
Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts



Unless someone has a clue I have to conclude that CREDD doesn't actually work and I will proceed to refactor my system to run the parts that require user privileges outside of condor. Sigh, quite a bit of work down the drain. Also, I have to add to the problem list that condor_store_cred frequently randomly fails with "Operation failed. Make sure your ALLOW_WRITE setting includes this host." Again, wait a few minutes and it'll work. This is yet another sort of spurious bug.

 

So, I'm having difficulty figuring out how to turn off CREDD entirely. When I `condor_submit` a job it still demands there be valid CREDD stored credentials even when the job is not "run_as_owner". I don't see why there's any check for credentials. I removed CREDD from the daemon list on the master, commented out the credd_host on the submit machine, and changed these REQUIRED authentication settings to "NEVER" on both the credd machine and the submit machine:

CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED

CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED

CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED

CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED

 

condor_submit still demands I add a credential. But as explained previously I want nothing to do with credentials because they don't work. Is it possible to completely remove CREDD from a Windows pool?

 

 

From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Taylor, Brian T.
Sent: Friday, May 18, 2012 1:42 PM
To: Condor-Users Mail List
Subject: Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts

 

I don't have any light to shed but I experienced very similar problems on an LDAP/Samba backed domain. Randomly and unpredictably, a user executing run_as_owner jobs would be locked out of their account because condor tried to authenticate them with a bad password. I never figured out why this was happening and I eventually stopped using Condor and replaced it with my own service.

 

 

On May 18, 2012, at 1:32 PM, Rowe, Thomas wrote:



I am having troubles with credd on Windows generating loads of "Logon Failure" events. The stored credentials for the relevant users are definitely valid. For no obvious reason, run_as_owner jobs spuriously produce events like these: "Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate".

 

If three of these happen within an hour, the account gets locked out. This happens frequently. Is this an understood issue? I can't rule out that Active Directory on this network is misconfigured in some way.

 

Probably relevant: `condor_store_cred query` also spuriously reports invalid or missing credentials. If you simply wait a couple minutes it will then report the stored credentials are valid. So apropos of nothing, the credentials seem to temporarily blink out of existence. I've seen this behavior on two different networks.

 

Can anyone shed some light? I'm near the end of my rope with this stuff. I might have to rip out condor and write some services, which I really didn't want to do.

 

Thanks.
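
As an added illustration (not part of the thread and not Condor code), the lockout condition described in the original report, three bad-password failures within an hour, can be checked against exported failure records with a sliding window. The record format and account names are constructed for the example; the Logon Type 3 / Advapi filter is taken from the event text quoted in the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one failed-logon record per line in a hypothetical
# export format: ISO timestamp, account, Logon Type, Logon Process.
SAMPLE_EVENTS = """\
2012-05-18T09:02:11 alice 3 Advapi
2012-05-18T09:15:40 alice 3 Advapi
2012-05-18T09:20:05 bob 3 Advapi
2012-05-18T09:58:30 alice 3 Advapi
2012-05-18T10:05:00 bob 2 User32
2012-05-18T10:40:00 bob 3 Advapi
2012-05-18T11:30:00 bob 3 Advapi
2012-05-18T11:35:00 carol 3 Advapi
"""

def parse_events(text):
    """Yield (timestamp, account, logon_type, logon_process) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, logon_type, process = line.split()
        yield datetime.fromisoformat(stamp), account, int(logon_type), process

def find_lockout_risks(events, threshold=3, window=timedelta(hours=1),
                       logon_type=3, logon_process="Advapi"):
    """Return {account: [times at which `threshold` failures fell inside `window`]}."""
    recent = defaultdict(deque)   # account -> failure times still inside the window
    hits = defaultdict(list)
    for ts, account, ltype, process in sorted(events):
        # Only the failure signature quoted in the thread is counted.
        if ltype != logon_type or process != logon_process:
            continue
        times = recent[account]
        while times and ts - times[0] >= window:
            times.popleft()       # drop failures older than the window
        times.append(ts)
        if len(times) >= threshold:
            hits[account].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for account, times in find_lockout_risks(parse_events(SAMPLE_EVENTS)).items():
        print(account, "reached the lockout threshold at", times[0].isoformat())
```

Correlating the reported times with job start times on the execute machines shows whether the failures line up with run_as_owner jobs or with something else on the network.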
