Hi Gerri, Andy, Brian,
well that's the strange thing. No matter what host I tried, I wasn't
aware to set any of variables and never experienced such warning error.
So, I've have believed there must have changed something withing auth
method here between the version ;).
Anyway, thanks for heads up, it's completely good enough I export
X509_USER_PROXY and things to work as expected (*****). That's all what
I needed so I wont' bother with cosmetics here... And yes, I want to run
this as root.
Thanks,
Marian
(*****)
[root@vocms037 ~]# xrdmapc --list all cms-xrd-transit.cern.ch:1094
150804 19:19:16 27964 secgsi_InitProxy: cannot access private key file:
/root/.globus/userkey.pem
xrdmapc: Unable to connect to osg-se.cac.cornell.edu:1094; [FATAL] Auth
failed
0**** vocms027.cern.ch:1094
Srv cms25.physics.ucsb.edu:1094
Srv cms-se.hep.uprm.edu:1094
1 Man osg-se.cac.cornell.edu:1094
[root@vocms037 ~]# export X509_USER_PROXY=/root/.globus/slsprobe.proxy
[root@vocms037 ~]# xrdmapc --list all cms-xrd-transit.cern.ch:1094
0**** vocms027.cern.ch:1094
Srv cms25.physics.ucsb.edu:1094
Srv cms-se.hep.uprm.edu:1094
1 Man osg-se.cac.cornell.edu:1094
Srv osg-xrootd01.cac.cornell.edu:1095
Srv osg-xrootd01.cac.cornell.edu:34968
On 8/4/15 3:16 AM, ganis wrote:
>
> Hello,
>
> Yes, what happens is the that the application tries to use GSI auth
> and looks in the standard default place, i.e. $HOME/.globus,
> for the credentials, not finding them.
> So there is nothing wrong in the code and it does not depend on the
> version of XRootD; as Andy says, it requires proper setup.
> The location of the relevant files are controlled by env variables
> <http://xrootd.org/doc/dev41/sec_config.htm#_Toc361850226> .
> Question: is it expected/understood that the application runs as ‘root’ ?
> In such a case you may want to use the host credentials, usually
> found under /etc/grid-security/host{cert,key}.pem .
> Gerri
>
> On 04 Aug 2015, at 09:45, Andrew Hanushevsky <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
>> Correct, xrdmapc has to follow to authentication requirements of each
>> endpoint. So, the auth stuff has to be setup correctly for any of this
>> to work.
>>
>> Andy
>>
>> On Mon, 3 Aug 2015, Brian Bockelman wrote:
>>
>>> Hi Marian,
>>>
>>> xrdmapc appears to be trying to use GSI authentication, but cannot
>>> find either proxy or cert/key for the root account.
>>>
>>> Where do you believe the GSI credentials should be coming from?
>>>
>>> Brian
>>>
>>>> On Aug 3, 2015, at 4:35 PM, Marian Zvada <[log in to unmask]
>>>> <mailto:[log in to unmask]>> wrote:
>>>>
>>>> Forgot to say - behavior is reproducible now in both xrootd rpm
>>>> flavors, from EPEL and OSG. (In 4.2.1 it was just in EPEL, weird
>>>> enough, huh?) I have still other unresolved questions with xrdmapc
>>>> but those are under microscope of Andy progressing...
>>>>
>>>> Thanks,
>>>> Marian
>>>>
>>>> On 8/3/15 4:27 PM, Marian Zvada wrote:
>>>>> Hi,
>>>>>
>>>>> did anyone had chance look at this and perhaps explain? I can see same
>>>>> annoyance running 4.2.2 (****).
>>>>>
>>>>> Thanks,
>>>>> Marian
>>>>>
>>>>> (****)
>>>>> [root@vocms027 ~]# xrdmapc --list all cms-xrd-transit.cern.ch
>>>>> <http://cms-xrd-transit.cern.ch>:1094
>>>>> 150803 23:23:09 7669 secgsi_InitProxy: cannot access private key file:
>>>>> /root/.globus/userkey.pem
>>>>> xrdmapc: Unable to connect to osg-se.cac.cornell.edu
>>>>> <http://osg-se.cac.cornell.edu>:1094; [FATAL] Auth
>>>>> failed
>>>>> 0**** vocms027.cern.ch <http://vocms027.cern.ch>:1094
>>>>> Srv cms25.physics.ucsb.edu <http://cms25.physics.ucsb.edu>:1094
>>>>> Srv cms-se.hep.uprm.edu <http://cms-se.hep.uprm.edu>:1094
>>>>> 1 Man osg-se.cac.cornell.edu <http://osg-se.cac.cornell.edu>:1094
>>>>> [root@vocms027 ~]# ls -al /root/.glo*
>>>>> ls: cannot access /root/.glo*: No such file or directory
>>>>> [root@vocms027 ~]# rpm -qa | grep xrootd
>>>>> xrootd-server-devel-4.2.2-1.el6.x86_64
>>>>> xrootd-server-libs-4.2.2-1.el6.x86_64
>>>>> xrootd-devel-4.2.2-1.el6.x86_64
>>>>> xrootd-client-4.2.2-1.el6.x86_64
>>>>> xrootd-libs-4.2.2-1.el6.x86_64
>>>>> xrootd-client-devel-4.2.2-1.el6.x86_64
>>>>> xrootd-client-libs-4.2.2-1.el6.x86_64
>>>>> xrootd-server-4.2.2-1.el6.x86_64
>>>>>
>>>>>
>>>>> On 7/16/15 2:24 PM, Marian Zvada wrote:
>>>>>> Hi Folks,
>>>>>>
>>>>>> I find this annoying:
>>>>>>
>>>>>> # xrdmapc --list all vocms027.cern.ch <http://vocms027.cern.ch>:1094
>>>>>> 150716 21:11:38 5509 secgsi_InitProxy: cannot access private key file:
>>>>>> /root/.globus/userkey.pem
>>>>>> ...
>>>>>> ...
>>>>>> [root@vocms027 ~]# ls -al /root/.globus/
>>>>>> ls: cannot access /root/.globus/: No such file or directory
>>>>>>
>>>>>> Note the "secgsi_InitProxy: cannot access private key", on the system
>>>>>> that directory .globus doesn't even exist. How come? Here the rpms
>>>>>> installed on the system (*).
>>>>>>
>>>>>> Strangely, I don't see same behavior on 4.2.1 from osg-repo (**).
>>>>>> xrdmapc doesn't complain about any and comparing configs between
>>>>>> the two
>>>>>> systems are pretty much same.
>>>>>>
>>>>>> Although there might be difference in the packaging between CERN
>>>>>> provided and OSG, I fear there must be something else why it tries to
>>>>>> locate /root/.globus/userkey.pem file on my system?
>>>>>>
>>>>>> Oh, and here is the config how it looks like (***).
>>>>>>
>>>>>> Do you see anything obvious why this happens?
>>>>>>
>>>>>> Thanks,
>>>>>> Marian
>>>>>>
>>>>>> (*)
>>>>>> xrootd-server-devel-4.2.1-1.slc6.x86_64
>>>>>> xrootd-server-libs-4.2.1-1.slc6.x86_64
>>>>>> xrootd-libs-4.2.1-1.slc6.x86_64
>>>>>> xrootd-devel-4.2.1-1.slc6.x86_64
>>>>>> xrootd-client-libs-4.2.1-1.slc6.x86_64
>>>>>> xrootd-client-devel-4.2.1-1.slc6.x86_64
>>>>>> xrootd-server-4.2.1-1.slc6.x86_64
>>>>>> xrootd-client-4.2.1-1.slc6.x86_64
>>>>>>
>>>>>> (**)
>>>>>> xrootd-server-libs-4.2.1-2.osg32.el6.x86_64
>>>>>> xrootd-client-libs-4.2.1-2.osg32.el6.x86_64
>>>>>> xrootd-server-4.2.1-2.osg32.el6.x86_64
>>>>>> xrootd-4.2.1-2.osg32.el6.x86_64
>>>>>> xrootd-libs-4.2.1-2.osg32.el6.x86_64
>>>>>> xrootd-selinux-4.2.1-2.osg32.el6.noarch
>>>>>>
>>>>>> (***)
>>>>>> xrd.port 1213 if exec cmsd
>>>>>> xrd.port 1094 if exec xrootd
>>>>>> all.sitename CERN-TRANSIT
>>>>>> all.role meta manager
>>>>>> all.export /
>>>>>> all.manager meta all cms-xrd-transit.cern.ch
>>>>>> <http://cms-xrd-transit.cern.ch>+ 1213
>>>>>> cms.delay startup 10 lookup 5 qdl 30 servers 1
>>>>>> cms.trace forward redirect
>>>>>> xrd.report xrootd.t2.ucsd.edu <http://xrootd.t2.ucsd.edu>:9931
>>>>>> every 30s all sync
>>>>>> xrootd.monitor all fstat 60s lfn ops ssq xfr 5 ident 5m dest fstat
>>>>>> info
>>>>>> user redir CMS-AAA-EU-COLLECTOR.cern.ch
>>>>>> <http://CMS-AAA-EU-COLLECTOR.cern.ch>:9330
>>>>>> xrootd.trace emsg redirect
>>>>>> xrd.network keepalive kaparms 5m,5s,5
>>>>>> xrd.timeout idle 30m
>>>>>> frm.xfr.copycmd /bin/cp /dev/null $PFN
>>>>>> all.adminpath /var/spool/xrootd
>>>>>> all.pidpath /var/run/xrootd
>>>>>>
>>>>>> ########################################################################
>>>>>> Use REPLY-ALL to reply to list
>>>>>>
>>>>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>>>
>>>>> ########################################################################
>>>>> Use REPLY-ALL to reply to list
>>>>>
>>>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>>
>>>> ########################################################################
>>>> Use REPLY-ALL to reply to list
>>>>
>>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>
>>> ########################################################################
>>> Use REPLY-ALL to reply to list
>>>
>>> To unsubscribe from the XROOTD-DEV list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>>>
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-DEV list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
>
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
|