XROOTD-L Archives

Support use of xrootd by HEP experiments

XROOTD-L@LISTSERV.SLAC.STANFORD.EDU

Subject:
From:
Gerardo Ganis <[log in to unmask]>
Date:
Thu, 19 Mar 2009 10:08:44 +0100
Content-Type:
text/plain

    Hi,

    I am processing this.

    Gerri

Fabrizio Furano wrote:
> Andy, what do you think?
>
> f
>
>
> Brian Bockelman wrote:
>> Hey Fabrizio,
>>
>> I went back with our folks, and we've come up with an acceptable 
>> solution (I don't really want to force all our users out there to get 
>> a new module!)
>>
>> Basically, they log into a web interface using the current auth 
>> scheme and it generates a one-time password for them.  They are given 
>> the one-time password and the first time they use it, they change it.
>>
>> HOWEVER, it appears that users added with xrdpwdadmin can't 
>> effectively use xrootd until the daemon is restarted.
>>
>> Here's the command I use, for example:
>>
>> xrdpwdadmin add bbockelmnocern3 -force -dontask
>>
>> I then take the generated password and try to use it.  The server 
>> logs are below.  The user output looks like this (gDebug=5, removing 
>> un-interesting stuff):
>>
>> Password for [log in to unmask]:cmsfilemover:
>> Info in <TXNetFile::Open>: remote file could not be open
>> Info in <TXNetFile::CreateXClient>: remote file could not be open
>> Error in <TXNetFile::CreateXClient>: open attempt failed on 
>> root:[log in to unmask] 
>>
>>
>> If I then restart the xrootd server, things work.  In fact, after 
>> restarting the xrootd server, the client no longer asks me for the 
>> temporary password (I assume it saved it to the client's cache?) and 
>> just asks me to change the password.
>>
>> It appears that the xrootd server is claiming in the logs it has 
>> reloaded the cached authentication file, but this reloading failed to 
>> work.
>>
>> Brian
>>
>> First attempt:
>>
>> 090318 11:39:00 001 XrdInet: Accepted connection from [log in to unmask]
>> 090318 11:39:00 20699 XrdSched: running ?:[log in to unmask] inq=0
>> 090318 11:39:00 20699 XrdProtocol: matched protocol xrootd
>> 090318 11:39:00 20699 ?:[log in to unmask] XrdPoll: FD 27 attached to 
>> poller 0; num=1
>> 090318 11:39:00 20699 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 
>> dlen=0
>> 090318 11:39:00 20699 sec_getParms: red.unl.edu 
>> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 
>> 0100 sending 52 data bytes; status=0
>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 
>> 0100 req=3000 dlen=254
>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: constructing: host: 
>> red.unl.edu
>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: mode: server
>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: object created: v..
>> 090318 11:39:00 20699 secpwd_Authenticate: handshaking ID: 
>> bbockelmn.4519:[log in to unmask]
>> 090318 11:39:00 20699 secpwd_ParseCrypto: parsing list: ssl
>> 090318 11:39:00 20699 crypto_Factory::GetCryptoFactory: ssl crypto 
>> factory object already loaded (0x7f7faf664960)
>> 090318 11:39:00 20699 secpwd_Authenticate: version run by client: 10100
>> 090318 11:39:00 20699 secpwd_CheckRtag: Nothing to check
>> 090318 11:39:00 20699 secpwd_CheckTimeStamp: Nothing to do
>> 090318 11:39:00 20699 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
>> 090318 11:39:00 20699 sut_Rndm::GetString: got: V9JGOZzx
>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 
>> 0100 more auth requested; sz=103
>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 
>> 0100 sending 103 data bytes; status=4002
>> 090318 11:39:03 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 
>> 0100 request timeout; read 0 of 24 bytes
>> 090318 11:39:03 20699 XrdPoll: Poller 0 enabled 
>> bbockelmn.4519:[log in to unmask]
>> 090318 11:39:11 20699 XrdSched: running bbockelmn.4519:[log in to unmask] 
>> inq=0
>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 
>> 0100 req=3000 dlen=167
>> 090318 11:39:11 20699 secpwd_Authenticate: handshaking ID: 
>> bbockelmn.4519:[log in to unmask]
>> 090318 11:39:11 20699 secpwd_ParseCrypto: parsing list: ssl
>> 090318 11:39:11 20699 crypto_Factory::GetCryptoFactory: ssl crypto 
>> factory object already loaded (0x7f7faf664960)
>> 090318 11:39:11 20699 secpwd_Authenticate: version run by client: 10100
>> 090318 11:39:11 20699 secpwd_CheckRtag: Random tag successfully checked
>> 090318 11:39:11 20699 secpwd_CheckTimeStamp: Nothing to do
>> 090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
>> 090318 11:39:11 20699 sut_Cache::Rehash: Hash table updated (found 11 
>> active entries)
>> 090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from file 
>> /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
>> 090318 11:39:11 20699 secpwd_ErrF: Secpwd: wrong credentials: : user 
>> : bbockelmnocern3: kXPC_normal
>> 090318 11:39:11 20699 XrootdXeq: User authentication failed; Secpwd: 
>> wrong credentials: : user : bbockelmnocern3: kXPC_normal
>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 
>> 0100 sending err 3010: Secpwd: wrong credentials: : user : 
>> bbockelmnocern3: kXPC_normal
>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 
>> 0100 req=3010 dlen=136
>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 
>> 0100 sending err 3006: Invalid request; user not authenticated
>> 090318 11:39:11 20699 XrootdXeq: bbockelmn.4519:[log in to unmask] disc 
>> 0:00:11
>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrdPoll: FD 27 
>> detached from poller 0; num=0
>>
>> Second attempt:
>>
>> 090318 11:40:59 001 XrdInet: Accepted connection from [log in to unmask]
>> 090318 11:40:59 20753 XrdSched: running ?:[log in to unmask] inq=0
>> 090318 11:40:59 20753 XrdProtocol: matched protocol xrootd
>> 090318 11:40:59 20753 ?:[log in to unmask] XrdPoll: FD 26 attached to 
>> poller 0; num=1
>> 090318 11:40:59 20753 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 
>> dlen=0
>> 090318 11:40:59 20753 sec_getParms: red.unl.edu 
>> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 
>> 0100 sending 52 data bytes; status=0
>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 req=3000 dlen=254
>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: constructing: host: 
>> red.unl.edu
>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: mode: server
>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: object created: v..
>> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: 
>> bbockelmn.2466:[log in to unmask]
>> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
>> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto 
>> factory object already loaded (0x7fe2fb8a8960)
>> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
>> 090318 11:40:59 20753 secpwd_CheckRtag: Nothing to check
>> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
>> 090318 11:40:59 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
>> 090318 11:40:59 20753 sut_Rndm::Init: taking seed from /dev/urandom
>> 090318 11:40:59 20753 sut_Rndm::GetString: got: .8lrX3bS
>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 more auth requested; sz=103
>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 
>> 0100 sending 103 data bytes; status=4002
>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 req=3000 dlen=167
>> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: 
>> bbockelmn.2466:[log in to unmask]
>> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
>> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto 
>> factory object already loaded (0x7fe2fb8a8960)
>> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
>> 090318 11:40:59 20753 secpwd_CheckRtag: Random tag successfully checked
>> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
>> 090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
>> 090318 11:40:59 20753 sut_Cache::Refresh: cached information for file 
>> /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
>> 090318 11:41:00 20753 secpwd_ExportCreds: File (template) undefined - 
>> do nothing
>> 090318 11:41:00 20753 secpwd_Authenticate: WARNING: some problem 
>> exporting creds to file; template is :
>> 090318 11:41:00 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
>> 090318 11:41:00 20753 sut_Rndm::GetString: got: 8SVtIe9a
>> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 more auth requested; sz=127
>> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 
>> 0100 sending 127 data bytes; status=4002
>> 090318 11:41:03 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 request timeout; read 0 of 24 bytes
>> 090318 11:41:03 20753 XrdPoll: Poller 0 enabled 
>> bbockelmn.2466:[log in to unmask]
>> 090318 11:41:19 20753 XrdSched: running bbockelmn.2466:[log in to unmask] 
>> inq=0
>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 req=3000 dlen=143
>> 090318 11:41:19 20753 secpwd_Authenticate: handshaking ID: 
>> bbockelmn.2466:[log in to unmask]
>> 090318 11:41:19 20753 secpwd_ParseCrypto: parsing list: ssl
>> 090318 11:41:19 20753 crypto_Factory::GetCryptoFactory: ssl crypto 
>> factory object already loaded (0x7fe2fb8a8960)
>> 090318 11:41:19 20753 secpwd_Authenticate: version run by client: 10100
>> 090318 11:41:19 20753 secpwd_CheckRtag: Random tag successfully checked
>> 090318 11:41:19 20753 secpwd_CheckTimeStamp: Nothing to do
>> 090318 11:41:19 20753 sut_Rndm::GetBuffer: enter: len: 8
>> 090318 11:41:19 20753 secpwd_SaveCreds: Entry for tag: 
>> bbockelmnocern3_1 updated in cache
>> 090318 11:41:19 20753 sut_Cache::Flush: Cache flushed to file 
>> /uscms/home/bbockelm/.xrd/pwdadmin (1 entries updated / written)
>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 
>> 0100 sending OK
>> 090318 11:41:19 20753 XrootdXeq: bbockelmn.2466:[log in to unmask] login 
>> as bbockelmnocern3
>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 req=3010 dlen=136
>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 
>> 0100 open rt 
>> /cmsfs/lfns/store/relval/CMSSW_2_2_1/RelValTTbar/GEN-SIM-RECO/STARTUP_V7_LowLumiPileUp_v1/0004/EC41ED67-E5C6-DD11-97A2-000423D9989E.root 
>>
>>
>> On Mar 10, 2009, at 9:26 AM, Fabrizio Furano wrote:
>>
>>> Hi,
>>>
>>> I guess that this needs a new XrdSec plugin to be written. Probably 
>>> the secunix one could be a good starting point.
>>>
>>> Fabrizio
>>>
>>>
>>> Brian Bockelman wrote:
>>>> Hey Xrootd folks (hope I ended up on the right list),
>>>> I'd like to hook xrootd into our local-site authentication 
>>>> methods.  We currently keep all our user/passwords in a htpasswd 
>>>> file, as generated by apache.  What's the best way to have the 
>>>> server read the data from that file and use it for authentication?
>>>> Brian


-- 
+--------------------------------------------------------------------------+
  Gerardo GANIS    PH Department, CERN
        address    CERN, CH 1211 Geneve 23  
                   room: 32-RC-017, tel / fax: +412276 76439 / 69133
         e-mail    [log in to unmask]
+--------------------------------------------------------------------------+



