Hi Torsten,
the grid-mapfile on 'grid-ce5.physik.uni-wuppertal.de' shows
"/DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo" augersgm
so this user is always mapped to 'augersgm' ... (this line is present
before the generic voms lines)
hope this helps,
JJK / Jan Just Keijser
Nikhef
Amsterdam
Torsten Harenberg wrote:
> Dear all,
>
> (thanks for all your replies concerning the lcg-CA package :-) )
>
> now I have a problem with one single user from Auger. He has both access to the SoftwareManager and to the Production Role.
>
> While all other Auger users (also some with production role) are mapped correctly to one of the augerXXX or augerprdXXX accounts, this one get's always mapped to the augersgm account (for auger we only have a single augersgm account).
>
> I already checked with the Auger VO support and so far it seems that our settings are correct, but I couldn't find the problem.
>
> The logs say:
>
>
> Feb 14 14:26:44 grid-ce5 GRAM gatekeeper[1968]: Got connection 134.158.72.175 at Mon Feb 14 14:26:44 2011
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Requested service: jobmanager-lcgpbs
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authorized as local user: augersgm
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authorized as local uid: 29991
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: and local gid: 2990
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: "/DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo" mapped to augersgm (29991/2990)
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: JMA 2011/02/14 14:26:46 GATEKEEPER_JM_ID 2011-02-14.14:26:45.0000001968.0000000000 has EDG_WL_JOBID ''
>
>
> PID: 7507 -- Notice: 6: Got connection 195.113.219.92 at Mon Feb 14 14:08:36 2011
>
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> lcas client name: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> LCAS 0:
> LCAS 1: Initialization LCAS version 1.3.11.2
> allowing empty credentials
> LCAS 2: LCAS authorization request
> LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
> LCAS 0: 2011-02-14.13:08:37 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin succeeded
> LCAS 0: lcas.mod-lcas_run_va(): succeeded
> LCAS 1: Termination LCAS
> lcmaps client name: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 :
> LCMAPS 7: 2011-02-14.14:08:37.0000007507.0000000000 : Initialization LCMAPS version 1.4.7
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-startPluginManager(): Reading LCMAPS database /opt/glite/etc/lcmaps/lcmaps.db
> LCMAPS 5: 2011-02-14.14:08:37.0000007507.0000000000 : LCMAPS credential mapping request
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin succeeded
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): Could not find a VOMS localaccount in /etc/grid-security/grid-map
> file (failure)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): voms_localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): warning: no primary group found !
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): no primary group found (failure)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin failed
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 6: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_posix_enf-log_cred(): uid=29991(augersgm):pgid=2990(auger)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-lcmaps_run(): succeeded
> LCMAPS 7: 2011-02-14.14:08:37.0000007507.0000000000 : Termination LCMAPS
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-lcmaps_term(): terminating
> Successfull mapping done
> Mapping service "LCMAPS" returned local user "augersgm"
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 0: GRID_SECURITY_HTTP_BODY_FD=8
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Requested service: jobmanager-fork
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authorized as local user: augersgm
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authorized as local uid: 29991
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: and local gid: 2990
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: "/DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo" mapped to augersgm (29991/2990)
>
> config is:
>
> [root@grid-ce5 grid-security]# grep auger voms-grid-mapfile
> "/auger/Role=Production/Capability=NULL" .augerprd
> "/auger/Role=Production" .augerprd
> "/auger/Role=SoftwareManager/Capability=NULL" augersgm
> "/auger/Role=SoftwareManager" augersgm
> "/auger/Role=NULL/Capability=NULL" .auger
> "/auger" .auger
>
>
>
/auger/Role=Production/Capability=NULL
> [root@grid-ce5 auger]# pwd
> /etc/grid-security/vomsdir/auger
> [root@grid-ce5 auger]# ls
> voms1.egee.cesnet.cz.lsc
> [root@grid-ce5 auger]# cat voms1.egee.cesnet.cz.lsc
> /DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
> /DC=cz/DC=cesnet-ca/CN=CESNET CA
>
>
> Here is the globus-gatekeeper.log from another Auger user, mapped correctly to augerprd004:
>
> PID: 17654 -- Notice: 6: Got connection 192.108.45.128 at Mon Feb 14 14:09:45 2011
>
> TIME: Mon Feb 14 14:09:45 2011
> PID: 17654 -- Notice: 5: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> lcas client name: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> LCAS 0:
> LCAS 1: Initialization LCAS version 1.3.11.2
> allowing empty credentials
> LCAS 2: LCAS authorization request
> LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
> LCAS 0: 2011-02-14.13:09:46 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin succeeded
> LCAS 0: lcas.mod-lcas_run_va(): succeeded
> LCAS 1: Termination LCAS
> lcmaps client name: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 :
> LCMAPS 7: 2011-02-14.14:09:46.0000017654.0000000000 : Initialization LCMAPS version 1.4.7
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-startPluginManager(): Reading LCMAPS database /opt/glite/etc/lcmaps/lcmaps.db
> LCMAPS 5: 2011-02-14.14:09:46.0000017654.0000000000 : LCMAPS credential mapping request
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin succeeded
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): Could not find a VOMS localaccount in /etc/grid-security/grid-map
> file (failure)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): voms_localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): warning: no primary group found !
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): no primary group found (failure)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_localaccount-plugin_run(): No entry found for /DC=es/DC=irisgrid/O=ugr/CN=mdserrano in /etc/grid-
> security/grid-mapfile
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_poolaccount-plugin_run(): poolaccount plugin succeeded
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 6: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_posix_enf-log_cred(): uid=29954(augerprd004):pgid=2991(augerprd):sgid=2990(auger)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-lcmaps_run(): succeeded
> LCMAPS 7: 2011-02-14.14:09:46.0000017654.0000000000 : Termination LCMAPS
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-lcmaps_term(): terminating
> Successfull mapping done
> Mapping service "LCMAPS" returned local user "augerprd004"
>
>
> I asked the User to send a globus-job-run directly to our CE and he returned:
>
> """
>
> I suppose this the globus command you wanted me to execute (within our UI at Granada) :
> [12:49][juliolb@ui-cafpegrid:tmp]$ globus-job-run grid-ce5.physik.uni-wuppertal.de/jobmanager-fork /usr/bin/id
> uid=29991(augersgm) gid=2990(auger) groups=2990(auger)
> And as you can see I'm mapped as augersgm ....
> whereas :
> [13:34][juliolb@ui-cafpegrid:tmp]$ globus-job-run ce-4-fzk.gridka.de:2119 /usr/bin/id
> uid=26399(augerprd) gid=5580(auger) groups=5580(auger)
> or :
> [13:34][juliolb@ui-cafpegrid:tmp]$ globus-job-run grid-ce.physik.rwth-aachen.de:2119 /usr/bin/id
> uid=34028(aug023) gid=34005(auger) groups=34005(auger) context=user_u:system_r:initrc_t
>
> """
>
>
>
> Anybody a clue on this one? I'm a bit lost...
>
> Best regards,
>
> Torsten
>
>
> --
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> <> <>
> <> Dr. Torsten Harenberg [log in to unmask] <>
> <> Bergische Universitaet <>
> <> FB C - Physik Tel.: +49 (0)202 439-3521 <>
> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
> <> 42097 Wuppertal <>
> <> <>
> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
>
|