Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Authorization issues with version 9.1 after upgrading from 8.8.9 - windows10

Hello,

 

Any comments or suggestions from your side?

Do you need more information?

Thanks,

Fernando

 

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of SCHAPIRA Fernando via HTCondor-users
Sent: Friday, July 16, 2021 13:36
To: htcondor-users@xxxxxxxxxxx
Cc: SCHAPIRA Fernando <fernando.schapira@xxxxxxxxxxxxxxxxxxxx>
Subject: [HTCondor-users] Authorization issues with version 9.1 after upgrading from 8.8.9 - windows10

 

This email is not from Hexagonâs Office 365 instance. Please be careful while clicking links, opening attachments, or replying to this email.

 

Hello,

 

I have upgraded our Pool (CM, Submitter & Nodes) from 8.8.9 to 9.1.

From the logs files was to see that token needed to get the approval for the ID.

After executing the commands as shown below the approval succeeded:

 

#####################################################################################

PS C:\Users\calibration> condor_token_request_auto_approve -netblock 194.11.95.* -lifetime 3600

Successfully installed auto-approval rule for netblock 194.11.95.* with lifetime of 1.00 hours

The following requests remain after auto-approval rule was installed:

==================================================

RequestId = "4470525"

ClientId = "SCHEDD-AHERDSKBLD10-9753"

AuthenticatedIdentity = "AHERDSKBLD10$@lgs-net"

LimitAuthorization = "ADVERTISE_SCHEDD"

RequestedIdentity = "condor@xxxxxxxxxxx"

PeerLocation = "194.11.95.240"

 

RequestId = "3034811"

ClientId = "MASTER-AHERDSKBLD10-32306"

AuthenticatedIdentity = "AHERDSKBLD10$@lgs-net"

RequestedIdentity = "condor@xxxxxxxxxxx"

LimitAuthorization = "ADVERTISE_MASTER"

PeerLocation = "194.11.95.240"

 

==================================================

To approve these requests, please run condor_token_request_approve manually.

PS C:\Users\calibration> condor_token_request_approve reqid 4470525

C:\condor\bin\condor_token_request_approve.exe: Invalid command line argument: reqid

Usage: C:\condor\bin\condor_token_request_approve.exe [-type TYPE] [-name NAME] [-pool POOL] [-reqid ID]

 

Generates a token from a remote daemon and prints its contents to stdout.

 

Token options:

    -reqid <val>                    Token request identity

Specifying target options:

    -pool    <host>                 Query this collector

    -name    <name>                 Find a daemon with this name

    -type    <subsystem>            Type of daemon to contact (default: COLLECTOR)

If not specified, the pool's collector is targeted.

PS C:\Users\calibration> condor_token_request_approve -reqid 4470525

Request contents:

RequestId = "4470525"

ClientId = "SCHEDD-AHERDSKBLD10-9753"

AuthenticatedIdentity = "AHERDSKBLD10$@lgs-net"

RequestedIdentity = "condor@xxxxxxxxxxx"

LimitAuthorization = "ADVERTISE_SCHEDD"

PeerLocation = "194.11.95.240"

 

To approve, please type 'yes'

yes

Request 4470525 approved successfully.

PS C:\Users\calibration> condor_token_request_approve -reqid 3034811

Request contents:

RequestId = "3034811"

ClientId = "MASTER-AHERDSKBLD10-32306"

AuthenticatedIdentity = "AHERDSKBLD10$@lgs-net"

RequestedIdentity = "condor@xxxxxxxxxxx"

LimitAuthorization = "ADVERTISE_MASTER"

PeerLocation = "194.11.95.240"

 

To approve, please type 'yes'

yes

Request 3034811 approved successfully.

PS C:\Users\calibration>

###############################################################################################

 

However after a while the CM reported following:

##############################################################################################################################################################################################

07/16/21 13:22:59 PERMISSION DENIED to AHERDSKBLD10$@lgs-net from host 194.11.95.240 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

07/16/21 13:22:59 DC_AUTHENTICATE: Command not authorized, done!

07/16/21 13:23:41 Got QUERY_STARTD_PVT_ADS

07/16/21 13:23:41 (Sending 0 ads in response to query)

07/16/21 13:23:41 Query info: matched=0; skipped=0; query_time=0.000102; send_time=0.000151; type=MachinePrivate; requirements={true}; locate=0; limit=0; from=COLLECTOR; peer=<194.11.95.126:58749>; projection={}; filter_private_ads=0

07/16/21 13:23:41 QueryWorker: forked new high priority worker with id 4236 ( max 4 active 1 pending 0 )

07/16/21 13:23:41 (Sending 0 ads in response to query)

07/16/21 13:23:41 Query info: matched=0; skipped=6; query_time=0.000159; send_time=0.000151; type=Any; requirements={(((MyType == "Submitter")) || ((MyType == "Machine")))}; locate=0; limit=0; from=COLLECTOR; peer=<194.11.95.126:58750>; projection={}; filter_private_ads=0

07/16/21 13:23:41 QueryWorker: forked new high priority worker with id 4237 ( max 4 active 1 pending 0 )

07/16/21 13:24:22 PERMISSION DENIED to AHERDSKBLD14$@lgs-net from host 194.11.95.190 for command 2 (UPDATE_MASTER_AD), access level ADVERTISE_MASTER: reason: cached result for ADVERTISE_MASTER; see first case for the full reason

07/16/21 13:24:22 DC_AUTHENTICATE: Command not authorized, done!

07/16/21 13:24:31 PERMISSION DENIED to AHERDSKBLD14$@lgs-net from host 194.11.95.190 for command 0 (UPDATE_STARTD_AD), access level ADVERTISE_STARTD: reason: cached result for ADVERTISE_STARTD; see first case for the full reason

07/16/21 13:24:31 DC_AUTHENTICATE: Command not authorized, done!

 

And the submitter:

#############################################################################################################

07/16/21 13:22:59 restarting C:\condor\.\bin\condor_schedd.exe in 3600 seconds

07/16/21 13:22:59 SECMAN: FAILED: Received "DENIED" from server for user AHERDSKBLD10$@lgs-net using method NTSSPI.

07/16/21 13:22:59 ERROR: SECMAN:2010:Received "DENIED" from server for user AHERDSKBLD10$@lgs-net using method NTSSPI.

07/16/21 13:22:59 Collector update failed; will try to get a token request for trust domain 194.11.95.xxx, identity (default).

07/16/21 13:22:59 Failed to start non-blocking update to <194.11.95.xxx:9618>.

07/16/21 13:22:59 Token requested; please ask collector 194.11.95.xxx admin to approve request ID 8680249.

07/16/21 13:23:04 Token requested not yet approved; please ask collector 194.11.95.126 admin to approve request ID 8680249.

07/16/21 13:23:09 Token requested not yet approved; please ask collector 194.11.95.126 admin to approve request ID 8680249.

07/16/21 13:23:14 Token requested not yet approved; please ask collector 194.11.95.126 admin to approve request ID 8680249.

 

As you see I was using NTSSPI, PASSWORD with 8.8.9.

Now with 9.1 Iâm using :

use SECURITY : recommended_v9_0(SYSTEM, Administrator@*, $(INSTALL_USER)@*)

use SECURITY:recommended_v9_0(SYSTEM, Administrator@*)

 

Can you tell why the approval didnât persist.

 

Kind Regards,

Fernando