As a test, I reconfigured my proxy machine to be ZTN+MultiUser (no proxy, no sss, single machine doing it all) and that worked(!) On a single server I can authorize with ztn, map to a unix user, write a file with MultiUser. That validates the SciTokens and ztn config.

This indicates to me a problem with the credential forwarding over sss to the origin; somehow I end up with the subject presented to Multi as the username. Could be a bug, could be my sss config?

Now, with that test done, returning to my original config:

@bbockelm - putting the Bearer token on the URL doesn't change the behavior for me.

@abh3 - I think this is the auth trace logging you were suggesting? On the origin it shows ztn, which is good, but the login not the unix username.

```
221208 08:23:16 7265 XrootdXeq: U5.3400770:23@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/XXXXXXX via ztn auth for bhess.244976:33@ifarm1802
```

Here's the keytab I've been testing with:

```
# xrdsssadmin list /etc/xrootd/proxy.keytab
Number Len Date/Time Created Expires  Keyname User & Group
------ --- --------- ------- -------- -------
     1  32 12/07/22 06:45:08 -------- proxy+ allusers usrgroup
```

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1851#issuecomment-1342842048