I have a script that does more or less what is suggested. I also took an idea
from elsewhere to add accounts for the department (primary GID), assign shares
to that account, and make the members of the department draw their usage from
the parent account. It does then allow other ways to adjust the shares – the
source that I read did that according to the $$ contributed to the back-end by
the various departments.
I can share the script once I have cleaned it up.
BUT I found that it doesn’t currently work in a cron job, although it works
fine interactively. The issue is getting the list of AD groups, where I use
‘net ads group’ and that doesn’t work without a valid login to AD, and I
haven’t yet solved that. It can be done with ldapsearch but that requires a
hard-coded username and password, so requires a special AD account that has no
login rights and raises security issues anyhow, but is a solution widely used
in other scripts we have to find if users are members of a group. ‘net ads
group’ I found was way faster and simpler.
Essentially I have an AD group <cluster>_<partition> and if the script finds
new members, it creates the account. I haven’t yet developed the inverse
script but that is just a problem of having time.
I am looking at using keytab to solve the Kerberos ticket but I haven’t cracked
it yet.
William Brown
Rothamsted Research
From: slurm-users <slurm-users-boun...@lists.schedmd.com> On Behalf Of Sam
Hawarden
Sent: 20 December 2018 23:36
To: Slurm User Community List <slurm-users@lists.schedmd.com>
Subject: Re: [slurm-users] Accounting: Default Associations for Unknown Accounts
Hi there,
I use the following cron job that runs every night to add new users:
#!/bin/bash
function usersInGrp {
echo -n $(getent group "$*" | cut -d':' -f 4- | awk -F',' '$1=$1')
}
for user in $(usersInGrp 'cluster.users'; usersInGrp
'ALT_DOMAIN1+cluster.users'; usersInGrp 'ALT_DOMAIN2+cluster.users')
do
# Check for existing account.
if [ "$(sacctmgr -nP show user $user | awk -F'|' '{print $2}')" == "" ];
then
# User has no default account. Add one.
sacctmgr add user $user DefaultAccount=nullAccount
fi
done
There's also a relatively simple inverse script to remove users who are no
longer in the group.
Regards,
Sam
_____
Sam Hawarden
Assistant Research Fellow
Pathology Department
Dunedin School of Medicine
sam.hawarden(at)otago.ac.nz
DDI: +64 (0)3 470 3455
Mb: +64 (0)21 898 895
Rm 228 Hercus Building
_____
From: slurm-users <slurm-users-boun...@lists.schedmd.com
<mailto:slurm-users-boun...@lists.schedmd.com> > on behalf of Fulcomer, Samuel
<samuel_fulco...@brown.edu <mailto:samuel_fulco...@brown.edu> >
Sent: Friday, 21 December 2018 12:02
To: Slurm User Community List
Subject: Re: [slurm-users] Accounting: Default Associations for Unknown
Accounts
Yes, in a way. In thinking about this for Brown (we haven't implemented it,
yet), we've the idea of having a Linux cron job periodically query the group
membership of the AD group granted access to the HPC resource, and adding any
new users to the SLURM accounting database.
We're at the point of using AD for ssh/login authentication via sssd, but still
maintain an cluster/internal NIS database for pwent and cluster-specific group
info (i.e., only the login gateways do AD authentication). Our SLURM
associations are updated automatically when the NIS account is created or
modified (via webmin).
On Thu, Dec 20, 2018 at 5:46 PM Ulf <m...@gmx.net <mailto:m...@gmx.net> > wrote:
Hello,
we think about switch to SLURM. Currently we grant access to the cluster using
a active directory group, everyone in this group is allowed to run jobs.
So the users are not known to the SLURM accounting database.
Is it possible to automatically add every new user to an default account
without manually adding the user with "sacctmgr add user user123 Account=test".
Regards
Ulf
