Thanks for all the comments.
Our site manager used this command to unlock the spool password:
/usr/bin/passwd -u -f cms001
It may possibly cause a security problem.
And I wonder whether it is a proper solution for the ssh host-based
authorization problem.
Cheers, Sangryul Ro
----- Original Message -----
From: "Louis Poncet" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, March 03, 2005 4:22 PM
Subject: Re: [LCG-ROLLOUT] YAIM congfiguration
> The problem can come from a lot of things if you take the example of CERN.
> In production our nodes use Kerberos 5, pool accounts need to be in
> /etc/security/limits.conf and in /etc/loginusers.
>
> But YAIM cannot manage all "special" settings of each computing center,
> especially when it is related to the system directly (cron, user
> management, ldconfig ...). The local security politics and the way to
> manage accounts and access to the resources are defined locally.
>
> Lp
>
> On 3 mars 05, at 16:07, Ben Waugh wrote:
>
> > In case it helps, I had a similar problem a while ago with pool accounts
> > being locked. (This was using my own script, so YAIM was not to blame.)
> >
> > useradd (at least on the machine I was using) locks accounts by default.
> > I unlocked them by replacing !! with * in /etc/shadow, but probably these
> > accounts don't need to be in /etc/shadow anyway as they don't need to
> > allow user logins.
> >
> > Cheers,
> > Ben
> >
> > On Thu, 3 Mar 2005, Sangryul Ro wrote:
> >
> >> I will ask our site manager.
> >> The answer will come tomorrow.
> >> S.
> >>
> >> ----- Original Message -----
> >> From: "Louis Poncet" <[log in to unmask]>
> >> To: <[log in to unmask]>
> >> Sent: Thursday, March 03, 2005 3:16 PM
> >> Subject: Re: [LCG-ROLLOUT] YAIM congfiguration
> >>
> >>
> >>> My question is how did you unlock the account cms001 ?
> >>>
> >>> On 3 mars 05, at 15:02, Sangryul Ro wrote:
> >>>
> >>>> Our site manager submitted a job on cluster50.
> >>>> And as shown on the first line, it said
> >>>>> Mar 3 05:03:00 cluster50 sshd[28094]: User cms001 not allowed
> >>>>> because
> >>>>> account is locked.
> >>>>
> >>>> Cheers, Sangryul Ro
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>> From: "Louis Poncet" <[log in to unmask]>
> >>>> To: <[log in to unmask]>
> >>>> Sent: Thursday, March 03, 2005 2:52 PM
> >>>> Subject: Re: [LCG-ROLLOUT] YAIM congfiguration
> >>>>
> >>>>
> >>>> What do you mean by locked ?
> >>>> What is the action you did exactly ?
> >>>>
> >>>> On 3 mars 05, at 14:49, Sangryul Ro wrote:
> >>>>
> >>>>> Hello!
> >>>>>
> >>>>> Marco reported an error during an installation job in our RC shown
> >>>>> below.
> >>>>>
> >>>>> #############################################################
> >>>>> Event: Done
> >>>>> - exit_code = 1
> >>>>> - host = prod-rb-01.pd.infn.it
> >>>>> - level = SYSTEM
> >>>>> - priority = asynchronous
> >>>>> - reason = Cannot read JobWrapper output, both from
> >>>>> Condor and from Maradona.
> >>>>> <---------------------------------------
> >>>>> - seqcode =
> >>>>>
> >>>>> UI=000003:NS=0000000003:WM=000004:BH=0000000000:JSS=000003:
> >>>>> LM=000007:
> >>>>> LRMS=000000:APP=000000
> >>>>> - source = LogMonitor
> >>>>> - src_instance = unique
> >>>>> - status_code = FAILED <---------------------------
> >>>>> - timestamp = Tue Feb 22 17:54:31 2005
> >>>>> - user = /C=IT/O=INFN/OU=Personal
> >>>>> Certificate/L=Padova/CN=Marco [log in to unmask]
> >>>>> ##############################################################
> >>>>>
> >>>>> It seems that an ssh problem causes this Maradona problem.
> >>>>> There is an ssh problem from WN to CE.
> >>>>> Pool accounts are locked.
> >>>>> When we submitted a job on cluster50.knu.ac.kr, we got the following
> >>>>> error.
> >>>>> ##################################################################
> >>>>> Mar 3 05:03:00 cluster50 sshd[28094]: User cms001 not allowed
> >>>>> because
> >>>>> account is locked
> >>>>> Mar 3 05:03:00 cluster50 xinetd[3537]: START: shell pid=28096
> >>>>> from=155.230.20.100
> >>>>>
> >>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] summary:
> >>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] Sorry, no accounting
> >>>>> information is collected from this type of batch system at the
> >>>>> moment
> >>>>> Mar 3 10:48:46 cluster50 gridinfo: [1058-1058] -- end of summary
> >>>>> ################################################################
> >>>>>
> >>>>> We unlocked the cms001 account, and it was fixed. But we need to
> >>>>> unlock every pool account.
> >>>>> Pool accounts are generated automatically by YAIM.
> >>>>> We don't know why they are locked.
> >>>>>
> >>>>> The job finally failed to run.
> >>>>> It seems to repeat infinitely, and when the proxy expired, it was
> >>>>> aborted.
> >>>>>
> >>>>> Can anybody give me a hint for this problem?
> >>>>>
> >>>>> Cheers, Sangryul Ro
> >>>>>
> >>>> --
> >>>> Louis Poncet
> >>>> Where: Bat28-R-003 CERN
> >>>> CH-1211 Geneve 23
> >>>> Mail : [log in to unmask]
> >>>> Phone: +41(0)227.674.231
> >>>> LAL / IN2P3 / CNRS / CERN
> >>>> Problem >> RTFM then google it !
> >>>>
> >>> --
> >>> Louis Poncet
> >>> Where: Bat28-R-003 CERN
> >>> CH-1211 Geneve 23
> >>> Mail : [log in to unmask]
> >>> Phone: +41(0)227.674.231
> >>> LAL / IN2P3 / CNRS / CERN
> >>> Problem >> RTFM then google it !
> >>
> >
> > --
> > Dr Ben Waugh Tel. +44 (0)20 7679 3783
> > Dept of Physics and Astronomy Internal: 33783
> > University College London
> > London WC1E 6BT
> >
> --
> Louis Poncet
> Where: Bat28-R-003 CERN
> CH-1211 Geneve 23
> Mail : [log in to unmask]
> Phone: +41(0)227.674.231
> LAL / IN2P3 / CNRS / CERN
> Problem >> RTFM then google it !
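
Added example, not part of the original thread: a small audit of the password field in shadow-format lines, separating the three states this thread discusses for pool accounts (the `!!` that useradd leaves, the `*` Ben substituted, and an empty field). The sample entries are constructed, and the comment that a forced unlock of a `!!` entry leaves the field empty is an assumption about Red Hat-style passwd behaviour, not something the thread states.

```shell
#!/bin/sh
# Classify the second field of a shadow(5) entry.
classify_field() {
    case "$1" in
        '')   echo "EMPTY" ;;    # no password at all: the risky state
        '!'*) echo "LOCKED" ;;   # "!" or "!!" prefix: account locked
        '*')  echo "NOLOGIN" ;;  # no valid hash, but not marked locked
        '$'*) echo "HASH" ;;     # crypt(3)-style password hash
        *)    echo "OTHER" ;;
    esac
}

# Read shadow-format lines on stdin and print "name STATE" for every
# account whose name starts with the prefix given as $1 (e.g. "cms").
audit_shadow() {
    prefix=$1
    while IFS=: read -r name field rest; do
        case "$name" in
            "$prefix"*)
                printf '%s %s\n' "$name" "$(classify_field "$field")" ;;
        esac
    done
}

# Constructed sample data (not taken from any real host):
#   cms001  empty field, assumed result of "passwd -u -f" on a "!!" entry
#   cms002  "!!" as left by useradd
#   cms003  "*" as in the manual /etc/shadow edit described in the thread
sample_shadow() {
    cat <<'EOF'
root:$1$constructed$notarealhashvalue000000:12845:0:99999:7:::
cms001::12845:0:99999:7:::
cms002:!!:12845:0:99999:7:::
cms003:*:12845:0:99999:7:::
EOF
}

# Demo run on the constructed sample. On a real host, as root:
#   audit_shadow cms < /etc/shadow
sample_shadow | audit_shadow cms
```

Any pool account reported as EMPTY can authenticate with a blank password wherever password logins are permitted, so those entries are the ones to review first.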