As a test, I reconfigured my proxy machine to be ZTN+MultiUser (no proxy, no sss, single machine doing it all) and that worked(!) On a single server I can authorize with ztn, map to a unix user, write a file with MultiUser. That validates the SciTokens and ztn config.
This indicates to me a problem with the credential forwarding over sss to the origin; somehow I end up with the subject presented to Multi as the username. Could be a bug, could be my sss config?
Now, with that test done, returning to my original config:
@bbockelm - putting the Bearer token on the URL doesn't change the behavior for me.
@abh3 - I think this is the auth trace logging you were suggesting? On the origin it shows ztn, which is good, but the login, not the unix username:
221208 08:23:16 7265 XrootdXeq: U5.3400770:23@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/XXXXXXX via ztn auth for bhess.244976:33@ifarm1802
Here's the keytab I've been testing with:
# xrdsssadmin list /etc/xrootd/proxy.keytab
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
1 32 12/07/22 06:45:08 -------- proxy+ allusers usrgroup
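A small audit script for the symptom described in this message (the origin's XrootdXeq trace reporting the token subject, rather than a mapped unix user, as the login identity). This is an added example, not code from the thread or from XRootD itself: it assumes the `login as <identity> via <auth> auth for <client>` clause format seen in the log line above, and the second and third sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Clause format assumed from the XrootdXeq line quoted in the message:
#   "... login as <identity> via <auth> auth for <client>"
LOGIN_RE = re.compile(
    r"login as (?P<identity>\S+) via (?P<auth>\S+) auth for (?P<client>\S+)"
)

# What a usable local account name looks like (POSIX-style); a token subject
# such as "http://cilogon.org/..." will never match this.
UNIX_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


@dataclass
class LoginEvent:
    identity: str  # what the server logged in as
    auth: str      # protocol that authenticated the session (ztn, sss, ...)
    client: str    # originating client, e.g. user.pid:fd@host

    def is_unix_user(self) -> bool:
        """True when the identity is a plausible local account, not a raw subject."""
        return UNIX_NAME_RE.match(self.identity) is not None


def parse_login(line: str) -> Optional[LoginEvent]:
    """Extract the login clause from one trace line, or None if it has none."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    return LoginEvent(m.group("identity"), m.group("auth"), m.group("client"))


def audit(lines: List[str]) -> List[Tuple[int, LoginEvent]]:
    """Return (line number, event) for every login whose identity was not
    mapped to a unix user; these are the sessions that would be refused or
    misattributed by a MultiUser plugin expecting a local account."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_login(line)
        if ev is not None and not ev.is_unix_user():
            findings.append((n, ev))
    return findings


# Sample input: line 1 is the trace line from the message; lines 2 and 3 are
# constructed here to show a correctly mapped login and a non-login line.
SAMPLE_LOG = [
    "221208 08:23:16 7265 XrootdXeq: U5.3400770:23@dtn2201 pub IP46 TLSv1.2 "
    "login as http://cilogon.org/serverA/users/XXXXXXX via ztn auth for "
    "bhess.244976:33@ifarm1802",
    "221208 08:24:01 7265 XrootdXeq: U6.3400771:23@dtn2201 pub IP46 TLSv1.2 "
    "login as bhess via ztn auth for bhess.244977:33@ifarm1802",
    "221208 08:24:02 7265 XrootdXeq: U6.3400771:23@dtn2201 disc 0:00:01",
]

if __name__ == "__main__":
    for n, ev in audit(SAMPLE_LOG):
        print(f"line {n}: {ev.auth} session for {ev.client} "
              f"logged in as unmapped identity {ev.identity!r}")
```

Run it against a copy of the origin's log to see which sessions arrive with the token subject still unmapped; if every ztn login shows up here while the same token maps correctly on a standalone ZTN+MultiUser server, that points at the forwarding hop rather than the token validation.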