
Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool



Thanks for the info.  If you want to run condor_store_cred add -c, you do need to have ALLOW_CONFIG on Windows. 

If you add this to your config

ALLOW_CONFIG = jakobeit@*

And then run condor_reconfig, you should be able to add a pool password for your Windows node.

But like I said before, unlike Linux, where the pool password and the primary IDTOKEN signing key are allowed to be the same file, on Windows the pool password is not a file, so it can't be the IDTOKEN signing key.

As for creating a token and adding it to your SEC_TOKEN_SYSTEM_DIRECTORY, that should work for authorizing daemons, but tools like condor_status will never look in that directory when run as a user, so it doesn't help if you need to authorize condor_status.

In 9.0.1, tools will look for tokens in the current user's private token directory.  You could put that token file into %USERPROFILE%\.condor\tokens.d so it will be found by condor_status.

-tj
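
[Added example, not part of the original message or of HTCondor's own documentation: one way to place a token where user-run tools such as condor_status look for it, as described above. The source token file name is a hypothetical placeholder; the directories are the ones named in this thread.]

```powershell
# Added example. $SourceToken is a hypothetical placeholder: point it at the
# token file you created with condor_token_create.
$SourceToken  = 'C:\condor\tokens.d\example-token'
# Per-user token directory named in the reply above.
$UserTokenDir = Join-Path $env:USERPROFILE '.condor\tokens.d'

if (-not (Test-Path -LiteralPath $SourceToken -PathType Leaf)) {
    throw "Token file not found: $SourceToken"
}

# Create the per-user directory if it does not exist yet.
New-Item -ItemType Directory -Path $UserTokenDir -Force | Out-Null

# Copy the token under its original file name.
$Dest = Join-Path $UserTokenDir (Split-Path -Leaf $SourceToken)
Copy-Item -LiteralPath $SourceToken -Destination $Dest -Force

# An IDTOKEN is a bearer credential: anyone who can read the file can use it.
# Drop inherited ACEs and leave full control to the current user only.
$Me = "$env:USERDOMAIN\$env:USERNAME"
icacls $UserTokenDir /inheritance:r /grant:r "${Me}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $UserTokenDir" }
icacls $Dest /inheritance:r /grant:r "${Me}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Dest" }

# Show the resulting ACL so it can be checked by eye.
icacls $Dest

# List the tokens the current user's tools can find, then retry the query
# that failed with "TOKEN: No token found."
condor_token_list
condor_status -debug
```

Run this as the user who will call condor_status, not from a session under a different account, since %USERPROFILE% decides which directory is used.
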


From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Darius Jakobeit <jakobeit@xxxxxxxxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 8, 2021 5:24 AM
To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
Subject: Re: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
 
Hello John,

first of all thanks for your effort in helping me.

The output of "condor_config_val -summary" is the following:

PS C:\Windows\system32>  condor_config_val -summary
# condor_config_val $CondorVersion: 9.0.2 May 09 2021 BuildID: 540227 DAILY $

#
# from C:\condor\condor_config
#
RELEASE_DIR = C:\condor
LOCAL_CONFIG_FILE = $(LOCAL_DIR)\condor_config.local
LOCAL_CONFIG_DIR = $(LOCAL_DIR)\config
ALLOW_ADMINISTRATOR = SYSTEM@* condor_pool@* Administrator@* jakobeit@*
ALLOW_DAEMON = SYSTEM@*  condor_pool@*
ALLOW_NEGOTIATOR = SYSTEM@* condor_pool@*
ALLOW_READ = *
ALLOW_WRITE = *
SEC_DEFAULT_AUTHENTICATION = required
SEC_DEFAULT_ENCRYPTION = required
SEC_DEFAULT_INTEGRITY = required
SEC_READ_AUTHENTICATION = OPTIONAL
SEC_READ_ENCRYPTION = OPTIONAL
SEC_READ_INTEGRITY = OPTIONAL
SECURITY_MODEL = 9.0
INSTALL_USER = jakobeit
CONDOR_HOST = 131.234.172.154
CLAIM_WORKLIFE =
CONTINUE = ($(CPUIdle) && ($(ActivityTimer) > 10) && (KeyboardIdle > $(ContinueIdleTime)))
IS_OWNER = (START =?= False)
MaxJobRetirementTime = 0
PREEMPT = (((Activity == "Suspended") && ($(ActivityTimer) > $(MaxSuspendTime))) || (SUSPEND && (WANT_SUSPEND == False)))
START = ((KeyboardIdle > $(StartIdleTime)) && ( $(CPUIdle) || (State != "Unclaimed" && State != "Owner")) )
SUSPEND = ($(KeyboardBusy) || ( (CpuBusyTime > 120) && $(ActivationTimer) > 90))
WANT_SUSPEND = ($(SmallJob) || $(KeyboardNotBusy) || $(IsVanilla) ) && ( $(SUSPEND))
WANT_VACATE = $(ActivationTimer) > 600 || $(IsVanilla)
DAEMON_LIST = MASTER STARTD KBDD

There is a tokens.sk and a tokens.d directory. From what I have 
gathered from your mail I should use an IDTOKEN authentication to join 
the Windows node into the existing Linux node.
I have tried to follow this guide: 
https://htcondor.readthedocs.io/en/latest/admin-manual/security.html#token-authentication
I have generated a new token using condor_token_create -identity -file 
and saved the file in both SEC_TOKEN_SYSTEM_DIRECTORYs (since I wasn't 
sure whether to do it only for the user). However, that didn't change 
anything for my problem.

Whatever I am trying I get the following:
PS C:\Windows\system32> condor_status -debug
06/08/21 11:43:01 TOKEN: No token found.
06/08/21 11:43:01 SECMAN: required authentication with collector at <131.234.172.154:9618> failed, so aborting command QUERY_STARTD_ADS.
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using IDTOKENS

It says "No token found" even though there are tokens in the 
SEC_TOKEN_SYSTEM_DIRECTORY. It is also definitely defined:

PS C:\Windows\system32> condor_config_val -v SEC_TOKEN_SYSTEM_DIRECTORY
SEC_TOKEN_SYSTEM_DIRECTORY = C:\condor\tokens.d
  # at: <Default>
  # raw: SEC_TOKEN_SYSTEM_DIRECTORY = $(RELEASE_DIR)\tokens.d

Maybe I still have some basic misunderstanding regarding the whole 
authentication process. Do you see what I did incorrectly?

Cheers,
Darius


> Date: Mon, 7 Jun 2021 14:39:14 +0000
> From: John M Knoeller <johnkn@xxxxxxxxxxx>
> To: "htcondor-users@xxxxxxxxxxx" <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] Adding a Windows node to an existing
>        Linux-Pool
> Message-ID:
>        <BYAPR06MB5543A15618879F1D6E323B7296389@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> Content-Type: text/plain; charset="us-ascii"
>
> The Windows installer should have given the user that ran the 
> installer ADMINISTRATOR access.   Let's check that.   Please run
>
> condor_config_val -summary
>
> On your windows box and post the output.
>
> The Windows installer should also have created a tokens.d directory 
> and a tokens.sk directory under the directory where HTCondor is 
> installed (usually C:\Condor).   On Windows, the tokens.sk directory 
> is where HTCondor looks for IDTOKEN signing keys,  so this directory 
> is the equivalent of passwords.d on a Linux machine for IDTOKEN auth 
> (but not for PASSWORD auth).
>
> You should not need to store a pool password on a Windows machine 
> unless you intend to use PASSWORD authentication between daemons.   
> Unlike on Linux, HTCondor Windows never uses the pool password as 
> part of IDTOKEN authentication because the pool password on Windows 
> is actually stored in the registry.
>
> To use IDTOKEN authentication, it should be sufficient for whatever 
> machine is running the condor_collector to have authorization for 
> the Windows machine to join the pool.
>
> If you want to be able to issue tokens from the Windows machine, you 
> can copy the POOL file from passwords.d on one of your Linux hosts 
> to tokens.sk on the Windows machine.
>
> If you want to investigate why  condor_store_cred add -c   is not 
> working, try adding this to your condor_config.local file.
>
> ALL_DEBUG = $(ALL_DEBUG) D_CAT
> debug_cmd = D_FULLDEBUG D_SECURITY:1 D_COMMAND:1
> MASTER_DEBUG = $(MASTER_DEBUG) $(debug_cmd)
> TOOL_DEBUG = $(TOOL_DEBUG)  $(debug_cmd)
>
> Then run
>     condor_store_cred add -c -debug
>
> And look at the debug output of this command as well as the 
> MasterLog for that same time period.
>
> -tj
>
>
> ________________________________
> From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf 
> of Darius Jakobeit <jakobeit@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Friday, June 4, 2021 7:45 AM
> To: htcondor-users@xxxxxxxxxxx <htcondor-users@xxxxxxxxxxx>
> Subject: [HTCondor-users] Adding a Windows node to an existing Linux-Pool
>
> Hello everyone,
>
> I am currently trying to wrap my head around how to add a Windows 10
> node to an existing Linux-Pool (Ubuntu 20.04, HTCondor V. 9.0.0).
>
> How did I set up the Linux pool? I followed the instructions here:
> https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/admin-quick-start.html#admin-quick-start-guide
>
> Using the get_htcondor script with a GET_HTCONDOR_PASSWORD. That
> worked like a charm. Now I want to add another execute node which is
> using the Windows 10 operating system. For that I installed HTCondor
> there using these instructions:
> https://htcondor.readthedocs.io/en/v9_0/getting-htcondor/install-windows-as-administrator.html#admin-install-windows-pool
>
> Now the problem here is, that I couldn't enter any HTCondor password
> during the steps in the GUI. A following "condor_status" in powershell
> gave me some authentication errors. From how I have understood the
> manual I think I am supposed to set the pool password with
> "condor_store_cred add -c". However, when I am trying to set the pool
> password with this command I am getting the following error:
>
> "Operation failed. Make sure you have CONFIG access to the target Master."
>
> Can anybody help me here?
>
> Cheers,
> Darius
