URL: <http://savannah.cern.ch/bugs/?93876>

Summary: potential sss, xrootdfs interaction problem
Project: XROOTD
Submitted by: bdouglas
Submitted on: 2012-04-20 08:39
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Fixed by commit(s):

_______________________________________________________

Details:

Hi,

We are seeing a bad configuration between sss, xrootdfs and the xrootd daemon on the data server. With sss on the xrootdfs mount, a user cannot create a directory that he should be able to create.

Here are the details for the client machine with the xrootdfs mount:

client machine xrootdfs mount:

    xrootdfs /atlfs03/atlas fuse rdr=root://atlfs03.phy.duke.edu:1094//atlas,uid=54657,sss=/var/spool/xrootd/.xrd/sss_keytab.grp 0 0

Contents of sss keytab file on client machine:

    [root@atl008 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
    Number Len Date/Time Created Expires  Keyname       User & Group
    ------ --- ----------------- -------- ------------- ----------------
         1  32 11/02/11 11:37:30 -------- phy.duke.edu  anybody anygroup

    [root@atl008 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
    -r--r----- 1 xrootd hep 143 Nov 2 15:45 /var/spool/xrootd/.xrd/sss_keytab.grp

Here are the details for the server machine:

sss config on server (xrootd config file):

    [root@atlfs03 ~]# grep sss /etc/xrootd/xrootd-clustered.cfg
    # specify the sss authentication module
    sec.protocol /usr/lib64 sss -s /var/spool/xrootd/.xrd/sss_keytab.grp -c /var/spool/xrootd/.xrd/sss_keytab.grp

contents of sss on server:

    [root@atlfs03 ~]# xrdsssadmin list /var/spool/xrootd/.xrd/sss_keytab.grp
    Number Len Date/Time Created Expires  Keyname       User & Group
    ------ --- ----------------- -------- ------------- ----------------
         1  32 11/02/11 11:37:30 -------- phy.duke.edu  anybody anygroup

sss file ownership on data server:

    [root@atlfs03 ~]# ls -l /var/spool/xrootd/.xrd/sss_keytab.grp
    -r--r----- 1 xrootd hep 143 Nov 2 18:26 /var/spool/xrootd/.xrd/sss_keytab.grp

server auth file:

    # This means that all the users have read access to the datasets
    u * /atlas lr
    # This means that all the users have full access to their private dirs
    u = /atlas/local/@=/ a
    # This means that this privileged user can do everything
    # You need at least one user like that, in order to create the
    # private dir for each user willing to store his data in the facility
    u xrootd /atlas a
    u benjamin /atlas a
    u root /atlas a

Here is the relevant part of the xrootd log file:

    120419 12:20:08 1879 XrootdXeq: d580.29342:79@atl008 login as goshaw
    120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat /atlas/local
    120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat /atlas/local/goshaw
    120419 12:20:08 1879 ofs_stat: d580.29342:79@atl008 Unable to locate /atlas/local/goshaw; No such file or directory
    120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir /atlas/local/goshaw
    120419 12:20:08 1879 ofs_mkdir: d580.29342:79@atl008 Unable to mkdir /atlas/local/goshaw; Permission denied
    120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? create /atlas/local/goshaw
    120419 12:20:08 1879 ofs_open: d580.29342:79@atl008 Unable to create /atlas/local/goshaw; Permission denied
    120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir /atlas/local/goshaw
    120419 12:20:08 1879 ofs_mkdir: d580.29342:79@atl008 Unable to mkdir /atlas/local/goshaw; Permission denied

_______________________________________________________
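The report compares the auth file with the acc_Audit decisions by hand. The script below, an added example that is not part of the bug report or of XRootD's own code, does the same check mechanically: it parses the server auth file, applies a deliberately simplified model of its semantics (assumptions: `*` matches any user, a `=` rule substitutes the user name for `@=`, paths match by prefix, the privileges of all applicable rules are unioned, and `stat` needs `l` while `mkdir`/`create` need `i` or `a`), and replays the logged decisions against that model so the inconsistent deny lines stand out.

```python
import re

# Server auth file, copied from the report above.
AUTHDB = """
u * /atlas lr
u = /atlas/local/@=/ a
u xrootd /atlas a
u benjamin /atlas a
u root /atlas a
"""

# acc_Audit lines from the report (constructed sample input for this example).
LOG = [
    "120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 grant sss goshaw@? stat /atlas/local/goshaw",
    "120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? mkdir /atlas/local/goshaw",
    "120419 12:20:08 1879 acc_Audit: d580.29342:79@atl008 deny sss goshaw@? create /atlas/local/goshaw",
]

# Assumed operation -> privilege letter; 'a' covers everything (simplified model).
NEEDS = {"stat": "l", "mkdir": "i", "create": "i"}
AUDIT = re.compile(r"acc_Audit: \S+ (grant|deny) sss (\w+)@\S+ (\w+) (\S+)")

def parse_authdb(text):
    """Return (id, path, privs) for each 'u' rule; '#' starts a comment."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [tuple(t[1:4]) for t in rows if t and t[0] == "u"]

def evaluate(rules, user, op, path):
    """Model decision: union the privileges of every rule whose id and path apply."""
    granted = set()
    for ident, rule_path, privs in rules:
        if ident == "=":                       # template rule: @= becomes the user name
            rule_path = rule_path.replace("@=", user)
        elif ident not in ("*", user):
            continue
        base = rule_path.rstrip("/")           # prefix match; '/x/' also covers '/x'
        if path == base or path.startswith(base + "/"):
            granted |= set(privs)
    return "grant" if {"a", NEEDS[op]} & granted else "deny"

def check_log(rules, log_lines):
    """Return (user, op, path, logged, modelled) for audit lines the model disagrees with."""
    out = []
    for m in filter(None, map(AUDIT.search, log_lines)):
        logged, user, op, path = m.groups()
        modelled = evaluate(rules, user, op, path)
        if modelled != logged:
            out.append((user, op, path, logged, modelled))
    return out
```

`check_log(parse_authdb(AUTHDB), LOG)` returns the two deny lines as mismatches, because under the template rule the user's own directory should carry `a`; the model reproduces the reported symptom, not its root cause.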