As a test, I reconfigured my proxy machine to be ZTN+MultiUser (no proxy, no sss, single machine doing it all) and that worked(!). On a single server I can authorize with ztn, map to a unix user, and write a file with MultiUser. That validates the SciTokens and ztn config.

This indicates to me a problem with the credential forwarding over sss to the origin; somehow I end up with the subject presented to Multi as the username. Could be a bug, could be my sss config?

Now, with that test done, returning to my original config:

@bbockelm - putting the Bearer token on the URL doesn't change the behavior for me.

@abh3 - I think this is the auth trace logging you were suggesting? On the origin it shows ztn, which is good, but the login is not the unix username.

221208 08:23:16 7265 XrootdXeq: U5.3400770:23@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/XXXXXXX via ztn auth for bhess.244976:33@ifarm1802

Here's the keytab I've been testing with:

# xrdsssadmin list /etc/xrootd/proxy.keytab
Number Len Date/Time Created Expires  Keyname User & Group
------ --- ----------------- -------- ------- -----------------
     1  32 12/07/22 06:45:08 -------- proxy+  allusers usrgroup
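The trace line quoted above is the kind of thing worth grepping for systematically on the origin: any "login as" identity that is still a token subject (a URL) rather than a unix account name tells you the ztn-to-unix mapping did not happen before MultiUser saw the request. The following is an added example, not code from the XRootD project or from the thread participants; the log lines it parses are constructed (the first mirrors the shape of the quoted one, the others are made up to show a correctly mapped login and a non-ztn login), and the "contains '/' or ':' means unmapped" rule is an assumption about how unix account names look on the site in question, not an XRootD rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines. Line 1 follows the shape of the trace line
# quoted in the thread (subject anonymized); lines 2 and 3 are made up to
# show a mapped unix login and a non-ztn login respectively.
SAMPLE_LOG = """\
221208 08:23:16 7265 XrootdXeq: U5.3400770:23@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/XXXXXXX via ztn auth for bhess.244976:33@ifarm1802
221208 08:24:01 7265 XrootdXeq: U5.3400771:24@dtn2201 pub IP46 TLSv1.2 login as bhess via ztn auth for bhess.244977:34@ifarm1802
221208 08:25:40 7265 XrootdXeq: U5.3400772:25@dtn2201 pub IP46 TLSv1.2 login as jdoe via sss
"""

# Lenient pattern for XrootdXeq "login as" lines: the "via <proto>" and
# "auth for <forwarded id>" parts are optional so lines without credential
# forwarding still parse.
LOGIN_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<pid>\d+) XrootdXeq: "
    r"(?P<link>\S+) .*?login as (?P<login>\S+)"
    r"(?: via (?P<auth>\S+))?(?: auth for (?P<fwd>\S+))?"
)


@dataclass
class LoginEvent:
    link: str                    # client link id, e.g. U5.3400770:23@dtn2201
    login: str                   # identity the server logged the client in as
    auth: Optional[str]          # auth protocol (ztn, sss, ...) if present
    forwarded_for: Optional[str] # identity the proxy forwarded on behalf of

    @property
    def unmapped(self) -> bool:
        """True when the login identity still looks like a token subject.

        Assumption: on this site a mapped unix account name never contains
        '/' or ':', whereas a SciTokens/ztn subject (an issuer URL) does.
        """
        return "/" in self.login or ":" in self.login


def parse_login_lines(text: str) -> List[LoginEvent]:
    """Extract LoginEvent records from XrootdXeq trace output."""
    events: List[LoginEvent] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(LoginEvent(m["link"], m["login"], m["auth"], m["fwd"]))
    return events


def unmapped_logins(text: str, auth: str = "ztn") -> List[LoginEvent]:
    """Logins over the given auth protocol whose identity was never mapped."""
    return [e for e in parse_login_lines(text) if e.auth == auth and e.unmapped]


if __name__ == "__main__":
    for ev in unmapped_logins(SAMPLE_LOG):
        print(f"{ev.link}: logged in as token subject {ev.login!r} "
              f"(forwarded for {ev.forwarded_for}); mapping did not apply")
```

Run it against the origin's trace output (with `xrootd.trace` set so the `login as` lines appear) instead of `SAMPLE_LOG`; a non-empty result from `unmapped_logins` is exactly the symptom described in this message, and comparing the `forwarded_for` field against the keytab's user/group columns is a quick way to tell whether the sss side delivered the identity you expected.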





Message ID: <xrootd/xrootd/issues/1851/1342842048@github.com>
View this comment on GitHub: https://github.com/xrootd/xrootd/issues/1851#issuecomment-1342842048