Using a credential collection, xrootd seems to try to use the first identity it finds (apparently the latest in the collection?) instead of the one matching the domain, leading to an authentication error. 

How to reproduce:
My `/etc/krb5.conf` contains:
```
[libdefaults]
        default_realm = PHYSIK.UNI-BONN.DE
        default_ccache_name = KEYRING:persistent:%{uid}
```
etc. 

Now, I do:
```
$ kdestroy -A
$ kinit [log in to unmask] -V
Using default cache: persistent:1000:krb_ccache_6Z2D9yK
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ kinit [log in to unmask] -V         
Using new cache: persistent:1000:krb_ccache_PDaIPUf
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ xrdcp some_local.file root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file
zsh: correct 'root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' to 'root//eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' [nyae]? n
[0B/0B][100%][==================================================][0B/s]  
Run: [ERROR] Server responded with an error: [3006] Unable to create file /eos/user/o/ofreyerm/some_dest_file; File exists
```
Ok, so that works. 
Now, I do:
```
$ kdestroy -A
$ kinit [log in to unmask] -V
Using default cache: persistent:1000:krb_ccache_PDaIPUf
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ kinit [log in to unmask] -V
Using new cache: persistent:1000:krb_ccache_F4NVxI4
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ xrdcp some_local.file root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file
zsh: correct 'root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' to 'root//eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' [nyae]? n
[0B/0B][100%][==================================================][0B/s]  
Run: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied
```
So this does not work. 

I am using xrootd 4.5.0 here, and mit-krb5 in version 1.14.2. 

https://github.com/xrootd/xrootd/issues/535
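
When several identities share one credential collection, as in the report above, the cache to use can be chosen by realm instead of relying on whichever cache is currently primary. The following is an added example, not part of the original report and not xrootd code: `ccache_for_realm` is a hypothetical helper, the sample `klist -l` table is constructed, and the realm `CERN.CH` and the effect of `KRB5CCNAME` on the client are assumptions.

```shell
# Added example (not from the original report): pick the credential cache in a
# collection whose principal belongs to a given realm.
# Input on stdin: the table printed by MIT krb5 `klist -l`.
# Output: name of the first non-expired cache for that realm; exit 1 if none.
ccache_for_realm() {
    awk -v realm="$1" '
        NR <= 2 { next }               # two header lines: titles and dashes
        NF < 2  { next }               # blank or malformed line
        $NF == "(Expired)" { next }    # klist marks expired caches this way
        {
            n = split($1, parts, "@")  # realm is the part after the last "@"
            if (n >= 2 && parts[n] == realm) { print $2; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `klist -l` output (principals and cache names invented).
SAMPLE_KLIST='Principal name                 Cache name
--------------                 ----------
alice@PHYSIK.UNI-BONN.DE       KEYRING:persistent:1000:krb_ccache_EXAMPLE1
bob@CERN.CH                    KEYRING:persistent:1000:krb_ccache_EXAMPLE2 (Expired)
alice@CERN.CH                  KEYRING:persistent:1000:krb_ccache_EXAMPLE3'

# Usage against a live collection (assumes the client resolves its cache via
# the krb5 default, which honours KRB5CCNAME; realm CERN.CH is an assumption):
#   KRB5CCNAME=$(klist -l | ccache_for_realm CERN.CH) \
#       xrdcp some_local.file root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file
```

`kswitch -c <cache name>` makes the selected cache primary for the whole collection instead of for a single command.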
