LISTSERV 16.5 - XROOTD-L Archives

Hi Adrian,

I think yes, it should work. Why don’t you give it a try?

Cheers,
Michal

> On 24 Feb 2021, at 16:36, Adrian Sevcenco <[log in to unmask]> wrote:
> 
> On 3/2/20 5:13 PM, Michal Kamil Simon wrote:
>> Hi Adrian,
> Hi Michal!
> 
>> It is the server that tells the client which authentication protocol should be used,
>> if you enable loging (e.g. XRD_LOGLEVEL=Dump) you will see in the logs something
>> like:
>> [Debug ][XRootDTransport ] [your-favourite-host:1094.0] Authentication is required: &P=*gsi*,v:10400,c:ssl,ca:5168735f.0|4339b4bc.0
>> in this example you can see that the server requested gsi authentication. It may
>> also give the client a list of authentication protocols that are accepted by the server,
>> in this cased they are tried in the order specified by the server. You can force the
>> client to use authentication protocol by adding xrd.wantprot cgi element to your url,
>> e.g. xrd.wantprot=sss.
> so, i delayed this until i received too many emails that they have strange messages when the copy is from eos.
> So, this is a tag that is added to the actual uri?
> and the form is like "?xrd.wantprot=unix" ?
> (as ALICE use tokenauthz envelopes)
> 
> The question is, will this work with eos? will this be stripped correctly my mgm and then proceed forward with the new token for the fst?
> 
> Thanks a lot!
> Adrian
> 
>> Hop[e this helps!
>> Cheers,
>> Michal
>> ________________________________________
>> From: Adrian Sevcenco
>> Sent: 28 February 2020 14:02
>> To: Michal Kamil Simon; [log in to unmask]
>> Subject: Re: xrdfs :: request for x509 proxy???
>> On 2/28/20 1:11 PM, Michal Kamil Simon wrote:
>> > Hi Adrian,
>> Hi!
>> > It's a feature not a bug ;-)
>> :))
>> > Now more seriously, if you detach your script from the terminal,
>> > it wont be prompted to give a password in order to create a
>> > new proxy cert (it will rather simply fail).
>> >
>> > To summarize, we check if stdin/stdout are attach to a terminal:
>> > https://github.com/xrootd/xrootd/blob/master/src/XrdSecgsi/XrdSecProtocolgsi.cc#L4793-L4796
>> > and only then we try to generate the proxy cert if it's absent,
>> > otherwise the client simply fails to authenticate.
>> ok, got it, but the main problem is that such a request is made!
>> why would an xrdfs query request a proxy cert?
>> I would like to deny any kind of proxy cert requests and throw an error
>> because i would say that if the server request a proxy cert than from
>> the perspective of ALICE usage, the server is mis-configured... so, i
>> would like to find out why this is requested and how to eliminate the
>> need of proxy cert.
>> Thanks a lot!!
>> Adrian
>> >
>> > Hope that helps.
>> >
>> > Cheers,
>> > Michal
>> > ________________________________________
>> > From: [log in to unmask] [[log in to unmask]] on behalf
>> > of Adrian Sevcenco [[log in to unmask]]
>> > Sent: 28 February 2020 10:54
>> > To: [log in to unmask]
>> > Subject: xrdfs :: request for x509 proxy???
>> >
>> > Hi! While doing an stat with xrdfs i encountered this :
>> >
>> > 200228 10:55:42 1030664 cryptossl_X509CreateProxy: Your identity:
>> > /DC=RO/DC=RomanianGRID/O=ISS/CN=Adrian SEVCENCO
>> > Enter PEM pass phrase:
>> >
>> > Why would the xrdfs ask to create proxy?
>> > Also, this happened when doing cp operation within python ..
>> >
>> > While on the issue of required or not i cannot say anything, the fact
>> > that i get a dialogue instead of a direct failure is a huge bug!!!
>> > It breaks any script that do automatic tasks or a sequence of tasks
>> >
>> > Thanks!
>> > Adrian
>> >
>> >
>> >
>> > ########################################################################
>> > Use REPLY-ALL to reply to list
>> >
>> > To unsubscribe from the XROOTD-L list, click the following link:
>> > https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>> --
>> ----------------------------------------------
>> Adrian Sevcenco, Ph.D. |
>> Institute of Space Science - ISS, Romania |
>> adrian.sevcenco at {cern.ch,spacescience.ro} |
>> ----------------------------------------------
> 
> 
> -- 
> ----------------------------------------------
> Adrian Sevcenco, Ph.D.                       |
> Institute of Space Science - ISS, Romania    |
> adrian.sevcenco at {cern.ch <http://cern.ch/>,spacescience.ro <http://spacescience.ro/>} |
> ----------------------------------------------


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1