Andy, what do you think?
f
Brian Bockelman wrote:
> Hey Fabrizio,
>
> I went back with our folks, and we've come up with an acceptable
> solution (I don't really want to force all our users out there to get a
> new module!)
>
> Basically, they log into a web interface using the current auth scheme
> and it generates a one-time password for them. They are given the
> one-time password and the first time they use it, they change it.
>
> HOWEVER, it appears that users added with xrdpwdadmin can't effectively
> use xrootd until the daemon is restarted.
>
> Here's the command I use, for example:
>
> xrdpwdadmin add bbockelmnocern3 -force -dontask
>
> I then take the generated password and try to use it. The server logs
> are below. The user output looks like this (gDebug=5, removing
> uninteresting stuff):
>
> Password for [log in to unmask]:cmsfilemover:
> Info in <TXNetFile::Open>: remote file could not be open
> Info in <TXNetFile::CreateXClient>: remote file could not be open
> Error in <TXNetFile::CreateXClient>: open attempt failed on
> root:[log in to unmask]
>
>
> If I then restart the xrootd server, things work. In fact, after
> restarting the xrootd server, the client no longer asks me for the
> temporary password (I assume it saved it to the client's cache?) and
> just asks me to change the password.
>
> It appears that the xrootd server is claiming in the logs it has
> reloaded the cached authentication file, but this reloading failed to work.
>
> Brian
>
> First attempt:
>
> 090318 11:39:00 001 XrdInet: Accepted connection from [log in to unmask]
> 090318 11:39:00 20699 XrdSched: running ?:[log in to unmask] inq=0
> 090318 11:39:00 20699 XrdProtocol: matched protocol xrootd
> 090318 11:39:00 20699 ?:[log in to unmask] XrdPoll: FD 27 attached to poller
> 0; num=1
> 090318 11:39:00 20699 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 dlen=0
> 090318 11:39:00 20699 sec_getParms: red.unl.edu
> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100
> sending 52 data bytes; status=0
> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100
> req=3000 dlen=254
> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: constructing: host:
> red.unl.edu
> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: mode: server
> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: object created: v..
> 090318 11:39:00 20699 secpwd_Authenticate: handshaking ID:
> bbockelmn.4519:[log in to unmask]
> 090318 11:39:00 20699 secpwd_ParseCrypto: parsing list: ssl
> 090318 11:39:00 20699 crypto_Factory::GetCryptoFactory: ssl crypto
> factory object already loaded (0x7f7faf664960)
> 090318 11:39:00 20699 secpwd_Authenticate: version run by client: 10100
> 090318 11:39:00 20699 secpwd_CheckRtag: Nothing to check
> 090318 11:39:00 20699 secpwd_CheckTimeStamp: Nothing to do
> 090318 11:39:00 20699 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
> 090318 11:39:00 20699 sut_Rndm::GetString: got: V9JGOZzx
> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100
> more auth requested; sz=103
> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100
> sending 103 data bytes; status=4002
> 090318 11:39:03 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100
> request timeout; read 0 of 24 bytes
> 090318 11:39:03 20699 XrdPoll: Poller 0 enabled
> bbockelmn.4519:[log in to unmask]
> 090318 11:39:11 20699 XrdSched: running bbockelmn.4519:[log in to unmask] inq=0
> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100
> req=3000 dlen=167
> 090318 11:39:11 20699 secpwd_Authenticate: handshaking ID:
> bbockelmn.4519:[log in to unmask]
> 090318 11:39:11 20699 secpwd_ParseCrypto: parsing list: ssl
> 090318 11:39:11 20699 crypto_Factory::GetCryptoFactory: ssl crypto
> factory object already loaded (0x7f7faf664960)
> 090318 11:39:11 20699 secpwd_Authenticate: version run by client: 10100
> 090318 11:39:11 20699 secpwd_CheckRtag: Random tag successfully checked
> 090318 11:39:11 20699 secpwd_CheckTimeStamp: Nothing to do
> 090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
> 090318 11:39:11 20699 sut_Cache::Rehash: Hash table updated (found 11
> active entries)
> 090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from file
> /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
> 090318 11:39:11 20699 secpwd_ErrF: Secpwd: wrong credentials: : user :
> bbockelmnocern3: kXPC_normal
> 090318 11:39:11 20699 XrootdXeq: User authentication failed; Secpwd:
> wrong credentials: : user : bbockelmnocern3: kXPC_normal
> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100
> sending err 3010: Secpwd: wrong credentials: : user : bbockelmnocern3:
> kXPC_normal
> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100
> req=3010 dlen=136
> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100
> sending err 3006: Invalid request; user not authenticated
> 090318 11:39:11 20699 XrootdXeq: bbockelmn.4519:[log in to unmask] disc 0:00:11
> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrdPoll: FD 27
> detached from poller 0; num=0
>
> Second attempt:
>
> 090318 11:40:59 001 XrdInet: Accepted connection from [log in to unmask]
> 090318 11:40:59 20753 XrdSched: running ?:[log in to unmask] inq=0
> 090318 11:40:59 20753 XrdProtocol: matched protocol xrootd
> 090318 11:40:59 20753 ?:[log in to unmask] XrdPoll: FD 26 attached to poller
> 0; num=1
> 090318 11:40:59 20753 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 dlen=0
> 090318 11:40:59 20753 sec_getParms: red.unl.edu
> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100
> sending 52 data bytes; status=0
> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> req=3000 dlen=254
> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: constructing: host:
> red.unl.edu
> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: mode: server
> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: object created: v..
> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID:
> bbockelmn.2466:[log in to unmask]
> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto
> factory object already loaded (0x7fe2fb8a8960)
> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
> 090318 11:40:59 20753 secpwd_CheckRtag: Nothing to check
> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
> 090318 11:40:59 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
> 090318 11:40:59 20753 sut_Rndm::Init: taking seed from /dev/urandom
> 090318 11:40:59 20753 sut_Rndm::GetString: got: .8lrX3bS
> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> more auth requested; sz=103
> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100
> sending 103 data bytes; status=4002
> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> req=3000 dlen=167
> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID:
> bbockelmn.2466:[log in to unmask]
> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto
> factory object already loaded (0x7fe2fb8a8960)
> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
> 090318 11:40:59 20753 secpwd_CheckRtag: Random tag successfully checked
> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
> 090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
> 090318 11:40:59 20753 sut_Cache::Refresh: cached information for file
> /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
> 090318 11:41:00 20753 secpwd_ExportCreds: File (template) undefined - do
> nothing
> 090318 11:41:00 20753 secpwd_Authenticate: WARNING: some problem
> exporting creds to file; template is :
> 090318 11:41:00 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
> 090318 11:41:00 20753 sut_Rndm::GetString: got: 8SVtIe9a
> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> more auth requested; sz=127
> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100
> sending 127 data bytes; status=4002
> 090318 11:41:03 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> request timeout; read 0 of 24 bytes
> 090318 11:41:03 20753 XrdPoll: Poller 0 enabled
> bbockelmn.2466:[log in to unmask]
> 090318 11:41:19 20753 XrdSched: running bbockelmn.2466:[log in to unmask] inq=0
> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> req=3000 dlen=143
> 090318 11:41:19 20753 secpwd_Authenticate: handshaking ID:
> bbockelmn.2466:[log in to unmask]
> 090318 11:41:19 20753 secpwd_ParseCrypto: parsing list: ssl
> 090318 11:41:19 20753 crypto_Factory::GetCryptoFactory: ssl crypto
> factory object already loaded (0x7fe2fb8a8960)
> 090318 11:41:19 20753 secpwd_Authenticate: version run by client: 10100
> 090318 11:41:19 20753 secpwd_CheckRtag: Random tag successfully checked
> 090318 11:41:19 20753 secpwd_CheckTimeStamp: Nothing to do
> 090318 11:41:19 20753 sut_Rndm::GetBuffer: enter: len: 8
> 090318 11:41:19 20753 secpwd_SaveCreds: Entry for tag: bbockelmnocern3_1
> updated in cache
> 090318 11:41:19 20753 sut_Cache::Flush: Cache flushed to file
> /uscms/home/bbockelm/.xrd/pwdadmin (1 entries updated / written)
> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100
> sending OK
> 090318 11:41:19 20753 XrootdXeq: bbockelmn.2466:[log in to unmask] login as
> bbockelmnocern3
> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> req=3010 dlen=136
> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100
> open rt
> /cmsfs/lfns/store/relval/CMSSW_2_2_1/RelValTTbar/GEN-SIM-RECO/STARTUP_V7_LowLumiPileUp_v1/0004/EC41ED67-E5C6-DD11-97A2-000423D9989E.root
>
>
> On Mar 10, 2009, at 9:26 AM, Fabrizio Furano wrote:
>
>> Hi,
>>
>> I guess that this needs a new XrdSec plugin to be written. Probably
>> the secunix one could be a good starting point.
>>
>> Fabrizio
>>
>>
>> Brian Bockelman wrote:
>>> Hey Xrootd folks (hope I ended up on the right list),
>>> I'd like to hook xrootd into our local-site authentication methods.
>>> We currently keep all our user/passwords in a htpasswd file, as
>>> generated by apache. What's the best way to have the server read the
>>> data from that file and use it for authentication?
>>> Brian
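Added example (not code from the thread or from the xrootd project): a small Python parser that groups the secpwd server log lines quoted above by the numeric id that follows the timestamp (one value per connection in the quoted log) and flags the pattern Brian describes, a cache refresh reporting "0 entries updated" followed by an authentication failure on the same connection. The sample input is a subset of the quoted log with the mail-wrapped lines re-joined; the line layout is assumed from the thread.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the server log quoted in the thread,
# with lines the mail archive had wrapped re-joined into single lines.
SAMPLE_LOG = """\
090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from file /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
090318 11:39:11 20699 XrootdXeq: User authentication failed; Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:40:59 20753 sut_Cache::Refresh: cached information for file /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
090318 11:41:19 20753 sut_Cache::Flush: Cache flushed to file /uscms/home/bbockelm/.xrd/pwdadmin (1 entries updated / written)
090318 11:41:19 20753 XrootdXeq: bbockelmn.2466:[log in to unmask] login as bbockelmnocern3
"""

# date, time, per-connection id, component (may contain '::'), message
LINE_RE = re.compile(r"^(\d{6}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+?): (.*)$")


def analyze(log_text):
    """Group secpwd events by connection id; return {id: summary dict}."""
    sessions = defaultdict(lambda: {"user": None, "cache": [], "result": "unknown"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore wrapped fragments / unrelated lines
        _date, _time, cid, component, msg = m.groups()
        s = sessions[cid]
        if component == "secpwd_QueryUser":
            s["user"] = msg.split("Enter: ")[-1]
        elif component.startswith("sut_Cache::"):
            # keep the cache event (Refresh/Flush) and its message text
            s["cache"].append(component.split("::")[1] + ": " + msg)
        elif component == "XrootdXeq":
            if "authentication failed" in msg:
                s["result"] = "failed"
            elif " login as " in msg:
                s["result"] = "ok"
    return dict(sessions)


def stale_cache_failure(summary):
    """True when auth failed on a connection whose cache refresh updated 0 entries."""
    refreshed_nothing = any("(0 entries updated)" in c for c in summary["cache"])
    return summary["result"] == "failed" and refreshed_nothing


if __name__ == "__main__":
    for cid, s in analyze(SAMPLE_LOG).items():
        flag = " <-- stale password cache?" if stale_cache_failure(s) else ""
        print(f"{cid}: user={s['user']} result={s['result']}{flag}")
```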