LISTSERV 16.5 - XROOTD-L Archives

Subscriber's Corner
Email Lists
XROOTD-L Archives

XROOTD-L@LISTSERV.SLAC.STANFORD.EDU

View:

Message:
[
First
Last
]
By Topic:
[
First
Last
]
By Author:
[
First
Last
]
Font:
Proportional Font
		LISTSERV Archives
		XROOTD-L Home
		XROOTD-L April 2009
Subject:
Re: Authentication using htpasswd files
From:
Gerardo Ganis <[log in to unmask]>
Date:
21 Apr 2009 14:51:26 +0200Tue, 21 Apr 2009 14:51:26 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (349 lines)

    Hi,

    Sorry for the late reply, but I was hoping that a new development 
tarball could be made
    available on the web site. But that is delayed but some other 
problems. So I have made
    a snapshot of the current head and put on my public AFS areas at 
CERN and SLAC:

       /afs/slac.stanford.edu/u/br/ganis/public/xrootd-20090421-0541.src.tgz
       /afs/cern.ch/user/g/ganis/public/xrootd-20090421-0541.src.tgz

    Let me know if you manage to give a try.

    Cheers, Gerri  


Brian Bockelman wrote:
> Yup, a tarball would be more convenient for me - I have only used 
> tarballs from the website up to this point.
>
> Brian
>
> On Apr 9, 2009, at 2:42 AM, Gerardo Ganis wrote:
>
>>
>>   Hi Brian,
>>
>>   Sorry for the somewhat late reply.
>>   The problem should now be fixed in the CVS head.
>>   We can create a new tarball if that is a convenient way for you to 
>> test the fix.
>>
>>   Let me know,
>>
>>   Gerri
>>
>>
>> Brian Bockelman wrote:
>>> Hey Gerri,
>>>
>>> Any updates on this?
>>>
>>> Brian
>>>
>>> On Mar 19, 2009, at 12:14 PM, Brian Bockelman wrote:
>>>
>>>> Hey Gerardo,
>>>>
>>>> Here's the tarball I found from the xrootd homepage
>>>>
>>>> xrootd-20080828-1632.src.tgz
>>>>
>>>> Brian
>>>>
>>>> On Mar 19, 2009, at 12:08 PM, Gerardo Ganis wrote:
>>>>
>>>>>
>>>>> Hi Brian,
>>>>>
>>>>> I managed to reproduce the problem: the file is read but for some 
>>>>> reason the cache is not
>>>>> really updated (0 entries updated); this sounds like a bug. I will 
>>>>> try to understand whether
>>>>> there is any work around to re-starting the server.
>>>>>
>>>>> By default the client should not cache anything; it does cache  
>>>>> the relevant info if you  set
>>>>> the env XrdSecPWDAUTOLOG to 1 . You can check the client cache  by 
>>>>> running
>>>>>
>>>>>    xrdpwdadmin -m netrc
>>>>>
>>>>> Cheers, Gerri
>>>>>
>>>>> PS:  what version of XROOTD are you running?
>>>>>
>>>>> Brian Bockelman wrote:
>>>>>> Hey Fabrizio,
>>>>>>
>>>>>> I went back with our folks, and we've come up with an acceptable 
>>>>>> solution (I don't really want to force all our users out there to 
>>>>>> get a new module!)
>>>>>>
>>>>>> Basically, they log into a web interface using the current auth 
>>>>>> scheme and it generates a one-time password for them.  They are 
>>>>>> given the one-time password and the first time they use it, they 
>>>>>> change it.
>>>>>>
>>>>>> HOWEVER, it appears that users added with xrdpwdadmin can't 
>>>>>> effectively use xrootd until the daemon is restarted.
>>>>>>
>>>>>> Here's the command I use, for example:
>>>>>>
>>>>>> xrdpwdadmin add bbockelmnocern3 -force -dontask
>>>>>>
>>>>>> I then take the generated password and try to use it.  The server 
>>>>>> logs are below.  The user output look like this (gDebug=5, 
>>>>>> removing un-interesting stuff):
>>>>>>
>>>>>> Password for [log in to unmask]:cmsfilemover:
>>>>>> Info in <TXNetFile::Open>: remote file could not be open
>>>>>> Info in <TXNetFile::CreateXClient>: remote file could not be open
>>>>>> Error in <TXNetFile::CreateXClient>: open attempt failed on 
>>>>>> root:[log in to unmask] 
>>>>>>
>>>>>>
>>>>>> If I then restart the xrootd server, things work.  In fact, after 
>>>>>> restarting the xrootd server, the client no longer asks me for 
>>>>>> the temporary password (I assume it saved it to the client's 
>>>>>> cache?) and just asks me to change the password.
>>>>>>
>>>>>> It appears that the xrootd server is claiming in the logs it has 
>>>>>> reloaded the cached authentication file, but this reloading 
>>>>>> failed to work.
>>>>>>
>>>>>> Brian
>>>>>>
>>>>>> First attempt:
>>>>>>
>>>>>> 090318 11:39:00 001 XrdInet: Accepted connection from [log in to unmask]
>>>>>> 090318 11:39:00 20699 XrdSched: running ?:[log in to unmask] inq=0
>>>>>> 090318 11:39:00 20699 XrdProtocol: matched protocol xrootd
>>>>>> 090318 11:39:00 20699 ?:[log in to unmask] XrdPoll: FD 27 attached to 
>>>>>> poller 0; num=1
>>>>>> 090318 11:39:00 20699 ?:[log in to unmask] XrootdProtocol: 0100 
>>>>>> req=3007 dlen=0
>>>>>> 090318 11:39:00 20699 sec_getParms: red.unl.edu 
>>>>>> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
>>>>>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending 52 data bytes; status=0
>>>>>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3000 dlen=254
>>>>>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: constructing: 
>>>>>> host: red.unl.edu
>>>>>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
>>>>>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: mode: server
>>>>>> 090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: object created: v..
>>>>>> 090318 11:39:00 20699 secpwd_Authenticate: handshaking ID: 
>>>>>> bbockelmn.4519:[log in to unmask]
>>>>>> 090318 11:39:00 20699 secpwd_ParseCrypto: parsing list: ssl
>>>>>> 090318 11:39:00 20699 crypto_Factory::GetCryptoFactory: ssl 
>>>>>> crypto factory object already loaded (0x7f7faf664960)
>>>>>> 090318 11:39:00 20699 secpwd_Authenticate: version run by client: 
>>>>>> 10100
>>>>>> 090318 11:39:00 20699 secpwd_CheckRtag: Nothing to check
>>>>>> 090318 11:39:00 20699 secpwd_CheckTimeStamp: Nothing to do
>>>>>> 090318 11:39:00 20699 sut_Rndm::GetString: enter: len: 8 (type: 
>>>>>> Crypt)
>>>>>> 090318 11:39:00 20699 sut_Rndm::GetString: got: V9JGOZzx
>>>>>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 more auth requested; sz=103
>>>>>> 090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending 103 data bytes; status=4002
>>>>>> 090318 11:39:03 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 request timeout; read 0 of 24 bytes
>>>>>> 090318 11:39:03 20699 XrdPoll: Poller 0 enabled 
>>>>>> bbockelmn.4519:[log in to unmask]
>>>>>> 090318 11:39:11 20699 XrdSched: running 
>>>>>> bbockelmn.4519:[log in to unmask] inq=0
>>>>>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3000 dlen=167
>>>>>> 090318 11:39:11 20699 secpwd_Authenticate: handshaking ID: 
>>>>>> bbockelmn.4519:[log in to unmask]
>>>>>> 090318 11:39:11 20699 secpwd_ParseCrypto: parsing list: ssl
>>>>>> 090318 11:39:11 20699 crypto_Factory::GetCryptoFactory: ssl 
>>>>>> crypto factory object already loaded (0x7f7faf664960)
>>>>>> 090318 11:39:11 20699 secpwd_Authenticate: version run by client: 
>>>>>> 10100
>>>>>> 090318 11:39:11 20699 secpwd_CheckRtag: Random tag successfully 
>>>>>> checked
>>>>>> 090318 11:39:11 20699 secpwd_CheckTimeStamp: Nothing to do
>>>>>> 090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
>>>>>> 090318 11:39:11 20699 sut_Cache::Rehash: Hash table updated 
>>>>>> (found 11 active entries)
>>>>>> 090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from 
>>>>>> file /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
>>>>>> 090318 11:39:11 20699 secpwd_ErrF: Secpwd: wrong credentials: : 
>>>>>> user : bbockelmnocern3: kXPC_normal
>>>>>> 090318 11:39:11 20699 XrootdXeq: User authentication failed; 
>>>>>> Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
>>>>>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending err 3010: Secpwd: wrong credentials: 
>>>>>> : user : bbockelmnocern3: kXPC_normal
>>>>>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3010 dlen=136
>>>>>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending err 3006: Invalid request; user not 
>>>>>> authenticated
>>>>>> 090318 11:39:11 20699 XrootdXeq: bbockelmn.4519:[log in to unmask] 
>>>>>> disc 0:00:11
>>>>>> 090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrdPoll: FD 
>>>>>> 27 detached from poller 0; num=0
>>>>>>
>>>>>> Second attempt:
>>>>>>
>>>>>> 090318 11:40:59 001 XrdInet: Accepted connection from [log in to unmask]
>>>>>> 090318 11:40:59 20753 XrdSched: running ?:[log in to unmask] inq=0
>>>>>> 090318 11:40:59 20753 XrdProtocol: matched protocol xrootd
>>>>>> 090318 11:40:59 20753 ?:[log in to unmask] XrdPoll: FD 26 attached to 
>>>>>> poller 0; num=1
>>>>>> 090318 11:40:59 20753 ?:[log in to unmask] XrootdProtocol: 0100 
>>>>>> req=3007 dlen=0
>>>>>> 090318 11:40:59 20753 sec_getParms: red.unl.edu 
>>>>>> sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
>>>>>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending 52 data bytes; status=0
>>>>>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3000 dlen=254
>>>>>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: constructing: 
>>>>>> host: red.unl.edu
>>>>>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
>>>>>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: mode: server
>>>>>> 090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: object created: v..
>>>>>> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: 
>>>>>> bbockelmn.2466:[log in to unmask]
>>>>>> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
>>>>>> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl 
>>>>>> crypto factory object already loaded (0x7fe2fb8a8960)
>>>>>> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 
>>>>>> 10100
>>>>>> 090318 11:40:59 20753 secpwd_CheckRtag: Nothing to check
>>>>>> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
>>>>>> 090318 11:40:59 20753 sut_Rndm::GetString: enter: len: 8 (type: 
>>>>>> Crypt)
>>>>>> 090318 11:40:59 20753 sut_Rndm::Init: taking seed from /dev/urandom
>>>>>> 090318 11:40:59 20753 sut_Rndm::GetString: got: .8lrX3bS
>>>>>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 more auth requested; sz=103
>>>>>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending 103 data bytes; status=4002
>>>>>> 090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3000 dlen=167
>>>>>> 090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: 
>>>>>> bbockelmn.2466:[log in to unmask]
>>>>>> 090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
>>>>>> 090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl 
>>>>>> crypto factory object already loaded (0x7fe2fb8a8960)
>>>>>> 090318 11:40:59 20753 secpwd_Authenticate: version run by client: 
>>>>>> 10100
>>>>>> 090318 11:40:59 20753 secpwd_CheckRtag: Random tag successfully 
>>>>>> checked
>>>>>> 090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
>>>>>> 090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
>>>>>> 090318 11:40:59 20753 sut_Cache::Refresh: cached information for 
>>>>>> file /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
>>>>>> 090318 11:41:00 20753 secpwd_ExportCreds: File (template) 
>>>>>> undefined - do nothing
>>>>>> 090318 11:41:00 20753 secpwd_Authenticate: WARNING: some problem 
>>>>>> exporting creds to file; template is :
>>>>>> 090318 11:41:00 20753 sut_Rndm::GetString: enter: len: 8 (type: 
>>>>>> Crypt)
>>>>>> 090318 11:41:00 20753 sut_Rndm::GetString: got: 8SVtIe9a
>>>>>> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 more auth requested; sz=127
>>>>>> 090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending 127 data bytes; status=4002
>>>>>> 090318 11:41:03 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 request timeout; read 0 of 24 bytes
>>>>>> 090318 11:41:03 20753 XrdPoll: Poller 0 enabled 
>>>>>> bbockelmn.2466:[log in to unmask]
>>>>>> 090318 11:41:19 20753 XrdSched: running 
>>>>>> bbockelmn.2466:[log in to unmask] inq=0
>>>>>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3000 dlen=143
>>>>>> 090318 11:41:19 20753 secpwd_Authenticate: handshaking ID: 
>>>>>> bbockelmn.2466:[log in to unmask]
>>>>>> 090318 11:41:19 20753 secpwd_ParseCrypto: parsing list: ssl
>>>>>> 090318 11:41:19 20753 crypto_Factory::GetCryptoFactory: ssl 
>>>>>> crypto factory object already loaded (0x7fe2fb8a8960)
>>>>>> 090318 11:41:19 20753 secpwd_Authenticate: version run by client: 
>>>>>> 10100
>>>>>> 090318 11:41:19 20753 secpwd_CheckRtag: Random tag successfully 
>>>>>> checked
>>>>>> 090318 11:41:19 20753 secpwd_CheckTimeStamp: Nothing to do
>>>>>> 090318 11:41:19 20753 sut_Rndm::GetBuffer: enter: len: 8
>>>>>> 090318 11:41:19 20753 secpwd_SaveCreds: Entry for tag: 
>>>>>> bbockelmnocern3_1 updated in cache
>>>>>> 090318 11:41:19 20753 sut_Cache::Flush: Cache flushed to file 
>>>>>> /uscms/home/bbockelm/.xrd/pwdadmin (1 entries updated / written)
>>>>>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdResponse: 0100 sending OK
>>>>>> 090318 11:41:19 20753 XrootdXeq: bbockelmn.2466:[log in to unmask] 
>>>>>> login as bbockelmnocern3
>>>>>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 req=3010 dlen=136
>>>>>> 090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] 
>>>>>> XrootdProtocol: 0100 open rt 
>>>>>> /cmsfs/lfns/store/relval/CMSSW_2_2_1/RelValTTbar/GEN-SIM-RECO/STARTUP_V7_LowLumiPileUp_v1/0004/EC41ED67-E5C6-DD11-97A2-000423D9989E.root 
>>>>>>
>>>>>>
>>>>>> On Mar 10, 2009, at 9:26 AM, Fabrizio Furano wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I guess that this needs a new XrdSec plugin to be written. 
>>>>>>> Probably the secunix one could be a good starting point.
>>>>>>>
>>>>>>> Fabrizio
>>>>>>>
>>>>>>>
>>>>>>> Brian Bockelman ha scritto:
>>>>>>>> Hey Xrootd folks (hope I ended up on the right list),
>>>>>>>> I'd like to hook xrootd into our local-site authentication 
>>>>>>>> methods.  We currently keep all our user/passwords in a 
>>>>>>>> htpasswd file, as generated by apache.  What's the best way to 
>>>>>>>> have the server read the data from that file and use it for 
>>>>>>>> authentication?
>>>>>>>> Brian
>>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> +--------------------------------------------------------------------------+ 
>>>>>
>>>>> Gerardo GANIS    PH Department, CERN
>>>>>     address    CERN, CH 1211 Geneve 23                    room: 
>>>>> 32-RC-017, tel / fax: +412276 76439 / 69133
>>>>>      e-mail    [log in to unmask]
>>>>> +--------------------------------------------------------------------------+ 
>>>>>
>>>>
>>>
>>
>>
>> -- 
>> +--------------------------------------------------------------------------+ 
>>
>> Gerardo GANIS    PH Department, CERN
>>       address    CERN, CH 1211 Geneve 23                    room: 
>> 32-RC-017, tel / fax: +412276 76439 / 69133
>>        e-mail    [log in to unmask]
>> +--------------------------------------------------------------------------+ 
>>
>


-- 
+--------------------------------------------------------------------------+
  Gerardo GANIS    PH Department, CERN
        address    CERN, CH 1211 Geneve 23  
                   room: 32-RC-017, tel / fax: +412276 76439 / 69133
         e-mail    [log in to unmask]
+--------------------------------------------------------------------------+
Top of Message | Previous Page | Permalink
Search Archives

Advanced Options
Options

		Log In
		Get Password

		Search Archives

		Subscribe or Unsubscribe