Hi,
in my xrootd data server v4.11.3, I have inconsistent handling of X.509 authentication.
The inconsistency is that the first three xrdcp attempts are handled successfully (see [1]), while the following attempts fail authentication (see [2]).
In addition, once there has been no request for a while, three attempts again pass successfully. The service was not restarted.
This was reproduced multiple times with xrootd v4.11.3.
[1] This is the log in a successful authentication case:
200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK
[2] And this if it fails:
200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY
Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user
The relevant part of the config, tested with both crl:0 and crl:1:
xrootd.seclib /usr/lib64/libXrdSec-4.so
sec.protocol /usr/lib64 gsi \
-certdir:/etc/grid-security/certificates/ \
-cert:/etc/grid-security/xrd//cert_31408_dclxwp2dlds1.gsi.de.pem \
-key:/etc/grid-security/xrd//privKey_31408_dclxwp2dlds1.gsi.de.pem \
-crl:1 \
-authzfun:libXrdLcmaps.so \
-authzfunparms:lcmapscfg=/etc/lcmaps.db,loglevel=5,policy=authorize_only \
-gmapopt:10 \
-gmapto:0
acc.authdb /etc/xrootd/auth_file
ofs.authorize
I wonder why I get a CRL-related error with either config option (0 or 1).
Any ideas why it is behaving inconsistently?
Cheers,
Paul
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1
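The failing excerpt in [2] says the Globus callback module could not verify the available CRL, and the OpenSSL line underneath ("no start line") means some PEM file it tried to read did not parse at all. Before looking at xrootd's own CRL handling, a practitioner would want to confirm the files in -certdir are sound: every <hash>.r<N> CRL should parse, be inside its lastUpdate/nextUpdate window, and carry a valid signature from the sibling <hash>.<N> CA certificate. The checker below is an added example written for this thread with the Python cryptography library; it is not xrootd, Globus or LCMAPS code, and it reports only file-level problems, so it cannot by itself explain why three requests pass before the failures start. build_demo_certdir() constructs a throwaway certdir with fixed, made-up hash prefixes (a real certdir names files by openssl x509 -subject_hash) so the script runs offline.

```python
"""Check the CRLs in a GSI certdir: parse each <hash>.r<N> file, locate the
sibling <hash>.<N> CA certificate, verify the CRL signature and its validity
window.  Added example using the Python cryptography library; not xrootd or
Globus code."""
import datetime
import glob
import os
import sys
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
PEM = serialization.Encoding.PEM


def _aware(dt):
    """Normalise a CRL timestamp to aware UTC (older cryptography releases
    return naive UTC datetimes, newer ones offer *_utc properties)."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def check_crl_dir(certdir, now=None):
    """Return {crl filename: status}; status is one of ok, expired,
    not-yet-valid, bad-signature, unparseable, no-ca-cert."""
    now = now or datetime.datetime.now(UTC)
    results = {}
    for crl_path in sorted(glob.glob(os.path.join(certdir, "*.r[0-9]"))):
        name = os.path.basename(crl_path)
        stem, suffix = name.rsplit(".", 1)
        ca_path = os.path.join(certdir, f"{stem}.{suffix[1:]}")  # abcd1234.r0 -> abcd1234.0
        try:
            with open(crl_path, "rb") as fh:
                crl = x509.load_pem_x509_crl(fh.read())
        except ValueError:
            results[name] = "unparseable"  # the case OpenSSL reports as "no start line"
            continue
        if not os.path.exists(ca_path):
            results[name] = "no-ca-cert"
            continue
        with open(ca_path, "rb") as fh:
            ca = x509.load_pem_x509_certificate(fh.read())
        last_update = getattr(crl, "last_update_utc", None) or crl.last_update
        next_update = getattr(crl, "next_update_utc", None) or crl.next_update
        if not crl.is_signature_valid(ca.public_key()):
            results[name] = "bad-signature"
        elif next_update is not None and _aware(next_update) < now:
            results[name] = "expired"
        elif _aware(last_update) > now:
            results[name] = "not-yet-valid"
        else:
            results[name] = "ok"
    return results


def _make_ca(common_name):
    """Self-signed CA for the constructed demo directory."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def _make_crl(issuer_cert, signing_key, last_update, next_update):
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer_cert.subject)
            .last_update(last_update).next_update(next_update)
            .sign(signing_key, hashes.SHA256()))


def build_demo_certdir():
    """Constructed test data (not real grid CAs): one valid, one expired, one
    wrongly signed and one corrupt CRL, under made-up hash prefixes."""
    certdir = tempfile.mkdtemp(prefix="certdir-")
    now, day = datetime.datetime.now(UTC), datetime.timedelta(days=1)
    ca_key, ca = _make_ca("Demo CA")
    other_key, _ = _make_ca("Unrelated CA")  # its key signs the bad-signature CRL
    crls = {
        "11111111": _make_crl(ca, ca_key, now - day, now + 30 * day).public_bytes(PEM),
        "22222222": _make_crl(ca, ca_key, now - 60 * day, now - 30 * day).public_bytes(PEM),
        "33333333": _make_crl(ca, other_key, now - day, now + 30 * day).public_bytes(PEM),
        "44444444": b"this is not a CRL\n",
    }
    for prefix, crl_bytes in crls.items():
        with open(os.path.join(certdir, f"{prefix}.0"), "wb") as fh:
            fh.write(ca.public_bytes(PEM))
        with open(os.path.join(certdir, f"{prefix}.r0"), "wb") as fh:
            fh.write(crl_bytes)
    return certdir


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_certdir()
    for crl_name, status in check_crl_dir(target).items():
        print(f"{status:14} {crl_name}")
```

Run it as `python check_crls.py /etc/grid-security/certificates/` on the real directory; anything other than "ok" is a file the Globus verifier will also reject. The same window check can be done per file with `openssl crl -noout -lastupdate -nextupdate -in <hash>.r0`, which is handy for a quick look at a single CA, and a CRL that flips between "ok" and "expired" across runs points at the fetch-crl refresh cadence rather than at xrootd.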