Re: [HTCondor-users] Windows pool, how to remove security

[johnkn <johnkn@xxxxxxxxxxx>]

On 2014-07-21 21:38, Ralph Finch wrote:
> We run an all-Windows 7x64 HTC pool. I want to remove all the security
> stuff; what's the best way? I gave it a try via:
>
> All machines' condor_config (only changes shown):
>
>  SEC_CONFIG_NEGOTIATION = NONEÂ # these were all REQUIRED
> SEC_CONFIG_AUTHENTICATION = NONE
> SEC_CONFIG_ENCRYPTION = NONE
> SEC_CONFIG_INTEGRITY = NONE
>
> CM's condor_config:
>
> # Set security settings so that full security to the credd is NOT
> REQUIRED
>  CREDD.SEC_DEFAULT_AUTHENTICATION =NONE # these were all REQUIRED
> CREDD.SEC_DEFAULT_ENCRYPTION = NONE
> CREDD.SEC_DEFAULT_INTEGRITY = NONE
> CREDD.SEC_DEFAULT_NEGOTIATION = NONE
>
> However I get complaints e.g. CredLog:
>
> 07/21/14 21:27:37 PERMISSION DENIED to unauthenticated@unmapped from
> host 10.159.20.142 for command 81100 (CREDD_NOP), access level DAEMON:
> reason: DAEMON authorization policy contains no matching ALLOW entry
> for this request; identifiers used for this host:
> 10.159.20.142,BDOMO-024.ad.water.ca.gov [1], hostname size = 1,
> original ip address = 10.159.20.142
>  07/21/14 21:28:41 IPVERIFY: checking BDOMO-005 against 10.159.20.114
> 07/21/14 21:28:41 IPVERIFY: matched 10.159.20.114 to 10.159.20.114
> 07/21/14 21:28:41 IPVERIFY: ip found is 1
> 07/21/14 21:28:41 PERMISSION DENIED to unauthenticated@unmapped from
> host 10.159.20.114 for command 81099 (CREDD_GET_PASSWD), access level
> DAEMON: reason: DAEMON authorization policy contains no matching ALLOW
> entry for this request; identifiers used for this host:
> 10.159.20.114,BDOMO-005, hostname size = 1, original ip address =
> 10.159.20.114
>
> WHY I WANT TO REMOVE ALL THE SECURITY STUFF
> I'm the only one using the pool (~ 100 cores on at most 20 machines in
> a small LAN). Nothing "sensitive" is being done, and I've had troubles
> for years with pool passwords etc acting up and not being able to run
I believe you can remove all of the security stuff by just removing ALL 
of the security configuration statements from your configuration file.  
In the absence of any configuration statements, HTCondor defaults to 
trusting everyone.

If you are running HTCondor 8.2.x (or 8.3.x) don't forget to remove the 
"use SECURITY : HOST_BASED"  statement from the base condor_config file.

> on machines in the pool. Frankly I don't fully understand the security
> stuff, and because I don't need it just wish to shut it off once and
> for all.
>
> Note: I have tried over the years to understand this and get it
> properly set, but it acts dodgy and I'm not convinced I'm 100% the
> cause of it. Windows seems to have problems in this regard. So no, I
> don't want to try more to get all the security "right", I've tried
> several times on these lists, it doesn't work. Just shut it off,
> thanks.
>
>
> Links:
> ------
> [1] http://BDOMO-024.ad.water.ca.gov
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx 
> with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/