On Mon, 2005-05-02 at 06:32, Maarten Litmaath, CERN wrote:
> On Fri, 29 Apr 2005, Joseph L. Kaiser wrote:
>
> > Hi,
> >
> > I have upgraded to LCG-2_4_0. I am using Condor 6.7.6 with the
> > jobmanager-lcgcondor. I am attempting to submit jobs to my condor queue
> > but I keep getting this:
> >
> > [jlkaiser@hotdog47 jlkaiser]$ globus-url-copy file:/etc/group
> > gsiftp://cmslcgce/tmp/testit
> > error: the server sent an error response: 535 535-FTPD GSSAPI error: GSS
> > Major Status: Authentication Failed
> > 535-FTPD GSSAPI error: GSS Minor Status Error Chain:
> > 535-FTPD GSSAPI error:
> > 535-FTPD GSSAPI error: accept_sec_context.c:170: gss_accept_sec_context:
> > SSLv3 handshake problems
> > 535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:881:
> > globus_i_gsi_gss_handshake: Unable to verify remote side's credentials
> > 535-FTPD GSSAPI error: globus_i_gsi_gss_utils.c:854:
> > globus_i_gsi_gss_handshake: SSLv3 handshake problems: Couldn't do ssl
> > handshake
> > 535-FTPD GSSAPI error: OpenSSL Error: s3_srvr.c:1816: in library: SSL
> > routines, function SSL3_GET_CLIENT_CERTIFICATE: no certificate returned
> > 535-FTPD GSSAPI error: globus_gsi_callback.c:351:
> > globus_i_gsi_callback_handshake_callback: Could not verify credential
> > 535-FTPD GSSAPI error: globus_gsi_callback.c:477:
> > globus_i_gsi_callback_cred_verify: Could not verify credential
> > 535-FTPD GSSAPI error: globus_gsi_callback.c:769:
> > globus_i_gsi_callback_check_revoked: Invalid CRL: The available CRL has
> > expired
> > 535 FTPD GSSAPI error: accepting context
> >
> >
> > I have followed the instructions on the wiki for this problem and the
> > problem persists. I have run the edg-fetch-crl cron script on every node
> > in the cluster including the CE.
>
> The problem must be on the CE, since everyone gets the error. See below.
>
> > My CE, cmslcgce, is a submit node to the condor batch system. The
> > collector and negotiator sit on cmssrv14. The jobmanager-fork works
> > fine.
> >
> > Attempts to make a globus-url-copy produce the same error.
> >
> > I see these errors in /var/log/messages, the /var/log/globus-gridftp.log
> > does NOT seem to be getting messages from gridftp.
> >
> > restart works fine:
> >
> > Apr 29 14:41:23 cmslcgce globus-gridftp: edg-gridftpd -TERM succeeded
> > Apr 29 14:41:23 cmslcgce gridftpd[20156]: FTP server (GridFTP Server
> > 1.12 GSSAPI type Globus/GSI wu-2.6.2 (gcc32dbg, 1062606889-42)) ready.
> > Apr 29 14:41:23 cmslcgce globus-gridftp: globus-gridftp.log startup
> > succeeded
> >
> >
> >
> > now a
> > globus-url-copy file:/etc/group gsiftp://cmslcgce.fnal.gov/tmp/testit:
> >
> > Apr 29 14:42:36 cmslcgce kernel: application bug: edg-gridftpd(20156)
> > has SIGCHLD set to SIG_IGN but calls wait().
> > Apr 29 14:42:36 cmslcgce kernel: (see the NOTES section of 'man 2
> > wait'). Workaround activated.
> > Apr 29 14:42:36 cmslcgce gridftpd[20186]: failed accepting context
>
> That is not what I see:
>
> -----------------------------------------------------------------------------
> $ globus-url-copy -dbg file:/etc/group gsiftp://cmslcgce.fnal.gov/tmp/test.$$
> debug: starting to put gsiftp://cmslcgce.fnal.gov/tmp/test.2429
> debug: connecting to gsiftp://cmslcgce.fnal.gov/tmp/test.2429
> debug: response from gsiftp://cmslcgce.fnal.gov/tmp/test.2429:
> 220 cmslcgce.fnal.gov GridFTP Server 1.17 CAS/SAML enabled GSSAPI type
> Globus/GSI wu-2.6.2 (gcc32dbg, 1083879869-52) ready.
> [...]
> -----------------------------------------------------------------------------
>
> Er? LCG does not distribute such a GridFTP daemon; I suppose it is something
> that Fermilab wants to use instead of the edg-gridftpd?
>
No, we are trying to use the edg-gridftp. I searched the path for another
ftpd that may have been started instead, but that does not seem
to be the cause. Perhaps I missed something. I shall try again.
Thanks,
Joe
> I would not be surprised if the problem had to do with this difference;
> the folks who are responsible for the "CAS/SAML" gridftpd should have a look
> at your problem.
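
Since the last entry in the error chain above is "Invalid CRL: The
available CRL has expired", one quick check on the CE is to list the CRL
files whose nextUpdate time has already passed. What follows is only a
minimal sketch, not a confirmed procedure for this site. It assumes the
CRLs are PEM files named *.r0 under /etc/grid-security/certificates (the
conventional Globus trust directory, which nobody in this thread has
confirmed for cmslcgce) and that GNU date is available. The names
check_crls and CRL_DIR are made up for illustration.

```shell
#!/bin/sh
# Sketch: report CRLs whose nextUpdate time is in the past.
# CRL_DIR is an assumption (the conventional Globus trust directory);
# override it if the CE keeps its CA files somewhere else.
CRL_DIR="${CRL_DIR:-/etc/grid-security/certificates}"

# check_crls is a hypothetical helper name, not part of any LCG tool.
check_crls() {
    dir="$1"
    now=$(date +%s)
    for crl in "$dir"/*.r0; do
        # Skip the unexpanded glob when the directory holds no CRLs.
        [ -e "$crl" ] || continue
        # openssl prints a line of the form "nextUpdate=<date>".
        next=$(openssl crl -in "$crl" -noout -nextupdate 2>/dev/null | cut -d= -f2)
        if [ -z "$next" ]; then
            echo "UNREADABLE $crl"
            continue
        fi
        # date -d is GNU date syntax; other platforms need another parser.
        next_s=$(date -d "$next" +%s 2>/dev/null) || { echo "UNPARSED $crl"; continue; }
        if [ "$next_s" -lt "$now" ]; then
            echo "EXPIRED $crl (nextUpdate: $next)"
        fi
    done
}

check_crls "$CRL_DIR"
```

If this prints any EXPIRED or UNREADABLE lines on the CE, the CRL for that
CA was not refreshed there, whatever the cron script did on the other
nodes. No output means every CRL it found is still current.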