User in a domain unable to run BOINC

Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 888766 - Posted: 27 Apr 2009, 13:47:33 UTC

Only Admins can run BOINC regardless of what I'm doing.
I'm new to Domains but I'm an experienced User. I could always get things to work but this drives me crazy.

I've set up a Small Business Server where I wanted to install BOINC which didn't work because ... yes, because of what ... ??? They say security, but I think it isn't more secure running BOINC v5. But it worked in the end.

Now I try to run BOINC on the clients and all worked well for me (admin) but when I try to run it under a limited account it doesn't even allow access to the BOINC program folder and therefore I can't run BOINC under a limited account. It would be acceptable to run it as a service but I have a cuda device and that doesn't work.

So I tried to add the limited users to the boinc_users group, but guess, it doesn't work.
I added the user to the folder so I could run boincmgr, which works; it then runs boinc.exe and it takes ages to tell me that I don't have the permission to control boinc. Hey, I have installed it with the option to allow all users to control boinc and I added the user to boinc_users ???
I messed around with permissions a lot but it simply won't run.
Actually it runs under my account but only for the next 2 days as it's a notebook that won't be under my direct control from Wednesday.

So please help me to get it to work.

And to the devs, please make working solutions, not holy grail solutions that don't work. I believe devs got on the wrong track on seti and on boinc.

  • it would be so easy to send no VLARs to cuda devices, ok, it's not perfect, but it's working.
  • Messing with words in boinc instead of making things work
    • See this thread
    • protected application execution instead of service install which everybody knows what it is
  • option to not use the securitybugs so install on DomainControllers is possible
  • and the same for DomainUsers

I believe that it's well-meant but think about that: The contrary of good isn't evil, it's well-meant (Kurt Tucholsky)

Sorry, but I'm really disgruntled, I spent a lot of hours to find workarounds for so-called features. Waiting only for the ultimate security feature to not allow installation at all.

ID: 888766 · Report as offensive
Richard Haselgrove Project Donor
Volunteer tester

Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 888776 - Posted: 27 Apr 2009, 14:24:52 UTC - in response to Message 888766.  

What OS are the clients running?

The restriction "CUDA can't run as a service" only applies to Vista and Windows 7 - CUDA can run as a service under XP. (Mine are not domain-managed, so it's just possible that there are extra restrictions there - but I doubt it).

Apart from that, I agree with everything you've said. The security problem with SBS is that Berkeley haven't found a way to get the BOINC installer to interact with the Domain Controller security mechanisms - so the only workround is to stick with the less-secure v5 installation.
ID: 888776 · Report as offensive
Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 888783 - Posted: 27 Apr 2009, 14:50:29 UTC - in response to Message 888776.  

The clients are Vista 64bit and the SBS is 2008

I run cuda on the last XP client as service too but that isn't really the problem, I can't get the clients to run BOINC at all under a restricted domain-user account. I wouldn't have any problems running it under v5 if that would work with cuda. The 6.6.20 was the first official boinc that allowed me to run AP on CPU and MB on the GPU without constantly babysitting.

Perhaps I'll try to run it through the task planner, so I could run it as admin without making all users admins.
ID: 888783 · Report as offensive
piper69

Joined: 25 Sep 08
Posts: 49
Credit: 3,042,244
RAC: 0
Romania
Message 888816 - Posted: 27 Apr 2009, 17:17:39 UTC - in response to Message 888783.  

Holger, try running it as a service with your admin credentials. That should work.
ID: 888816 · Report as offensive
Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 888820 - Posted: 27 Apr 2009, 17:24:19 UTC - in response to Message 888816.  
Last modified: 27 Apr 2009, 17:32:01 UTC

Thanks, but cuda doesn't work on vista when running as service

I restarted the PC repeatedly, but it's unlikely that it will change permissions

The problem is that I use a domain
ID: 888820 · Report as offensive
Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 888824 - Posted: 27 Apr 2009, 17:34:00 UTC - in response to Message 888820.  

I tried to start boincmgr with the task planner but that didn't work. boincmgr was started but doesn't show its window and it doesn't start boinc.

I then tried to start it through a batch file because I thought it would release boincmgr but it had the same behavior, only with cmd.exe between taskeng.exe and boincmgr.exe (in ProcessExplorer)

I need a way to start boincmgr as admin without using my password every time it starts
ID: 888824 · Report as offensive
Jörg

Joined: 10 Dec 02
Posts: 51
Credit: 1,547,286
RAC: 0
Germany
Message 888849 - Posted: 27 Apr 2009, 18:52:05 UTC - in response to Message 888766.  

Hey, I have installed it with the option to allow all users to control boinc and I added the user to boinc_users ???
I messed around with permissions a lot but it simply won't run.


Good evening,

I run Vista 64bit too and added the restricted accounts to the boinc_admins group and it runs fine.

In the end there is only confusion
ID: 888849 · Report as offensive
Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 888854 - Posted: 27 Apr 2009, 19:06:21 UTC - in response to Message 888849.  

Thanks for the tip, I really thought that could be it, why didn't I find out myself, so teamviewer started, opened boinc_admins group and guess what ...
I added the accounts already. Seems I have done too much BOINC today :)

But sadly that doesn't seem to work on a domain
ID: 888854 · Report as offensive
Alinator
Volunteer tester

Joined: 19 Apr 05
Posts: 4178
Credit: 4,647,982
RAC: 0
United States
Message 888864 - Posted: 27 Apr 2009, 19:34:54 UTC - in response to Message 888854.  

Thanks for the tip, I really thought that could be it, why didn't I find out myself, so teamviewer started, opened boinc_admins group and guess what ...
I added the accounts already. Seems I have done too much BOINC today :)

But sadly that doesn't seem to work on a domain


Hmmm...

Yes, you are discovering that Windows domains are a whole different breed from what you would be used to as a user/admin in a home and/or 'workgroup' environment.

I'm pretty sure what you are trying to do ain't gonna happen with BOINC 6x on Vista or Server 2008.

The reason is the CC needs to install and run in a local admin security context, and Windows Security doesn't allow you to put objects from the domain user group into the local user group. Therefore there is no way to have it install and/or load from a domain user account as the new style 'single' user mode, since a domain user account (even a domain admin one) is not in the local security context.

I haven't thought the whole thing through, but I don't know if it's even possible to have your CUDA 'cake and eat it too' the way you're trying to do it on a domain with the limitations imposed with the CUDA graphics driver and BOINC at this point.

Alinator
ID: 888864 · Report as offensive
1mp0£173
Volunteer tester

Joined: 3 Apr 99
Posts: 8423
Credit: 356,897
RAC: 0
United States
Message 888986 - Posted: 28 Apr 2009, 0:22:07 UTC - in response to Message 888766.  


  • protected application execution instead of service install which everybody knows what it is
  • option to not use the securitybugs so install on DomainControllers is possible
  • and the same for DomainUsers

I believe that it's well-meant but think about that: The contrary of good isn't evil, it's well-meant (Kurt Tucholsky)

Sorry, but I'm really disgruntled, I spent a lot of hours to find workarounds for so-called features. Waiting only for the ultimate security feature to not allow installation at all.

BOINC isn't the first piece of software that I've seen that won't run on a domain controller, or even more irritating, on a BACKUP DOMAIN CONTROLLER.

I've seen it at least as far back as NT 4.0.

My only question is: what did Microsoft do in their design that makes domain controllers so special?

What BOINC calls "protected application" is in fact running as a service. It isn't under the service account because on newer versions of windows, the service accounts do not have network privileges.
ID: 888986 · Report as offensive
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 889002 - Posted: 28 Apr 2009, 0:55:42 UTC - in response to Message 888986.  

My only question is: what did Microsoft do in their design that makes domain controllers so special?


Domain controllers separate local user accounts from Domain accounts. BOINC is not designed to make the sandboxed accounts in Active Directory, but in the local user accounts. Domain Controllers do not have local accounts because they must run Active Directory in order to authenticate users logging on to the network. Ergo, BOINC v6, with its sandboxed accounts, cannot run on Domain Controllers.

On the client side, local user accounts and settings are ignored when the user logs on to the domain, therefore the sandboxed accounts are not seen when run in an Active Directory environment. Since BOINC is not authorized in Active Directory to make Domain accounts, or Domain Global Groups, or even Universal Groups, the sandboxed accounts can only be run when not logged on to the domain.
ID: 889002 · Report as offensive
Profile Pappa
Volunteer tester
Joined: 9 Jan 00
Posts: 2562
Credit: 12,301,681
RAC: 0
United States
Message 889020 - Posted: 28 Apr 2009, 2:07:45 UTC

While I do not have a copy of SBS 2008 I have had occasion to work with Users and LocalGroups on 2008 Server (outside of Domain Policy).

To an extent the Old Net User/Groups commands still work from scripting. In setting up for a Test run of a Server Application did create a script that would add "users" to the Administrator Local Group and other low rights users.

For the most part as you "own" the domain you can create things that you need (users/password). Group Policy gets tougher in that you can allow or disallow access from users/programs. So as an Administrator I can issue the commands.

net user boinc_user password /add
net localgroup administrators boinc_user /add

Then log in as "boinc_user"
Install the software and it should be fine for the local machine. If boinc_user is also a domain member, it has domain member creds in the domain and local administrator on the machine (but not in the domain).

This is taken from the Premise that the Domain User does not have Domain Administrator Privileges but does have Local Machine Administrator Privileges (Yes, there is a Risk).

Generally you could setup an Autologin for the "Boinc_User" to ensure that all drivers start (with a screensaver password protected autolock).

Regards

Please consider a Donation to the Seti Project.

ID: 889020 · Report as offensive
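
An added example, not part of the original thread or of BOINC's own tooling: a read-only PowerShell audit for a client set up the way the posts above describe (accounts added to local groups, plus autologon). It lists the members of the local Administrators, boinc_admins and boinc_users groups and reports whether autologon has left a password in the registry. English group names are assumed, and the function name Get-GroupAudit is made up for this example.

```powershell
# Added example: read-only audit; nothing here changes accounts or groups.
# Group names are the ones mentioned in the thread (English Windows assumed).
$groups = 'Administrators', 'boinc_admins', 'boinc_users'

function Get-GroupAudit([string]$Group) {
    # net.exe is used because it also exists on Vista / Server 2008.
    $out = @(& net.exe localgroup $Group 2>$null)
    if ($LASTEXITCODE -ne 0) {
        return New-Object PSObject -Property @{ Group = $Group; Exists = $false; Members = @() }
    }
    $afterRule = $false
    $lines = @()
    foreach ($line in $out) {
        if ($line -match '^-{5,}') { $afterRule = $true; continue }
        if ($afterRule -and $line.Trim()) { $lines += $line.Trim() }
    }
    # The last non-empty line is net.exe's status message, not a member.
    $members = @($lines | Select-Object -First ([Math]::Max($lines.Count - 1, 0)))
    New-Object PSObject -Property @{ Group = $Group; Exists = $true; Members = $members }
}

foreach ($g in $groups) {
    $audit = Get-GroupAudit $g
    if (-not $audit.Exists) { "{0}: group not found" -f $g; continue }
    foreach ($m in $audit.Members) {
        # net.exe prints local accounts as a bare name, others as AUTHORITY\name.
        $scope = if ($m -match '\\') { 'domain/other authority' } else { 'local account' }
        "{0}: {1} ({2})" -f $g, $m, $scope
    }
}

# Autologon configured through the Winlogon key keeps the password in the
# DefaultPassword value as plain text; report its presence, never its content.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1') {
    "Autologon is enabled for '{0}'; DefaultPassword stored in registry: {1}" -f `
        $wl.DefaultUserName, ($null -ne $wl.DefaultPassword)
} else {
    'Autologon is not enabled.'
}
```

Any BOINC account that appears under Administrators is the risk the post above acknowledges, and it is worth listing when the machine is reviewed.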
Profile elbea64

Joined: 16 Aug 99
Posts: 114
Credit: 6,352,198
RAC: 0
Germany
Message 889163 - Posted: 28 Apr 2009, 13:47:32 UTC

I solved the problem by disabling UAC for boincmgr.exe using the Microsoft Application Compatibility Toolkit

I tried it using AutoIt when I read your message, Pappa, and your way was the next for me to investigate as I don't really understand what you're doing due to my inabilities regarding English language and domains ;) but while doing AutoIt, which I could get partially working, I found the above link and a good tutorial (in German if someone is interested). So thanks for your explanation, perhaps next time it will help me :)
And thanks to the others for enlightening me about domains
ID: 889163 · Report as offensive

 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.