Hi,

-crl:1 means xrootd's GSI plugin won't enforce the CRL if it is missing. The error (from the globus library) indicates that the lcmaps plugin was checking the CRL. Lcmaps is a plugin and therefore may have its own control over the use of CRLs.

regards,
--
Wei Yang  |  [log in to unmask]<mailto:[log in to unmask]>  |  650-926-3338(O)
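A server-side check that follows from the point above, added here as an example and not code from the thread, from xrootd or from lcmaps: it audits the CRLs under a certificates directory so that a stale or unverifiable CRL (the case behind "Invalid CRL: Couldn't verify that the available CRL is valid") can be told apart from a CRL that is simply absent, which -crl:1 tolerates. It assumes OpenSSL's hashed layout (<hash>.0 is the CA certificate, <hash>.r0 its CRL), the openssl CLI on PATH, and GNU date.

```shell
#!/bin/sh
# Added example, not from xrootd or lcmaps. Audits CRLs in a grid-security
# certificates directory in OpenSSL's hashed layout: <hash>.0 is the CA
# certificate, <hash>.r0 the CRL it issued. Needs the openssl CLI and GNU date.

# check_crl CERTDIR CRLFILE: print a one-line verdict, return 0 only if usable.
check_crl() {
    certdir=$1
    crl=$2
    ca="$certdir/$(basename "$crl" .r0).0"
    if [ ! -f "$ca" ]; then
        echo "$crl: no issuer certificate $ca in $certdir"
        return 1
    fi
    # Signature check: the CRL must verify against the CA carrying the same hash.
    if ! openssl crl -in "$crl" -noout -CAfile "$ca" -verify 2>&1 | grep -q 'verify OK'; then
        echo "$crl: signature does not verify against $ca"
        return 1
    fi
    # Freshness check: once nextUpdate has passed, verifiers reject the CRL.
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    if [ "$(date -d "$next" +%s)" -le "$(date +%s)" ]; then
        echo "$crl: expired (nextUpdate=$next)"
        return 1
    fi
    echo "$crl: ok (nextUpdate=$next)"
    return 0
}

# check_certdir CERTDIR: check every CRL present; return 1 if any is unusable.
# A directory with no CRLs at all passes (that is the case -crl:1 accepts).
check_certdir() {
    rc=0
    for f in "$1"/*.r0; do
        [ -e "$f" ] || continue
        check_crl "$1" "$f" || rc=1
    done
    return $rc
}

# Usage: sh check_crls.sh /etc/grid-security/certificates
if [ $# -eq 1 ]; then
    check_certdir "$1"
fi
```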

On 5/17/20, 1:10 PM, "pkramp" <[log in to unmask]<mailto:[log in to unmask]>> wrote:


Hi,

In my xrootd data server v4.11.3, I see inconsistent handling of X.509 authentication.

The inconsistency is that the first three xrdcp attempts are handled successfully (see [1]), while the following attempts fail authentication (see [2]).

In addition, once there has been no request for a while, three attempts again pass successfully. The service was not restarted.
This was reproduced multiple times with xrootd v4.11.3.

[1] This is the log in a successful authentication case:

200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK

[2] And this is the log if it fails:

200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY
Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user


The relevant part of the config, tested with crl:0 and crl:1:

xrootd.seclib /usr/lib64/libXrdSec-4.so
sec.protocol /usr/lib64 gsi \
   -certdir:/etc/grid-security/certificates/ \
   -cert:/etc/grid-security/xrd//cert_31408_dclxwp2dlds1.gsi.de.pem \
   -key:/etc/grid-security/xrd//privKey_31408_dclxwp2dlds1.gsi.de.pem \
   -crl:1 \
   -authzfun:libXrdLcmaps.so \
   -authzfunparms:lcmapscfg=/etc/lcmaps.db,loglevel=5,policy=authorize_only \
   -gmapopt:10 \
   -gmapto:0

acc.authdb /etc/xrootd/auth_file
ofs.authorize


I wonder why I get a CRL-related error with either config option, 0 or 1.
Any ideas why it is behaving inconsistently?

Cheers,
Paul

Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1197#issuecomment-629927879