I may misunderstand, but it seems to me that if the proxy (dtn2201) just passed the unix username to the origin, and if the origin trusted it, then the MutliUser plugin would be satisfied, wouldn't it?

Yeah, there's some complication here.

Tokens are evaluated at the time of request as they embed path-specific authorization. ZTN provides a "default" token for the session which is attached to the session object in the proxy -- but it's evaluation is still delayed. Hence, the token needs to be passed to the origin as part of the credential in the generated SSS session. That's the part which I'd naively guess is breaking.

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/issues/1851#issuecomment-1343806956", "url": "https://github.com/xrootd/xrootd/issues/1851#issuecomment-1343806956", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1