 |
 |
Hi, On Fri, 10 Mar 2017, Fabrizio Furano wrote: > Hi, > > my server was configured only to recognize atlas and dteam, I am not surprised that it rejects lsst... > Ok, that makes sense. I thought it would maybe at least print out what is coming in. > Anyway I see progress, your request came in fine and it's clearly a proxy even if from a VO that > my server does not know. > Ah, good. > Now my questions... > - Do you happen to be allowed to create an atlas or team proxy cert ? Then you may want to try with that one No, unfortunately not > - Was your server (the machine, not xrootd) configured to recognize gridpp or lsst proxies ? > [ it's the stuff in /etc/grid-security/vomsdir plus the ca-policy-egi-core package ] > Yes, it was configured for atlas, gridpp, lsst, lhcb, dteam. This also works when using xrdcp/xrdfs. When going through xrdcp, I see in my logs: 170310 15:04:14 21760 secgsiVOMS_Fun: proxy: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=3266599870 170310 15:04:14 21760 secgsiVOMS_Fun: adding cert: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert 170310 15:04:15 21760 secgsiVOMS_Fun: retrieval successful 170310 15:04:15 21760 secgsiVOMS_Fun: found VO: lsst 170310 15:04:15 21760 secgsiVOMS_Fun: ---> group: '/lsst', role: 'NULL', cap: 'NULL' 170310 15:04:15 21760 secgsiVOMS_Fun: ---> fqan: '/lsst/Role=NULL/Capability=NULL' Something similar is not in the log files when going through https. BTW:I think when you tried the error was because I had on the server still denied listing. It's allowed now and I also put atlas/testfile which should work to get? Cheers, Marcus > Cheers > Fabrizio > > > > On 03/10/2017 02:36 PM, Marcus Ebert wrote: >> Ok, getting the davix-tools was easier than I thought. They are available through a GridPP CernVM. >> However, doing so I get the output: >> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> >> <html xmlns="http://www.w3.org/1999/xhtml"> >> <head> >> <meta http-equiv="content-type" content="text/html;charset=utf-8"/> >> <link rel="stylesheet" type="text/css" href="/static/css/xrdhttp.css"/> >> <link rel="icon" type="image/png" href="/static/icons/xrdhttp.ico"/> >> <title>/</title> >> </head> >> <body> >> <h1>Listing of: /</h1> >> <div id="header"><table id="ft"> >> <thead><tr> >> <th class="mode">Mode</th><th class="flags">Flags</th><th class="size">Size</th><th class="datetime">Modified</th><th >> class="name">Name</th></tr></thead> >> <tr><td class="mode">d--rwx</td><td class="mode">51</td><td class="size">4096</td><td class="datetime">Wed, 26 Nov 2014 15:28:25 >> GMT</td><td class="name"><a href="atlas">atlas</a></td></tr><tr><td class="mode">d--rwx</td><td class="mode">51</td><td >> class="size">4096</td><td class="datetime">Thu, 27 Nov 2014 16:34:50 GMT</td><td class="name"><a >> href="dynafeds_demo">dynafeds_demo</a></td></tr><tr><td class="mode">d--rwx</td><td class="mode">51</td><td >> class="size">167936</td><td class="datetime">Tue, 28 Feb 2017 16:44:54 GMT</td><td class="name"><a >> href="georgios_test">georgios_test</a></td></tr></table></div><br><br><hr size=1><p><span id="requestby">Request by >> /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=157025827 ( DN: /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus >> ebert/CN=157025827 ) ( 94.197.120.22.threembb.co.uk )</span></p> >> <p>Powered by XrdHTTP v20170305-55a66d2 (CERN IT-SDC)</p> >> >> >> Which doesn't say anything about the VO. I tried with an LSST and GridPP proxy. >> voms info gives for example for gridpp VO: >> subject : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert/CN=157025827 >> issuer : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert >> identity : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert >> type : RFC compliant proxy >> strength : 1024 bits >> path : /tmp/x509up_u501 >> timeleft : 11:59:33 >> key usage : Digital Signature, Key Encipherment, Data Encipherment >> === VO gridpp extension information === >> VO : gridpp >> subject : /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert >> issuer : /C=UK/O=eScience/OU=Manchester/L=HEP/CN=voms.gridpp.ac.uk >> attribute : /gridpp/Role=NULL/Capability=NULL >> timeleft : 11:59:33 >> uri : voms.gridpp.ac.uk:15000 >> >> >> Cheers, >> Marcus >> >> On Fri, 10 Mar 2017, Marcus Ebert wrote: >> >>> Thanks Fabrizio! >>> >>> I'll try to get the davix-tools made available first. >>> >>> Cheers, >>> Marcus >>> >>> On Fri, 10 Mar 2017, Fabrizio Furano wrote: >>> >>>> Hi, >>>> >>>> sorry, I missed the other questions, here they are... >>>> >>>> On 03/10/2017 11:08 AM, Marcus Ebert wrote: >>>>> Unfortunaely, I don't have davix-get available on the local desktop. Is > there any lsetup mode for Atlas to make that >>>> available >>>>> (or any other cvmfs path)? >>>> >>>> You can get davix from all the major Linux distributions with their own >>>> tools, apt, yum, ... >>>> >>>> cvmfs certainly has it because it's used, but I cannot help you there, I >>>> have no idea (others may chime in) >>>> >>>>>> Do you get any similar output if you do this with > https://dev2.gridpp.ecdf.ed.ac.uk:1094 ? >>>>> >>>> It gives to me 404 on the root directory, which is a sign of server >>>> misconfiguration (despite xrootd or http) >>>> >>>> >>>>> If I do so in a browser for your test server, it displays: >>>>> Request by /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus ebert ( DN: > /C=UK/O=eScience/OU=Edinburgh/L=NeSC/CN=marcus >>>> ebert ) ( >>>>> 94.197.120.22.threembb.co.uk ) >>>>>> Powered by XrdHTTP v20170305-55a66d2 (CERN IT-SDC) >>>>>> but no VO identification (probably because there is no voms-proxy > available to the browser and it doesn't do a lockup in >>>>> grid-mapfile?) >>>> >>>> Browsers do not support Grid proxies. >>>> The historical workaround for that is the use of a mapfile, as you cite. >>>> Xrdhttp uses the same mapfile >>>> of the rest of the xrootd framework, which is a bit original if one is >>>> used to the ones used e.g. by DPM. >>>> >>>> Anyway I would not go further that way until you have troubleshoot your >>>> client setup. You must be able >>>> to get from my server the same kind of output that I get. >>>> >>>> You can use curl, but it's more complex and less reliable. Please do an >>>> attempt at getting davix. >>>> >>>> Please let me know >>>> Fabrizio >>>> >>>> >>>> >>>> >>> >>> >> > > -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1