Print

Print

Will it not be the case that as long as the 1st ticket is the one we want then it will still work?

Luckily not - it seems to be the case that the ticket fetched last wins the race, at least that's what I observe in my example above, and also testing just now on Ubuntu 18.04 and Gentoo.

This means the most common case "works":

However, then any xrdcp to your local institution will fail, until you explicitly fetch a new TGT from them. So the nasty workaround would be to fetch a new, matching TGT directly before using xrdcp, which kind of defeats the purpose of Kerberos (to prevent having to enter passwords over and over again), but at least makes things work until the bug is fixed.


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

{"@context":"http://schema.org","@type":"EmailMessage","potentialAction":{"@type":"ViewAction","target":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055","url":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055","name":"View Issue"},"description":"View this Issue on GitHub","publisher":{"@type":"Organization","name":"GitHub","url":"https://github.com"}} {"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/xrootd/xrootd","title":"xrootd/xrootd","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/xrootd/xrootd"}},"updates":{"snippets":[{"icon":"PERSON","message":"@olifre in #535: \u003e Will it not be the case that as long as the 1st ticket is the one we want then it will still work?\r\n\r\nLuckily not - it seems to be the case that the ticket fetched last wins the race, at least that's what I observe in my example above, and also testing just now on Ubuntu 18.04 and Gentoo. \r\n\r\nThis means the most common case \"works\":\r\n- Kerberos ticket from local institution. \r\n- Fetch an addtional TGT from CERN.CH and use xrdcp against eosuser. \r\n\r\nHowever, then any xrdcp to your local institution will fail, until you explicitly fetch a new TGT from them. So the nasty workaround would be to fetch a new, matching TGT directly before using `xrdcp`, which kind of defeats the purpose of Kerberos (to prevent having to enter passwords over and over again), but at least makes things work until the bug is fixed. "}],"action":{"name":"View Issue","url":"https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055"}}} { "@type": "MessageCard", "@context": "http://schema.org/extensions", "hideOriginalBody": "false", "originator": "AF6C5A86-E920-430C-9C59-A73278B5EFEB", "title": "Re: [xrootd/xrootd] Kerberos fails with Credential Collection Cache (#535)", "sections": [ { "text": "", "activityTitle": "**Oliver Freyermuth**", "activityImage": "https://assets-cdn.github.com/images/email/message_cards/avatar.png", "activitySubtitle": "@olifre", "facts": [ ] } ], "potentialAction": [ { "name": "Add a comment", "@type": "ActionCard", "inputs": [ { "isMultiLine": true, "@type": "TextInput", "id": "IssueComment", "isRequired": false } ], "actions": [ { "name": "Comment", "@type": "HttpPOST", "target": "https://api.github.com", "body": "{\n\"commandName\": \"IssueComment\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 535,\n\"IssueComment\": \"{{IssueComment.value}}\"\n}" } ] }, { "name": "Close issue", "@type": "HttpPOST", "target": "https://api.github.com", "body": "{\n\"commandName\": \"IssueClose\",\n\"repositoryFullName\": \"xrootd/xrootd\",\n\"issueId\": 535\n}" }, { "targets": [ { "os": "default", "uri": "https://github.com/xrootd/xrootd/issues/535#issuecomment-398229055" } ], "@type": "OpenUri", "name": "View on GitHub" }, { "name": "Unsubscribe", "@type": "HttpPOST", "target": "https://api.github.com", "body": "{\n\"commandName\": \"MuteNotification\",\n\"threadId\": 237419184\n}" } ], "themeColor": "26292E" }

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1