[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [condor-users] Setting up creds for SYSTEM user, Windows

> We've moved to 6.6.1 but had to resort to submitting the Condor jobs
> manually and I suspect it's the creds that is needed for submitters. How can
> I set up the credentials for the SYSTEM user (assuming that this is my
> problem)?

Assuming the SYSTEM user is the account running condor_submit, that is
likely your problem, although I'm surprised that the webserver you're
using wouldn't attempt to separate the privileges of the webserver from
any commands that are run underneath it. 

That said, there's no way for you to set the password on the SYSTEM
account, so there's no way for you to store its credentials. But you
really shouldn't be submitting jobs as SYSTEM anyways (just as you
wouldn't want to submit jobs as root on unix either).

My suggestion would be to either:

(1) configure the webserver to spawn processes as some account other than
SYSTEM (for example, I understand that IIS spawns additional processes
as some kind of IWAM_<servername> account, and the password for this
account should be easy to get/set and hand off to condor_store_cred).

(2) use runas or some such to run condor_submit under some account
that you create on the system for this purpose. This has a few snags,
depending on what tool you use:

	a. runas won't take passwords non-interactively, although
	starting in XP you can call it with the /SAVECRED option and it
	will at least only prompt you for your password the first time
	you run it.

	b. cmdasuser (
	http://www.develop.com/kbrown/security/code/cmdasuser.zip )
	works great, but its hard-coded to only start cmd.exe. I have
	a patch which allows it to run anything off the command line,
	which I will post if there's interest.

> I don't get any error messages, is there a log that logs failures
> due to credentials? 

condor_submit (from 6.5.x and above) should fail right away with
an error message if the credential of the submitting user is not
stored. 'condor_store_cred query' will also tell you if the credentials
for the current account are stored.

Let us know if you continue to have problems.

Condor Support Information:
To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
unsubscribe condor-users <your_email_address>