I've been trying to figure out why sometimes authentication to our XRootD storage still fails whenever the VOMS-role "production" is required - which we require for writing.
With debugging active and also dbg
for XrdSecgsiVOMSFun
, I finally found this in the logs:
secgsi_Authenticate: WARNING: user mapping lookup failed - use DN or DN-hash as name
secgsiVOMS_Fun: proxy: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213/CN=3833218252/CN=1560720301
secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management
secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213
secgsiVOMS_Fun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ddmadmin/CN=531497/CN=Robot: ATLAS Data Management/CN=1987664213/CN=3833218252
secgsiVOMS_Fun: retrieval successful
secgsiVOMS_Fun: found VO: atlas
secgsiVOMS_Fun: ---> group: '/atlas', role: 'production', cap: 'NULL'
secgsiVOMS_Fun: ---> group: '/atlas', role: 'NULL', cap: 'NULL'
secgsiVOMS_Fun: ---> group: '/atlas/lcg1', role: 'NULL', cap: 'NULL'
secgsiVOMS_Fun: ---> group: '/atlas/usatlas', role: 'NULL', cap: 'NULL'
secgsiVOMS_Fun: ---> fqan: '/atlas/Role=production/Capability=NULL'
secgsiVOMS_Fun: ---> fqan: '/atlas/Role=NULL/Capability=NULL'
secgsiVOMS_Fun: ---> fqan: '/atlas/lcg1/Role=NULL/Capability=NULL'
secgsiVOMS_Fun: ---> fqan: '/atlas/usatlas/Role=NULL/Capability=NULL'
secgsi_Authenticate: VOMS: Entity.vorg: atlas
secgsi_Authenticate: VOMS: Entity.grps: /atlas
secgsi_Authenticate: VOMS: Entity.role: NULL
secgsi_Authenticate: VOMS: Entity.endorsements: /atlas/Role=production/Capability=NULL,/atlas/Role=NULL/Capability=NULL,/atlas/lcg1/Role=NULL/Capability=NULL,/atlas/usatlas/Role=NULL/Capability=NULL
So it seems the VOMS proxy authenticating to us has the production
role and XrdSecgsiVOMSFun
sees it just fine, but it does not show up in secgsi_Authenticate
.
It rather seems that the role NULL
is used here.
Now I am unsure whether the loss of information happens in the vomsxrd
library (pinging @gganis on this) or later in XrdSecGSI.
Our config file contains:
sec.protocol /usr/lib64 gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/dev/null -cert:/etc/grid-security/hostcert.pem -key:/etc/grid-security/hostkey.pem -certdir:/etc/grid-security/certificates -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=raw|vos=atlas,ops|grps=/atlas,/ops
Any ideas what is going wrong here?
Or is there a different library that should be used as drop-in replacement for libXrdSecgsiVOMS
(is that one still maintained)?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1