URL:
<http://savannah.cern.ch/bugs/?88627>
Summary: erratic authorization behaviour in xrootdfs and sss security
Project: XROOTD
Submitted by: bdouglas
Submitted on: 2011-11-08 16:11
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Fixed by commit(s):
_______________________________________________________
Details:
Hi,
We are seeing at Duke some intermittent authorization problems
on xrootd dataserver accessed through xrootdfs and fuse.
Here is the salient line in the data server config file -
sec.protocol /usr/lib64 sss -s /var/spool/xrootd/.xrd/sss_keytab.grp -c /var/spool/xrootd/.xrd/sss_keytab.grp
Here is the content of the key tab file on data server:
[root@atlfs03 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov 2 18:26 /var/spool/xrootd/.xrd/sss_keytab.grp
[root@atlfs03 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
1 32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup
Here is the corresponding information on client machine -
[root@atl010 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov 2 16:05 /var/spool/xrootd/.xrd/sss_keytab.grp
[root@atl010 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
1 32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup
Here is the mount line in /etc/fstab -
xrootdfs /atlfs03/atlas fuse rdr=root://atlfs03.phy.duke.edu:1094//atlas,uid=54657,sss=/var/spool/xrootd/.xrd/sss_keytab.grp 0 0
Here is a snippet of information from the client system log file -
Nov 6 23:07:45 atl010 dhclient: DHCPREQUEST on eth0 to 152.3.57.1 port 67
Nov 6 23:07:45 atl010 dhclient: DHCPACK from 152.3.57.1
Nov 6 23:07:45 atl010 dhclient: bound to 152.3.57.128 -- renewal in 1757 seconds.
Nov 6 23:08:22 atl010 XrootdFS[29441]: WARNING: (f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000020.root.1) failed (errno = 13)
Nov 6 23:08:22 atl010 XrootdFS[29441]: WARNING: (f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000021.root.1) failed (errno = 13)
Nov 6 23:08:22 atl010 XrootdFS[29441]: WARNING: (f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00
Here is a snippet of the data server log file.
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:08:12 22610 XrootdXeq: 53bc.29441:41@atl010 login as root
111106 23:08:18 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local
111106 23:08:18 22610 XrdLink: Unable to send to 53bc.29441:49@atl010; broken pipe
111106 23:08:18 22610 XrootdXeq: 53bc.29441:49@atl010 disc 0:19:27 (send failure)
111106 23:08:18 22610 acc_Audit: seog.11417:52@atl007 grant unix [log in to unmask] read /atlas/local/chiho/2011/PeriodK/muon/data11_7TeV.00186965.physics_Muons.merge.NTUP_SMWZ.f395_m939_p605_tid491334_00/NTUP_SMWZ.491334._000226.root.1
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 grant sss root@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 deny sss root@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:08:22 22610 ofs_open: 53bc.29441:41@atl010 Unable to open /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1; Permission denied
_______________________________________________________
Reply to this item at:
<http://savannah.cern.ch/bugs/?88627>
_______________________________________________
Message sent via/by LCG Savannah
http://savannah.cern.ch/
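_______________________________________________________
Added example (not part of the original report and not XRootD project code): a small Python scan of acc_Audit lines that flags a client process whose audited name changes and is then denied an operation it had been granted under the earlier name, which is the pattern visible for 29441@atl010 in the server log above. The field layout is inferred from the lines in the report, and the sample lines are constructed from them with the file path shortened.

```python
import re
from collections import defaultdict

# Layout inferred from the report's acc_Audit lines (an assumption, not an official grammar):
# YYMMDD HH:MM:SS tid acc_Audit: tag.pid:fd@host grant|deny proto name@host op path
AUDIT = re.compile(
    r"^(?P<ts>\d{6} \d\d:\d\d:\d\d) \d+ acc_Audit: "
    r"(?P<tag>[^.\s]+)\.(?P<pid>\d+):(?P<fd>\d+)@(?P<host>\S+) "
    r"(?P<verdict>grant|deny) (?P<proto>\S+) (?P<name>[^@\s]+)@\S+ "
    r"(?P<op>\S+) (?P<path>\S+)$"
)

# Constructed sample: lines taken from the report, long file path shortened.
SAMPLE = """\
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/f19.root.1
111106 23:08:12 22610 XrootdXeq: 53bc.29441:41@atl010 login as root
111106 23:08:18 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 grant sss root@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 deny sss root@? update /atlas/local/chiho/f19.root.1
"""

def identity_flips(log_text):
    """Return one finding per client process (pid@host) audited under several names."""
    seen = defaultdict(list)  # (pid, host) -> audit events in log order
    for line in log_text.splitlines():
        m = AUDIT.match(line.strip())
        if m:  # non-audit lines (XrootdXeq, XrdLink, ofs_open) are skipped
            seen[(m["pid"], m["host"])].append(m.groupdict())
    findings = []
    for (pid, host), events in seen.items():
        names = []
        for e in events:
            if e["name"] not in names:
                names.append(e["name"])
        if len(names) < 2:
            continue
        # Denies for an (op, path) that the same process was granted under a different name.
        denied = [
            (e["ts"], e["name"], e["op"], e["path"])
            for e in events
            if e["verdict"] == "deny" and any(
                g["verdict"] == "grant" and g["name"] != e["name"]
                and (g["op"], g["path"]) == (e["op"], e["path"]) for g in events)
        ]
        findings.append({"client": f"{pid}@{host}", "names": names,
                         "denied_after_grant": denied})
    return findings

if __name__ == "__main__":
    for finding in identity_flips(SAMPLE):
        print(finding)
```

Lines whose identity field is masked or wrapped, as in the mail archive copy above, do not match the pattern and are skipped.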