Message boards :
Number crunching :
User in a domain unable to run BOINC
Message board moderation
Author | Message |
---|---|
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
Only Admins can run BOINC regardless of what i'm doing. I'm new to Domains but i'm an experienced User. I could always get things to work but this drives me crazy. I've set up a Small Business Server where i wanted to install BOINC which didn't work because ... yes, because of what ... ??? They say security, but i think it isn't more secure running BOINC v5. But it worked in the end. Now i try to run BOINC on the clients and all worked well for me (admin) but when i try to run it under a limited account it doesn't even allow access to the BOINC program folder and therefore i can't run BOINC under a limited account. It would be acceptable to run it as service but i have a cuda device and that doesn't work. So i tried to add the limited users to the boinc_users group, but guess, it doesn't work. i added the user to the folder so i could run boincmgr which works, it then runs boinc.exe and it takes ages to tell me that i don't have the permission to control boinc. Hey i have installed it with the option to allow all users to control boinc and i added the user to boinc_users ??? I messed around with permissions a lot but it simply won't run. Actually it runs under my account but only for the next 2 days as it's a notebook that won't be under my direct control from wednesday So please help me to get it to work. And to the devs, please make working solutions no holy grale solutions that don't work. I believe devs got on the wrong track on seti and on boinc.
|
Richard Haselgrove Send message Joined: 4 Jul 99 Posts: 14649 Credit: 200,643,578 RAC: 874 |
What OS are the clients running? The restriction "CUDA can't run as a service" only applies to Vista and Windows 7 - CUDA can run as a service under XP. (Mine are not domain-managed, so it's just possible that there are extra resrictions there - but I doubt it). Apart from that, I agree with everything you've said. The security problem with SBS is that Berkley haven't found a way to get the BOINC installer to interact with the Domain Contoller security mechanisms - so the only workround is to stick with the less-secure v5 installation. |
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
The clients are Vista 64bit and the SBS is 2008 I run cuda on the last XP client as service too but that isn't really the problem, i can't get the clients to run BOINC at all under a restricted domain-user account. i wouldn't have any problems running it under v5 if that would work with cuda. the 6.6.20 was the first official boinc that allowed me to run AP on CPU and MB on the GPU without constantly babysitting. Perhaps i'll try to run it through the task planer, so i could run it as admin without making all users to admins |
piper69 Send message Joined: 25 Sep 08 Posts: 49 Credit: 3,042,244 RAC: 0 |
Holger try running it as a service with youre admin credentials. that should work. |
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
Thanks, but cuda doesn't work on vista when running as service i restarted the PC repeatedly, but it's unlikely that it will change permissions the problem is that i use a domain |
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
I tried to start boincmgr with task planer but that didn't work. boincmgr was started but doesn't show its window and it doesn't start boinc. I then tried to start it through a batch file because i thought it would release boincmgr but it had the same behavior only with cmd.exe between taskeng.exe and boincmgr.exe (in ProcessExplorer) I need a way to start boincmgr as admin without using my password everytime it starts |
Jörg Send message Joined: 10 Dec 02 Posts: 51 Credit: 1,547,286 RAC: 0 |
Hey i have installed it with the option to allow all users to control boinc and i added the user to boinc_users ??? Good evening, I run Vista 64bit too and added the restrcited accounts to the boinc_admins group and it runs fine. Am Ende ist nur Verwirrung |
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
Thanks for the tip, i really thought that could it be, why didn't i found out myself, so teamviewer started opened boinc_admins group and guess what ... I added the accounts already. Seems i have done too much BOINC today :) But sadly that doesn't seem to work on a domain |
Alinator Send message Joined: 19 Apr 05 Posts: 4178 Credit: 4,647,982 RAC: 0 |
Thanks for the tip, i really thought that could it be, why didn't i found out myself, so teamviewer started opened boinc_admins group and guess what ... Hmmm... Yes, you are discovering that Windows domains are a whole different breed from what you would be used to as a user/admin in a home and/or 'workgroup' environment. I'm pretty sure what you are trying to do ain't gonna happen with BOINC 6x on Vista or Server 2008. The reason is the CC needs to install and run in a local admin security context, and Windows Security doesn't allow you to put objects from the domain user group into the local user group. Therefore there is no way to have it install and/or load from a domain user account as the new style 'single' user mode, since a domain user account (even a domain admin one) is not in the local security context. I haven't thought the whole thing through, but I don't know if it's even possible to have your CUDA 'cake and eat it too' the way you're trying to do it on a domain with the limitations imposed with the CUDA graphics driver and BOINC at this point. Alinator |
1mp0£173 Send message Joined: 3 Apr 99 Posts: 8423 Credit: 356,897 RAC: 0 |
BOINC isn't the first piece of software that I've seen that won't run on a domain controller, or even more irritating, on a BACKUP DOMAIN CONTROLLER. I've seen it at least as far back as NT 4.0. My only question is: what did Microsoft do in their design that makes domain controllers so special? What BOINC calls "protected application" is in fact running as a service. It isn't under the service account because on newer versions of windows, the service accounts do not have network privileges. |
OzzFan Send message Joined: 9 Apr 02 Posts: 15691 Credit: 84,761,841 RAC: 28 |
My only question is: what did Microsoft do in their design that makes domain controllers so special? Domain controllers separate local user accounts from Domain accounts. BOINC is not designed to make the sandboxed accounts in Active Directory, but in the local user accounts. Domain Controllers do not have local accounts because they must run Active Directory in order to authenticate users logging on to the network. Ergo, BOINC v6, with its sandboxed accounts, cannot run on Domain Controllers. On the client side, local user accounts and settings are ignored when the user logs on to the domain, therefore the sandboxed accounts are not seen when run in an Active Directory environment. Since BOINC is not authorized in Active Directory to make Domain accounts, or Domain Global Groups, or even Universal Groups, the sandboxed accounts can only be run when not logged on to the domain. |
Pappa Send message Joined: 9 Jan 00 Posts: 2562 Credit: 12,301,681 RAC: 0 |
While I do not have a copy of SBS 2008 I have had occasion to work with Users and LocalGroups on 2008 Server (outside of Domain Policy). To an extent the Old Net User/Groups commands still work from scripting. In setting up for a Test run of a Server Application did create a script that would add "users" to the Administrator Local Group and other low rights users. For the most part as you "own" the domain you can create things that you need (users/password). Group Policy gets tougher in that you can allow or disallow access from users/programs. So as an Administrator I can issue the commands. net user boinc_user password /add net localgroup administrators boinc_user /add Then log in as "boinc_user" Install the software and it should be fine for the local machine. If boinc_user is also a domain member, it has domain member creds in the domain and local administrator on the machine (but not in the domain). This is taken from the Premise that the Domain User does not have Domain Administrator Privledges but does have Local Machine Administrator Privleges (Yes, there is a Risk). Generally you could setup an Autologin for the "Boinc_User" to insure that all drivers start (with a screensaver password protected autolock). Regards Please consider a Donation to the Seti Project. |
elbea64 Send message Joined: 16 Aug 99 Posts: 114 Credit: 6,352,198 RAC: 0 |
I solved the problem by disabling UAC for boincmgr.exe using the Microsoft Application Compatibility Toolkit I tried it using AutoIt when i read your Message Pappa, and your way was the next for me to investigate as i don't really understand what you're doing due to my inabilities regarding english language and domains ;) but while doing AutoIt which i could get partially working i found the above link and a good tutorial (in german if someone is interested). So thanks for your explanation perhaps next time it will help me :) And thanks to the others enlighten me about domains |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.