Sponsors
Sponsor Products
Deadline + Windows + SMB - Any thoughts?
posted by Alfred Young  on March 8, 2018, 2:19 p.m. (6 months, 13 days ago)
3 Responses     0 Plus One's     1 Comments  

We're working with a very limited number of windows boxes on our renderfarm, connected to our servers via SMB.

In the event that the windows box runs a deadline job, it's restricted to saving files over smb to our network as a very specific user:group (deadline:service).

This causes a bit of problem, but I haven't figured out an elegant solution.

Can anyone chime in on how they handle Window-based render nodes? Any anecdotes would be appreciated!


Thread Tags:
  windows 

Response from Alfred Young @ March 8, 2018, 8:31 p.m.

Thanks Robin. Mapping the drive letter with elevated privileges was the first hurdle, and a special render user/account is what I mentioned.

Your response does help! I may leave it at this, and reconsider special privileges/group permissions for the render user.


0 Plus One's     0 Comments  
   

Response from Robin Scher @ March 8, 2018, 8:25 p.m.

In my experience, there is no good solution to this issue that doesnt involve the render manager code and a very ugly need to integrate passwords for the user accounts into it. The underlying issue is the Windows API that allows a process running under one user to act as another user. On Unix, any process running as the super user can switch to run under a different user context with only the user ID, but on Windows, the process still needs the users password for the API call that does the same thing (even when going from Administrator to a non-administrator user).

 

Building something that would allow the render user to be the same as the user that submitted the job is possible, but incredibly complex. Most everyone I know simply uses a render user account of some kind (though you may want to set up your own user account for this rather than rely on the default accounts that any specific render manager creates for you).

 

As far as the render user account needing administrative privileges, thats more on a case-by-case basis. The most common reason the render user account may need elevated privileges is to map a drive letter if it is not already mapped. Specific needs for advanced privileges may arise in other situations, but are generally rare, and often can be avoided with changes to your pipeline.

 

Hope this helps.

-robin

 

Robin Scher | Uberware | 213.448.0443 | robin@uberware.net | www.uberware.net

 

From: studiosysadmins-discuss-bounces@studiosysadmins.com <studiosysadmins-discuss-bounces@studiosysadmins.com> On Behalf Of Richard Hagen
Sent: Thursday, March 8, 2018 3:01 PM
To: studiosysadmins-discuss@studiosysadmins.com
Subject: Re: [SSA-Discuss] Deadline + Windows + SMB - Any thoughts?

 

Hi, 

 

I don't know if this helps, but I run Deadline with an Active Directory user that has administrator permissions (and a strong password) - note that this is not a recommended method but we need it because we have lots of users and need to sometimes bridge unexpected security entries on user folders (students!!) 

 

For the service user on Windows I give it this domain user.. if I run it as a desktop app (such as on the Mac) I will log in as this user which has autostart scripts for the shares, launcher and slave.  

 

 

 

 

 

On Thu, Mar 8, 2018 at 2:19 PM, Alfred Young <content@studiosysadmins.com> wrote:

We're working with a very limited number of windows boxes on our renderfarm, connected to our servers via SMB.

In the event that the windows box runs a deadline job, it's restricted to saving files over smb to our network as a very specific user:group (deadline:service).

This causes a bit of problem, but I haven't figured out an elegant solution.

Can anyone chime in on how they handle Window-based render nodes? Any anecdotes would be appreciated!


To unsubscribe from the list send a blank e-mail to mailto:studiosysadmins-discuss-request@studiosysadmins.com?subject=unsubscribe



 

--

"Sound does not travel in a vacuum. All sound effects are produced by the animator while drawing." Narbonic

--

"Sound does not travel in a vacuum. All sound effects are produced by the animator while drawing." Narbonic


0 Plus One's     0 Comments  
   

Response from Anonymous @ March 8, 2018, 6:05 p.m.
Hi,
I don't know if this helps, but I run Deadline with an Active Directory user that has administrator permissions (and a strong password) - note that this is not a recommended method but we need it because we have lots of users and need to sometimes bridge unexpected security entries on user folders (students!!)
For the service user on Windows I give it this domain user.. if I run it as a desktop app (such as on the Mac) I will log in as this user which has autostart scripts for the shares, launcher and slave.




On Thu, Mar 8, 2018 at 2:19 PM, Alfred Young <content@studiosysadmins.com> wrote:

We're working with a very limited number of windows boxes on our renderfarm, connected to our servers via SMB.

In the event that the windows box runs a deadline job, it's restricted to saving files over smb to our network as a very specific user:group (deadline:service).

This causes a bit of problem, but I haven't figured out an elegant solution.

Can anyone chime in on how they handle Window-based render nodes? Any anecdotes would be appreciated!


To unsubscribe from the list send a blank e-mail to mailto:studiosysadmins-discuss-request@studiosysadmins.com?subject=unsubscribe



--
"Sound does not travel in a vacuum. All sound effects are produced by the animator while drawing." Narbonic --
"Sound does not travel in a vacuum. All sound effects are produced by the animator while drawing." Narbonic

0 Plus One's     1 Comments