Hi Geonme,

As Petr Vokac said in his reply, libXrdSecgsiAUTHZVO-4.so is a very old one and we are not even sure whether it works correctly in Xrootd 5. Apologies for the incompatibility.

If you will be using VOMS or gridmap file, we suggest that you switch to the new libXrdSecgsiVOMS.so library. An example here is

sec.protparm gsi -vomsfun:libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=cms|grps=/cms|grpopt=10

sec.protocol gsi -dlgpxy:1 -exppxy:=creds -ca:1 -crl:3 -gridmap:/etc/grid-security/grid-mapfile

Another thing you may want to pay attention is the library naming convention in xrootd. In generate, plugin libraries in xrootd release 5 look like libXrdABC-5.so. If you config file spec a plugin library libXrdABC.so, then xrootd will first try loading libXrdABC-5.so. If that can’t be found, it will try libXrdABC.so. But if your config file specify libXrdABC-5.so, xrootd will only look at libXrdABC-5.so, and will not search libXrdABC.so.

Similarly, xrootd release 4 will look at -4. So we suggest users to put libXrdABC.so in the config file to make them compatible across Xrootd major releases.

Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

-----------------------원본 메세지-----------------------
보낸사람: "Yang, Wei "<[log in to unmask]>
받는사람: "Geonmo Ryu" <[log in to unmask]>,xrootd-l <[log in to unmask]>
보낸시간: 2020-11-02 17:28:45 GMT +0900 (ROK)
제목: Re: After updating XRootD Package, I would like to inquire about the failure of authentication using GSI certificate.

 

 

Hi Geonmo,

 

What version of Xrootd you were running (if that works) and what version of Xrootd you are running now that doesn’t work?

 

regards,

--

Wei Yang  |  [log in to unmask]  |  650-926-3338(O)

 

On 11/1/20, 10:46 PM, "[log in to unmask] on behalf of "Geonmo Ryu"" <[log in to unmask] on behalf of [log in to unmask]> wrote:

 

Hello, XRootD users,

 

I am contacting you because GSI has not been authenticated since the XRootD package was automatically updated.

 

We are using the XRootD Proxy Server for a global federation of CMS experiment.

 

The authentication of the server has problems.

 

The log is as follows: Please contact me if you need the entire log.

 

201102 15:33:21 6455 secgsi_Authenticate: ERROR: the authz plug-in reported failure

201102 15:33:21 6455 XrootdXeq: User authentication failed;

201102 15:33:21 6455 geonmo.11757:25@cms-t2-se01 XrootdResponse: sending err 3030: 

201102 15:33:21 6455 XrootdXeq: geonmo.11757:25@cms-t2-se01 disc 0:00:00

201102 15:33:21 44816 geonmo.11757:24@cms-t2-se01 XrootdProtocol: more auth requested; sz=2699

INFO in AuthzKey: Returning creds of len 7588 as key.

AuthzVO: Invalid cert; vo missing

 

The xrootd configuration for GSI auth is,

 

# X509 configuration, change nothing

xrootd.seclib /usr/lib64/libXrdSec.so

sec.protocol /usr/lib64 gsi -authzfun:/usr/lib64/libXrdSecgsiAUTHZVO-4.so -gmapopt:10 -gmapto:0 -ca:1 -crl:1 -authzfunparms:debug=1,valido=cms,vo2grp=%s

acc.authdb /etc/xrootd/auth_file

acc.authrefresh 60

ofs.authorize

 

Regards,

 

 

--------------------------------------------------------------------------------------------------
Geonmo Ryu / 류건모

Korea Institute of Science and Technology Information (KISTI)
Global Science experimental Data hub Center (GSDC)
245 Daehak-ro, Yuseong-gu, Daejeon, 305-806, Republic of Korea
Tel :  +82-42-869-1639
E-mail: (CMS Helpdesk) [log in to unmask] / (Contact) [log in to unmask]
-------------------------------------------------------------------------------------------------- 

 

 

 

 

 

 

---

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

 

---

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1