
[HTCondor-users] Win Server 2012 R2 + run_as_owner fails: What permission am I missing?



TL;DR: Does anyone have a working Win Server 2012 R2 Condor setup using run_as_owner that doesn’t involve adding the submitting user accounts to the Administrator group?

What permissions are necessary on the user accounts to make it work?

 

I’ve got some lovely new machines for my Condor pool.  They’re running Windows Server 2012 R2.  I’ve never added boxes running that OS before.

I can remote desktop into my target box with my user account just fine.

But when I submit a test job with run_as_owner, it fails unless I make myself an Administrator on the target box.

 

Failures look like this:

05/06/15 15:56:14 (pid:7932) ******************************************************
05/06/15 15:56:14 (pid:7932) ** condor_starter (CONDOR_STARTER) STARTING UP
05/06/15 15:56:14 (pid:7932) ** C:\condor\bin\condor_starter.exe
05/06/15 15:56:14 (pid:7932) ** SubsystemInfo: name=STARTER type=STARTER(8) class=DAEMON(1)
05/06/15 15:56:14 (pid:7932) ** Configuration: subsystem:STARTER local:<NONE> class:DAEMON
05/06/15 15:56:14 (pid:7932) ** $CondorVersion: 8.2.7 Feb 09 2015 BuildID: 300022 $
05/06/15 15:56:14 (pid:7932) ** $CondorPlatform: x86_64_Windows8 $
05/06/15 15:56:14 (pid:7932) ** PID = 7932
05/06/15 15:56:14 (pid:7932) ** Log last touched 5/6 15:55:46
05/06/15 15:56:14 (pid:7932) ******************************************************
05/06/15 15:56:14 (pid:7932) init_user_ids: want user [myuseraccount], current is '(null)@(null)'
05/06/15 15:56:14 (pid:7932) Locally stored credential for [myuseraccount] is stale
05/06/15 15:56:14 (pid:7932) trying to fetch password from credd: [mycredd]
05/06/15 15:56:14 (pid:7932) Will use UDP to update collector [mycollector]
05/06/15 15:56:14 (pid:7932) Trying to query collector [mycollector]
05/06/15 15:56:14 (pid:7932) Found credential for user 'condor_pool@'
05/06/15 15:56:14 (pid:7932) Found credential for user 'condor_pool@'
05/06/15 15:56:14 (pid:7932) Found credential for user [myuseraccount]
05/06/15 15:56:14 (pid:7932) LogonUser completed.
05/06/15 15:56:14 (pid:7932) init_user_ids: LogonUser failed with NT Status 1385
05/06/15 15:56:14 (pid:7932) Could not initialize user_priv as "[myuseraccount]".
      Make sure this account's password is securely stored with condor_store_cred.
05/06/15 15:56:14 (pid:7932) ERROR: Failed to determine what user to run this job as, aborting
05/06/15 15:56:14 (pid:7932) Failed to initialize JobInfoCommunicator, aborting
05/06/15 15:56:14 (pid:7932) Unable to start job.
05/06/15 15:56:14 (pid:7932) **** condor_starter (condor_STARTER) pid 7932 EXITING WITH STATUS 1
05/06/15 15:56:14 (pid:7932) Deleting the StarterHookMgr

 

When I make my user account an Administrator, it looks like this:

05/04/15 15:43:41 (pid:12156) ******************************************************
05/04/15 15:43:41 (pid:12156) ** condor_starter (CONDOR_STARTER) STARTING UP
05/04/15 15:43:41 (pid:12156) ** C:\condor\bin\condor_starter.exe
05/04/15 15:43:41 (pid:12156) ** SubsystemInfo: name=STARTER type=STARTER(8) class=DAEMON(1)
05/04/15 15:43:41 (pid:12156) ** Configuration: subsystem:STARTER local:<NONE> class:DAEMON
05/04/15 15:43:41 (pid:12156) ** $CondorVersion: 8.2.7 Feb 09 2015 BuildID: 300022 $
05/04/15 15:43:41 (pid:12156) ** $CondorPlatform: x86_64_Windows8 $
05/04/15 15:43:41 (pid:12156) ** PID = 12156
05/04/15 15:43:41 (pid:12156) ** Log last touched 5/4 15:31:43
05/04/15 15:43:41 (pid:12156) ******************************************************
05/04/15 15:43:41 (pid:12156) init_user_ids: want user [myuseraccount], current is '(null)@(null)'
05/04/15 15:43:41 (pid:12156) trying to fetch password from credd: [mycredd]
05/04/15 15:43:41 (pid:12156) Will use UDP to update collector [mycollector]
05/04/15 15:43:41 (pid:12156) Trying to query collector [mycollector]
05/04/15 15:43:41 (pid:12156) Found credential for user 'condor_pool@'
05/04/15 15:43:41 (pid:12156) Found credential for user 'condor_pool@'
05/04/15 15:43:41 (pid:12156) Found credential for user [myuseraccount]
05/04/15 15:43:41 (pid:12156) LogonUser completed.
05/04/15 15:43:41 (pid:12156) STORE_CRED: In mode 'add'
05/04/15 15:43:41 (pid:12156) Adding [myuseraccount]@[mydomain] to credential storage.
05/04/15 15:43:41 (pid:12156) Succeeded to log in [myuseraccount]@[mydomain]
05/04/15 15:43:41 (pid:12156) Attempting to store 370 bytes to reg key...
05/04/15 15:43:41 (pid:12156) Switching back to old priv state.
05/04/15 15:43:41 (pid:12156) Addition succeeded!
05/04/15 15:43:41 (pid:12156) init_user_ids: Successfully stashed credential in registry for user [myuseraccount]@[mydomain]
05/04/15 15:43:41 (pid:12156) perm::init() starting up for account [myuseraccount] domain (NULL)
05/04/15 15:43:41 (pid:12156) perm::init: Found Account Name [myuseraccount]
05/04/15 15:43:41 (pid:12156) TokenCache contents:
[myuseraccount]@[mydomain]
05/04/15 15:43:41 (pid:12156) Done moving to directory "C:\condor\execute\dir_12156"
05/04/15 15:43:41 (pid:12156) TokenCache contents:
[myuseraccount]@[mydomain]

 

Our IT won’t let me simply add all our Condor users to the Administrators group, so I am trying to find a minimum set of permissions which lets my jobs start.

 

--------------------------------------------------
Jason Ross              Intel Corporation
Graphics Architect      FM5-64
VPG Architecture        1900 Prairie City Road
(916) 356-8964          Folsom, CA  95630
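
Added example, not part of the original post and not HTCondor's own code: a triage pass over starter log lines like those above that pairs each failed LogonUser call with the account the starter wanted and decodes the status number. It assumes the number logged as "NT Status" is the Win32 error code from winerror.h, where 1385 is ERROR_LOGON_TYPE_NOT_GRANTED (the account lacks the user right for the requested logon type), a rights-assignment cause rather than the stored-password cause the log hint points to; the cause labels are this example's own.

```python
import re

# Win32 error codes LogonUser can return (winerror.h); cause labels are this example's own.
WIN32_LOGON_ERRORS = {
    1326: ("ERROR_LOGON_FAILURE", "credential"),
    1327: ("ERROR_ACCOUNT_RESTRICTION", "account-policy"),
    1330: ("ERROR_PASSWORD_EXPIRED", "credential"),
    1331: ("ERROR_ACCOUNT_DISABLED", "account-policy"),
    1385: ("ERROR_LOGON_TYPE_NOT_GRANTED", "logon-right"),
    1909: ("ERROR_ACCOUNT_LOCKED_OUT", "account-policy"),
}

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(pid:(\d+)\) (.*)$")
WANT = re.compile(r"init_user_ids: want user (\S+?),")
FAIL = re.compile(r"LogonUser failed with NT Status (\d+)")

# Excerpt assembled from the failing and the succeeding starter logs in the post.
SAMPLE_LOG = """\
05/06/15 15:56:14 (pid:7932) init_user_ids: want user [myuseraccount], current is '(null)@(null)'
05/06/15 15:56:14 (pid:7932) Locally stored credential for [myuseraccount] is stale
05/06/15 15:56:14 (pid:7932) Found credential for user [myuseraccount]
05/06/15 15:56:14 (pid:7932) LogonUser completed.
05/06/15 15:56:14 (pid:7932) init_user_ids: LogonUser failed with NT Status 1385
05/04/15 15:43:41 (pid:12156) init_user_ids: want user [myuseraccount], current is '(null)@(null)'
05/04/15 15:43:41 (pid:12156) LogonUser completed.
05/04/15 15:43:41 (pid:12156) Succeeded to log in [myuseraccount]@[mydomain]
"""

def triage(log_text):
    """Return one finding per failed LogonUser call, keyed to the starter PID."""
    wanted, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and blanks carry no timestamp
        when, pid, msg = m.groups()
        if (w := WANT.search(msg)):
            wanted[pid] = w.group(1)  # account this starter tried to become
        elif (f := FAIL.search(msg)):
            code = int(f.group(1))
            name, cause = WIN32_LOGON_ERRORS.get(code, ("UNKNOWN", "unknown"))
            findings.append({"time": when, "pid": pid, "user": wanted.get(pid),
                             "code": code, "name": name, "cause": cause})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} pid {f['pid']} user {f['user']}: {f['code']} {f['name']} ({f['cause']})")
```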