Hi Bockjoo,

Thanks for the clarification. Could you please enable client-side logging? Just the "-d 3" option in xrdcp.

Cheers,
Michal

> On 25 Feb 2022, at 21:52, Bockjoo Kim <[log in to unmask]> wrote:
> 
> Hi Michal,
> 
> The server ztn sec.protocol is enabled.
> 
> The issue is one client is fine with it but the other client (built in the CMS software) is not able to use ztn for some reason.
> 
> Here is the server log created by the client which can do the xrdcp with the token:
> 
> 220225 15:35:49 26362 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:35:49 26362 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:35:49 26362 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:35:49 26362 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:49 26362 anon.0:[log in to unmask] TLS_Read: 85 out of 85 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:35:49 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:35:49 26421 Xrd_Sched: running monitor fstat inq=0
> 220225 15:35:49 26421 Xrd_Sched: scheduling monitor fstat in 60 seconds
> 220225 15:35:49 26340 Xrd_Sched: Now have 5 workers
> 220225 15:35:49 26340 Xrd_Sched: running monitor window clock inq=0
> 220225 15:35:49 26340 Xrd_Sched: scheduling monitor window clock in 5 seconds
> 220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:50 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 722 out of 722 bytes.
> 220225 15:35:50 26421 Xrd_Sched: running stats reporter inq=0
> 220225 15:35:50 26421 Xrd_Sched: scheduling stats reporter in 60 seconds
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:[log in to unmask] pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
> 220225 15:35:53 26362 multiuser_UserSentry: Failed to lookup UID for username e5fbec89-437f-45b8-a852-8d2690d85fef Success
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Read: 756 out of 756 bytes.
> 220225 15:35:53 26362 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
> 220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
> 220225 15:35:53 26362 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
> 220225 15:35:53 26362 multiuser_UserSentry: Switching FS uid for user bockjoo
> 220225 15:35:53 26362 multiuser_Open: Will not create checksum
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 12 out of 12 bytes.
> 220225 15:35:53 26362 bockjoo.2777317:[log in to unmask] TLS_Write: 82 out of 82
> 
> .....
> 
> 
> 
> Here's the log created by the client that fails to use the ztn protocol:
> 
> 220225 15:34:38 26340 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:34:38 26340 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:34:38 26340 anon.0:[log in to unmask] Xrd_Poll: FD 34 attached to poller 0; num=1
> 220225 15:34:38 26340 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:34:39 26340 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:34:39 26340 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:34:39 26340 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
> 220225 15:34:39 26340 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:01
> 220225 15:34:39 26340 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 34
> 220225 15:34:39 26340 bockjoo.467:[log in to unmask] Xrd_Poll: FD 34 detached from poller 0; num=0
> 220225 15:34:39 26339 Xrd_Sched: running monitor window clock inq=0
> 220225 15:34:39 26339 Xrd_Sched: scheduling monitor window clock in 5 seconds
> 220225 15:34:39 26362 Xrd_Sched: running main accept inq=0
> 220225 15:34:40 26421 Xrd_Inet: Accepted connection on port 1094 from [log in to unmask]
> 220225 15:34:40 26421 Xrd_ProtLoad: matched port 1094 protocol xroot
> 220225 15:34:40 26421 anon.0:[log in to unmask] Xrd_Poll: FD 37 attached to poller 0; num=1
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Accept: Accepting a TLS connection...
> 220225 15:34:40 26421 XrdLinkXeq: anon.0:[log in to unmask] connection upgraded to TLSv1.2
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 24 out of 24 bytes.
> 220225 15:34:40 26421 anon.0:[log in to unmask] TLS_Read: 93 out of 93 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 8 out of 8 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 16 out of 16 bytes.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Write: 59 out of 59 bytes.
> 220225 15:34:40 26421 XrdTLS: bockjoo.467:[log in to unmask] TLS error rc=0 ec=6 (zero_return) errno=0.
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] TLS_Shutdown: Doing fast shutdown.
> 220225 15:34:40 26421 XrootdXeq: bockjoo.467:[log in to unmask] disc 0:00:00
> 220225 15:34:40 26421 multiuser_UserSentry: Anonymous client; no user set, cannot change FS UIDs
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: Poller 0 removing FD 37
> 220225 15:34:40 26421 bockjoo.467:[log in to unmask] Xrd_Poll: FD 37 detached from poller 0; num=0
> 
> 
> Thanks,
> 
> Bockjoo
> 
> On 2/25/22 15:33, Michal Simon wrote:
>> Hi Bockjoo,
>> 
>> It is the server that decides what authentication protocols the client can use to authenticate. From the logs you posted it seems that the server only allows GSI authentication.
>> 
>> In order to use tokens it is recommended that the server enables ZTN authentication.
>> 
>> Cheers,
>> Michal
>> 
>>> On 25 Feb 2022, at 17:55, Bockjoo Kim <[log in to unmask]> wrote:
>>> 
>>> Hi,
>>> 
>>> CMS built xrdcp as the CMS software external.
>>> 
>>> When I run it, it does not look like it recognizes the token passed and is looking for X509:
>>> 
>>> -bash-4.2$ ( export BEARER_TOKEN=$BEARER_TOKEN ; unset X509_USER_PROXY ; xrdcp -d 1 -f root://cmsio2.rc.ufl.edu//store/user/bockjoo/sitedb.list?authz=Bearer%20$BEARER_TOKEN $(pwd)/sitedb.list )
>>> [2022-02-25 17:53:35.503759 +0100][Info   ][AsyncSock         ] [cmsio2.rc.ufl.edu:1094.0] TLS hand-shake done.
>>> 220225 17:53:36 23215 cryptossl_X509CreateProxy: EEC certificate has expired
>>> [2022-02-25 17:53:36.972629 +0100][Error  ][XRootDTransport   ] [cmsio2.rc.ufl.edu:1094.0] No protocols left to try
>>> [2022-02-25 17:53:36.972675 +0100][Error  ][AsyncSock         ] [cmsio2.rc.ufl.edu:1094.0] Socket error while handshaking: [FATAL] Auth failed
>>> 
>>> How can I check why this xrdcp version 5.4.0 built from the CMS software does not behave?
>>> 
>>> Thanks,
>>> 
>>> Bockjoo
>>> 
>>> ########################################################################
>>> Use REPLY-ALL to reply to list
>>> 
>>> To unsubscribe from the XROOTD-L list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
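
One way to triage server logs like the two quoted in this thread, added here as an example (not part of any message and not XRootD code): it groups lines by client session and reports whether each session reached `login as` or was closed first with a TLS error. The sample lines are constructed, and the `user.pid:fd@host` identity form and the host name are assumptions because the archive masks that field.

```python
import re

# Constructed sample modelled on the quoted server logs. The "user.pid:fd@host"
# identity form and the host name are assumptions: the archive masks that field.
SAMPLE_LOG = """\
220225 15:34:39 26340 XrdLinkXeq: anon.0:34@client.example.org connection upgraded to TLSv1.2
220225 15:34:39 26340 bockjoo.467:34@client.example.org TLS_Write: 59 out of 59 bytes.
220225 15:34:39 26340 XrdTLS: bockjoo.467:34@client.example.org TLS error rc=0 ec=6 (zero_return) errno=0.
220225 15:34:39 26340 XrootdXeq: bockjoo.467:34@client.example.org disc 0:00:01
220225 15:35:49 26362 XrdLinkXeq: anon.0:34@client.example.org connection upgraded to TLSv1.2
220225 15:35:49 26362 bockjoo.2777317:34@client.example.org TLS_Write: 59 out of 59 bytes.
220225 15:35:53 26362 XrootdXeq: bockjoo.2777317:34@client.example.org pub IPv4 TLSv1.2 login as e5fbec89-437f-45b8-a852-8d2690d85fef
220225 15:35:53 26362 multiuser_UserSentry: Switching FS uid for user bockjoo
"""

LINE = re.compile(r"^\d{6} \d\d:\d\d:\d\d \d+ (.*)$")
IDENT = re.compile(r"(\S+\.\d+:\S+)")          # session identity token
LOGIN = re.compile(r"login as (\S+)")
TLS_ERR = re.compile(r"TLS error rc=-?\d+ ec=\d+ \((\w+)\)")


def triage(log_text):
    """Return one record per client session: identity, outcome, detail."""
    open_sessions, closed = {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        ident = IDENT.search(line.group(1)) if line else None
        if not ident or ident.group(1).startswith("anon."):
            continue  # scheduler lines and the pre-login "anon" identity
        key, body = ident.group(1), line.group(1)
        s = open_sessions.setdefault(
            key, {"id": key, "outcome": "pending", "detail": None})
        login, err = LOGIN.search(body), TLS_ERR.search(body)
        if login:
            s["outcome"], s["detail"] = "authenticated", login.group(1)
        elif err and s["outcome"] == "pending":
            # Connection ended before any login was recorded.
            s["outcome"], s["detail"] = "closed_before_auth", err.group(1)
        elif " disc " in body:
            if s["outcome"] == "pending":
                s["outcome"] = "closed_before_auth"
            closed.append(open_sessions.pop(key))
    return closed + list(open_sessions.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

A session reported as `closed_before_auth` with detail `zero_return` means the peer closed the TLS connection before the server logged any login, so the reason has to come from the client's own debug output.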
