[MPICH] windows: credentials & passphrase

David Ashton ashton at mcs.anl.gov
Tue Sep 13 18:28:24 CDT 2005 

Daniel,

There are two layers of security when launching an MPICH2 application using
the smpd process manager.

First there is the authentication with the smpd service running on each
machine.  The smpd passphrase is used in conjunction with some runtime
random data to generate a hash to verify the connecting process (mpiexec or
another smpd) and the smpd have been installed with the same passphrase.

This step only gives access to the smpd, it is not used in any way to launch
processes.

The second step is launching processes.  In order to launch processes a user
name and password must be supplied to mpiexec.  This username and password
must be the same ones you use to log on to the machine.  Windows allows you
to have a screen name associated with your username.  You must supply your
username and not your screen name if they are different.

You can use mpiexec to encrypt your username and password and save it to the
registry so you don't have to type it in every time you run mpiexec.  Run
mpiexec -register to do this.

The encrypted user credentials are saved in the registry.  The smpd
passphrase is also saved in the registry.

The username you supply will be passed to the Windows API function -
LogonUser.  This is essentially the same function that gets called when you
walk up to a machine and log on from the console.  So you must use a
username and password that you could walk up to a machine and log in with.

There is one limitation.  The user password must not be blank.  Windows does
not allow a service to launch a process under user credentials with blank
passwords.

The most likely culprit is the wrong username or a blank password or using
the smpd passphrase instead of the user password.

You can change the smpd passphrase by doing the following on each machine:
smpd.exe -stop
smpd.exe -set phrase "whatever phrase you want"
smpd.exe -start

There isn't a problem with the smpd passphrase if you've reached the
rejected user credentials error since that occurs after the passphrase
authentication.

We haven't tested running the 32bit version of MPICH2 on Win64.  We've only
tested 64bit binaries on Win64.  We use the Intel Fortran ia32e compiler and
the Microsoft Platform SDK Win64 compiler to generate the 64bit code.

-David Ashton

-----Original Message-----
From: owner-mpich-discuss at mcs.anl.gov
[mailto:owner-mpich-discuss at mcs.anl.gov] On Behalf Of Daniel Evers
Sent: Wednesday, September 07, 2005 5:16 AM
To: mpich-discuss at mcs.anl.gov
Subject: [MPICH] windows: credentials & passphrase

Hello!

I just installed MPICH2 1.0.2-1 on our Opteron running Windows 64 bit. The 
installed version is 32 bi, because the Intel Compiler we installed only can

produce 32 bit binaries.
I can compile and run my test programs using the "-localonly" option for 
mpiexec, but when I run with "-n", I always get the "credentials rejected" 
error. I tried every combination of domain\user (with and w/o domain) and
all 
passwords of the last months. So my questions are:
	- where does the smpd look for credentials?
	- what is the passphrase good for and where can I configure it
(except 
		passing it to mpiexec)?

Sorry to bother you, but the documentation doesn't help.

thx 4 any hints
Daniel

More information about the mpich-discuss mailing list