Sorry for not addressing this sooner. This may be due to the way keys are added and how they are identified. In the old scheme, the client would send the keyid (an internally generated id) to the server and the server would try to find the keyid in its keytab. The problem we found (see closed issues 592 and 590) is that it's possible the wrong key or no key would be found if the same keyid was assigned to different keys. This was fixed in R5 by adding the --keyname config option for the server:
https://xrootd.slac.stanford.edu/doc/dev54/sec_config.htm#_Toc79102014
which also uses the keyname used by the client along with the keyid to pick up the correct key. This only works for r5.x clients. So, this may be the problem as I see that the --keyname option was not specified in the server's config.

Since you have a reproducible case, could you specify this option on the affected servers and see if it solves the issue? If not, then it is truly a bug.

As for selecting the key via cgi, based on my reading of old closed tickets we decided not to support that but, instead, support setting which key to use via a client-side envar.
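
The keyid collision described in this message, as an added illustration that is not part of the original email and not xrootd code: a simplified Python model of a keytab lookup by keyid alone versus by keyname plus keyid. The entry layout, function names and sample keys are assumptions, and HMAC-SHA256 is a stand-in for whatever the real protocol does with the selected key.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class KeyEntry(NamedTuple):
    keyname: str   # name the key was created under
    keyid: int     # internally generated id
    secret: bytes

# Constructed keytab: two different keys that ended up with the same keyid.
KEYTAB = [
    KeyEntry("siteA", 1001, b"constructed-secret-A"),
    KeyEntry("siteB", 1001, b"constructed-secret-B"),
]

def find_by_keyid(keytab, keyid) -> Optional[KeyEntry]:
    """Old scheme as described: the keyid alone selects the key."""
    return next((e for e in keytab if e.keyid == keyid), None)

def find_by_name_and_id(keytab, keyname, keyid) -> Optional[KeyEntry]:
    """Scheme with a keyname: both values must match the entry."""
    return next((e for e in keytab
                 if e.keyname == keyname and e.keyid == keyid), None)

def tag(secret: bytes, msg: bytes) -> bytes:
    # Stand-in (assumption) for the real protocol's use of the shared key.
    return hmac.new(secret, msg, hashlib.sha256).digest()

def server_accepts(entry, msg, client_tag) -> bool:
    # A missing entry ("no key found") is rejected like a wrong key.
    return entry is not None and hmac.compare_digest(
        tag(entry.secret, msg), client_tag)

def demo():
    client = KEYTAB[1]                 # the client holds the siteB key
    msg = b"constructed request"
    client_tag = tag(client.secret, msg)
    old = find_by_keyid(KEYTAB, client.keyid)
    new = find_by_name_and_id(KEYTAB, client.keyname, client.keyid)
    return {
        "old_selected": old.keyname,
        "old_accepts": server_accepts(old, msg, client_tag),
        "new_selected": new.keyname,
        "new_accepts": server_accepts(new, msg, client_tag),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the keyid-only lookup picks the first matching entry, so a client holding a valid key is rejected; that is the symptom to look for when two keytab entries share a keyid.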

