
[HTCondor-users] Windows, Samba share and Run as owner



Hello,

I'm still in my first trials with HTCondor version :

Z:\test_condor>condor_version
$CondorVersion: 8.4.3 Dec 15 2015 BuildID: 352143 $
$CondorPlatform: x86_64_Windows7 $


and trying to setup a Windows pool.

After my initial issues, I'm now able to properly run a one machine
setup (yeah !) but only when data is stored on the local hard drive.

When trying to access the data on a Samba share (mounted as z: drive),
in order to avoid unnecessary input file copy, I'm facing the fact that
the LocalSystem user is denied access to those shares. It seems that I
have to enable the RunAsOwner feature.

However, despite following the user manual and various web tutorials I
cannot succeed.

I attached the current configuration of condor_config,
condor_config.local and condor_config.local.credd (correctly referenced
from condor_config), all three of which are in c:\condor (default
installation directory).

All the daemons are running (including condor_credd) on the machine
called LUTECE, no NT Domain (only Windows WORKGROUP), under user Mathieu.

I've been trying to add the credentials in the ways found in various
sources, but the command line

Z:\test_condor>condor_status -f "%s\t" Name -f "%s\n" ifThenElse(isUndefined(LocalCredd),\"UNDEF\",LocalCredd)

always returns

slot1@LUTECE    UNDEF
slot2@LUTECE    UNDEF
slot3@LUTECE    UNDEF
slot4@LUTECE    UNDEF
slot5@LUTECE    UNDEF
slot6@LUTECE    UNDEF
slot7@LUTECE    UNDEF
slot8@LUTECE    UNDEF

which leads me to think that those credentials are not applied.

And condor_submit results in idle jobs where condor_q -analyze explains
that requirements are not matched:

Suggestions:

    Condition                         Machines Matched    Suggestion
    ---------                         ----------------    ----------
1   ( .RIGHT.HasWindowsRunAsOwner && ( .RIGHT.LocalCredd is "LUTECE" ) )
                                      0                   REMOVE

HasWindowsRunAsOwner seems well defined, so the issue is the .LocalCredd
which is undefined.

Does someone have any clue ?

Best regards,

Mathieu

-- 
tel : +33 (0)6 87 30 83 59
######################################################################
##
##  condor_config
##
##  This is the global configuration file for condor. This is where
##  you define where the local config file is. Any settings
##  made here may potentially be overridden in the local configuration
##  file.  KEEP THAT IN MIND!  To double-check that a variable is
##  getting set from the configuration file that you expect, use
##  condor_config_val -v <variable name>
##
##  condor_config.annotated is a more detailed sample config file
##
##  Unless otherwise specified, settings that are commented out show
##  the defaults that are used if you don't define a value.  Settings
##  that are defined here MUST BE DEFINED since they have no default
##  value.
##
######################################################################

##  Where have you installed the bin, sbin and lib condor directories?   
RELEASE_DIR = C:\condor

##  Where is the local condor directory for each host?  This is where the local config file(s), logs and
##  spool/execute directories are located. this is the default for Linux and Unix systems.
#LOCAL_DIR = $(TILDE)
##  this is the default on Windows systems
#LOCAL_DIR = $(RELEASE_DIR)

##  Where is the machine-specific local config file for each host?
LOCAL_CONFIG_FILE = $(LOCAL_DIR)\condor_config.local \
                    $(LOCAL_DIR)\condor_config.local.credd
					
##  If your configuration is on a shared file system, then this might be a better default
#LOCAL_CONFIG_FILE = $(RELEASE_DIR)\etc\$(HOSTNAME).local
##  If the local config file is not present, is it an error? (WARNING: This is a potential security issue.)
REQUIRE_LOCAL_CONFIG_FILE = FALSE

##  The normal way to do configuration with RPMs is to read all of the
##  files in a given directory that don't match a regex as configuration files.
##  Config files are read in lexicographic order.
LOCAL_CONFIG_DIR = $(LOCAL_DIR)\config
#LOCAL_CONFIG_DIR_EXCLUDE_REGEXP = ^((\..*)|(.*~)|(#.*)|(.*\.rpmsave)|(.*\.rpmnew))$

##  Use a host-based security policy. By default CONDOR_HOST and the local machine will be allowed
use SECURITY : HOST_BASED
##  To expand your condor pool beyond a single host, set ALLOW_WRITE to match all of the hosts
#ALLOW_WRITE = *.cs.wisc.edu
##  FLOCK_FROM defines the machines that grant access to your pool via flocking. (i.e. these machines can join your pool).
#FLOCK_FROM =
##  FLOCK_TO defines the central managers that your schedd will advertise itself to (i.e. these pools will give matches to your schedd).
#FLOCK_TO = condor.cs.wisc.edu, cm.example.edu

##--------------------------------------------------------------------
## Values set by the condor_configure script:
##--------------------------------------------------------------------

CONDOR_HOST = $(FULL_HOSTNAME)
CREDD_HOST = $(CONDOR_HOST)

STARTER_ALLOW_RUNAS_OWNER = True

SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD

CREDD_CACHE_LOCALLY = True

NETWORK_INTERFACE = 192.168.1.181
COLLECTOR_NAME = ATLAS
FILESYSTEM_DOMAIN = WORKGROUP
UID_DOMAIN = WORKGROUP
TRUST_UID_DOMAIN = True
CONDOR_ADMIN = 
SMTP_SERVER = 
ALLOW_READ = *
ALLOW_WRITE = $(CONDOR_HOST), $(IP_ADDRESS), *@$(CONDOR_HOST), *@$(UID_DOMAIN)
ALLOW_ADMINISTRATOR = $(CONDOR_HOST), $(IP_ADDRESS), *@$(CONDOR_HOST)
ALLOW_CONFIG = $(CONDOR_HOST), $(IP_ADDRESS), *@$(CONDOR_HOST)

JAVA = C:\PROGRA~2\Java\JRE18~1.0_6\bin\java.exe
use POLICY : ALWAYS_RUN_JOBS

WANT_VACATE = False
WANT_SUSPEND = False
START = True
SUSPEND = False
CONTINUE = True
PREEMPT = False
KILL = False

JOB_RENICE_INCREMENT = 0
SYSAPI_GET_LOADAVG = False

WANT_VACATE_VANILLA = False
WANT_SUSPEND_VANILLA = False
START_VANILLA = True
SUSPEND_VANILLA = False
CONTINUE_VANILLA = True
PREEMPT_VANILLA = False
KILL_VANILLA = False

NEGOTIATOR_CONSIDER_PREEMPTION = False

DAEMON_LIST = MASTER SCHEDD COLLECTOR NEGOTIATOR STARTD
######################################################################
##
##  condor_config.credd
##
##  This is the default local configuration file for the machine
##  running the condor_credd.  You should copy this file to the
##  appropriate location and customize it for your needs.  
##
######################################################################

## Note: The following settings will need to be present in your
## global config file:
##
##   CREDD_HOST = my-credd.cs.wisc.edu
##   STARTER_ALLOW_RUNAS_OWNER = True
##   CREDD_CACHE_LOCALLY = True
##
## You'll also need to ensure that clients are configured to use
## PASSWORD authentication on any machine that can run jobs as the
## submitting user. For example,
##
##   SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
##
## And finally, you'll need to enable CONFIG-level access for all
## machines in the pool so that the pool password can be stored:
##
##   ALLOW_CONFIG = Administrator@*
##   SEC_CONFIG_NEGOTIATION = REQUIRED
##   SEC_CONFIG_AUTHENTICATION = REQUIRED
##   SEC_CONFIG_ENCRYPTION = REQUIRED
##   SEC_CONFIG_INTEGRITY = REQUIRED
##
## See the "Executing Jobs as the Submitting User" section of the
## Condor manual for further details.

## CREDD_SETTINGS

## CREDD logging settings
## Customize these if you wish.
CREDD_LOG = $(LOG)/CreddLog
CREDD_DEBUG = D_COMMAND
MAX_CREDD_LOG = 50000000

#################################################
## CREDD Expert settings
## Everything below is for the UBER-KNOWLEDGEABLE only!
## Do not change these unless you know what you do!
#################################################


DAEMON_LIST = $(DAEMON_LIST), CREDD
#DC_DAEMON_LIST = \
#MASTER, STARTD, SCHEDD, KBDD, COLLECTOR, NEGOTIATOR, EVENTD, \
#VIEW_SERVER, CONDOR_VIEW, VIEW_COLLECTOR, HAWKEYE, CREDD, HAD, \
#QUILL

CREDD    = $(SBIN)/condor_credd.exe

# Timeout session quickly since we normally only get contacted
# once per starter
SEC_CREDD_SESSION_TIMEOUT = 10


# Set security settings so that full security to the credd is required
CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED 

# Require PASSWORD auth for password fetching
CREDD.SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD

# Only honor password fetch requests to the trusted "condor_pool" user
CREDD.ALLOW_DAEMON = *@$(UID_DOMAIN),*@LUTECE, *

# Require NTSSPI for storing credentials
CREDD.SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI
####################
#
####################
Executable = c:\lastools\bin\laszip.exe
Universe = vanilla
should_transfer_files = NO
transfer_executable = false


initialdir = z:\test_condor
#error = err.$(Process)
#input = in.$(Process)
#output = $(filename).out
log = test.$(Process).log
arguments = -i $(filename)

RunAsOwner=True
queue filename matching files $(initialdir)\*.las
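
Added example, not part of the original post or of HTCondor: a small Python audit that checks the settings named in the condor_config.credd comment block against the posted configuration and flags a bare "*" in the credd authorization list. The parser is a simplified assumption (no macro expansion), the function names are hypothetical, and SAMPLE holds only lines copied from the two files shown above; condor_config.local is not shown on the page, so the effective configuration may differ.

```python
import re

# Global settings the posted condor_config.credd comments ask for (None = any).
REQUIRED = {
    "CREDD_HOST": None, "ALLOW_CONFIG": None,
    "STARTER_ALLOW_RUNAS_OWNER": "TRUE",
    "CREDD_CACHE_LOCALLY": "TRUE",
    "SEC_CLIENT_AUTHENTICATION_METHODS": "PASSWORD",
    **{f"SEC_CONFIG_{k}": "REQUIRED" for k in
       ("NEGOTIATION", "AUTHENTICATION", "ENCRYPTION", "INTEGRITY")},
}
SAMPLE = r"""
CREDD_HOST = $(CONDOR_HOST)
STARTER_ALLOW_RUNAS_OWNER = True
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
CREDD_CACHE_LOCALLY = True
ALLOW_CONFIG = $(CONDOR_HOST), $(IP_ADDRESS), *@$(CONDOR_HOST)
CREDD.ALLOW_DAEMON = *@$(UID_DOMAIN),*@LUTECE, *
"""  # constructed sample: lines copied from the two files posted above

def parse_config(text):
    """KEY = VALUE lines, '#' comments, backslash continuation; no macros."""
    settings, pending = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[\w.]+", key.strip()):
            settings[key.strip().upper()] = value.strip()  # last one wins
    return settings

def audit(settings):
    findings = []
    for name, expected in REQUIRED.items():
        value = settings.get(name, "")
        if not value:
            findings.append(f"{name}: not set")
        elif expected and expected not in re.split(r"[,\s]+", value.upper()):
            findings.append(f"{name}: expected {expected}, got {value}")
    for name in ("CREDD.ALLOW_DAEMON", "ALLOW_CONFIG"):
        if "*" in re.split(r"[,\s]+", settings.get(name, "")):
            findings.append(f"{name}: bare '*' entry matches every client")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE))))
```

On a live host the authoritative value of each setting comes from condor_config_val -v <variable name>, as the condor_config header notes, since later files can override earlier ones.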