explained
> > > previously I want nothing to do with credentials because they don't
> > > work. Is it possible to completely remove CREDD from a windows pool?
> > >
> > >
> > > From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Taylor, Brian T.
> > > Sent: Friday, May 18, 2012 1:42 PM
> > > To: Condor-Users Mail List
> > > Subject: Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts
> > >
> > > I don't have any light to shed but I experienced very similar
> > > problems on an LDAP/Samba-backed domain. Randomly and unpredictably, a
> > > user executing run_as_owner jobs would be locked out of their account
> > > because condor tried to authenticate them with a bad password. I never
> > > figured out why this was happening and I eventually stopped using
> > > Condor and replaced it with my own service.
> > >
> > >
> > > On May 18, 2012, at 1:32 PM, Rowe, Thomas wrote:
> > >
> > >
> > > I am having troubles with credd on Windows generating loads of
> > > "Logon Failure" events. The stored credentials for the relevant users
> > > are definitely valid. For no obvious reason, run_as_owner jobs
> > > spuriously produce events like these: "Unknown user name or bad
> > > password; Logon Type: 3; Logon Process: Advapi; Authentication
> > > Package: Negotiate".
> > >
> > > If three of these happen within an hour, the account gets locked
> > > out. This happens frequently. Is this an understood issue? I can't
> > > rule out that ActiveDirectory on this network is misconfigured in some
> > > way.
> > >
> > > Probably relevant: `condor_store_cred query` also spuriously reports
> > > invalid or missing credentials. If you simply wait a couple minutes it
> > > will then report the stored credentials are valid. So apropos of
> > > nothing, the credentials seem to temporarily blink out of existence.
> > > I've seen this behavior on two different networks.
> > >
> > > Can anyone shed some light? I'm near the end of my rope with this
> > > stuff. I might have to rip out condor and write some services, which I
> > > really didn't want to do.
> > >
> > > Thanks.
> > > _______________________________________________
> > > Condor-users mailing list
> > > To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx
> > > with a
> > > subject: Unsubscribe
> > > You can also unsubscribe by visiting
> > > https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> > >
> > > The archives can be found at:
> > > https://lists.cs.wisc.edu/archive/condor-users/
> > >
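The thread above describes accounts being locked out after three "Logon Failure" events within an hour, each carrying Logon Type 3, Logon Process Advapi and Authentication Package Negotiate. As an added example, not part of the thread and not Condor's own code, the Python script below shows how a practitioner would correlate exported Security-log failure records per account to find which accounts cross that threshold and how many of their failures carry the credd-style signature, so the lockouts can be tied to (or separated from) what credd is doing. The event records are constructed inline in the shape of the fields quoted in the thread, and the 3-failures-per-hour policy and the assumption that the directory's bad-password counter increments on every failure regardless of logon type are taken from the thread, not from any real domain. Python is used instead of PowerShell so the logic runs anywhere; in practice the records would be exported from the Security log of the domain controller or the credd host.

```python
"""Correlate Windows logon-failure events per account and flag the ones that
hit the lockout threshold described in the thread (three failures in one hour).

Added example, not Condor's code.  SAMPLE_EVENTS is constructed data shaped
like the event fields quoted in the thread; the policy values are assumptions
taken from the thread rather than from a real domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                 # assumed: "three ... within an hour"
LOCKOUT_WINDOW = timedelta(hours=1)   # assumed: the one-hour observation window

# Constructed sample records (not real log data).  Each tuple is:
# (timestamp, target user, status text, logon type, logon process, auth package)
SAMPLE_EVENTS = [
    ("2012-05-18 13:02:11", "DOMAIN\\alice", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 13:05:40", "DOMAIN\\alice", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 13:41:03", "DOMAIN\\alice", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 13:10:00", "DOMAIN\\bob",   "Unknown user name or bad password", 2, "User32", "Negotiate"),
    ("2012-05-18 15:30:00", "DOMAIN\\bob",   "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 09:00:00", "DOMAIN\\carol", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 09:59:00", "DOMAIN\\carol", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
    ("2012-05-18 10:00:30", "DOMAIN\\carol", "Unknown user name or bad password", 3, "Advapi", "Negotiate"),
]


def parse_event(raw):
    """Turn one raw record into a dict with a real datetime."""
    ts, user, status, logon_type, process, package = raw
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "status": status,
        "logon_type": logon_type,
        "process": process,
        "package": package,
    }


def is_credd_signature(ev):
    """The failure shape quoted in the thread: a network logon (type 3)
    requested through Advapi (a LogonUser-style call) with Negotiate."""
    return ev["logon_type"] == 3 and ev["process"] == "Advapi" and ev["package"] == "Negotiate"


def find_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: time of the failure that crosses the threshold}.

    A sliding window runs over each user's failures, oldest first.  Every
    failure counts, whatever its logon type, because the directory's
    bad-password counter does not care which process sent the bad password.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["time"])
    locked = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            # `threshold` failures fit in the window iff the oldest of them
            # is no more than `window` before the newest.
            if times[i] - times[i - threshold + 1] <= window:
                locked[user] = times[i]
                break
    return locked


def attribute_failures(events):
    """Per user: (total failures, failures matching the credd signature)."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        counts[ev["user"]][0] += 1
        if is_credd_signature(ev):
            counts[ev["user"]][1] += 1
    return {user: tuple(c) for user, c in counts.items()}


def report(raw_events=SAMPLE_EVENTS):
    """One line per account that would be locked out, with attribution."""
    events = [parse_event(r) for r in raw_events]
    locked = find_lockouts(events)
    attributed = attribute_failures(events)
    lines = []
    for user, when in sorted(locked.items()):
        total, credd = attributed[user]
        lines.append(f"{user}: lockout at {when:%H:%M:%S}; "
                     f"{credd}/{total} failures match the credd signature")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the constructed data only alice is flagged: her three Advapi/Negotiate failures fall inside one hour, while carol's three are spread over an hour and thirty seconds and bob has only two failures hours apart. The attribution column is the useful part when chasing the thread's problem: if every failure on a locked account carries the Advapi/Negotiate/type-3 signature, the bad password is coming from the service's LogonUser-style calls rather than from the user, which is the first thing to establish before looking at stored credentials or directory configuration.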