
URL:
  <http://savannah.cern.ch/bugs/?88627>

                 Summary: erratic authorization behaviour in xrootdfs and sss security
                 Project: XROOTD
            Submitted by: bdouglas
            Submitted on: 2011-11-08 16:11
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
      Fixed by commit(s): 

    _______________________________________________________

Details:

Hi,

  We are seeing at Duke some intermittent authorization problems
on xrootd dataserver accessed through xrootdfs and fuse.

Here is the salient line in the data server config file -

      sec.protocol /usr/lib64 sss -s /var/spool/xrootd/.xrd/sss_keytab.grp -c /var/spool/xrootd/.xrd/sss_keytab.grp

Here is the content of the key tab file on data server:
[root@atlfs03 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov  2 18:26 /var/spool/xrootd/.xrd/sss_keytab.grp
[root@atlfs03 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
     Number Len Date/Time Created Expires  Keyname User & Group
     ------ --- --------- ------- -------- -------
          1  32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup

Here is the corresponding information on client machine -
[root@atl010 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov  2 16:05 /var/spool/xrootd/.xrd/sss_keytab.grp
[root@atl010 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp 
     Number Len Date/Time Created Expires  Keyname User & Group
     ------ --- --------- ------- -------- -------
          1  32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup

Here is the mount line in /etc/fstab -
xrootdfs  /atlfs03/atlas fuse rdr=root://atlfs03.phy.duke.edu:1094//atlas,uid=54657,sss=/var/spool/xrootd/.xrd/sss_keytab.grp 0 0

Here is a snippet of information from client system log file -
Nov  6 23:07:45 atl010 dhclient: DHCPREQUEST on eth0 to 152.3.57.1 port 67
Nov  6 23:07:45 atl010 dhclient: DHCPACK from 152.3.57.1
Nov  6 23:07:45 atl010 dhclient: bound to 152.3.57.128 -- renewal in 1757 seconds.
Nov  6 23:08:22 atl010 XrootdFS[29441]: WARNING: (f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000020.root.1) failed (errno = 13)
Nov  6 23:08:22 atl010 XrootdFS[29441]: WARNING: (f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000021.root.1) failed (errno = 13)
Nov  6 23:08:22 atl010 XrootdFS[29441]: WARNING:
(f)truncate(root:[log in to unmask]:1094//atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00





Here is a snippet of the data server log file.

111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:08:12 22610 XrootdXeq: 53bc.29441:41@atl010 login as root
111106 23:08:18 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local
111106 23:08:18 22610 XrdLink: Unable to send to 53bc.29441:49@atl010; broken pipe
111106 23:08:18 22610 XrootdXeq: 53bc.29441:49@atl010 disc 0:19:27 (send failure)
111106 23:08:18 22610 acc_Audit: seog.11417:52@atl007 grant unix [log in to unmask] read /atlas/local/chiho/2011/PeriodK/muon/data11_7TeV.00186965.physics_Muons.merge.NTUP_SMWZ.f395_m939_p605_tid491334_00/NTUP_SMWZ.491334._000226.root.1
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 grant sss root@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 deny sss root@? update /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1
111106 23:08:22 22610 ofs_open: 53bc.29441:41@atl010 Unable to open /atlas/local/chiho/2011/PeriodL/egamma/data11_7TeV.00189207.physics_Egamma.merge.NTUP_SMWZ.f404_m980_p716_tid523728_00/NTUP_SMWZ.523728._000019.root.1; Permission denied
1




    _______________________________________________________

Reply to this item at:

  <http://savannah.cern.ch/bugs/?88627>

_______________________________________________
  Message sent via/by LCG Savannah
  http://savannah.cern.ch/
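
Added example, not part of the original report and not XROOTD project code: a small triage script for acc_Audit lines of the shape shown in the data server log above. It reports denials of an operation on a path that the same client process (pid@host) was earlier granted under a different authenticated identity. The field layout is assumed from the quoted lines, and the sample log is constructed from them with shortened paths.

```python
import re
from collections import defaultdict

# Layout assumed from the acc_Audit lines quoted in the report:
# date time tid acc_Audit: tag.pid:fd@host grant|deny proto name@host op path
AUDIT_RE = re.compile(
    r"^\d{6} (?P<time>[\d:]{8}) \d+ acc_Audit: "
    r"[^.\s]+\.(?P<pid>\d+):(?P<fd>\d+)@(?P<chost>\S+) "
    r"(?P<verdict>grant|deny) (?P<proto>\S+) (?P<ident>\S+) "
    r"(?P<op>\S+) (?P<path>\S+)$"
)

# Constructed sample modelled on the report's server log (paths shortened).
SAMPLE_LOG = """\
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local/chiho/f19.root.1
111106 23:07:30 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? update /atlas/local/chiho/f19.root.1
111106 23:08:12 22610 XrootdXeq: 53bc.29441:41@atl010 login as root
111106 23:08:18 22610 acc_Audit: 53bc.29441:49@atl010 grant sss chiho@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 grant sss root@? stat /atlas/local
111106 23:08:22 22610 acc_Audit: 53bc.29441:41@atl010 deny sss root@? update /atlas/local/chiho/f19.root.1
"""


def parse_audit(text):
    """Return one dict per acc_Audit line; other log lines are skipped."""
    return [m.groupdict() for m in map(AUDIT_RE.match, text.splitlines()) if m]


def denied_after_grant(records):
    """Denials of an (op, path) that the same client process (pid@host) was
    earlier granted under a different authenticated identity."""
    granted = defaultdict(set)  # (pid, host, op, path) -> identities granted
    findings = []
    for r in records:
        key = (r["pid"], r["chost"], r["op"], r["path"])
        who = f'{r["proto"]}:{r["ident"]}'
        if r["verdict"] == "grant":
            granted[key].add(who)
        elif granted[key] - {who}:
            findings.append({
                "time": r["time"], "fd": r["fd"], "op": r["op"],
                "path": r["path"], "denied_as": who,
                "granted_as": sorted(granted[key] - {who}),
            })
    return findings


if __name__ == "__main__":
    for f in denied_after_grant(parse_audit(SAMPLE_LOG)):
        print(f)
```
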