UNIX/Windows user account mapping

The UNIX/Windows user account mapping feature enables cross-platform job submission and execution in a mixed UNIX/Windows environment. Using this feature, you can map Windows user accounts, which include a domain name, to UNIX user accounts, which do not include a domain name, for user accounts with the same user name on both operating systems.

Contents

  • About UNIX/Windows user account mapping

  • Scope

  • Configuration to enable UNIX/Windows user account mapping

  • UNIX/Windows user account mapping behavior

  • Configuration to modify UNIX/Windows user account mapping behavior

  • UNIX/Windows user account mapping commands

About UNIX/Windows user account mapping

In a mixed UNIX/Windows cluster, LSF treats Windows user names (with domain) and UNIX user names (no domain) as different users. The UNIX/Windows user account mapping feature makes job submission and execution transparent across operating systems by mapping Windows accounts to UNIX accounts. With this feature enabled, LSF sends the user account name in the format required by the operating system on the execution host.
Figure 1. Default behavior (feature not enabled)
Figure 2. With UNIX/Windows user account mapping enabled
For mixed UNIX/Windows clusters, UNIX/Windows user account mapping allows you to do the following:
  • Submit a job from a Windows host and run the job on a UNIX host

  • Submit a job from a UNIX host and run the job on a Windows host

  • Specify the domain\user combination used to run a job on a Windows host

  • Schedule and track jobs submitted with either a Windows or UNIX account as though the jobs belong to a single user

LSF supports the use of both single and multiple Windows domains. In a multiple domain environment, you can choose one domain as the preferred execution domain for a particular job.

Existing Windows domain trust relationships apply in LSF. If the execution domain trusts the submission domain, the submission account is valid on the execution host.

Scope


Applicability

Details

Operating system

  • UNIX and Windows hosts within a single cluster

Not required for

  • Windows-only clusters

  • UNIX-only clusters

Dependencies

  • UNIX and Windows user accounts must be valid on all hosts in the cluster and must have the correct permissions to successfully run jobs.

Limitations

  • This feature works with a uniform user name space. If users at your site have different user names on UNIX and Windows hosts, you must enable between-host user account mapping.

  • This feature does not affect Windows workgroup installations. If you want to map all Windows workgroup users to a single Windows system account, you must configure between-host user account mapping.

  • This feature applies only to job execution. If you issue an LSF command or define an LSF parameter and specify a Windows user, you must use the long form of the user name, including the domain name typed in uppercase letters.


Configuration to enable UNIX/Windows user account mapping

Enable the UNIX/Windows user account mapping feature by defining one or more LSF user domains using the LSF_USER_DOMAIN parameter in lsf.conf.

Important:

Configure LSF_USER_DOMAIN immediately after you install LSF—changing this parameter in an existing cluster requires that you verify and possibly reconfigure service accounts, user group memberships, and user passwords.


Configuration file

Parameter and syntax

Behavior

lsf.conf

LSF_USER_DOMAIN=domain_name

  • Enables Windows domain account mapping in a single-domain environment

  • To run jobs on a UNIX host, LSF strips the specified domain name from the user name

  • To run jobs on a Windows host, LSF appends the domain name to the user name

LSF_USER_DOMAIN=domain_name:domain_name

  • Enables Windows domain account mapping in a multi-domain environment

  • To run jobs on a UNIX host, LSF strips the specified domain names from the user name

  • To run jobs on a Windows host, LSF appends the first domain name to the user name. If the first domain\user combination does not have permissions to run the job, LSF tries the next domain in the LSF_USER_DOMAIN list.

LSF_USER_DOMAIN= .

  • Enables Windows domain account mapping

  • To run jobs on a UNIX host, LSF strips the local machine name from the user name

  • To run jobs on a Windows host, LSF appends the local machine name to the user name


UNIX/Windows user account mapping behavior

The following examples describe how UNIX/Windows user account mapping enables job submission and execution across a mixed UNIX/Windows cluster.

When …

In the file …

And the job is submitted by …

The job …

UNIX/Windows user account mapping is not enabled

  • BUSINESS\user1 on a Windows host

  • Runs on a Windows host as BUSINESS\user1

  • Fails on a UNIX host: BUSINESS\user1 is not a valid UNIX user name

UNIX/Windows user account mapping is not enabled

  • user1 on a UNIX host

  • Fails on a Windows host: Windows requires a domain\user combination

  • Runs on a UNIX host as user1

LSF_USER_DOMAIN=BUSINESS

lsf.conf

  • BUSINESS\user1 on a Windows host

  • Runs on a Windows host as BUSINESS\user1

  • Runs on a UNIX host as user1

LSF_USER_DOMAIN=BUSINESS

lsf.conf

  • user1 on a UNIX host

  • Runs on a Windows host as BUSINESS\user1

  • Runs on a UNIX host as user1

LSF_USER_DOMAIN= SUPPORT:ENGINEERING

lsf.conf

  • SUPPORT\user1 on a Windows host

  • Runs on a Windows host as SUPPORT\user1

  • Runs on a UNIX host as user1

LSF_USER_DOMAIN= SUPPORT:ENGINEERING

lsf.conf

  • BUSINESS\user1 on a Windows host

  • Runs on a Windows host as BUSINESS\user1

  • Fails on a UNIX host: LSF cannot strip the domain name, and BUSINESS\user1 is not a valid UNIX user name

LSF_USER_DOMAIN= SUPPORT:ENGINEERING

lsf.conf

  • user1 on a UNIX host

  • Runs on a Windows host as SUPPORT\user1; if the job cannot run with those credentials, the job runs as ENGINEERING\user1

  • Runs on a UNIX host as user1


Configuration to modify UNIX/Windows user account mapping behavior

You can select a preferred execution domain for a particular job. The execution domain must be included in the LSF_USER_DOMAIN list. When you specify an execution domain, LSF ignores the order of the domains listed in LSF_USER_DOMAIN and runs the job using the specified domain. The environment variable LSF_EXECUTE_DOMAIN, defined in the user environment or from the command line, defines the preferred execution domain. Once you submit a job with an execution domain defined, you cannot change the execution domain for that particular job.

Configuration file

Parameter and syntax

Behavior

.cshrc

.profile

LSF_EXECUTE_DOMAIN=domain_name

  • Specifies the domain that LSF uses to run jobs on a Windows host

  • If LSF_USER_DOMAIN contains a list of multiple domains, LSF tries the LSF_EXECUTE_DOMAIN first


The following example shows the changed behavior when you define the LSF_EXECUTE_DOMAIN.

When …

In the file …

And the job is submitted by …

The job …

LSF_USER_DOMAIN= SUPPORT:ENGINEERING

and

LSF_EXECUTE_DOMAIN= ENGINEERING

lsf.conf

.profile .cshrc

  • user1 on a UNIX host

  • Runs on a Windows host as ENGINEERING\user1; if the job cannot run with those credentials, runs as SUPPORT\user1

  • Runs on a UNIX host as user1


These additional examples are based on the following conditions:

  • In lsf.conf, LSF_USER_DOMAIN=SALES:ENGINEERING:BUSINESS

  • The user has sufficient permissions to run the job in any of the LSF user domains


UNIX user1 enters …

And LSF_EXECUTE_DOMAIN is …

Then LSF runs the job as …

bsub -m "hostb" myjob

Not defined in the user environment file

SALES\user1

bsub -m "hostb" myjob

Defined as BUSINESS in the user environment file

BUSINESS\user1

setenv LSF_EXECUTE_DOMAIN BUSINESSbsub -m "hostb" myjob

Either defined or not defined in the user environment file

BUSINESS\user1 The command line overrides the user environment file.


UNIX/Windows user account mapping commands

Commands for submission


Command

Description

bsub

  • Submits the job with the user name and password of the user who entered the command. The job runs on the execution host with the same user name and password, unless you have configured UNIX/Windows user account mapping.

  • With UNIX/Windows user account mapping enabled, jobs that execute on a remote host run with the user account name in the format required by the operating system on the execution host.


Commands to monitor


Command

Description

bjobs -w

  • Displays detailed information about jobs.

  • Displays the long form of the Windows user name including the domain name.


Commands to control


Command

Description

lspasswd

  • Registers a password for a Windows user account. Windows users must register a password for each domain\user account using this command.


Commands to display configuration


Command

Description

bugroup -w

  • Displays information about user groups.

  • If UNIX/Windows user account mapping is enabled, the command bugroup displays user names without domains.

  • If UNIX/Windows user account mapping is not enabled, the command bugroup displays user names with domains.

busers

  • Displays information about specific users and user groups.

  • If UNIX/Windows user account mapping is enabled, the command busers displays user names without domains.

  • If UNIX/Windows user account mapping is not enabled, the command busers displays user names with domains.

badmin showconf

  • Displays all configured parameters and their values set in lsf.conf or ego.conf that affect mbatchd and sbatchd.

    Use a text editor to view other parameters in the lsf.conf or ego.conf configuration files.

  • In a MultiCluster environment, badmin showconf only displays the parameters of daemons on the local cluster.