The problem can come from a lot of things, if you take the example of CERN.
In production our nodes use Kerberos 5, and pool accounts need to be in
/etc/security/limits.conf and in /etc/loginusers.
But YAIM cannot manage all the "special" settings of each computing center,
especially when they relate directly to the system (cron, user
management, ldconfig ...). The local security policies and the way to
manage accounts and access to the resources are defined locally.
Lp
On 3 March 05, at 16:07, Ben Waugh wrote:
> In case it helps, I had a similar problem a while ago with pool accounts
> being locked. (This was using my own script, so YAIM was not to blame.)
>
> useradd (at least on the machine I was using) locks accounts by default.
> I unlocked them by replacing !! with * in /etc/shadow, but probably these
> accounts don't need to be in /etc/shadow anyway as they don't need to
> allow user logins.
>
> Cheers,
> Ben
>
> On Thu, 3 Mar 2005, Sangryul Ro wrote:
>
>> I will ask our site manager.
>> The answer will come tomorrow.
>> S.
>>
>> ----- Original Message -----
>> From: "Louis Poncet" <[log in to unmask]>
>> To: <[log in to unmask]>
>> Sent: Thursday, March 03, 2005 3:16 PM
>> Subject: Re: [LCG-ROLLOUT] YAIM congfiguration
>>
>>
>>> My question is how did you unlock the account cms001 ?
>>>
>>> On 3 March 05, at 15:02, Sangryul Ro wrote:
>>>
>>>> Our site manager submitted a job on cluster50.
>>>> And as shown on the first line, it said
>>>>> Mar 3 05:03:00 cluster50 sshd[28094]: User cms001 not allowed because account is locked.
>>>>
>>>> Cheers, Sangryul Ro
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Louis Poncet" <[log in to unmask]>
>>>> To: <[log in to unmask]>
>>>> Sent: Thursday, March 03, 2005 2:52 PM
>>>> Subject: Re: [LCG-ROLLOUT] YAIM congfiguration
>>>>
>>>>
>>>> What do you mean by locked ?
>>>> What is the action you did exactly ?
>>>>
>>>> On 3 March 05, at 14:49, Sangryul Ro wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> Marco reported an error during an installation job in our RC shown
>>>>> below.
>>>>>
>>>>> #############################################################
>>>>> Event: Done
>>>>> - exit_code = 1
>>>>> - host = prod-rb-01.pd.infn.it
>>>>> - level = SYSTEM
>>>>> - priority = asynchronous
>>>>> - reason = Cannot read JobWrapper output, both from
>>>>> Condor and from Maradona.
>>>>> <---------------------------------------
>>>>> - seqcode =
>>>>>
>>>>> UI=000003:NS=0000000003:WM=000004:BH=0000000000:JSS=000003:
>>>>> LM=000007:
>>>>> LRMS=000000:APP=000000
>>>>> - source = LogMonitor
>>>>> - src_instance = unique
>>>>> - status_code = FAILED <---------------------------
>>>>> - timestamp = Tue Feb 22 17:54:31 2005
>>>>> - user = /C=IT/O=INFN/OU=Personal
>>>>> Certificate/L=Padova/CN=Marco [log in to unmask]
>>>>> ##############################################################
>>>>>
>>>>> It seems that an ssh problem causes this Maradona problem.
>>>>> There is an ssh problem from WN to CE.
>>>>> Pool accounts are locked.
>>>>> When we submitted a job on cluster50.knu.ac.kr, we got the following error.
>>>>> ##################################################################
>>>>> Mar 3 05:03:00 cluster50 sshd[28094]: User cms001 not allowed because account is locked
>>>>> Mar 3 05:03:00 cluster50 xinetd[3537]: START: shell pid=28096
>>>>> from=155.230.20.100
>>>>>
>>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] summary:
>>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] Sorry, no accounting
>>>>> information is collected from this type of batch system at the
>>>>> moment
>>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] -- end of summary
>>>>> ################################################################
>>>>>
>>>>> We unlocked the cms001 account, and it was fixed. But we need to unlock
>>>>> every pool account.
>>>>> Pool accounts are generated automatically by yaim.
>>>>> We don't know why they are locked.
>>>>>
>>>>> The job finally failed to run.
>>>>> It seems to repeat infinitely, and when the proxy expired, it was
>>>>> aborted.
>>>>>
>>>>> Can anybody give me some hint for this problem?
>>>>>
>>>>> Cheers, Sangryul Ro
>>>>>
>>>> --
>>>> Louis Poncet
>>>> Where: Bat28-R-003 CERN
>>>> CH-1211 Geneve 23
>>>> Mail : [log in to unmask]
>>>> Phone: +41(0)227.674.231
>>>> LAL / IN2P3 / CNRS / CERN
>>>> Problem >> RTFM then google it !
>>>>
>>> --
>>> Louis Poncet
>>> Where: Bat28-R-003 CERN
>>> CH-1211 Geneve 23
>>> Mail : [log in to unmask]
>>> Phone: +41(0)227.674.231
>>> LAL / IN2P3 / CNRS / CERN
>>> Problem >> RTFM then google it !
>>
>
> --
> Dr Ben Waugh Tel. +44 (0)20 7679
> 3783
> Dept of Physics and Astronomy Internal: 33783
> University College London
> London WC1E 6BT
>
--
Louis Poncet
Where: Bat28-R-003 CERN
CH-1211 Geneve 23
Mail : [log in to unmask]
Phone: +41(0)227.674.231
LAL / IN2P3 / CNRS / CERN
Problem >> RTFM then google it !
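
An added example, not part of the original thread and not YAIM code: a small audit that finds pool accounts whose /etc/shadow password field carries the lock prefix described above and correlates them with the sshd "account is locked" message. The sample data, the pool naming pattern (VO name plus three digits) and the function names are assumptions made for illustration.

```python
import re

# Constructed shadow(5)-style sample; hashes are placeholders, not real data.
SAMPLE_SHADOW = """\
root:$6$placeholder$placeholder:12845:0:99999:7:::
cms001:!!:12845:0:99999:7:::
cms002:!!:12845:0:99999:7:::
atlas001:*:12845:0:99999:7:::
dteam001:!$1$placeholder$placeholder:12845:0:99999:7:::
dteam002::12845:0:99999:7:::
"""
# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Mar  3 05:03:00 cluster50 sshd[28094]: User cms001 not allowed because account is locked
Mar  3 05:04:10 cluster50 sshd[28101]: User dteam001 not allowed because account is locked
"""
POOL_RE = re.compile(r"^[a-z]+\d{3}$")  # assumed pool naming: VO name + 3 digits
DENY_RE = re.compile(r"sshd\[\d+\]: User (\S+) not allowed because account is locked")

def classify(pw_field):
    """Map a shadow password field to a coarse state."""
    if pw_field.startswith("!"):
        return "locked"          # '!' or '!!' prefix: sshd may refuse the login
    if pw_field == "*":
        return "no-password"     # no password can match, but not marked locked
    if pw_field == "":
        return "EMPTY"           # passwordless account: always worth flagging
    return "password-set"

def audit_pool_accounts(shadow_text):
    """Return {account: state} for pool accounts found in shadow-format text."""
    states = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not POOL_RE.match(fields[0]):
            continue             # skip malformed lines and non-pool accounts
        states[fields[0]] = classify(fields[1])
    return states

def correlate(shadow_text, log_text):
    """Split locked pool accounts into those already failing and those that will."""
    locked = {u for u, s in audit_pool_accounts(shadow_text).items() if s == "locked"}
    denied = set(DENY_RE.findall(log_text))
    return {"failing_now": sorted(locked & denied),
            "locked_not_yet_seen": sorted(locked - denied)}

if __name__ == "__main__":
    print(audit_pool_accounts(SAMPLE_SHADOW))
    print(correlate(SAMPLE_SHADOW, SAMPLE_LOG))
```

To check a real node, pass the contents of /etc/shadow and the sshd log to the same functions (reading /etc/shadow requires root).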