Will it not be the case that as long as the 1st ticket is the one we want then it will still work?
Luckily not - it seems to be the case that the ticket fetched last wins the race, at least that's what I observe in my example above, and also testing just now on Ubuntu 18.04 and Gentoo.
This means the most common case "works":
- Kerberos ticket from local institution.
- Fetch an addtional TGT from CERN.CH and use xrdcp against eosuser.
However, then any xrdcp to your local institution will fail, until you explicitly fetch a new TGT from them. So the nasty workaround would be to fetch a new, matching TGT directly before using xrdcp
, which kind of defeats the purpose of Kerberos (to prevent having to enter passwords over and over again), but at least makes things work until the bug is fixed.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
{"@context":"http://schema.org","@type":"EmailMessage","potentialAction":{"@type":"ViewAction","target":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055","url":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055","name":"View Issue"},"description":"View this Issue on GitHub","publisher":{"@type":"Organization","name":"GitHub","url":"https://github.com"}}
{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/xrootd/xrootd","title":"xrootd/xrootd","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/xrootd/xrootd"}},"updates":{"snippets":[{"icon":"PERSON","message":"@olifre in #535: \u003e Will it not be the case that as long as the 1st ticket is the one we want then it will still work?\r\n\r\nLuckily not - it seems to be the case that the ticket fetched last wins the race, at least that's what I observe in my example above, and also testing just now on Ubuntu 18.04 and Gentoo. \r\n\r\nThis means the most common case \"works\":\r\n- Kerberos ticket from local institution. \r\n- Fetch an addtional TGT from CERN.CH and use xrdcp against eosuser. \r\n\r\nHowever, then any xrdcp to your local institution will fail, until you explicitly fetch a new TGT from them. So the nasty workaround would be to fetch a new, matching TGT directly before using `xrdcp`, which kind of defeats the purpose of Kerberos (to prevent having to enter passwords over and over again), but at least makes things work until the bug is fixed. "}],"action":{"name":"View Issue","url":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055"}}}
{
"@type": "MessageCard",
"@context": "http://schema.org/extensions",
"hideOriginalBody": "false",
"originator": "AF6C5A86-E920-430C-9C59-A73278B5EFEB",
"title": "Re: [xrootd/xrootd] Kerberos fails with Credential Collection Cache (#535)",
"sections": [
{
"text": "",
"activityTitle": "**Oliver Freyermuth**",
"activityImage": "https://assets-cdn.github.com/images/email/message_cards/avatar.png",
"activitySubtitle": "@olifre",
"facts": [
]
}
],
"potentialAction": [
{
"name": "Add a comment",
"@type": "ActionCard",
"inputs": [
{
"isMultiLine": true,
"@type": "TextInput",
"id": "IssueComment",
"isRequired": false
}
],
"actions": [
{
"name": "Comment",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"IssueComment\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 535,\n\"IssueComment\": \"{{IssueComment.value}}\"\n}"
}
]
},
{
"name": "Close issue",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"IssueClose\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 535\n}"
},
{
"targets": [
{
"os": "default",
"uri": "https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055"
}
],
"@type": "OpenUri",
"name": "View on GitHub"
},
{
"name": "Unsubscribe",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"MuteNotification\",\n\"threadId\": 237419184\n}"
}
],
"themeColor": "26292E"
}
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1