Hi,
-crl:1 means xrootd’s GSI plugin won’t enforce CRL if it is missing. The error (from globus library) indicates that lcmaps plugin was checking CRL. Lcmaps is a plugin and therefore may have its own control over the use of CRL.
regards,
--
Wei Yang | [log in to unmask]<mailto:[log in to unmask]> | 650-926-3338(O)
On 5/17/20, 1:10 PM, "pkramp" <[log in to unmask]<mailto:[log in to unmask]>> wrote:
Hi,
in my xrootd-dataserver v4.11.3, I have an inconsistent handling of x509 authentication.
The inconsistency is that the first three xrdcp attempts are handled successfully (see [1]), while the following attempts get a failed authentication (see [2]).
In addition, once there has not been a request in a while, three attempts are again able to pass successfully. The service was not restarted.
This was reproduced multiple times with xrootd v4.11.3.
[1] This is the log in a successful authentication case:
200514 16:00:52 15437 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
INFO in AuthzKey: Returning '/C=DE/O=GermanGrid/OU=GSI/CN=Paul-Niklas Kramp::escape:/escape,/escape/fair,::' of length 78 as key.
200514 16:00:52 15437 pkramp.15543:40@dclxwp2dlds1 XrootdResponse: 0000 sending OK
[2] And this if it fails:
200514 16:01:00 15413 secgsi_Authenticate: VOMS: Entity.endorsements: /escape/Role=NULL/Capability=NULL,/escape/fair/Role=NULL/Capability=NULL
Failed to validate credentials.
Globus error: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Invalid CRL: Couldn't verify that the available CRL is valid
OpenSSL Error: pem_lib.c:707: in library: PEM routines, function PEM_read_bio: no start line Expecting: ANY PRIVATE KEY
Globus chain verification failure.
ERROR in AuthzKey: Key verification failed.
200514 16:01:00 15413 secgsi_Authenticate: ERROR: unable to get the key associated to this user
The part of the config, tested with crl:0 and crl:1:
xrootd.seclib /usr/lib64/libXrdSec-4.so
sec.protocol /usr/lib64 gsi \
-certdir:/etc/grid-security/certificates/ \
-cert:/etc/grid-security/xrd//cert_31408_dclxwp2dlds1.gsi.de.pem \
-key:/etc/grid-security/xrd//privKey_31408_dclxwp2dlds1.gsi.de.pem \
-crl:1 \
-authzfun:libXrdLcmaps.so \
-authzfunparms:lcmapscfg=/etc/lcmaps.db,loglevel=5,policy=authorize_only \
-gmapopt:10 \
-gmapto:0
acc.authdb /etc/xrootd/auth_file
ofs.authorize
I wonder why I get a crl related error, with the config options 0 or 1.
Any ideas why it is behaving inconsistently?
Cheers,
Paul
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<https://github.com/xrootd/xrootd/issues/1197>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABHVGA6MQNVDJI3ZYK3BB5DRSBAC5ANCNFSM4NDRCQWQ>.
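The failing trace in [2] rejects the CRL itself ("Couldn't verify that the available CRL is valid") rather than the user certificate, so a first check in /etc/grid-security/certificates/ is whether every CA hash has a CRL at all and whether its nextUpdate has already passed. The script below is an added example, not code from the thread or from xrootd, lcmaps or globus; it assumes the usual OpenSSL hash-directory layout (hash.0 CA certificate, hash.r0 CRL) and inspects only the CRL validity window, not the CRL signature.

```python
import base64, datetime, pathlib
UTC = datetime.timezone.utc

def _tlv(buf, pos=0):                      # decode one DER TLV -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):                     # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode(), fmt).replace(tzinfo=UTC)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280 section 5.1)."""
    _, tbs, _ = _tlv(_tlv(der)[1])         # CertificateList -> tbsCertList
    tag, _, pos = _tlv(tbs)                # optional version INTEGER, else signature
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    tag, val, pos = _tlv(tbs, pos)         # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_update = _time(*_tlv(tbs, pos)[:2])
    return this_update, next_update

def crl_status(der, now=None):
    """'ok', or why a CRL-enforcing verifier rejects this CRL at `now` (default: current time)."""
    now = now or datetime.datetime.now(UTC)
    this_update, next_update = crl_validity(der)
    if next_update is not None and next_update < now:
        return f"CRL expired at {next_update:%Y-%m-%d %H:%M}Z"
    return "ok" if this_update <= now else "CRL not yet valid"

def check_certdir(certdir, now=None):      # hash.N CA file -> state of its CRL hash.rN
    certdir, report = pathlib.Path(certdir), {}
    for ca in sorted(certdir.glob("*.[0-9]")):
        crl = ca.with_name(ca.stem + ".r" + ca.suffix[1:])
        if not crl.exists():
            report[ca.name] = "missing CRL"
            continue
        data = crl.read_bytes()
        if b"-----BEGIN X509 CRL-----" in data:                 # PEM, as shipped in certdirs
            body = data.split(b"-----BEGIN X509 CRL-----")[1].split(b"-----END")[0]
            data = base64.b64decode(b"".join(body.split()))
        report[ca.name] = crl_status(data, now)
    return report

# Constructed, not a real CRL (empty issuer, unsigned): window 2020-05-01..2020-05-10, stale by the 2020-05-14 log date.
SAMPLE_CRL = b"\x30\x27\x30\x25\x02\x01\x01\x30\x00\x30\x00\x17\x0d200501000000Z\x17\x0d200510000000Z"
```

Run `check_certdir("/etc/grid-security/certificates")` on the data server; any entry other than "ok" is a CA whose CRL a strict verifier will not accept regardless of the -crl setting on the xrootd side.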
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1