Short update:

We modified the sec.protocol gsi line in our EOS mgm server to enable debugging, adding the following parameters: -vomsfun:libXrdVoms.so -vomsfunparms:dbg

After this change we can see that the attributes of the proxy certs are now properly extracted (see below); however, it seems that EOS cannot handle multi-valued attributes (see the IdMap line):

sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL" 

We defined a VID mapping in EOS to map certain cert attributes to local unix accounts, however EOS seems to map it to the nobody user.

So it would be interesting to know what xrootd is using when -vomsfun:libXrdVoms.so is not specified in the sec.protocol gsi configuration, because without that parameter it seems to fail to extract the attributes for some of the proxy certs.

210114 17:46:21 102681 XrootdXeq: etf.200922:[log in to unmask] disc 0:00:00
210114 17:46:21 106362 XrootdXeq: alitrain.3959:[log in to unmask] disc 0:00:00
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 3 extensions
210114 17:46:21 105414 cryptossl_X509::CertType: certificate has 11 extensions
210114 17:46:21 105414 secgsi_XrdOucGMap::dn2user: no valid match found for DN '/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba'
210114 17:46:21 105414 secgsi_Authenticate: WARNING: user mapping lookup failed - use DN or DN-hash as name
210114 17:46:21 105414  XrdVomsFun: proxy: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571/CN=365680754/CN=283434044
210114 17:46:21 105414  XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba
210114 17:46:21 105414  XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489
210114 17:46:21 105414  XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571
210114 17:46:21 105414  XrdVomsFun: adding cert: /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba/CN=286408489/CN=1110273571/CN=365680754
210114 17:46:21 105414  XrdVomsFun: retrieval successful
210114 17:46:21 105414  XrdVomsFun: found VO: cms
210114 17:46:21 105414  XrdVomsFun:  ---> group: '/cms', role: 'production', cap: 'NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> fqan: '/cms/Role=production/Capability=NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> group: '/cms/ALARM', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> fqan: '/cms/ALARM/Role=NULL/Capability=NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> group: '/cms/GGUSExpert', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> fqan: '/cms/GGUSExpert/Role=NULL/Capability=NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> group: '/cms', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> fqan: '/cms/Role=NULL/Capability=NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> group: '/cms/TEAM', role: 'NULL', cap: 'NULL'
210114 17:46:21 105414  XrdVomsFun:  ---> fqan: '/cms/TEAM/Role=NULL/Capability=NULL'
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.vorg:         cms cms cms cms cms
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.grps:         /cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.role:         production NULL NULL NULL NULL
210114 17:46:21 105414 secgsi_Authenticate: VOMS: Entity.endorsements: /cms/Role=production/Capability=NULL,/cms/ALARM/Role=NULL/Capability=NULL,/cms/GGUSExpert/Role=NULL/Capability=NULL,/cms/Role=NULL/Capability=NULL,/cms/TEAM/Role=NULL/Capability=NULL
210114 17:46:21 105414 XrootdXeq: etf.200920:[log in to unmask] pub IPv4 login as /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba
210114 17:46:21 106363 XrootdXeq: aliprod.17382:1183@[::ffff:192.188.182.204] disc 0:00:00
210114 17:46:21 time=1610642781.808426 func=IdMap                    level=INFO  logid=static.............................. [log in to unmask]:1094 tid=00007f8b955f7700 source=Mapping:993 tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba" sec.host="etf-28.cern.ch" sec.vorg="cms cms cms cms cms" sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" sec.role="production NULL NULL NULL NULL" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=sciaba/CN=430796/CN=Andrea Sciaba" sec.app="" sec.tident="etf.200920:[log in to unmask]" vid.uid=99 vid.gid=99
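
Added example, not part of the original message and not EOS or XRootD code: a small parser for the `sec.*` fields of the IdMap line that pairs the space-separated `sec.vorg`, `sec.grps` and `sec.role` values position by position, as the XrdVomsFun group/role lines in the log pair them. The `match_rule` lookup and its rule shape are hypothetical; the sample line is constructed from the fields shown above.

```python
import re

# Constructed sample: the sec.* fields of the IdMap line above, on one line.
IDMAP_LINE = (
    'sec.prot=gsi sec.name="/DC=ch/DC=cern/OU=Organic Units/OU=Users/'
    'CN=sciaba/CN=430796/CN=Andrea Sciaba" sec.host="etf-28.cern.ch" '
    'sec.vorg="cms cms cms cms cms" '
    'sec.grps="/cms /cms/ALARM /cms/GGUSExpert /cms /cms/TEAM" '
    'sec.role="production NULL NULL NULL NULL" sec.app="" vid.uid=99 vid.gid=99'
)

# key=value or key="quoted value"; quoted values may contain spaces and '='.
FIELD_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S*))')


def parse_fields(line):
    """Return a dict of the key=value tokens found in a log line."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def voms_entries(fields):
    """Pair the i-th VO, group and role into one tuple per VOMS attribute."""
    vos = fields.get("sec.vorg", "").split()
    grps = fields.get("sec.grps", "").split()
    roles = fields.get("sec.role", "").split()
    if not len(vos) == len(grps) == len(roles):
        raise ValueError("sec.vorg, sec.grps and sec.role differ in length")
    # The log prints an absent role as the literal string NULL.
    return [(v, g, None if r == "NULL" else r) for v, g, r in zip(vos, grps, roles)]


def match_rule(entries, vo, group=None, role=None):
    """Hypothetical rule lookup: first entry matching the rule, else None.

    group=None / role=None in the rule mean "any".
    """
    for entry in entries:
        e_vo, e_group, e_role = entry
        if e_vo == vo and group in (None, e_group) and role in (None, e_role):
            return entry
    return None


if __name__ == "__main__":
    fields = parse_fields(IDMAP_LINE)
    # Comparing the raw multi-valued string against a single VO name fails.
    print("whole-string compare:", fields["sec.vorg"] == "cms")
    for entry in voms_entries(fields):
        print(entry)
    print(match_rule(voms_entries(fields), "cms", "/cms", "production"))
```
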

View this issue on GitHub: https://github.com/xrootd/xrootd/issues/1369#issuecomment-760323693