Hey Fabrizio,

I went back with our folks, and we've come up with an acceptable solution (I don't really want to force all our users out there to get a new module!) Basically, they log into a web interface using the current auth scheme and it generates a one-time password for them. They are given the one-time password and the first time they use it, they change it.

HOWEVER, it appears that users added with xrdpwdadmin can't effectively use xrootd until the daemon is restarted. Here's the command I use, for example:

xrdpwdadmin add bbockelmnocern3 -force -dontask

I then take the generated password and try to use it. The server logs are below. The user output looks like this (gDebug=5, removing uninteresting stuff):

Password for [log in to unmask]:cmsfilemover:
Info in <TXNetFile::Open>: remote file could not be open
Info in <TXNetFile::CreateXClient>: remote file could not be open
Error in <TXNetFile::CreateXClient>: open attempt failed on root:[log in to unmask] //cmsfs/lfns/store/relval/CMSSW_2_2_1/RelValTTbar/GEN-SIM-RECO/STARTUP_V7_LowLumiPileUp_v1/0004/EC41ED67-E5C6-DD11-97A2-000423D9989E.root

If I then restart the xrootd server, things work. In fact, after restarting the xrootd server, the client no longer asks me for the temporary password (I assume it saved it to the client's cache?) and just asks me to change the password.

It appears that the xrootd server is claiming in the logs it has reloaded the cached authentication file, but this reloading failed to work.

Brian

First attempt:

090318 11:39:00 001 XrdInet: Accepted connection from [log in to unmask]
090318 11:39:00 20699 XrdSched: running ?:[log in to unmask] inq=0
090318 11:39:00 20699 XrdProtocol: matched protocol xrootd
090318 11:39:00 20699 ?:[log in to unmask] XrdPoll: FD 27 attached to poller 0; num=1
090318 11:39:00 20699 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 dlen=0
090318 11:39:00 20699 sec_getParms: red.unl.edu sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100 sending 52 data bytes; status=0
090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100 req=3000 dlen=254
090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: constructing: host: red.unl.edu
090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: mode: server
090318 11:39:00 20699 secpwd_XrdSecProtocolpwd: object created: v..
090318 11:39:00 20699 secpwd_Authenticate: handshaking ID: bbockelmn.4519:[log in to unmask]
090318 11:39:00 20699 secpwd_ParseCrypto: parsing list: ssl
090318 11:39:00 20699 crypto_Factory::GetCryptoFactory: ssl crypto factory object already loaded (0x7f7faf664960)
090318 11:39:00 20699 secpwd_Authenticate: version run by client: 10100
090318 11:39:00 20699 secpwd_CheckRtag: Nothing to check
090318 11:39:00 20699 secpwd_CheckTimeStamp: Nothing to do
090318 11:39:00 20699 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
090318 11:39:00 20699 sut_Rndm::GetString: got: V9JGOZzx
090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100 more auth requested; sz=103
090318 11:39:00 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100 sending 103 data bytes; status=4002
090318 11:39:03 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100 request timeout; read 0 of 24 bytes
090318 11:39:03 20699 XrdPoll: Poller 0 enabled bbockelmn.4519:[log in to unmask]
090318 11:39:11 20699 XrdSched: running bbockelmn.4519:[log in to unmask] inq=0
090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100 req=3000 dlen=167
090318 11:39:11 20699 secpwd_Authenticate: handshaking ID: bbockelmn.4519:[log in to unmask]
090318 11:39:11 20699 secpwd_ParseCrypto: parsing list: ssl
090318 11:39:11 20699 crypto_Factory::GetCryptoFactory: ssl crypto factory object already loaded (0x7f7faf664960)
090318 11:39:11 20699 secpwd_Authenticate: version run by client: 10100
090318 11:39:11 20699 secpwd_CheckRtag: Random tag successfully checked
090318 11:39:11 20699 secpwd_CheckTimeStamp: Nothing to do
090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:39:11 20699 sut_Cache::Rehash: Hash table updated (found 11 active entries)
090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from file /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
090318 11:39:11 20699 secpwd_ErrF: Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
090318 11:39:11 20699 XrootdXeq: User authentication failed; Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100 sending err 3010: Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdProtocol: 0100 req=3010 dlen=136
090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrootdResponse: 0100 sending err 3006: Invalid request; user not authenticated
090318 11:39:11 20699 XrootdXeq: bbockelmn.4519:[log in to unmask] disc 0:00:11
090318 11:39:11 20699 bbockelmn.4519:[log in to unmask] XrdPoll: FD 27 detached from poller 0; num=0

Second attempt:

090318 11:40:59 001 XrdInet: Accepted connection from [log in to unmask]
090318 11:40:59 20753 XrdSched: running ?:[log in to unmask] inq=0
090318 11:40:59 20753 XrdProtocol: matched protocol xrootd
090318 11:40:59 20753 ?:[log in to unmask] XrdPoll: FD 26 attached to poller 0; num=1
090318 11:40:59 20753 ?:[log in to unmask] XrootdProtocol: 0100 req=3007 dlen=0
090318 11:40:59 20753 sec_getParms: red.unl.edu sectoken=&P=pwd,v:10100,id:cmsfilemover,c:ssl
090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100 sending 52 data bytes; status=0
090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 req=3000 dlen=254
090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: constructing: host: red.unl.edu
090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: p: pwd, plen: 4
090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: mode: server
090318 11:40:59 20753 secpwd_XrdSecProtocolpwd: object created: v..
090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: bbockelmn.2466:[log in to unmask]
090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto factory object already loaded (0x7fe2fb8a8960)
090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
090318 11:40:59 20753 secpwd_CheckRtag: Nothing to check
090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
090318 11:40:59 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
090318 11:40:59 20753 sut_Rndm::Init: taking seed from /dev/urandom
090318 11:40:59 20753 sut_Rndm::GetString: got: .8lrX3bS
090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 more auth requested; sz=103
090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100 sending 103 data bytes; status=4002
090318 11:40:59 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 req=3000 dlen=167
090318 11:40:59 20753 secpwd_Authenticate: handshaking ID: bbockelmn.2466:[log in to unmask]
090318 11:40:59 20753 secpwd_ParseCrypto: parsing list: ssl
090318 11:40:59 20753 crypto_Factory::GetCryptoFactory: ssl crypto factory object already loaded (0x7fe2fb8a8960)
090318 11:40:59 20753 secpwd_Authenticate: version run by client: 10100
090318 11:40:59 20753 secpwd_CheckRtag: Random tag successfully checked
090318 11:40:59 20753 secpwd_CheckTimeStamp: Nothing to do
090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:40:59 20753 sut_Cache::Refresh: cached information for file /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
090318 11:41:00 20753 secpwd_ExportCreds: File (template) undefined - do nothing
090318 11:41:00 20753 secpwd_Authenticate: WARNING: some problem exporting creds to file; template is :
090318 11:41:00 20753 sut_Rndm::GetString: enter: len: 8 (type: Crypt)
090318 11:41:00 20753 sut_Rndm::GetString: got: 8SVtIe9a
090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 more auth requested; sz=127
090318 11:41:00 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100 sending 127 data bytes; status=4002
090318 11:41:03 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 request timeout; read 0 of 24 bytes
090318 11:41:03 20753 XrdPoll: Poller 0 enabled bbockelmn.2466:[log in to unmask]
090318 11:41:19 20753 XrdSched: running bbockelmn.2466:[log in to unmask] inq=0
090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 req=3000 dlen=143
090318 11:41:19 20753 secpwd_Authenticate: handshaking ID: bbockelmn.2466:[log in to unmask]
090318 11:41:19 20753 secpwd_ParseCrypto: parsing list: ssl
090318 11:41:19 20753 crypto_Factory::GetCryptoFactory: ssl crypto factory object already loaded (0x7fe2fb8a8960)
090318 11:41:19 20753 secpwd_Authenticate: version run by client: 10100
090318 11:41:19 20753 secpwd_CheckRtag: Random tag successfully checked
090318 11:41:19 20753 secpwd_CheckTimeStamp: Nothing to do
090318 11:41:19 20753 sut_Rndm::GetBuffer: enter: len: 8
090318 11:41:19 20753 secpwd_SaveCreds: Entry for tag: bbockelmnocern3_1 updated in cache
090318 11:41:19 20753 sut_Cache::Flush: Cache flushed to file /uscms/home/bbockelm/.xrd/pwdadmin (1 entries updated / written)
090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdResponse: 0100 sending OK
090318 11:41:19 20753 XrootdXeq: bbockelmn.2466:[log in to unmask] login as bbockelmnocern3
090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 req=3010 dlen=136
090318 11:41:19 20753 bbockelmn.2466:[log in to unmask] XrootdProtocol: 0100 open rt /cmsfs/lfns/store/relval/CMSSW_2_2_1/RelValTTbar/GEN-SIM-RECO/STARTUP_V7_LowLumiPileUp_v1/0004/EC41ED67-E5C6-DD11-97A2-000423D9989E.root

On Mar 10, 2009, at 9:26 AM, Fabrizio Furano wrote:

> Hi,
>
> I guess that this needs a new XrdSec plugin to be written. Probably
> the secunix one could be a good starting point.
>
> Fabrizio
>
>
> Brian Bockelman wrote:
>> Hey Xrootd folks (hope I ended up on the right list),
>> I'd like to hook xrootd into our local-site authentication
>> methods. We currently keep all our user/passwords in a htpasswd
>> file, as generated by apache. What's the best way to have the
>> server read the data from that file and use it for authentication?
>> Brian
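
A log-triage heuristic for the symptom reported in this thread, as an added example that is not part of the original messages or of xrootd: it flags a secpwd "wrong credentials" rejection that directly follows a password-file refresh reporting 0 entries updated for the same user. The function name is hypothetical, and treating the third log field as a per-connection thread id is an assumption.

```python
import re

# Constructed sample: a subset of the server log lines quoted in the thread.
SAMPLE_LOG = """\
090318 11:39:11 20699 secpwd_CheckRtag: Random tag successfully checked
090318 11:39:11 20699 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:39:11 20699 sut_Cache::Rehash: Hash table updated (found 11 active entries)
090318 11:39:11 20699 sut_Cache::Refresh: Cache refreshed from file /uscms/home/bbockelm/.xrd/pwdadmin (0 entries updated)
090318 11:39:11 20699 secpwd_ErrF: Secpwd: wrong credentials: : user : bbockelmnocern3: kXPC_normal
090318 11:40:59 20753 secpwd_QueryUser: Enter: bbockelmnocern3
090318 11:40:59 20753 sut_Cache::Refresh: cached information for file /uscms/home/bbockelm/.xrd/pwdadmin is up-to-date
090318 11:41:19 20753 secpwd_SaveCreds: Entry for tag: bbockelmnocern3_1 updated in cache
"""

# timestamp, thread id (assumed), component name, message
LINE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (\S+?): (.*)$")
UPDATED = re.compile(r"\((\d+) entries updated\)")


def find_stale_cache_rejections(log_text):
    """Return (timestamp, thread, user) for each rejection preceded by an empty refresh."""
    pending = {}  # thread id -> lookup in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines prefixed with a client id are not needed here
        ts, tid, component, msg = m.groups()
        if component == "secpwd_QueryUser" and msg.startswith("Enter: "):
            pending[tid] = {"user": msg[len("Enter: "):].strip(), "updated": None}
        elif component == "sut_Cache::Refresh" and tid in pending:
            n = UPDATED.search(msg)
            pending[tid]["updated"] = int(n.group(1)) if n else None
        elif component == "secpwd_ErrF" and "wrong credentials" in msg and tid in pending:
            lookup = pending.pop(tid)
            # File was re-read, nothing new was loaded, and the user was rejected.
            if lookup["updated"] == 0 and lookup["user"] in msg:
                findings.append((ts, tid, lookup["user"]))
    return findings


if __name__ == "__main__":
    for ts, tid, user in find_stale_cache_rejections(SAMPLE_LOG):
        print(f"{ts} thread {tid}: {user} rejected after refresh loaded 0 entries")
```
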