I've been trying to figure out why sometimes authentication to our XRootD storage still fails whenever the VOMS-role "production" is required - which we require for writing. With debugging active and also `dbg` for `XrdSecgsiVOMSFun`, I finally found this in the logs: ``` secgsi_Authenticate: WARNING: user mapping lookup failed - use DN or DN-hash as name secgsiVOMS_Fun: proxy: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213/CN=3833218252/CN=1560720301 secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213 secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213/CN=3833218252 secgsiVOMS_Fun: retrieval successful secgsiVOMS_Fun: found VO: atlas secgsiVOMS_Fun: ---> group: '/atlas', role: 'production', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas', role: 'NULL', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas/lcg1', role: 'NULL', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas/usatlas', role: 'NULL', cap: 'NULL' secgsiVOMS_Fun: ---> fqan: '/atlas/Role=production/Capability=NULL' secgsiVOMS_Fun: ---> fqan: '/atlas/Role=NULL/Capability=NULL' secgsiVOMS_Fun: ---> fqan: '/atlas/lcg1/Role=NULL/Capability=NULL' secgsiVOMS_Fun: ---> fqan: '/atlas/usatlas/Role=NULL/Capability=NULL' secgsi_Authenticate: VOMS: Entity.vorg: atlas secgsi_Authenticate: VOMS: Entity.grps: /atlas secgsi_Authenticate: VOMS: Entity.role: NULL secgsi_Authenticate: VOMS: Entity.endorsements: /atlas/Role=production/Capability=NULL,/atlas/Role=NULL/Capability=NULL,/atlas/lcg1/Role=NULL/Capability=NULL,/atlas/usatlas/Role=NULL/Capability=NULL ``` So it seems the VOMS proxy authenticating to us has the `production` role and `XrdSecgsiVOMSFun` sees it just fine, but it does not show up in `secgsi_Authenticate`. It rather seems that the role `NULL` is used here. Now I am unsure whether the loss of information happens in the `vomsxrd` library (pinging @gganis on this) or later in XrdSecGSI. Our config file contains: ``` sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=raw|vos=atlas,ops|grps=/atlas,/ops ``` Any ideas what is going wrong here? Or is there a different library that should be used as drop-in replacement for `libXrdSecgsiVOMS` (is that one still maintained)? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1006 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1