
The libXrdVoms man page for 5.1.1 says the same thing. We don't set X509_VOMS_DIR: /etc/grid-security/vomsdir/ is empty on all our gateways.

It looks like the entry is found in the gridmap file

210416 12:31:21 530227 secgsi_XrdOucGMap::dn2user: mapping DN '/C=UK/O=eScience/OU=CLRC/L=RAL/CN=george patargias' to 'dteamuser'
210416 12:31:21 530227  XrdVomsFun: proxy: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=george patargias/CN=1232870735
210416 12:31:21 530227  XrdVomsFun: adding cert: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=george patargias

so I am not sure what is happening here.

George



From: Yang, Wei <[log in to unmask]>
Sent: 16 April 2021 11:04
To: James William Walder <[log in to unmask]>; [log in to unmask] <[log in to unmask]>
Cc: Patargias, George (STFC,RAL,SC) <[log in to unmask]>; xrootd-l <[log in to unmask]>
Subject: Re: XRootD 5.1.1 and GSI/VOMS authorisation problems
 
I see one issue and have one question but none explain the hanging:

You have both Gridmap file and VOMS. In the old vomsxrd, Gridmapfile will be searched first. If a matching entry is found, VOMS is ignored. Not sure about the new XrdVOMS.

Do you set X509_VOMS_DIR before starting xrootd? libXrdVoms man page says this is needed.
 


regards,
--
Wei Yang  |  mailto:[log in to unmask]  |  650-926-3338(O)

From: James William Walder <[log in to unmask]>
Date: Friday, April 16, 2021 at 2:57 AM
To: "[log in to unmask]" <[log in to unmask]>
Cc: George Patargias <[log in to unmask]>, Wei Yang <[log in to unmask]>, xrootd-l <[log in to unmask]>
Subject: Re: XRootD 5.1.1 and GSI/VOMS authorisation problems

Hi,
 Let me add some information on the proxy.
It was created on lxplus:

voms-proxy-info --version
voms-proxy-info v. 3.3.2 (voms-api-java/3.3.2 canl/2.6.0 bcprov/1.58.0 bcpkix/1.58.0.0)


[jwalder@lxplus745]~/TPC% voms-proxy-info --all
subject   : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder/CN=1933687333
issuer    : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder
identity  : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u28239
timeleft  : 11:01:30
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO dteam extension information ===
VO        : dteam
subject   : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder
issuer    : /C=GR/O=HellasGrid/OU=http://hellasgrid.gr/CN=voms2.hellasgrid.gr
attribute : /dteam/Role=NULL/Capability=NULL
timeleft  : 11:01:30
uri       : http://voms2.hellasgrid.gr:15004


Here it’s dteam; but the situation is the same with atlas user role




Cheers,
James







On 16 Apr 2021, at 10:50, Oliver Freyermuth <mailto:[log in to unmask]> wrote:

Hi George,

Am 16.04.21 um 11:43 schrieb George Patargias - STFC UKRI:

Hi Wei,
Thanks for replying. As far as I can see libXrdSecgsiVOMS-5.so is linked to libXrdVoms-5.so
 /usr/lib64/libXrdSecgsiVOMS-5.so -> libXrdVoms-5.so
so it is libXrdVoms-5.so that I also use

indeed, this symbolic link is kept in XRootD 5 to ease the transition. To be future-proof, you should still adapt your configuration as Wei outlined.

Can you elaborate how the VOMS proxy was created? Is it maybe too short (<2048 bits) or not an RFC proxy? What does "voms-proxy-info" look like?

Cheers,
Oliver


Best,
George
------------------------------------------------------------------------
*From:* Yang, Wei <mailto:[log in to unmask]>
*Sent:* 16 April 2021 10:38
*To:* Patargias, George (STFC,RAL,SC) <mailto:[log in to unmask]>; xrootd-l <mailto:[log in to unmask]>
*Subject:* Re: XRootD 5.1.1 and GSI/VOMS authorisation problems
Hi George,
I believe /usr/lib64/libXrdSecgsiVOMS.so is obsolete in Xrootd 5.1.1, replaced by /usr/lib64/libXrdVOMS.so. All other config remains the same.
regards,
--
Wei Yang  | mailto:[log in to unmask] <mailto:[log in to unmask]>  |  650-926-3338(O)
From: <mailto:[log in to unmask]> on behalf of George Patargias - STFC UKRI <mailto:[log in to unmask]>
Date: Friday, April 16, 2021 at 2:33 AM
To: xrootd-l <mailto:[log in to unmask]>
Subject: XRootD 5.1.1 and GSI/VOMS authorisation problems
Hello,
Is there any issue with XRootD 5 (5.1.1) and GSI/VOMS authorisation? When I try to copy a file out of Echo using a standard grid proxy, xrdcp hangs for some reason.  And I see a lot of these errors: secgsi_Authenticate: ERROR: user mapping required, but lookup failed - failure
I have noticed that the VOMS attributes are not extracted but I am not sure if this is important or not. At any rate, gsi grants access to the file but then nothing happens.
210416 10:27:07 525767 secgsi_XrdOucGMap::dn2user: mapping DN '/C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder' to 'atlasprod'
210416 10:27:07 525767  XrdVomsFun: proxy: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder/CN=1933687333
210416 10:27:07 525767  XrdVomsFun: adding cert: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder
210416 10:27:07 525767  XrdVomsFun: retrieval FAILED: Cannot verify AC signature!
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.vorg:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.grps:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.role:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.endorsements: <none>
210416 10:27:07 525767 XrootdXeq: jwalder.23107:mailto:[log in to unmask] pub IP64 login as atlasprod
210416 10:27:07 525767 acc_Audit: jwalder.23107:mailto:[log in to unmask] grant gsi mailto:[log in to unmask] stat /dteam:test1/domatest/jwalder/ROOT_testM
Do you have any idea what the problem might be? Thanks.
My gsi config is
sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=atlas,dteam|grps=/atlas,/dteam|grpopt=10|dbg
sec.protocol unix
sec.protocol gsi -dlgpxy:1 -exppxy:=creds -crl:3 -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -gmapopt:2 -gmapto:3600 -d:1

Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 <https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1>


--
Oliver Freyermuth
Universität Bonn
Physikalisches Institut, Raum 1.047
Nußallee 12
53115 Bonn
--
Tel.: +49 228 73 2367
Fax:  +49 228 73 7869
--
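
Added example, not part of any message in this thread: a small Python check over the log lines quoted above that flags handshakes where XrdVomsFun failed to retrieve VOMS attributes but the client was still logged in under the account its DN maps to in the gridmap file. Grouping lines by timestamp and the numeric id in the third column is an assumption that fits this sample, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the messages in this thread (list-archive redactions kept as-is).
SAMPLE_LOG = """\
210416 10:27:07 525767 secgsi_XrdOucGMap::dn2user: mapping DN '/C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder' to 'atlasprod'
210416 10:27:07 525767  XrdVomsFun: proxy: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder/CN=1933687333
210416 10:27:07 525767  XrdVomsFun: retrieval FAILED: Cannot verify AC signature!
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.vorg:         <none>
210416 10:27:07 525767 XrootdXeq: jwalder.23107:mailto:[log in to unmask] pub IP64 login as atlasprod
210416 12:31:21 530227 secgsi_XrdOucGMap::dn2user: mapping DN '/C=UK/O=eScience/OU=CLRC/L=RAL/CN=george patargias' to 'dteamuser'
210416 12:31:21 530227  XrdVomsFun: proxy: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=george patargias/CN=1232870735
"""

HEAD = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+)\s+(.*)$")
MAP = re.compile(r"dn2user: mapping DN '(.+)' to '(.+)'")
VOMS_FAIL = re.compile(r"XrdVomsFun: retrieval FAILED: (.+)")
VORG = re.compile(r"VOMS: Entity\.vorg:\s+(\S+)")
LOGIN = re.compile(r"XrootdXeq: .* login as (\S+)")

def summarise(log_text):
    """Group lines by (timestamp, id) and collect the auth-relevant fields of each group."""
    groups = defaultdict(dict)
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue  # not in the 'date time id message' layout
        stamp, ident, rest = head.groups()
        rec = groups[(stamp, ident)]  # assumption: one handshake per (timestamp, id)
        if m := MAP.search(rest):
            rec["dn"], rec["gridmap_user"] = m.groups()
        elif m := VOMS_FAIL.search(rest):
            rec["voms_error"] = m.group(1)
        elif m := VORG.search(rest):
            rec["vorg"] = m.group(1)
        elif m := LOGIN.search(rest):
            rec["login"] = m.group(1)
    return dict(groups)

def gridmap_only_logins(log_text):
    """Handshakes that logged in as the gridmap account although VOMS retrieval failed."""
    return [
        {"when": stamp, "id": ident, **rec}
        for (stamp, ident), rec in summarise(log_text).items()
        if "voms_error" in rec and rec.get("login") and rec["login"] == rec.get("gridmap_user")
    ]
```
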

