When a credential collection is used, xrootd seems to try to use the first identity it finds (apparently the latest in the collection?) instead of the one matching the domain, leading to an authentication error.

How to reproduce:
My /etc/krb5.conf contains:

[libdefaults]
        default_realm = PHYSIK.UNI-BONN.DE
        default_ccache_name = KEYRING:persistent:%{uid}

etc.

Now, I do:

$ kdestroy -A
$ kinit [log in to unmask] -V
Using default cache: persistent:1000:krb_ccache_6Z2D9yK
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ kinit [log in to unmask] -V         
Using new cache: persistent:1000:krb_ccache_PDaIPUf
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ xrdcp some_local.file root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file
zsh: correct 'root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' to 'root//eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' [nyae]? n
[0B/0B][100%][==================================================][0B/s]  
Run: [ERROR] Server responded with an error: [3006] Unable to create file /eos/user/o/ofreyerm/some_dest_file; File exists

Ok, so that works.
Now, I do:

$ kdestroy -A
$ kinit [log in to unmask] -V
Using default cache: persistent:1000:krb_ccache_PDaIPUf
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ kinit [log in to unmask] -V
Using new cache: persistent:1000:krb_ccache_F4NVxI4
Using principal: [log in to unmask]
Password for [log in to unmask]: 
Authenticated to Kerberos v5
$ xrdcp some_local.file root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file
zsh: correct 'root://eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' to 'root//eosuser.cern.ch//eos/user/o/ofreyerm/some_dest_file' [nyae]? n
[0B/0B][100%][==================================================][0B/s]  
Run: [ERROR] Server responded with an error: [3010] Unable to give access - user access restricted - unauthorized identity used ; Permission denied

So this does not work.

I am using xrootd 4.5.0 here, and mit-krb5 in version 1.14.2.
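To make the expected behaviour concrete, here is an added Python example (not xrootd's or MIT krb5's code) that picks the collection entry whose client realm matches the target host's realm, instead of taking whichever entry comes first. It assumes a constructed `klist -A` listing with placeholder principals (the real ones are masked above) and a constructed `[domain_realm]` mapping; the host-to-realm lookup is a simplified version of what krb5 does.

```python
# Constructed `klist -A` listing for a KEYRING:persistent collection holding
# two principals (placeholder names; the reporter's are masked above).
SAMPLE_KLIST_A = """\
Ticket cache: KEYRING:persistent:1000:krb_ccache_F4NVxI4
Default principal: user@CERN.CH

Ticket cache: KEYRING:persistent:1000:krb_ccache_PDaIPUf
Default principal: user@PHYSIK.UNI-BONN.DE
"""
# Constructed [domain_realm] mapping in krb5.conf style: a leading dot covers
# every host under the domain, no dot means that exact host only.
DOMAIN_REALM = {
    ".cern.ch": "CERN.CH",
    ".physik.uni-bonn.de": "PHYSIK.UNI-BONN.DE",
}
DEFAULT_REALM = "PHYSIK.UNI-BONN.DE"  # as in the reporter's krb5.conf

def parse_klist_collection(text):
    """Return [(ccache, principal), ...] in the order klist prints them."""
    caches, current = [], None
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:") and current is not None:
            caches.append((current, line.split(":", 1)[1].strip()))
            current = None
    return caches

def realm_for_host(host, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Simplified krb5 host-to-realm lookup: exact host, then each dotted
    parent domain, else default_realm (no DNS-based lookup here)."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default

def select_ccache(host, caches):
    """Pick the entry whose client realm equals the target host's realm;
    return None rather than falling back to the first or newest entry."""
    wanted = realm_for_host(host)
    for ccache, principal in caches:
        if principal.rsplit("@", 1)[-1] == wanted:
            return ccache, principal
    return None
```

With the two caches above, `select_ccache("eosuser.cern.ch", ...)` returns the CERN.CH entry regardless of which cache was created last, and returns None when no entry for that realm exists.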

