Condor password authentication (with Windows nodes)

This guide doesn’t let you submit jobs. I’ll get back to you when I’ve sorted that problem.
For simplicity I’m using condor password authentication. It’s reasonably simple to set up once you’ve worked out what’s going on.

Just as a bit of background, I have a Linux central server and Windows nodes. I’m using condor 7.6.0 installed with the .deb package. I recommend you attempt this on a test pool of at least 2 as you will most likely kill it repeatedly. Make sure condor is running on both machines with debugging turned on.

Set up the central server

Condor password authentication uses a single shared password to allow the machines to authenticate each other. This isn’t as good as some of the other options but it is fairly easy to set up.

First things first, set the pool password:

condor_store_cred add -c -f /etc/condor/pool_password

You can change the path, but make sure it’s set to the same path below. Put this code in condor_config somewhere. I’ve put it just before “Network filesystem parameters:”.

SEC_PASSWORD_FILE = /etc/condor/pool_password
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD

You might also need to run:

condor_store_cred add -c add

If this command doesn’t work, make sure you have both write and config access to THIS machine’s condor daemons and that condor is running.

Restart condor

/etc/init.d/condor restart

Set up the nodes

As my nodes are all Windows, I can’t use this (it only exists on Linux machines):

condor_store_cred add -c -f /home/condor/pool_password

To set up the pool password you must use:

condor_store_cred add -c add
condor_store_cred add -u condor_pool@$your.central.server

I’m not sure if the first command is needed but I’d already done it before I ran the second one. I set the password to be the pool password in both cases. If you don’t do this, condor will complain in the MasterLog that the credential for user condor_pool@yourmachine or condor_pool@yourcentralmanager is missing.

If these commands don’t work, make sure you have both write and config access to THIS machine’s condor daemons and that condor is running.

Again put this in condor_config somewhere.

SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD
ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/$(IP_ADDRESS), condor@$(UID_DOMAIN)/$(IP_ADDRESS)
ALLOW_NEGOTIATOR = condor_pool@$(UID_DOMAIN)/$(IP_ADDRESS), condor@$(UID_DOMAIN)/$(IP_ADDRESS)

If condor manages to get past the DC_CHILDALIVE command in the MasterLog then the chances are you have managed to get it working.

Restart condor (sometimes you have to use the Task Manager to kill condor_master.exe)

net stop condor
net start condor

If your nodes are Linux then it’s much the same idea, just set them up the same as the central node.
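
An added example, not part of the original guide or of Condor itself: a small Python check that a condor_config still carries the seven SEC_* settings listed above, with nothing later in the file weakening them. The names parse_config, audit and SAMPLE are hypothetical; it assumes setting names are case-insensitive, that a later assignment overrides an earlier one, and it does not handle line continuations or included files.

```python
import re

# The seven settings the guide adds to condor_config on every machine.
EXPECTED = {
    "SEC_DAEMON_AUTHENTICATION": "REQUIRED",
    "SEC_DAEMON_INTEGRITY": "REQUIRED",
    "SEC_DAEMON_AUTHENTICATION_METHODS": "PASSWORD",
    "SEC_NEGOTIATOR_AUTHENTICATION": "REQUIRED",
    "SEC_NEGOTIATOR_INTEGRITY": "REQUIRED",
    "SEC_NEGOTIATOR_AUTHENTICATION_METHODS": "PASSWORD",
    "SEC_CLIENT_AUTHENTICATION_METHODS": "PASSWORD",
}
# NAME = value, tolerating missing spaces around "="; comment lines never match.
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")

def parse_config(text):
    """Return {NAME: value}; a later assignment replaces an earlier one."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN.match(line)
        if match:
            settings[match.group(1).upper()] = match.group(2)
    return settings

def audit(text):
    """Return one message per setting that differs from the guide."""
    settings = parse_config(text)
    problems = []
    for name, want in EXPECTED.items():
        got = settings.get(name)
        if got is None:
            problems.append(f"{name} is not set")
            continue
        # Method lists may be comma or space separated; PASSWORD must be alone.
        values = [v.upper() for v in re.split(r"[,\s]+", got) if v]
        if values != [want]:
            problems.append(f"{name} = {got!r}, expected {want}")
    return problems

# Constructed sample: the guide's block, then two later lines that weaken it.
SAMPLE = "\n".join(f"{k} = {v}" for k, v in EXPECTED.items()) + """
# constructed local override
sec_daemon_authentication = OPTIONAL
SEC_CLIENT_AUTHENTICATION_METHODS = PASSWORD, CLAIMTOBE
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print(problem)
```

Run it against the text of each machine’s condor_config after editing; an empty result means the block matches the guide.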

Resources

I found some helpful info in the condor manual and here.

One comment

  1. You’ll probably find more on Condor users too.

    https://lists.cs.wisc.edu/archive/condor-users/htdig/search.shtml

    The pool I used to manage had ‘working’ authentication on Windows, but while that was switched on, it rejected all the unix submitted jobs, so I ended up getting rid of that. Therefore, I’m convinced I wasn’t really doing it right. I think some STARTER_ALLOW_RUNAS_OWNER stuff was involved too.
