
Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts



I have tried this setting and also tried disabling all credential caching, to no effect. Are there any other ideas?

At least one other guy reported this problem of authentications randomly failing. Are there any other reports?


> -----Original Message-----
> From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Cathrin Weiss
> Sent: Friday, May 18, 2012 11:17 PM
> To: Condor-Users Mail List
> Subject: Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts
> 
> Thomas,
> 
> give setting
> 
> 	SKIP_WINDOWS_LOGON_NETWORK = True
> 
> a try. (See documentation here:
> http://research.cs.wisc.edu/condor/manual/v7.6/3_3Configuration.html#20111).
> Restart Condor thereafter (reconfig might be enough, I don't recall.)
> I've seen this kind of failure go away with this configuration.
> 
> -- Cathrin
> 
> 
> 
> On May 18, 2012, at 3:43 PM, Rowe, Thomas wrote:
> 
> > Unless someone has a clue I have to conclude that CREDD doesn't actually
> > work and I will proceed to refactor my system to run the parts that require
> > user privileges outside of condor. Sigh, quite a bit of work down the drain.
> > Also, I have to add to the problem list that condor_store_cred frequently
> > randomly fails with "Operation failed. Make sure your ALLOW_WRITE setting
> > includes this host." Again, wait a few minutes and it'll work. This is yet
> > another sort of spurious bug.
> >
> > So, I'm having difficulty figuring out how to turn off CREDD entirely. When I
> > `condor_submit` a job it still demands there be valid CREDD stored
> > credentials even when the job is not "run_as_owner". I don't see why
> > there's any check for credentials. I removed CREDD from the daemon list on
> > the master, commented out the credd_host on the submit machine, and
> > changed these REQUIRED authentication settings to "NEVER" on both the
> > credd machine and the submit machine:
> > CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
> > CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
> > CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
> > CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
> >
> > condor_submit still demands I add a credential. But as explained previously
> > I want nothing to do with credentials because they don't work. Is it possible
> > to completely remove CREDD from a windows pool?
> >
> >
> > From: condor-users-bounces@xxxxxxxxxxx [mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Taylor, Brian T.
> > Sent: Friday, May 18, 2012 1:42 PM
> > To: Condor-Users Mail List
> > Subject: Re: [Condor-users] credd locking out accounts with inexplicable bad logon attempts
> >
> > I don't have any light to shed but I experienced very similar problems on an
> > LDAP/Samba backed domain. Randomly and unpredictably, a user executing
> > run_as_owner jobs would be locked out of their account because condor
> > tried to authenticate them with a bad password. I never figured out why this
> > was happening and I eventually stopped using Condor and replaced it with
> > my own service.
> >
> >
> > On May 18, 2012, at 1:32 PM, Rowe, Thomas wrote:
> >
> >
> > I am having troubles with credd on Windows generating loads of "Logon
> > Failure" events. The stored credentials for the relevant users are definitely
> > valid. For no obvious reason, run_as_owner jobs spuriously produce events
> > like these: "Unknown user name or bad password; Logon Type: 3; Logon
> > Process: Advapi; Authentication Package: Negotiate".
> >
> > If three such of these happen within an hour, the account gets locked out.
> > This happens frequently. Is this an understood issue? I can't rule out that
> > ActiveDirectory on this network is misconfigured in some way.
> >
> > Probably relevant: `condor_store_cred query` also spuriously reports
> > invalid or missing credentials. If you simply wait a couple minutes it will then
> > report the stored credentials are valid. So apropos of nothing, the credentials
> > seem to temporarily blink out of existence. I've seen this behavior on two
> > different networks.
> >
> > Can anyone shed some light? I'm near the end of my rope with this stuff. I
> > might have to rip out condor and write some services, which I really didn't
> > want to do.
> >
> > Thanks.
> > _______________________________________________
> > Condor-users mailing list
> > To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx
> > with a
> > subject: Unsubscribe
> > You can also unsubscribe by visiting
> > https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> >
> > The archives can be found at:
> > https://lists.cs.wisc.edu/archive/condor-users/
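
Added example, not part of the original thread and not Condor code: one way to find which accounts reach the lockout threshold described above (three failed logons within an hour) and which hosts the failures came from, restricted to the "Logon Type: 3 / Logon Process: Advapi" failures quoted in the thread. The log line layout, account names and host names are constructed for illustration, and the lines are assumed to be in time order; real Windows Security events would first have to be exported into this form.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real logs): timestamp, account, source host,
# then failure text in the form quoted in the thread.
SAMPLE = """\
2012-05-18T09:02:11 LAB\\alice exec01 Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate
2012-05-18T09:20:40 LAB\\alice exec02 Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate
2012-05-18T09:25:03 LAB\\bob ws07 Unknown user name or bad password; Logon Type: 2; Logon Process: User32; Authentication Package: Negotiate
2012-05-18T09:58:30 LAB\\alice exec01 Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate
2012-05-18T11:30:00 LAB\\carol exec03 Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate
2012-05-18T12:45:00 LAB\\carol exec03 Unknown user name or bad password; Logon Type: 3; Logon Process: Advapi; Authentication Package: Negotiate
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<host>\S+) .*?"
    r"Logon Type: (?P<type>\d+); Logon Process: (?P<proc>\w+);"
)

def lockout_risks(text, threshold=3, window=timedelta(hours=1)):
    """Return (account, time of the threshold-th failure, sorted source hosts)."""
    recent = defaultdict(deque)        # account -> failures still inside the window
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        # Keep only network logons made through Advapi, as in the thread.
        if not m or m["type"] != "3" or m["proc"].lower() != "advapi":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["account"]]
        q.append((ts, m["host"]))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((m["account"], ts, sorted({h for _, h in q})))
    return hits

if __name__ == "__main__":
    for account, ts, hosts in lockout_risks(SAMPLE):
        print(f"{account} reached the threshold at {ts} from {', '.join(hosts)}")
```

Seeing more than one source host for the same account, as in the constructed data, points at the execute nodes rather than at a single mistyped password.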