Re: [HTCondor-users] Two Factor Authentication

Please contact me directly and we can discuss options. 

This likely has nothing to do with authentication per se. (Authentication is proving who you are - and the nobody user is by definition not an actual user.)

Currently HTCondor will always create a 'nobody' user on the execute node and run the job as that user unless the job has run_as_owner=TRUE.
The nobody user only needs to have access to the files in the execute directory on the execute node. That temporary user will own the files while the job is running, and it will be disabled as soon as the job exits and the results are transferred back.

We create one 'nobody' user for each slot so that the slots don't have access to each other's files.


On 7/29/2015 11:01 AM, Michael Fienen wrote:
Hi HTCondor peoples

We at the US Geological Survey have just been mandated to use two-factor authentication for all Windows machines in the agency. The result is that credentials for authentication seem not to be passed through HTCondor properly. When I submit runs from a submit node, condor_q lists them as running (“R”), and condor_status shows machines as claimed, but the job log reports:

007 (408.088.000) 07/27 17:14:16 Shadow exception!
Error from slot1@xxxxxxxx.xxx.net: Failed to create a user nobody
0  -  Run Bytes Sent By Job
0  -  Run Bytes Received By Job

This is reported for all machines that have TFA enabled. 

Is there a way to pass the credentials through in this setup? Anyone have experience with TFA and HTCondor?

I can provide more specifics about how TFA was implemented if that would help.

Mike Fienen
USGS Wisconsin Water Science Center
