
URL:
  <http://savannah.cern.ch/bugs/?93876>

                 Summary: potential sss, xrootdfs interaction problem
                 Project: XROOTD
            Submitted by: bdouglas
            Submitted on: 2012-04-20 08:39
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
      Fixed by commit(s): 

    _______________________________________________________

Details:

Hi,

  We are seeing a bad configuration between sss, xrootdfs and the xrootd daemon
on the data server.

With sss on the xrootdfs mount, a user cannot create a directory that he should
be able to create.

Here are the details for the client machine with the xrootdfs mount:

client machine  
xrootdfs mount:

xrootdfs  /atlfs03/atlas fuse rdr=root://atlfs03.phy.duke.edu:1094//atlas,uid=54657,sss=/var/spool/xrootd/.xrd/sss_keytab.grp 0 0

Contents of sss keytab file on client machine:

[root@atl008 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
     Number Len Date/Time Created Expires  Keyname User & Group
     ------ --- --------- ------- -------- -------
          1  32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup

[root@atl008 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov  2 15:45 /var/spool/xrootd/.xrd/sss_keytab.grp


Here are the details for the server machine:
sss config on server:
xrootd config file -
[root@atlfs03 ~]# grep sss /etc/xrootd/xrootd-clustered.cfg
      # specify the sss authentication module
      sec.protocol /usr/lib64 sss -s /var/spool/xrootd/.xrd/sss_keytab.grp -c /var/spool/xrootd/.xrd/sss_keytab.grp

contents of sss on server

[root@atlfs03 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
     Number Len Date/Time Created Expires  Keyname User & Group
     ------ --- --------- ------- -------- -------
          1  32 11/02/11 11:37:30 -------- phy.duke.edu anybody anygroup

sss file ownership on data server
[root@atlfs03 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
-r--r----- 1 xrootd hep 143 Nov  2 18:26 /var/spool/xrootd/.xrd/sss_keytab.grp

server auth file:
# This means that all the users have read access to the datasets
u * /atlas lr

# This means that all the users have full access to their private dirs
u = /atlas/local/@=/ a


# This means that this privileged user can do everything
# You need at least one user like that, in order to create the
# private dir for each user willing to store his data in the facility
u xrootd /atlas a
u benjamin /atlas a
u root  /atlas a

Here is the relevant part of the xrootd log file:

120419 12:20:08 1879 XrootdXeq: d580.29342:79@atl008 login as goshaw
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat /atlas/local
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat /atlas/local/goshaw
120419 12:20:08 1879 ofs_stat: d580.29342:79@atl008 Unable to locate /atlas/local/goshaw; No such file or directory
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir /atlas/local/goshaw
120419 12:20:08 1879 ofs_mkdir: d580.29342:79@atl008 Unable to mkdir /atlas/local/goshaw; Permission denied
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? create /atlas/local/goshaw
120419 12:20:08 1879 ofs_open: d580.29342:79@atl008 Unable to create /atlas/local/goshaw; Permission denied
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir /atlas/local/goshaw
120419 12:20:08 1879 ofs_mkdir: d580.29342:79@atl008 Unable to mkdir /atlas/local/goshaw; Permission denied
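
An added triage example, not part of the original report or of XRootD: it rejoins mail-wrapped log records and counts acc_Audit denials that hit a user's own private directory. The function names are hypothetical, the audit line layout is inferred from the excerpt above, and the private directory is assumed to be /atlas/local/<login>, as the auth file comments describe.

```python
import re
from collections import Counter

# Subset of the log excerpt in the report, kept with its mail-wrapped line breaks.
SAMPLE_LOG = """\
120419 12:20:08 1879 XrootdXeq: d580.29342:79@atl008 login as goshaw
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat
/atlas/local/goshaw
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir
/atlas/local/goshaw
120419 12:20:08 1879 ofs_mkdir: d580.29342:79@atl008 Unable to mkdir
/atlas/local/goshaw; Permission denied
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? create
/atlas/local/goshaw
120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir
/atlas/local/goshaw
"""

# Every record starts with "YYMMDD HH:MM:SS <thread id> ".
STAMP = re.compile(r"^\d{6} \d{2}:\d{2}:\d{2} \d+ ")
# Layout inferred from the excerpt: client, verdict, protocol, user@host, operation, path.
AUDIT = re.compile(
    r"^\d{6} \d{2}:\d{2}:\d{2} \d+ acc_Audit: (?P<client>\S+) (?P<verdict>grant|deny) "
    r"(?P<proto>\S+) (?P<user>[^@\s]+)@(?P<host>\S+) (?P<op>\S+) (?P<path>\S+)$")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def own_dir_denials(text, private_root="/atlas/local"):
    """Count denied operations on or under the requesting user's own private directory."""
    hits = Counter()
    for m in map(AUDIT.match, unwrap(text)):
        if not m or m["verdict"] != "deny":
            continue
        home = f"{private_root}/{m['user']}"  # assumed layout: <private_root>/<login>
        if m["path"] == home or m["path"].startswith(home + "/"):
            hits[(m["user"], m["op"], m["path"])] += 1
    return hits

if __name__ == "__main__":
    for (user, op, path), n in own_dir_denials(SAMPLE_LOG).items():
        print(f"{user}: {op} {path} denied {n}x")
```
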




