
[HTCondor-users] HTCondor - condor_store_cred fails to store credentials of dedicated account on Windows in 8.6 series



I'm using a setup of HTCondor on Windows which executes jobs using a dedicated user account (SLOT_USER). I can't use the standard "transient" accounts as the user account used for the jobs needs special privileges which I configured for the dedicated account.

I used to register the dedicated account credentials on execution machines using condor_store_cred. This worked fine in Condor version 8.4.x and earlier.

When switching from HTCondor version 8.4.7 to 8.6.4 the setup stopped working though and the condor_store_cred failed to store the credentials of the dedicated account and printed its standard error message:

"Operation failed. Make sure your ALLOW_WRITE setting includes this host."

Digging through the source I found a part which was introduced in the 8.6 series as it seems:

condor-8.6.4/src/condor_utils/store_cred.cpp (line 725): // We don't allow one user to set another user's credential

The code part which follows leads to the failure. As I install condor using my own account which has administrative permissions and register the credentials of the execution account during the installation process, I'm trying to register the credentials of an account I'm not logged in with. I'm curious whether there's a workaround/best practice for such a setup available. For now I have removed the restriction from store_cred.cpp for my setup and recompiled HTCondor but this is not an optimal solution of course.

Additional comment: condor_store_cred seems to know only a single error message: "Operation failed. Make sure your ALLOW_WRITE setting includes this host." It writes this message no matter for what reason an operation fails. This is a bit misleading for a user/admin, as this message often guides in a wrong direction. I had to switch on all debugging (D_ALL) to see a message in the logs saying that the user account was rejected. Then I had to parse the condor source code to find the comment listed above indicating that the operation as such is not allowed. I'd like to suggest that condor_store_cred writes an error message indicating that the operation is not permitted, plus add this information to the HTCondor documentation (preferably with a best practice how to register a dedicated account when installing HTCondor with a different (admin) account).