Print

Print


Hi Wei,

Thanks for replying. As far as I can see libXrdSecgsiVOMS-5.so is linked libXrdVoms-5.so

 /usr/lib64/libXrdSecgsiVOMS-5.so -> libXrdVoms-5.so

so it is libXrdVoms-5.so that I also use

Best,

George
________________________________
From: Yang, Wei <[log in to unmask]>
Sent: 16 April 2021 10:38
To: Patargias, George (STFC,RAL,SC) <[log in to unmask]>; xrootd-l <[log in to unmask]>
Subject: Re: XRootD 5.1.1 and GSI/VOMS authorisation problems

Hi George,

I believe /usr/lib64/libXrdSecgsiVOMS.so is obsolete in Xrootd 5.1.1, replaced by /usr/lib64/libXrdVOMS.so. All other config remain the same.

regards,
--
Wei Yang  |  mailto:[log in to unmask]  |  650-926-3338(O)

From: <[log in to unmask]> on behalf of George Patargias - STFC UKRI <[log in to unmask]>
Date: Friday, April 16, 2021 at 2:33 AM
To: xrootd-l <[log in to unmask]>
Subject: XRootD 5.1.1 and GSI/VOMS authorisation problems

Hello,


Is there any issue with XRootD 5 (5.1.1) and GSI/VOMS authorisation? When I try to copy a file out of Echo using a standard grid proxy, xrdcp hangs for some reason.  And I see a lot of these errors: secgsi_Authenticate: ERROR: user mapping required, but lookup failed - failure

I have noticed that the VOMS attributes are not extracted but I am not sure if this is important or not. At any rate, gsi grants access to the file but then nothing happens.

210416 10:27:07 525767 secgsi_XrdOucGMap::dn2user: mapping DN '/C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder' to 'atlasprod'
210416 10:27:07 525767  XrdVomsFun: proxy: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder/CN=1933687333
210416 10:27:07 525767  XrdVomsFun: adding cert: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=james walder
210416 10:27:07 525767  XrdVomsFun: retrieval FAILED: Cannot verify AC signature!
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.vorg:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.grps:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.role:         <none>
210416 10:27:07 525767 secgsi_Authenticate: VOMS: Entity.endorsements: <none>
210416 10:27:07 525767 XrootdXeq: jwalder.23107:[log in to unmask] pub IP64 login as atlasprod
210416 10:27:07 525767 acc_Audit: jwalder.23107:[log in to unmask] grant gsi [log in to unmask] stat /dteam:test1/domatest/jwalder/ROOT_testM

Do you have any idea what the problem might be? Thanks.

My gsi config is

sec.protparm gsi -vomsfun:/usr/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|vos=atlas,dteam|grps=/atlas,/dteam|grpopt=10|dbg
sec.protocol unix
sec.protocol gsi -dlgpxy:1 -exppxy:=creds -crl:3 -cert:/etc/grid-security/xrootd/hostcert.pem -key:/etc/grid-security/xrootd/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -gmapopt:2 -gmapto:3600 -d:1
This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses. Opinions, conclusions or other information in this message and attachments that are not related directly to UKRI business are solely those of the author and do not represent the views of UKRI.


Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1


########################################################################
Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-L list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1