[slurm-users] Secondary Unix group id of users not being issued in interactive srun command

Ratnasamy, Fritz

Jan 28, 2022, 12:56:47 AM
to Slurm User Community List, James Millsap
Hi,

I have a similar issue to the one described at the following link (https://groups.google.com/g/slurm-users/c/6SnwFV-S_Nk).
A machine had some existing local permissions. We have added it as a compute node to our cluster via Slurm. When running an srun interactive session on that server, it would seem that the LDAP groups shadow the local groups.
johndoe@ecolonnelli:~ $ groups
Faculty_Collab ecolonnelli_access #Those are LDAP groups
johndoe@ecolonnelli:~ $ groups johndoe
johndoe : Faculty_Collab projectsbrasil core rais rfb polconnfirms johndoe vpce rfb_all backup_johndoe ecolonnelli_access

The issue is that now the user cannot access folders that have his local group permissions (such as projectsbrasil, rais, rfb, core, etc.) when he requests an interactive session on that compute node.
Is there any solution to that issue?
Best,

Fritz Ratnasamy
Data Scientist
Information Technology
The University of Chicago
Booth School of Business
5807 S. Woodlawn
Chicago, Illinois 60637
Phone: +(1) 773-834-4556

Rémi Palancher

Jan 28, 2022, 3:04:53 AM
to Slurm User Community List
On Friday, January 28, 2022 at 06:56, Ratnasamy, Fritz <fritz.r...@chicagobooth.edu> wrote:

> Hi,
>
> I have a similar issue as described on the following link (https://groups.google.com/g/slurm-users/c/6SnwFV-S_Nk) A machine had some existing local permissions. We have added it as a compute node to our cluster via Slurm. When running an srun interactive session on that server, it would seem that the LDAP groups shadow the local groups.
>
> johndoe@ecolonnelli:~ $ groups
>
> Faculty_Collab ecolonnelli_access #Those are LDAP groups
>
> johndoe@ecolonnelli:~ $ groups johndoe
>
> johndoe : Faculty_Collab projectsbrasil core rais rfb polconnfirms johndoe vpce rfb_all backup_johndoe ecolonnelli_access

The difference between the first and the second command could be the UID used for the resolution. The first command calls the getgroups() syscall using the UID of the shell. The second command resolves johndoe's UID through the nsswitch stack, then looks up the groups of this UID.

Do you have johndoe declared in both local /etc/passwd and LDAP directory with different UID?

Do `id` and `id johndoe` return the same UID?

--
Rémi Palancher
Rackslab: Open Source Solutions for HPC Operations
https://rackslab.io
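
The comparison described in the reply above, between the groups a process already holds and a fresh lookup through NSS, as an added example that is not part of the original thread. The function names are hypothetical, and the sample lists are the group names from the two `groups` outputs quoted in the thread.

```python
import grp
import os
import pwd

# Group names copied from the two `groups` outputs quoted in this thread.
THREAD_PROCESS = ["Faculty_Collab", "ecolonnelli_access"]
THREAD_NSS = ["Faculty_Collab", "projectsbrasil", "core", "rais", "rfb",
              "polconnfirms", "johndoe", "vpce", "rfb_all", "backup_johndoe",
              "ecolonnelli_access"]


def missing_from_process(process_groups, nss_groups):
    """Groups NSS resolves for the user that the process does not hold."""
    return sorted(set(nss_groups) - set(process_groups))


def gid_name(gid):
    """Best-effort GID to name; a GID may have no entry in any NSS source."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return "?"


def audit_current_process():
    """Compare this process's credentials with a fresh NSS lookup."""
    try:
        user = pwd.getpwuid(os.getuid())
    except KeyError:
        return None  # the UID itself is not resolvable through NSS
    held = set(os.getgroups()) | {os.getgid()}            # getgroups(2)
    resolved = os.getgrouplist(user.pw_name, user.pw_gid)  # getgrouplist(3)
    return [(gid, gid_name(gid)) for gid in missing_from_process(held, resolved)]


if __name__ == "__main__":
    print("thread sample:", missing_from_process(THREAD_PROCESS, THREAD_NSS))
    gaps = audit_current_process()
    if gaps is None:
        print("current UID has no passwd entry")
    for gid, name in gaps or []:
        print(f"resolved by NSS but not held by this process: {gid}({name})")
    if gaps == []:
        print("process credentials match the NSS lookup")
```

Run inside the srun session, any GID it prints is one the job step was started without.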


Ratnasamy, Fritz

Jan 28, 2022, 12:13:49 PM
to Rémi Palancher, Slurm User Community List, James Millsap
Hi Remi,

Yes, it does return the same id. See below:
johndoe@ecolonnelli:~ $ id
uid=71953(johndoe) gid=100026(Faculty_Collab) groups=100026(Faculty_Collab),100181(ecolonnelli_access)
johndoe@ecolonnelli:~ $ id johndoe
uid=71953(johndoe) gid=100026(Faculty_Collab) groups=100026(Faculty_Collab),1000(projectsbrasil),1003(core),1549(rais),1550(rfb),1552(polconnfirms),1558(vpce),1559(rfb_all),1563(johndoe),100181(ecolonnelli_access)



Walls, Mitchell

Jan 28, 2022, 1:01:38 PM
to Slurm User Community List
Do you see the uid in /sys/fs/cgroup? (i.e. find /sys/fs/cgroup -name "*71953*"). If not, that could point to cgroup config.


Ratnasamy, Fritz

Jan 28, 2022, 6:00:37 PM
to Slurm User Community List, James Millsap, Rémi Palancher
Hi Mitchell, Remi,

This is what the command find /sys/fs/cgroup -name "*71953*" returned:
/sys/fs/cgroup/freezer/slurm/uid_71953
/sys/fs/cgroup/devices/slurm/uid_71953
/sys/fs/cgroup/cpuset/slurm/uid_71953
/sys/fs/cgroup/cpu,cpuacct/slurm/uid_71953
/sys/fs/cgroup/memory/slurm/uid_71953

Do you have any idea what could cause the issue?
Thanks, 



Russell Jones

Jan 31, 2022, 10:16:59 AM
to Slurm User Community List, James Millsap
I solved this issue by adding a group to IPA that matched the same name and GID of the local groups, then using [SUCCESS=merge] in nsswitch.conf for groups, and on our CentOS 8 nodes adding "enable_files_domain = False" in the sssd.conf file.

Timo Rothenpieler

Jan 31, 2022, 10:28:39 AM
to Slurm User Community List, Ratnasamy, Fritz, James Millsap
Make sure you properly configured nsswitch.conf.
Most commonly this kind of issue indicates that you forgot to define
initgroups correctly.

It should look something like this:

...
group: files [SUCCESS=merge] systemd [SUCCESS=merge] ldap
...
initgroups: files [SUCCESS=continue] ldap
...
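
A check for the initgroups advice above, as an added example that is not part of the original post: it parses nsswitch.conf text and reports when the initgroups lookup would skip a needed source. The function names and the `required` parameter are hypothetical; the check relies on glibc's default action of `return` on SUCCESS and on its fallback to the group line when no initgroups line exists.

```python
import re

# Constructed sample: initgroups has no action, so SUCCESS defaults to return.
SAMPLE_STOPS_EARLY = """\
group: files [SUCCESS=merge] systemd [SUCCESS=merge] ldap
initgroups: files ldap
"""
# The two lines suggested in the post above.
SAMPLE_SUGGESTED = """\
group: files [SUCCESS=merge] systemd [SUCCESS=merge] ldap
initgroups: files [SUCCESS=continue] ldap
"""


def parse_nsswitch(text):
    """Return {database: [(source, [ACTIONS])]} for nsswitch.conf text."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        entries = []
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not token.startswith("["):
                entries.append((token, []))
            elif entries:  # an action list belongs to the preceding source
                entries[-1][1].extend(token[1:-1].upper().split())
        databases[name.strip()] = entries
    return databases


def check_initgroups(text, required=("files", "ldap")):
    """List reasons the initgroups lookup may skip a required source."""
    entries = parse_nsswitch(text).get("initgroups")
    if entries is None:
        return []  # no initgroups line: glibc falls back to the group line
    findings = [f"{s} is not listed" for s in required
                if s not in [source for source, _ in entries]]
    for source, actions in entries[:-1]:
        success = [a for a in actions if a.startswith("SUCCESS=")]
        if not success or success[-1] == "SUCCESS=RETURN":
            findings.append(f"lookup returns after {source} on success")
    return findings


if __name__ == "__main__":
    for label, text in (("early", SAMPLE_STOPS_EARLY), ("suggested", SAMPLE_SUGGESTED)):
        print(label, check_initgroups(text) or "ok")
```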