[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HTCondor-users] CREDD on windows locking out users

I am getting spurious CREDD errors leading to user account lockouts. All machines are Windows 7, on an air-gapped network. I've actually seen this on two entirely different networks now. The domain controller is configured to lock an account after three failures.

I have a credd running on all machines and these pertinent config options set:
    starter_allow_runas_owner = true
    credd_cache_locally = true
    skip_windows_logon_network = true

On a given machine (not the master, I haven't looked closely at those logs yet) after a lockout I will randomly see in the credd log file entries like this:
    NETWORK logon failed. Attempting interactive
    Failed to log in me@domain with err = 1326
    [a couple refrains of this later, and then:]
    NETWORK logon disabled. Trying INTERACTIVE only!
    Failed to logon me@domain with err = 1909

I will also sometimes see "condor_store_cred query" randomly report that there is no stored credential or the credential is invalid for a user. Wait about sixty seconds and often as not without having made any changes at all "condor_store_cred query" will go back to claiming everything is fine.

This is terribly vexing and potentially makes HTCondor non-viable here. Hopefully somebody can offer pointers on how to debug and fix this? Unfortunately, these are air-gapped secure networks and I simply cannot provide logs for review. I will need directions on how to examine outputs.