On 24 Feb 2021, at 16:36, Adrian Sevcenco <[log in to unmask]> wrote:

On 3/2/20 5:13 PM, Michal Kamil Simon wrote:

Hi Adrian,

Hi Michal!

It is the server that tells the client which authentication protocol should be used,
if you enable loging (e.g. XRD_LOGLEVEL=Dump) you will see in the logs something
like:
[Debug ][XRootDTransport ] [your-favourite-host:1094.0] Authentication is required: &P=*gsi*,v:10400,c:ssl,ca:5168735f.0|4339b4bc.0
in this example you can see that the server requested gsi authentication. It may
also give the client a list of authentication protocols that are accepted by the server,
in this cased they are tried in the order specified by the server. You can force the
client to use authentication protocol by adding xrd.wantprot cgi element to your url,
e.g. xrd.wantprot=sss.

so, i delayed this until i received too many emails that they have strange messages when the copy is from eos.
So, this is a tag that is added to the actual uri?
and the form is like "?xrd.wantprot=unix" ?
(as ALICE use tokenauthz envelopes)

The question is, will this work with eos? will this be stripped correctly my mgm and then proceed forward with the new token for the fst?

Thanks a lot!
Adrian

Hop[e this helps!
Cheers,
Michal
________________________________________
From: Adrian Sevcenco
Sent: 28 February 2020 14:02
To: Michal Kamil Simon; [log in to unmask]
Subject: Re: xrdfs :: request for x509 proxy???
On 2/28/20 1:11 PM, Michal Kamil Simon wrote:
> Hi Adrian,
Hi!
> It's a feature not a bug ;-)
:))
> Now more seriously, if you detach your script from the terminal,
> it wont be prompted to give a password in order to create a
> new proxy cert (it will rather simply fail).
>
> To summarize, we check if stdin/stdout are attach to a terminal:
> https://github.com/xrootd/xrootd/blob/master/src/XrdSecgsi/XrdSecProtocolgsi.cc#L4793-L4796
> and only then we try to generate the proxy cert if it's absent,
> otherwise the client simply fails to authenticate.
ok, got it, but the main problem is that such a request is made!
why would an xrdfs query request a proxy cert?
I would like to deny any kind of proxy cert requests and throw an error
because i would say that if the server request a proxy cert than from
the perspective of ALICE usage, the server is mis-configured... so, i
would like to find out why this is requested and how to eliminate the
need of proxy cert.
Thanks a lot!!
Adrian
>
> Hope that helps.
>
> Cheers,
> Michal
> ________________________________________
> From: [log in to unmask] [[log in to unmask]] on behalf
> of Adrian Sevcenco [[log in to unmask]]
> Sent: 28 February 2020 10:54
> To: [log in to unmask]
> Subject: xrdfs :: request for x509 proxy???
>
> Hi! While doing an stat with xrdfs i encountered this :
>
> 200228 10:55:42 1030664 cryptossl_X509CreateProxy: Your identity:
> /DC=RO/DC=RomanianGRID/O=ISS/CN=Adrian SEVCENCO
> Enter PEM pass phrase:
>
> Why would the xrdfs ask to create proxy?
> Also, this happened when doing cp operation within python ..
>
> While on the issue of required or not i cannot say anything, the fact
> that i get a dialogue instead of a direct failure is a huge bug!!!
> It breaks any script that do automatic tasks or a sequence of tasks
>
> Thanks!
> Adrian
>
>
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
--
----------------------------------------------
Adrian Sevcenco, Ph.D. |
Institute of Space Science - ISS, Romania |
adrian.sevcenco at {cern.ch,spacescience.ro} |
----------------------------------------------

-- 
----------------------------------------------
Adrian Sevcenco, Ph.D.                       |
Institute of Space Science - ISS, Romania    |
adrian.sevcenco at {cern.ch,spacescience.ro} |
----------------------------------------------