I am testing the xrootd 5.0-rc2 and having issues when turning TLS on. I am using a cache -> origin architecture.

On the cache, I have no special configuration. It is OSG's build: xrootd-server-5.0.0-0.rc2.2.osgup.el7.x86_64. The cache has the proxy line removed, so it cannot use a proxy to force other authentication methods.

On the origin, I have the TLS lines:

xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca noverify
xrd.trace all
xrd.trace tls
xrd.protocol tls xrootd:1095 *

The origin also has gsi enabled. Same version of xrootd as the cache.

Cache Log

200501 00:14:32 13399 XrdInet: Accepted connection from 161@natnode
200501 00:14:32 13399 XrdProtLoad: matched port 8443 protocol http
200501 00:14:32 13399 anon:161@natnode XrdPoll: FD 161 attached to poller 0; num=1
200501 00:14:32 13399 XrootdBridge: unknown.1:161@natnode login as nobody
200501 00:14:32 13399 unknown.1:161@natnode ofs_stat:  fn=/hcc/PROTECTED/dweitzel-test/blah2.txt
[2020-05-01 00:14:33.148553 +0000][Error  ][XRootDTransport   ] [p0@origin:1095.0] No protocols left to try
[2020-05-01 00:14:33.148609 +0000][Error  ][AsyncSock         ] [p0@origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
[2020-05-01 00:14:33.148660 +0000][Error  ][PostMaster        ] [p0@origin:1095] elapsed = 0, pConnectionWindow = 120 seconds.
[2020-05-01 00:14:33.148682 +0000][Error  ][PostMaster        ] [p0@origin:1095] Unable to recover: [FATAL] Auth failed.
[2020-05-01 00:14:33.148689 +0000][Error  ][XRootD            ] [p0@origin:1095] Impossible to send message kXR_stat (path: /hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&oss.lcl=1&pss.tid=http, flags: none). Trying to recover.
200501 00:14:33 13399 ofs_stat: unknown.1:161@natnode Unable to locate /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
200501 00:14:33 13399 unknown.1:161@natnode XrootdResponse: sending err 3010: Unable to locate /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
200501 00:14:33 13399 unknown.1:161@natnode ofs_open: 0-600 fn=/hcc/PROTECTED/dweitzel-test/blah2.txt
[2020-05-01 00:14:33.174253 +0000][Error  ][XRootDTransport   ] [origin:1095.0] No protocols left to try
[2020-05-01 00:14:33.174280 +0000][Error  ][AsyncSock         ] origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
[2020-05-01 00:14:33.174323 +0000][Error  ][PostMaster        ] [origin:1095] elapsed = 0, pConnectionWindow = 120 seconds.
[2020-05-01 00:14:33.174334 +0000][Error  ][PostMaster        ] [origin:1095] Unable to recover: [FATAL] Auth failed.
[2020-05-01 00:14:33.174339 +0000][Error  ][XRootD            ] [origin:1095] Impossible to send message kXR_open (file: /hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&oss.lcl=1&pss.tid=http, mode: 00, flags: kXR_open_read kXR_async kXR_retstat ). Trying to recover.
200501 00:14:33 13399 Posix_Open: [FATAL] Auth failed open root://origin:1095//hcc/PROTECTED/dweitzel-test/blah2.txt?authz=Bearer%20biglongbearertoken&pss.tid=http&oss.lcl=1
200501 00:14:33 13399 ofs_open: unknown.1:161@natnode Unable to open /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
200501 00:14:33 13399 unknown.1:161@natnode XrootdResponse: sending err 3010: Unable to open /hcc/PROTECTED/dweitzel-test/blah2.txt; permission denied
200501 00:14:33 13399 unknown.1:161@natnode ofs_close: use=0 fn=dummy
200501 00:14:33 13399 XrootdXeq: unknown.1:161@natnode disc 0:00:01 (send failure)
200501 00:14:33 13399 unknown.1:161@natnode XrdPoll: FD 161 detached from poller 0; num=0

Origin Log

200501 00:14:33 20363 XrdInet: Accepted connection from 141@cachenode
200501 00:14:33 20363 XrdProtLoad: matched port 1095 protocol xroot
200501 00:14:33 20363 anon:141@cachenode XrdPoll: FD 141 attached to poller 0; num=1
200501 00:14:33 20363 XrootdXeq: p0.13393:141@cachenode disc 0:00:00
200501 00:14:33 20363 p0.13393:141@cachenode XrdPoll: FD 141 detached from poller 0; num=0
200501 00:14:33 20364 XrdInet: Accepted connection from 143@cachenode
200501 00:14:33 20993 XrdSched: running main accept inq=0
200501 00:14:33 20364 XrdProtLoad: matched port 1095 protocol xroot
200501 00:14:33 20364 anon:143@cachenode XrdPoll: FD 143 attached to poller 0; num=1
200501 00:14:33 20364 XrootdXeq: xrootd.13393:143@cachenode disc 0:00:00
200501 00:14:33 20364 xrootd.13393:143@cachenode XrdPoll: FD 143 detached from poller 0; num=0

I'm not sure if the TLS is conflicting with gsi? What further debugging information would be useful?
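
Added example, not part of the original report and not XRootD project code: a small triage helper for logs in the two formats shown above. It redacts the `authz=` bearer token that the client library writes into request URLs before a log is shared, and counts "Socket error while handshaking" lines per endpoint. The sample lines, the token value, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the two line formats seen in the cache log above;
# the path and token value are made up.
SAMPLE_LOG = """\
200501 00:14:32 13399 XrdProtLoad: matched port 8443 protocol http
[2020-05-01 00:14:33.148609 +0000][Error  ][AsyncSock         ] [p0@origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
[2020-05-01 00:14:33.148689 +0000][Error  ][XRootD            ] [p0@origin:1095] Impossible to send message kXR_stat (path: /data/f.txt?authz=Bearer%20abc.DEF-123&oss.lcl=1&pss.tid=http, flags: none). Trying to recover.
[2020-05-01 00:14:33.174280 +0000][Error  ][AsyncSock         ] [origin:1095.0] Socket error while handshaking: [FATAL] Auth failed
200501 00:14:33 13399 Posix_Open: [FATAL] Auth failed open root://origin:1095//data/f.txt?authz=Bearer%20abc.DEF-123&pss.tid=http
"""

# authz=<value>, up to the next query separator, comma, paren or whitespace
AUTHZ_RE = re.compile(r"(authz=)[^&\s,)]+")
# Client-library line: [timestamp][level][topic] [endpoint] message
CLIENT_RE = re.compile(r"^\[[^\]]+\]\[(\w+)\s*\]\[(\w+)\s*\] \[([^\]]+)\] (.*)$")


def redact(text):
    """Replace every authz= value (the bearer token) with a fixed marker."""
    return AUTHZ_RE.sub(r"\1REDACTED", text)


def handshake_failures(text):
    """Count AsyncSock handshake errors per host:port."""
    counts = Counter()
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m and m.group(2) == "AsyncSock" and "while handshaking" in m.group(4):
            endpoint = m.group(3).split("@")[-1]      # drop the "p0@" prefix
            endpoint = re.sub(r"\.\d+$", "", endpoint)  # drop the trailing ".N"
            counts[endpoint] += 1
    return counts


if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    for endpoint, n in handshake_failures(SAMPLE_LOG).items():
        print(f"{endpoint}: {n} handshake failure(s)")
```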

