Hello.

I’m having trouble setting acl_groups on queues.

I have two queues, test and training, but I can only submit to “test” queue.
I cannot submit to training queue, even though I have both primary and secondary group "testing"
I want this to work with ldap.

id einjen

tells me I’m in both groups

so what is going on? how do I set up this acl correctly?

create queue test
set queue test queue_type = Execution
set queue test acl_user_enable = True
set queue test acl_users = einjen
set queue test enabled = True
set queue test started = True
Qmgr: p q training

Create queues and set their attributes.

Create and define queue training

create queue training
set queue training queue_type = Execution
set queue training acl_group_enable = True
set queue training acl_groups = training
set queue training enabled = True
set queue training started = True

I am assuming the secondary group for user einjen is training, correct?

If you want to the secondary group to be used in job submission, then you will need to specify this at submission time by using the -W group_list= option. Please see below.

I have recreated your queue setup.

Qmgr: p q test,training
#
# Create queues and set their attributes.
#
#
# Create and define queue test
#
create queue test
set queue test queue_type = Execution
set queue test acl_user_enable = True
set queue test acl_users = scott
set queue test enabled = True
set queue test started = True
#
# Create queues and set their attributes.
#
#
# Create and define queue training
#
create queue training
set queue training queue_type = Execution
set queue training acl_group_enable = True
set queue training acl_groups = users
set queue training enabled = True
set queue training started = True

As the user, scott, I will attempt to submit the job to the training queue where the acl_group=users.

My secondary group is users

[scott@centos7-00 ~]$ id scott
uid=1000(scott) gid=1000(scott) groups=1000(scott),100(users),993(docker)

First job submission, I do not specify -W group_list, so my primary group is used at submission. And, I am rejected.

[scott@centos7-00 ~]$ /opt/pbs/default/bin/qsub -q training -- /bin/sleep 100
qsub: Unauthorized Request 

Second job submission, I specify -W group_list=users and the job is accepted

[scott@centos7-00 ~]$ /opt/pbs/default/bin/qsub -q training -W group_list=users -- /bin/sleep 100
1657.centos7-00.virtualworld

Thanks, but no luck.
neither primary, nor secondary group works, with or without -W group_list.
it doesn’t work if group is in ldap or if it is not.

acl_user_enable = True
acl_users = einjen

does work. with or without ldap

PBS does not directly interface with LDAP, it uses the standard c-library functions getpwname and getpwent.

There are sites using LDAP on clusters with PBS Professional managing the jobs.

Curious… was PBS Professional server running before you configured the system to use LDAP? I seem to recall that some sites restarted the PBS Server and it started working.

Are you submitting the job on the same host as the PBS Server?

Does your user have the same group membership on the server and the submission host?

Hey! Thanks!

Restart of PBS server was the secret sauce.
Ldap clients on pbs server and submitting host was installed after PBS was installed.

I was really puzzled by this since it was working quite well on our PBS pro 12 production cluster