
Re: [HTCondor-users] HTCondor with smartcard logon



John,

Thanks for the response.

I'm currently working on implementing the dedicated slot users solution. Could you explain what the Windows Local System Policy editor is?

I've tinkered around in Local Group Policy and Local Security Policy but cannot find a way to adjust the cndrusr properties with those tools.

Andy

On Fri, Oct 2, 2015 at 1:00 PM, John M Knoeller <johnkn@xxxxxxxxxxx> wrote:
I met with some people from the USGS office in Madison a few weeks ago about this very issue. When last I spoke to them, they were in the process of implementing my suggested workaround, but I don't know if they ever completed that.

What it comes down to is this:

There is no way for HTCondor to run jobs under a user account that requires smartcard authentication. As far as I know, it's impossible for ANY service process to run on an account that requires two-factor authentication - jobs running on your Windows execute nodes are just a special case of this.

Normally on Windows, the HTCondor daemons run as local system. I'm fairly confident that your local system accounts don't require smartcard authentication, which is why you are able to start HTCondor at all.

When it's time to run a job, HTCondor does this by creating a process as another user, so that jobs don't run as local system. By default, when HTCondor runs a job it uses the 'nobody' user, which on Windows really means that we use a dynamically created user with a name like condor-slot1 or condor-reuse-slot1. We use a different username for each slot so that jobs cannot mess with each other.

By default HTCondor will create these dynamic users as members of the Windows local group "Users", but you can use a configuration knob to control what group HTCondor will use. This knob provides the first (and IMO best) way to solve the smart-card authentication problem.

The procedure is this:

1) Use the Windows user management tools to create a new group called CondorSlotUsers.

1a) If you have any users with names matching condor-slot* or condor-reuse-slot* on this machine, remove them from group Users and add them to group CondorSlotUsers.

1b) Use the Windows Local System Policy to set policies for the CondorSlotUsers group.

  It's important that this group have the ability to log in without needing the smartcard. But this group does not need to be able to log in interactively; it only needs read/write access to the condor execute directory and the ability to open a socket connection back to the schedd. The CondorSlotUsers group can have VERY few rights.

2) Configure HTCondor to add 'nobody' users to this group when it creates them by setting
   DYNAMIC_RUN_ACCOUNT_LOCAL_GROUP = CondorSlotUsers

3) (maybe needed). Change the permissions on the c:\condor\execute directory so that the CondorSlotUsers group has read/write access.

That's it.

You can get the same effect by creating dedicated slot users rather than a special group, but most of the steps are the same.

1) Use the Windows user management tools to create new users called cndrusr1, cndrusr2, etc.

1a) Use the Windows Local System Policy editor to remove the smartcard requirement for these users. (You can also turn off interactive logins and anything else you like.)

2) Configure HTCondor to use these users rather than the dynamic 'nobody' users.

  SLOT1_USER = cndrusr1
  SLOT2_USER = cndrusr2
  etc.

-tj

________________________________________
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Zach Miller <zmiller@xxxxxxxxxxx>
Sent: Friday, October 2, 2015 11:18 AM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] HTCondor with smartcard logon

> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of Durnan, Andy
> Sent: Friday, October 02, 2015 8:47 AM
> To: htcondor-users@xxxxxxxxxxx
> Subject: [HTCondor-users] HTCondor with smartcard logon
>
> Hello,
>
> All job submissions go idle when smartcard authentication is enforced. I've
> implemented credd per the guidance in the 8.4.0 manual to no avail.

The high-level issue here is that in order to run jobs on the execute machines as a specific user, HTCondor needs to "log in" as that user on the execute machine before running the job.

When you are requiring smartcard logon, HTCondor can no longer do that, even if you have stored the password using the CredD.

One option is to run the jobs as either "nobody" users or "slot users". Check out this section:
 http://research.cs.wisc.edu/htcondor/manual/v8.4/7_2Microsoft_Windows.html

And this one:
 http://research.cs.wisc.edu/htcondor/manual/v8.4/3_3Configuration.html#21746

Basically, if you'll require smartcard logon, jobs will not be allowed to run as their owner. This is normally the default on Windows, so have you changed settings such as STARTER_ALLOW_RUNAS_OWNER?


Cheers,
-zach

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/



--
Andy Durnan, IT Specialist
Wyoming-Montana Water Science Center
521 Progress Circle, Ste 6
Cheyenne WY 82007
(307) 775-9171 (Office)
(307) 757-6464 (Cell)
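The group-based procedure John lays out above (create CondorSlotUsers, move existing condor-slot*/condor-reuse-slot* accounts into it, grant it modify rights on the execute directory, set DYNAMIC_RUN_ACCOUNT_LOCAL_GROUP), written out as a PowerShell script. This is an added example, not code from the thread or from the HTCondor project. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 / Server 2016 or newer; on older hosts the same steps map onto `net localgroup`), that HTCondor is installed under C:\condor with its execute directory at C:\condor\execute, and that local settings live in C:\condor\condor_config.local (assumed path; use whatever your LOCAL_CONFIG_FILE points at). The smart-card and logon-rights policy for the group is still set in the Local Security Policy snap-in (secpol.msc) as John describes; the script does not touch policy.

```powershell
# Added example (not from the HTCondor project or the list posts): automates the
# group-based steps of John's procedure on a single Windows execute node.
# Assumptions, labelled: LocalAccounts cmdlets are present, HTCondor lives in
# C:\condor, local knobs go in C:\condor\condor_config.local (assumed path).
# Smart-card / logon-rights policy for the group is NOT set here; do that in secpol.msc.
#Requires -RunAsAdministrator

param(
    [string] $GroupName   = 'CondorSlotUsers',
    [string] $ExecuteDir  = 'C:\condor\execute',              # HTCondor default install layout
    [string] $LocalConfig = 'C:\condor\condor_config.local'   # assumed local config path
)

# Step 1: create the group if it does not already exist (idempotent re-runs are fine).
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'HTCondor slot run accounts; no interactive logon'
}

# Step 1a: move any existing condor-slot* / condor-reuse-slot* accounts out of
# "Users" and into the new group, so they stop inheriting the rights of Users.
$slotUsers = Get-LocalUser | Where-Object {
    $_.Name -like 'condor-slot*' -or $_.Name -like 'condor-reuse-slot*'
}
foreach ($u in $slotUsers) {
    if (Get-LocalGroupMember -Group 'Users' -Member $u.Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Users' -Member $u.Name
    }
    if (-not (Get-LocalGroupMember -Group $GroupName -Member $u.Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $GroupName -Member $u.Name
    }
}

# Step 3: grant the group Modify on the execute directory only. (OI)(CI) makes files
# and subdirectories the job creates inherit the ACE; nothing else on the box is granted.
if (-not (Test-Path $ExecuteDir)) {
    New-Item -ItemType Directory -Path $ExecuteDir | Out-Null
}
icacls $ExecuteDir /grant "${GroupName}:(OI)(CI)M" | Out-Null

# Step 2: tell HTCondor to put newly created dynamic run accounts in this group.
$knob = "DYNAMIC_RUN_ACCOUNT_LOCAL_GROUP = $GroupName"
$alreadySet = (Test-Path $LocalConfig) -and
              (Select-String -Path $LocalConfig -SimpleMatch 'DYNAMIC_RUN_ACCOUNT_LOCAL_GROUP' -Quiet)
if (-not $alreadySet) {
    Add-Content -Path $LocalConfig -Value $knob
}

# Verification output for the change record: who is in the group, and the ACE it holds.
Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass
icacls $ExecuteDir | Select-String -SimpleMatch $GroupName
```

After running it, restart the condor service so the new knob is read, and finish step 1b in secpol.msc: the group should be able to log on without the smart card but should be in "Deny log on locally" so the slot accounts stay non-interactive. The dedicated-user variant John gives second differs only in creating cndrusr1, cndrusr2, ... with New-LocalUser and writing SLOT1_USER / SLOT2_USER lines instead of the DYNAMIC_RUN_ACCOUNT_LOCAL_GROUP knob; the ACL step is the same.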