Print

Print
Hi,

XRootD 5 (together with dmlite 1.14.1) was pushed in EPEL and for CMS you'll probably need at least compatible xrootd-cmstfc plugin compiled for this XRootD version. In dpm-users mailing list there was a link to OSG build system https://koji.chtc.wisc.edu/koji/buildinfo?buildID=13957

Also libXrdSecgsiAUTHZVO-4.so doesn't look like right library for XRootD 5 but XRootD is probably clever enough to find right version. On the other side we use libXrdSecgsiVOMS.so from xrootd-voms package with
sec.protocol /usr/lib64 gsi -crl:3 -key:/etc/grid-security/dpmmgr/dpmkey.pem -cert:/etc/grid-security/dpmmgr/dpmcert.pem -md:sha256:sha1 -ca:2 -gmapopt:10 -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so
but our site doesn't provide storage for CMS experiment so I can't 100% guarantee this is right configuration also for you.

I just tried libXrdSecgsiAUTHZVO on our testbed and I'm getting same error:
201102 10:28:17 25907 XrdInet: Accepted connection from [log in to unmask]
201102 10:28:17 25907 XrdProtLoad: matched port 1094 protocol xroot
201102 10:28:17 25907 anon.0:31@ui1 XrdPoll: FD 31 attached to poller 0; num=2
201102 10:28:17 25906 XrdSched: running main accept inq=0
INFO in AuthzKey: Returning creds of len 9396 as key.
AuthzVO: Invalid cert; vo missing
201102 10:28:17 25907 secgsi_Authenticate: ERROR: the authz plug-in reported failure
201102 10:28:17 25907 XrootdXeq: User authentication failed;

Petr

On 11/2/20 9:47 AM, "Geonmo Ryu" wrote:
[log in to unmask]">

Hello, Yang.

 

Our XRootD version is, 

 

Old version is "4.12.2-1.el7" 

New version is : "5.0.2-1.el7"

 

By the way, it doesn't work well with non-eXtended attribute (NoXA) storage after the upgrade.

 

I know xrootd team warned me to change it for a long time, but can't you still set it up to be compatible?

 

Regards,

 


--------------------------------------------------------------------------------------------------
Geonmo Ryu / 류건모

Korea Institute of Science and Technology Information (KISTI)
Global Science experimental Data hub Center (GSDC)
245 Daehak-ro, Yuseong-gu, Daejeon, 305-806, Republic of Korea
Tel :  +82-42-869-1639
E-mail: (CMS Helpdesk) [log in to unmask] / (Contact) [log in to unmask]
-------------------------------------------------------------------------------------------------- 

 

 

 

 

 

 

-----------------------원본 메세지-----------------------
보낸사람: "Yang, Wei "<[log in to unmask]>
받는사람: "Geonmo Ryu" <[log in to unmask]>,xrootd-l <[log in to unmask]>
보낸시간: 2020-11-02 17:28:45 GMT +0900 (ROK)
제목: Re: After updating XRootD Package, I would like to inquire about the failure of authentication using GSI certificate.

 

 

Hi Geonmo,

 

What version of Xrootd you were running (if that works) and what version of Xrootd you are running now that doesn’t work?

 

regards,

--

Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

 

On 11/1/20, 10:46 PM, "[log in to unmask] on behalf of "Geonmo Ryu"" <[log in to unmask] on behalf of [log in to unmask]> wrote:

 

Hello, XRootD users,

 

I am contacting you because GSI has not been authenticated since the XRootD package was automatically updated.

 

We are using the XRootD Proxy Server for a global federation of CMS experiment.

 

The authentication of the server has problems.

 

The log is as follows: Please contact me if you need the entire log.

 

201102 15:33:21 6455 secgsi_Authenticate: ERROR: the authz plug-in reported failure

201102 15:33:21 6455 XrootdXeq: User authentication failed;

201102 15:33:21 6455 geonmo.11757:25@cms-t2-se01 XrootdResponse: sending err 3030: 

201102 15:33:21 6455 XrootdXeq: geonmo.11757:25@cms-t2-se01 disc 0:00:00

201102 15:33:21 44816 geonmo.11757:24@cms-t2-se01 XrootdProtocol: more auth requested; sz=2699

INFO in AuthzKey: Returning creds of len 7588 as key.

AuthzVO: Invalid cert; vo missing

 

The xrootd configuration for GSI auth is,

 

# X509 configuration, change nothing

xrootd.seclib /usr/lib64/libXrdSec.so

sec.protocol /usr/lib64 gsi -authzfun:/usr/lib64/libXrdSecgsiAUTHZVO-4.so -gmapopt:10 -gmapto:0 -ca:1 -crl:1 -authzfunparms:debug=1,valido=cms,vo2grp=%s

acc.authdb /etc/xrootd/auth_file

acc.authrefresh 60

ofs.authorize

 

Regards,

 

 

--------------------------------------------------------------------------------------------------
Geonmo Ryu / 류건모

Korea Institute of Science and Technology Information (KISTI)
Global Science experimental Data hub Center (GSDC)
245 Daehak-ro, Yuseong-gu, Daejeon, 305-806, Republic of Korea
Tel :  +82-42-869-1639
E-mail: (CMS Helpdesk) [log in to unmask] / (Contact) [log in to unmask]
-------------------------------------------------------------------------------------------------- 

 

 

 

 

 

 

Image removed by sender.

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

 

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

 


Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1



Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1