Hey Petr, I'm not talking about the server configuration of the exernal site (Munich), but about the configuration of the forward proxy server I have set up in Freiburg. Sorry if this wasn't clear. Cheers Dirk On 6/11/21 6:06 PM, Petr Vokac wrote: > This doesn't look like server configuration issue, because transfers > works for me from lxplus.cern.ch with same client, e.g. > *$ source /cvmfs/sft.cern.ch/lcg/views/setupViews.sh LCG_99 > x86_64-centos7-gcc8-opt****$ voms-proxy-init -voms atlas***Enter GRID pass phrase for this identity: > Contacting voms2.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch] "atlas"... > Remote VOMS server contacted succesfully. > Created proxy in /tmp/x509up_u45277. > Your proxy is valid until Sat Jun 12 06:01:58 CEST 2021 > *$ which xrdcp***/cvmfs/sft.cern.ch/lcg/views/LCG_99/x86_64-centos7-gcc8-opt/bin/xrdcp > *$ ls -la > /cvmfs/sft.cern.ch/lcg/views/LCG_99/x86_64-centos7-gcc8-opt/bin/xrdcp***lrwxrwxrwx. 1 cvmfs cvmfs 85 Jan 10 23:07 /cvmfs/sft.cern.ch/lcg/views/LCG_99/x86_64-centos7-gcc8-opt/bin/xrdcp -> /cvmfs/sft.cern.ch/lcg/releases/xrootd/4.12.3-61acf/x86_64-centos7-gcc8-opt/bin/xrdcp > *$ xrdcp > root://lcg-lrz-rootd.grid.lrz.de:1094/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasscratchdisk/rucio/user/dsammel/04/71/large.root > .***[12.16GB/12.16GB][100%][==================================================][136.9MB/s] > > Petr > > On 6/11/21 5:09 PM, Dirk Sammel wrote: >> Dear experts, >> >> I'm having trouble with using the proxy delegation feature. My setup >> is as follows: >> >> I have a client that wants to download files from an external site, >> therefore authentication is required. The request is forwarded to a >> proxy server (which is running in forwarding mode and also caches the >> files). I see the following error in the proxy server log (the full >> log is attached): >> >> ofs_open: ds1034.9382:[log in to unmask] Unable to open >> /root:/lcg-lrz-rootd.grid.lrz.de:1094/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasscratchdisk/rucio/user/dsammel/04/71/large.root; >> invalid exchange >> >> At one point before that, the proxy server tries to create a user >> proxy for user xrootd. If I put my userkey and usercert on the proxy >> server and manually create a user proxy for user xrootd, the >> authentication works, but this is of course not a reasonable solution. >> >> Client: >> >> XRootD version: 4.12.3 >> >> $XrdSecGSIDELEGPROXY=2 >> $XrdSecGSIPROXYDEPLEN=-1 >> $X509_USER_PROXY=/tmp/x509up_u52246 >> $X509_USER_KEY=/home/ds1034/.globus/userkey.pem >> $X509_USER_CERT=/home/ds1034/.globus/usercert.pem >> >> Server: >> >> XRootD version: 5.1.1 >> >> xrootd.seclib libXrdSec.so >> sec.protocol gsi -certdir:/etc/grid-security/certificates >> -cert:/etc/grid-security/hostcert.pem >> -key:/etc/grid-security/hostkey.pem -dlgpxy:request -d:3 >> >> >> The complete server config is attached. >> >> >> I also attached the debug logs for the client and the server when >> running >> >> xrdcp -f -d 3 >> root://lcg-lrz-rootd.grid.lrz.de:1094/pnfs/lrz-muenchen.de/data/atlas/dq2/atlasscratchdisk/rucio/user/dsammel/04/71/large.root >> . >> >> Two things I noticed: in the client log "Proxy delegation option: 0", >> in the server log "Secgsi Proxy delegation option: ignore", it seems >> that these settings are not applied? >> >> Is anything missing in my configuration or is anything wrong? >> Just tell me if I need to provide any missing information! >> >> Cheers >> Dirk >> >> ######################################################################## >> Use REPLY-ALL to reply to list >> >> To unsubscribe from the XROOTD-L list, click the following link: >> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1 > ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-L list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1