OK, I think I got the traces right this time. Apologies for the delay. Below are two configs and two traces.

First, here is the proxy config:

```
all.export /
ofs.osslib libXrdPss.so
ofs.ckslib * libXrdPss.so
pss.origin sciwork1802.jlab.org:1094
pss.persona client
http.header2cgi Authorization authz
xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
xrootd.seclib default
ofs.authorize
acc.authdb /etc/xrootd/Authfile
acc.authrefresh 60
ofs.authlib ++ libXrdAccSciTokens.so
sec.protocol ztn
sec.protbind *jlab.org ztn
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/proxy.keytab -c /etc/xrootd/proxy.keytab --getcreds --proxy ztn
sec.protbind dtn*jlab.org sss
sec.protbind xrdmgr*jlab.org sss
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
sec.trace debug
ofs.trace -all
xrootd.trace all
scitokens.trace all debug
ztn.trace all debug
auth.trace all debug
```

Next, the origin config:

```
all.export /gluex
oss.localroot /export/test-xrootd
xrd.port 1094
all.role server
xrootd.seclib default
xrd.tls /etc/grid-security/xrd/hostcert.pem /etc/grid-security/xrd/hostkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
ofs.osslib ++ libXrdMultiuser.so
ofs.ckslib ++ libXrdMultiuser.so
xrootd.trace all
auth.trace all debug
scitokens.trace all
#all.manager xrdmgr1 3121
sec.protocol ztn
sec.protocol sss -k -s /etc/xrootd/proxy.keytab -c /etc/xrootd/proxy.keytab --getcreds --proxy ztn
sec.protbind dtn*jlab.org sss
sec.protbind xrdmgr*jlab.org sss
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
```

Here's the trace on the proxy:

```
------ xrootd [log in to unmask]:1094 initialization completed.
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Protocol: 0000 req=protocol dlen=0
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Response: 0000 sending 8 data bytes; status=0
221212 08:42:22 29319 XrdLinkXeq: anon.0:22@dtn2201 connection upgraded to TLSv1.2
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Protocol: 0000 req=login dlen=92
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending 54 data bytes; status=0
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 req=auth dlen=218
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending OK
p0.3575346:22@dtn2201 Protocol 'sss'
p0.3575346:22@dtn2201 Name 'xrootd'
p0.3575346:22@dtn2201 Host 'dtn2201.jlab.org'
p0.3575346:22@dtn2201 Vorg ''
p0.3575346:22@dtn2201 Role ''
p0.3575346:22@dtn2201 Grps ''
p0.3575346:22@dtn2201 Caps ''
p0.3575346:22@dtn2201 Pidn 'p0.3575346:22@dtn2201'
p0.3575346:22@dtn2201 Crlen 0
p0.3575346:22@dtn2201 ueid 1
p0.3575346:22@dtn2201 uid 985
p0.3575346:22@dtn2201 gid 933
221212 08:42:22 29319 XrootdXeq: p0.3575346:22@dtn2201 pub IP46 TLSv1.2 login as xrootd
221212 08:42:22 29319 multiuser_UserSentry: Switching FS uid for user xrootd
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 req=endsess dlen=0
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 endsess 24999:23.8
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending OK
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0100 req=stat dlen=10
221212 08:42:22 29319 multiuser_UserSentry: Switching FS uid for user xrootd
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0100 rc=0 stat /gluex/fff
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0100 sending 83 data bytes
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Protocol: 0000 req=protocol dlen=0
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Response: 0000 sending 8 data bytes; status=0
221212 08:42:22 29318 XrdLinkXeq: anon.0:23@dtn2201 connection upgraded to TLSv1.2
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Protocol: 0000 req=login dlen=92
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Response: 0000 sending 54 data bytes; status=0
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Protocol: 0000 req=auth dlen=1260
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Response: 0000 sending OK
U2.3575346:23@dtn2201 Protocol 'ztn'
U2.3575346:23@dtn2201 Name 'http://cilogon.org/serverA/users/6772316'
U2.3575346:23@dtn2201 Host 'dtn2201.jlab.org'
U2.3575346:23@dtn2201 Vorg ''
U2.3575346:23@dtn2201 Role ''
U2.3575346:23@dtn2201 Grps ''
U2.3575346:23@dtn2201 Caps ''
221212 08:42:22 3575352 scitokens_Reconfig: Parsing configuration file: /etc/xrootd/scitokens.cfg
221212 08:42:22 3575352 scitokens_Reconfig: Configuring issuer https://cilogon.org/jlab
221212 08:42:22 3575352 scitokens_Reconfig: Successfully parsed SciTokens mapfile: /etc/xrootd/scitokens-map.json
221212 08:42:22 3575352 scitokens_Access: Token not found in recent cache; parsing.
221212 08:42:22 3575352 scitokens_Access: New valid token mapped_username=xrootd, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221212 08:42:22 3575352 scitokens_Access: Grant authorization based on scopes for operation=stat, path=/gluex/fff
221212 08:42:22 3575352 scitokens_Access: Request username bhess
221212 08:42:22 3575352 bhess.154395:34@ifarm1802 Xrootd_Protocol: 0100 rc=0 stat /gluex/fff
221212 08:42:22 3575352 bhess.154395:34@ifarm1802 Xrootd_Response: 0100 sending 71 data bytes
221212 08:42:22 3575352 bhess.154395:34@ifarm1802 Xrootd_Protocol: 0100 req=open dlen=23
221212 08:42:22 3575352 bhess.154395:34@ifarm1802 Xrootd_Protocol: 0100 open udmat /gluex/fff?oss.asize=12
221212 08:42:22 3575352 scitokens_Access: Trying token-based access control
221212 08:42:22 3575352 scitokens_Access: Cached token mapped_username=xrootd, subject=http://cilogon.org/serverA/users/6772316, issuer=https://cilogon.org/jlab, authorizations=/gluex:read,dir,stat,create,mkdir,mv,insert,update,chmod,del
221212 08:42:22 3575352 scitokens_Access: Grant authorization based on scopes for operation=create, path=/gluex/fff
221212 08:42:22 3575352 scitokens_Access: Request username bhess
221212 08:42:22 3575352 ofs_open: bhess.154395:34@ifarm1802 Unable to open /gluex/fff; permission denied
221212 08:42:22 3575352 bhess.154395:34@ifarm1802 Xrootd_Response: 0100 sending err 3010: Unable to open /gluex/fff; permission denied
221212 08:42:22 3575352 XrootdXeq: bhess.154395:34@ifarm1802 disc 0:00:00
```

Here's the auth trace on the origin:

```
------ xroot protocol initialization completed.
------ xrootd [log in to unmask]:1094 initialization completed.
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Protocol: 0000 req=protocol dlen=0
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Response: 0000 sending 8 data bytes; status=0
221212 08:42:22 29319 XrdLinkXeq: anon.0:22@dtn2201 connection upgraded to TLSv1.2
221212 08:42:22 29319 anon.0:22@dtn2201 Xrootd_Protocol: 0000 req=login dlen=92
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending 54 data bytes; status=0
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 req=auth dlen=218
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending OK
p0.3575346:22@dtn2201 Protocol 'sss'
p0.3575346:22@dtn2201 Name 'xrootd'
p0.3575346:22@dtn2201 Host 'dtn2201.jlab.org'
p0.3575346:22@dtn2201 Vorg ''
p0.3575346:22@dtn2201 Role ''
p0.3575346:22@dtn2201 Grps ''
p0.3575346:22@dtn2201 Caps ''
p0.3575346:22@dtn2201 Pidn 'p0.3575346:22@dtn2201'
p0.3575346:22@dtn2201 Crlen 0
p0.3575346:22@dtn2201 ueid 1
p0.3575346:22@dtn2201 uid 985
p0.3575346:22@dtn2201 gid 933
221212 08:42:22 29319 XrootdXeq: p0.3575346:22@dtn2201 pub IP46 TLSv1.2 login as xrootd
221212 08:42:22 29319 multiuser_UserSentry: Switching FS uid for user xrootd
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 req=endsess dlen=0
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0000 endsess 24999:23.8
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0000 sending OK
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0100 req=stat dlen=10
221212 08:42:22 29319 multiuser_UserSentry: Switching FS uid for user xrootd
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0100 rc=0 stat /gluex/fff
221212 08:42:22 29319 p0.3575346:22@dtn2201 Xrootd_Response: 0100 sending 83 data bytes
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Protocol: 0000 req=protocol dlen=0
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Response: 0000 sending 8 data bytes; status=0
221212 08:42:22 29318 XrdLinkXeq: anon.0:23@dtn2201 connection upgraded to TLSv1.2
221212 08:42:22 29318 anon.0:23@dtn2201 Xrootd_Protocol: 0000 req=login dlen=92
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Response: 0000 sending 54 data bytes; status=0
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Protocol: 0000 req=auth dlen=1260
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Response: 0000 sending OK
U2.3575346:23@dtn2201 Protocol 'ztn'
U2.3575346:23@dtn2201 Name 'http://cilogon.org/serverA/users/6772316'
U2.3575346:23@dtn2201 Host 'dtn2201.jlab.org'
U2.3575346:23@dtn2201 Vorg ''
U2.3575346:23@dtn2201 Role ''
U2.3575346:23@dtn2201 Grps ''
U2.3575346:23@dtn2201 Caps ''
U2.3575346:23@dtn2201 Pidn 'bhess.154395:34@ifarm1802'
U2.3575346:23@dtn2201 Crlen 986
U2.3575346:23@dtn2201 ueid 2
U2.3575346:23@dtn2201 uid 0
U2.3575346:23@dtn2201 gid 0
U2.3575346:23@dtn2201Attr xrd.appname = 'xrdcp'
U2.3575346:23@dtn2201Attr = ''
221212 08:42:22 29318 XrootdXeq: U2.3575346:23@dtn2201 pub IP46 TLSv1.2 login as http://cilogon.org/serverA/users/6772316 via ztn auth for bhess.154395:34@ifarm1802
221212 08:42:22 29318 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Protocol: 0100 req=open dlen=23
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Protocol: 0100 open udmt /gluex/fff?oss.asize=12
221212 08:42:22 29318 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221212 08:42:22 29318 ofs_open: U2.3575346:23@dtn2201 Unable to create /gluex/fff; permission denied
221212 08:42:22 29318 U2.3575346:23@dtn2201 Xrootd_Response: 0100 sending err 3010: Unable to create /gluex/fff; permission denied
221212 08:42:22 29318 XrdTLS: U2.3575346:23@dtn2201 TLS error rc=0 ec=6 (zero_return) errno=0.
221212 08:42:22 29318 XrootdXeq: U2.3575346:23@dtn2201 disc 0:00:00
221212 08:42:22 29318 multiuser_UserSentry: XRootD mapped request to username that does not exist: http://cilogon.org/serverA/users/6772316
221212 08:42:25 29319 p0.3575346:22@dtn2201 Xrootd_Protocol: 0100 request timeout; read 0 of 24 bytes
```

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1851#issuecomment-1346546187