Dear experts,
I'm having trouble with using the proxy delegation feature. My setup is
as follows:
I have a client that wants to download files from an external site,
therefore authentication is required. The request is forwarded to a
proxy server (which is running in forwarding mode and also caches the
files). I see the following error in the proxy server log (the full log
is attached):
ofs_open: ds1034.9382:[log in to unmask] Unable to open /root:/lcg-lrz-rootd.grid.lrz.de:1094/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasscratchdisk/rucio/user/dsammel/04/71/large.root; invalid exchange
At one point before that, the proxy server tries to create a user proxy
for user xrootd. If I put my userkey and usercert on the proxy server
and manually create a user proxy for user xrootd, the authentication
works, but this is of course not a reasonable solution.
Client:
XRootD version: 4.12.3
$XrdSecGSIDELEGPROXY=2
$XrdSecGSIPROXYDEPLEN=-1
$X509_USER_PROXY=/tmp/x509up_u52246
$X509_USER_KEY=/home/ds1034/.globus/userkey.pem
$X509_USER_CERT=/home/ds1034/.globus/usercert.pem
Server:
XRootD version: 5.1.1
xrootd.seclib libXrdSec.so
sec.protocol gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -dlgpxy:request -d:3
The complete server config is attached.
I also attached the debug logs for the client and the server when running
xrdcp -f -d 3 root://lcg-lrz-rootd.grid.lrz.de:1094/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasscratchdisk/rucio/user/dsammel/04/71/large.root .
Two things I noticed: in the client log "Proxy delegation option: 0", in
the server log "Secgsi Proxy delegation option: ignore", it seems that
these settings are not applied?
Is anything missing in my configuration or is anything wrong?
Just tell me if I need to provide any missing information!
Cheers
Dirk
########################################################################
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
xrd.port 1094
pss.origin =
ofs.osslib libXrdPss.so
pss.cachelib default
pfc.ram 1G
pss.dca world
oss.localroot /work/ws/atlas/ds1034-shfs
xrootd.seclib libXrdSec.so
sec.protocol gsi -certdir:/etc/grid-security/certificates -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -dlgpxy:request -d:3
pfc.trace info
xrd.timeout idle 10
all.export /xroot:/
all.export /root:/
all.export / r/w
ofs.persist off
all.pidpath /tmp/
all.adminpath /tmp/
cms.delay startup 10