This appears to be an issue with the new client only. The client gets the IP address via XrdNetUtils::IPFormat(). In the past, it used to call XrdSysDNS::IPFormat(). The SysDNS method always returned the address in the old ‘[::’ IPV6 format. The NetUtils method always returns it in the new ‘[::ffff’ IPV6 format *unless* you specify the “oldFmt” option. Protocol sss uses the old format as the code originated in that era. So, here the new client is providing the IP address in new format but the protocol expects it in old format.
The simplest fix it would have been to specify the ‘olfFmt’ option in XrdClSocket::GetSockName() but that likely would cause other issues since that sets a generic variable used for many other things; some of which likely require the new format to be set.
The other option is to change XrdProtocolsss to check if the new format is specified and convert it to the old format before sending it out, or perhaps checking both formats on the receiving end. I will look into it.
Lukasz to you agree with my analysis?
Andy
From: Lukasz Janyst
Sent: Tuesday, October 08, 2013 8:27 AM
To: xrootd/xrootd
Subject: [xrootd] SSS auth fails with "IP address mismatch." error message on master (#48)
It looks like the two IP addresses it compares are formated differently:
sec_PM: Using sss protocol, args='0.13:/etc/eos.keytab'
sec_sss: pcitdss1400.cern.ch [::137.138.33.80]:51183 must match pcitdss1400.cern.ch [::ffff:137.138.33.80]:51183
sec_sss: Authenticate: IP address mismatch.
—
Reply to this email directly or view it on GitHub.
—
Reply to this email directly or view it on GitHub.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
