Short update: We modified the `sec.protocol gsi` line in our EOS mgm server to enable debugging and added the following parameters:

`-vomsfun:libXrdVoms.so -vomsfunparms:dbg`

After this change we can see that the attributes of the proxy certs are properly extracted now (see below), however it seems that EOS cannot handle multi-valued attributes (see `IdMap` line):

```
sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL"
```

We defined a VID mapping in EOS to map certain cert attributes to local unix accounts, however EOS seems to map it to the nobody user.

So it would be interesting to know what xrootd is using when not specifying `-vomsfun:libXrdVoms.so` in the `sec.protocol gsi` configuration because without that parameter it seems to fail to extract the attributes for some of the proxy certs.

```
210114 17:46:21 102681 XrootdXeq: etf.200922:[log in to unmask] disc 0:00:00
210114 17:46:21 106362 XrootdXeq: alitrain.3959:[log in to unmask] disc 0:00:00
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 11 extensions
210114 17:46:21 105414 secgsi_XrdOucGMap::dn2user: no valid match found for DN '/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba'
210114 17:46:21 105414 secgsi_Authenticate: WARNING: user mapping lookup failed - use DN or DN-hash as name
210114 17:46:21 105414 XrdVomsFun: proxy: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571/CN=365680754/CN=283434044
210114 17:46:21 105414 XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba
210114 17:46:21 105414 XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489
210114 17:46:21 105414 XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571
210114 17:46:21 105414 XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571/CN=365680754
210114 17:46:21 105414 XrdVomsFun: retrieval successful
210114 17:46:21 105414 XrdVomsFun: found VO: cms
210114 17:46:21 105414 XrdVomsFun: ---> group: '/cms', role: 'production', cap: 'NULL'
210114 17:46:21 105414 XrdVomsFun: ---> fqan: '/cms/Role=production/Capability=NULL'
210114 17:46:21 105414 XrdVomsFun: ---> group: '/cms/ALARM', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414 XrdVomsFun: ---> fqan: '/cms/ALARM/Role=NULL/Capability=NULL'
210114 17:46:21 105414 XrdVomsFun: ---> group: '/cms/GGUSExpert', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414 XrdVomsFun: ---> fqan: '/cms/GGUSExpert/Role=NULL/Capability=NULL'
210114 17:46:21 105414 XrdVomsFun: ---> group: '/cms', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414 XrdVomsFun: ---> fqan: '/cms/Role=NULL/Capability=NULL'
210114 17:46:21 105414 XrdVomsFun: ---> group: '/cms/TEAM', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414 XrdVomsFun: ---> fqan: '/cms/TEAM/Role=NULL/Capability=NULL'
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.vorg: cms cms cms cms cms
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.grps: /cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.role: production NULL NULL NULL NULL
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.endorsements: /cms/Role=production/Capability=NULL,/cms/ALARM/Role=NULL/Capability=NULL,/cms/GGUSExpert/Role=NULL/Capability=NULL,/cms/Role=NULL/Capability=NULL,/cms/TEAM/Role=NULL/Capability=NULL
210114 17:46:21 105414 XrootdXeq: etf.200920:[log in to unmask] pub IPv4 login as /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba
210114 17:46:21 106363 XrootdXeq: aliprod.17382:1183@[::ffff:192.188.182.204] disc 0:00:00
210114 17:46:21 time=1610642781.808426 func=IdMap level=INFO logid=static.............................. [log in to unmask]:1094 tid=00007f8b955f7700 source=Mapping:993 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba" sec.host="etf-28.cern.ch" sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba" sec.app="" sec.tident="etf.200920:[log in to unmask]" vid.uid=99 vid.gid=99
```

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1369#issuecomment-760323693
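
Added example (not part of the original message, and not XRootD or EOS code): a small Python checker that parses an `IdMap` line like the one above, pairs the space-separated `sec.vorg`, `sec.grps` and `sec.role` values by position, as the order of the `XrdVomsFun` group/role lines suggests, and flags GSI logins that carry VOMS attributes but still map to uid 99. The sample line is constructed from the log above and all function names are hypothetical.

```python
import re

# Constructed sample, shortened from the IdMap line quoted in the message above.
SAMPLE = (
    'func=IdMap level=INFO uid=99 gid=99 sec.prot=gsi '
    'sec.name="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba" '
    'sec.vorg="cms cms cms cms cms" '
    'sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" '
    'sec.role="production NULL NULL NULL NULL" vid.uid=99 vid.gid=99'
)

# Matches key="quoted value" (spaces allowed) or key=bare-token.
FIELD_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S*))')
NOBODY_UID = 99  # the uid/vid.uid value seen in the log above


def parse_fields(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def voms_entries(fields):
    """Pair the VO, group and role lists position by position."""
    vos = fields.get("sec.vorg", "").split()
    grps = fields.get("sec.grps", "").split()
    roles = fields.get("sec.role", "").split()
    if not (len(vos) == len(grps) == len(roles)):
        # A mismatch means the positional pairing assumption does not hold.
        raise ValueError("VOMS attribute lists differ in length")
    return list(zip(vos, grps, roles))


def nobody_despite_voms(line):
    """True when a GSI login with VOMS attributes still ends up as uid 99."""
    f = parse_fields(line)
    return (
        f.get("func") == "IdMap"
        and f.get("sec.prot") == "gsi"
        and bool(voms_entries(f))
        and int(f.get("vid.uid", -1)) == NOBODY_UID
    )


if __name__ == "__main__":
    for vo, grp, role in voms_entries(parse_fields(SAMPLE)):
        print(vo, grp, role)
    print("fell back to nobody:", nobody_despite_voms(SAMPLE))
```
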