<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I have a script that does more or less what is suggested. I also took an idea from elsewhere to add accounts for the department (primary GID), assign shares to that account, and make the members of the department draw their usage from the parent account. It does then allow other ways to adjust the shares – the source that I read did that according to the $$ contributed to the back-end by the various departments.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I can share the script once I have cleaned it up.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>BUT I found that it doesn’t currently work in a cron job, although it works fine interactively. The issue is getting the list of AD groups, where I use ‘net ads group’ and that doesn’t work without a valid login to AD, and I haven’t yet solved that. It can be done with ldapsearch but that requires a hard-coded username and password, so requires a special AD account that has no login rights and raises security issues anyhow, but is a solution widely used in other scripts we have to find if users are members of a group. ‘net ads group’ I found was way faster and simpler.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Essentially I have an AD group <cluster>_<partition> and if the script finds new members, it creates the account. I haven’t yet developed the inverse script but that is just a problem of having time.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I am looking at using keytab to solve the Kerberos ticket but I haven’t cracked it yet.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>William Brown<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Rothamsted Research<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> slurm-users <slurm-users-bounces@lists.schedmd.com> <b>On Behalf Of </b>Sam Hawarden<br><b>Sent:</b> 20 December 2018 23:36<br><b>To:</b> Slurm User Community List <slurm-users@lists.schedmd.com><br><b>Subject:</b> Re: [slurm-users] Accounting: Default Associations for Unknown Accounts<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p><span style='font-size:14.0pt;color:black'>Hi there,<o:p></o:p></span></p><p><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p><p><span style='font-size:14.0pt;color:black'>I use the following cron job that runs every night to add new users:<o:p></o:p></span></p><p><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>#!/bin/bash</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>function usersInGrp {</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> echo -n $(getent group "$*" | cut -d':' -f 4- | awk -F',' '$1=$1')</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>}</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>for user in $(usersInGrp 'cluster.users'<span style='background:white'>; usersInGrp 'ALT_DOMAIN1+cluster.users'; usersInGrp 'ALT_DOMAIN2+cluster.users'</span>)</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>do</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> # Check for existing account.</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> if [ "$(sacctmgr -nP show user $user | awk -F'|' '{print $2}')" == "" ];</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> then</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> # User has no default account. Add one.</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> sacctmgr add user $user DefaultAccount=nullAccount</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'> fi</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:Consolas;color:black'>done</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'>There's also a relatively simple inverse script to remove users who are no longer in the group.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'>Regards,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:black'> Sam<o:p></o:p></span></p></div><p><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p><p><span style='font-size:14.0pt;color:black'><o:p> </o:p></span></p><div id=Signature><div name=divtagdefaultwrapper><div><div class=MsoNormal align=center style='text-align:center'><span style='font-size:14.0pt;color:black'><hr size=3 width="100%" align=center></span></div><div><p class=MsoNormal align=right style='text-align:right'><span style='font-size:18.0pt;color:black'>Sam Hawarden</span><span style='font-size:14.0pt;color:black'><o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>Assistant Research Fellow<o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>Pathology Department<o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>Dunedin School of Medicine<o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>sam.hawarden(at)otago.ac.nz<o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>DDI: +64 (0)3 470 3455<o:p></o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black;background:white'>Mb: +64 (0)21 898 895</span><span style='font-size:13.5pt;color:black'><o:p></o:p></span></p><div><p class=MsoNormal align=right style='text-align:right'><span style='font-size:13.5pt;color:black'>Rm 228 Hercus Building<o:p></o:p></span></p></div></div></div></div></div><div><div class=MsoNormal align=center style='text-align:center'><span style='font-size:14.0pt;color:#212121'><hr size=3 width="98%" align=center></span></div><div id=divRplyFwdMsg><p class=MsoNormal><b><span style='color:black'>From:</span></b><span style='color:black'> slurm-users <<a href="mailto:slurm-users-bounces@lists.schedmd.com">slurm-users-bounces@lists.schedmd.com</a>> on behalf of Fulcomer, Samuel <<a href="mailto:samuel_fulcomer@brown.edu">samuel_fulcomer@brown.edu</a>><br><b>Sent:</b> Friday, 21 December 2018 12:02<br><b>To:</b> Slurm User Community List<br><b>Subject:</b> Re: [slurm-users] Accounting: Default Associations for Unknown Accounts</span><span style='font-size:14.0pt;color:#212121'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'> <o:p></o:p></span></p></div></div><div><div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'>Yes, in a way. In thinking about this for Brown (we haven't implemented it, yet), we've the idea of having a Linux cron job periodically query the group membership of the AD group granted access to the HPC resource, and adding any new users to the SLURM accounting database. <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'>We're at the point of using AD for ssh/login authentication via sssd, but still maintain an cluster/internal NIS database for pwent and cluster-specific group info (i.e., only the login gateways do AD authentication). Our SLURM associations are updated automatically when the NIS account is created or modified (via webmin).<o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:14.0pt;color:#212121'>On Thu, Dec 20, 2018 at 5:46 PM Ulf <<a href="mailto:mopp@gmx.net">mopp@gmx.net</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>we think about switch to SLURM. Currently we grant access to the cluster using a active directory group, everyone in this group is allowed to run jobs.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>So the users are not known to the SLURM accounting database.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>Is it possible to automatically add every new user to an default account without manually adding the user with "sacctmgr add user user123 Account=test".<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>Regards<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#212121'>Ulf<o:p></o:p></span></p></div></div></div></blockquote></div></div></div></div></body></html>