Bug 675968

Summary: condor mismatches different users on different OSes
Product: Red Hat Enterprise MRG Reporter: Martin Kudlej <mkudlej>
Component: condorAssignee: Timothy St. Clair <tstclair>
Status: CLOSED NOTABUG QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.3CC: iboverma, jneedle, matt, tstclair
Target Milestone: 2.0   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-24 12:36:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Kudlej 2011-02-08 13:20:51 UTC
Description of problem:
This bug is based on bug 608027. Condor mismatches user account which is on submit machine and user account which is on central manager. They are completely different user accounts on different operating systems.

Version-Release number of selected component (if applicable):
condor-7.4.5-0.7

How reproducible:
100%

Steps to Reproduce:
1. set up condor central manager and scheduler on linux
2. set up condor execute node on windows
3. disable authentication (claimtobe for client and default authentication variables)
4. create user with same name/login on both systems - they are different user accounts
5. submit windows job from windows to linux CM by condor_submit.exe -name <schedd> -spool
6. after job is done try to transfer files back to submit machine condor_transfer_data.exe -name <schedd name> <clusterid>
  
Actual results:
Condor mismatches different user accounts which have just the same name/login.

Expected results:
Condor will differ different user accounts which have just the same name/login. So it will allow just users who are authenticated in both operating system by one authentication authority. This can be verified by these scenarios:
1) one authentication authority for both OSes. authentication in condor is enabled. jobs are submitted ok and files are transferred back ok. Condor authenticates user on both sides by one authentication authority.
2) condor authentication is set to file system authentication on both systems and condor will denied submit/transfer files back/run job/...
3) condor authentication is off(claimtobe) and on both OSes are different user accounts. It is possible to submit jobs/transfer files back/run job/...

Comment 1 Matthew Farrellee 2011-02-08 18:00:46 UTC
Is this purely an OS difference issue, or is it a identity domain issue?

Does this appear if the UID_DOMAIN is different for the nodes?

Does this appear if two EL boxes have different passwd files?

Comment 5 Timothy St. Clair 2011-03-21 21:50:30 UTC
From the manual: 

The authentication method, CLAIMTOBE, trusts the identity claimed by a host or
IP address.

Notes:

So in scanning the files, it appears you are testing with CLAIMTOBE?  

In general, CLAIMTOBE does not attempt to validate against a single source, primarily for testing purposes.  If stronger methods are desired, which it appears that is what you are looking for above, then another authentication method should be chosen.  

This appears to be a UID_DOMAIN issue, as CLAIMTOBE will not check against any central authority.  

Could you please elaborate on what your expectations are, and how they differ from existing documentation.