
Re: [HTCondor-users] Two Factor Authentication



We are a part of the USGS as well with the same new TFA requirements. Though not the same issue, we are having an issue with jobs stuck in idle since yesterday. The user also said he is not getting anything in the logs. We haven't been able to look into it as much as we like, just not a top priority right now. So whatever you figure out I would like to be kept in the loop somehow.


Thanks

Jon Knudson
IT Specialist
Upper Midwest Environmental Sciences Center
United States Geological Survey
2630 Fanta Reed Road
La Crosse, Wisconsin 54603
www.umesc.usgs.gov
E-Mail: jknudson@xxxxxxxx
Phone: 608-781-6201
Cell: 608-304-4189


On Thu, Jul 30, 2015 at 3:39 PM, John (TJ) Knoeller <johnkn@xxxxxxxxxxx> wrote:
Please contact me directly and we can discuss options.

This likely has nothing to do with authentication per se. (Authentication is proving who you are, and the nobody user is by definition not an actual user.)

Currently HTCondor will always create a 'nobody' user on the execute node and run the job as that user unless the job has run_as_owner=TRUE.
The nobody user only needs to have access to the files in the execute directory on the execute node. That temporary user will own the files while the job is running, and it will be disabled as soon as the job exits and the results are transferred back.

We create one 'nobody' user for each slot so that the slots don't have access to each other's files.

-tj


On 7/29/2015 11:01 AM, Michael Fienen wrote:
Hi HTCondor peoples

We at the US Geological Survey have just been mandated to use two-factor authentication for all Windows machines in the agency. The result is that credentials for authentication seem not to be passed through HTCondor properly. When I submit runs from a submit node, condor_q lists them as running ("R"), and condor_status shows machines as claimed, but the job log reports:

007 (408.088.000) 07/27 17:14:16 Shadow exception!
Error from slot1@xxxxxxxx.xxx.net: Failed to create a user nobody
0  -  Run Bytes Sent By Job
0  -  Run Bytes Received By Job

This is reported for all machines that have TFA enabled.

Is there a way to pass the credentials through in this setup? Anyone have experience with TFA and HTCondor?

I can provide more specifics about how TFA was implemented if that would help.

Thanks
Mike Fienen
USGS Wisconsin Water Science Center



_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

