Hi Harald,
it seems that the problem is related to Rafal certificate, because with
Piotr certificate the authentication works fine. From gatekeeper.log:
LCMAPS 0: 2006-10-12.14:17:15.373831.0000023656.0000001344 :
lcmaps.mod-lcmaps_run(): succeeded
LCMAPS 7: 2006-10-12.14:17:15.373831.0000023656.0000001344 : Termination
LCMAPS
LCMAPS 0: 2006-10-12.14:17:15.373831.0000023656.0000001344 :
lcmaps.mod-lcmaps_term(): terminating
Notice: 5: Requested service: jobmanager-fork
Notice: 5: Authorized as local user: ops002
Notice: 5: Authorized as local uid: 3302
Notice: 5: and local gid: 2422
Notice: 5: "/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217" mapped to ops002
(3302/2422)
Notice: 0: executing /opt/globus/libexec/globus-job-manager
Notice: 0: GATEKEEPER_JM_ID 2006-10-12.14:17:15.0000023656.0000001344
for /C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 on 128.142.160.93
Notice: 0: GRID_SECURITY_CONTEXT_FD=12
Notice: 0: Child 27008 started
JMA 2006/10/12 14:17:17 GATEKEEPER_JM_ID
2006-10-12.14:17:15.0000023656.0000001344 for
/C=CH/O=CERN/OU=GRID/CN=Piotr Nyczyk 6217 on 128.142.160.93
JMA 2006/10/12 14:17:17 GATEKEEPER_JM_ID
2006-10-12.14:17:15.0000023656.0000001344 mapped to ops002 (3302, 2422)
JMA 2006/10/12 14:17:17 GATEKEEPER_JM_ID
2006-10-12.14:17:15.0000023656.0000001344 has GRAM_SCRIPT_JOB_ID 27197
manager type fork
Notice: 6: Got connection 131.154.100.148 at Thu Oct 12 14:18:39 2006
Notice: 5: Trying to use delegated user proxy
Notice: 5: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal
Lichwala - OPS
Notice: 0: GRID_SECURITY_HTTP_BODY_FD=9
Notice: 0: JOB_REPOSITORY_ID
2006-10-12.14:18:39.251085.0000023656.0000001345 (unique id used for Job
Repository)
Notice: 0: FORMAT: YYYY-MM-DD.hh:mm:ss.micros.pid.connection
Notice: 0: (Format: <date>.<time (with
microsecs)>.<pid>.<connection counter>)
Notice: 0: temporarily ALLOW empty credentials
Notice: 0: Using dlopen version of LCAS
Notice: 0: lcasmod_name = /opt/glite/lib/lcas.mod
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
LCAS 7: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
Initialization LCAS version 1.3.1
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas.mod-lcas_init(): Reading LCAS database /opt/glite/etc/lcas/lcas.db
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
LCAS 5: 2006-10-12.14:18:39.251085.0000023656.0000001345 : LCAS
authorization request
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas.mod-lcas_run_va(): user is /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas_userban.mod-plugin_confirm_authorization(): checking banned users
in /opt/gli
te/etc/lcas/ban_users.db
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas.mod-lcas_run_va(): authorization granted by plugin
/opt/glite/lib/modules/lcas_u
serban.mod
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): authorization
denied ba
sed on DN info for user
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509():
/C=PL/O=GRID/O=PSNC/CN=
Rafal Lichwala - OPS in /etc/grid-security/grid-mapfile
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): (in addition
no VOMS in
fo was found in user proxy)
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin
failed
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas.mod-lcas_run_va(): authorization failed for plugin
/opt/glite/lib/modules/lcas_v
oms.mod
LCAS 0: 2006-10-12.14:18:39.251085.0000023656.0000001345 :
lcas.mod-lcas_run_va(): failed
Failure: LCAS failed authorization.
Cheers,
Alessandro
Harald Gjermundrod wrote:
> Hi Alessandro
>
> After further investigation I realized that I was missing the public
> key in /etc/grid-security/vomsdir/ directory for the VO (see) that I
> was using. By copying this public key from another CE I could remove
> the DN entry and use a pure vomsified gridmap file.
>
> This might help you in locating your problem.
>
> Thanks,
> Harald Gjermundrod
>
>
> On Oct 10, 2006, at 6:02 PM, Antun Balaz wrote:
>
>> Hi,
>> gliteCE is supposed to work just with voms proxies...
>>
>> Regards, Antun
>>
>> -----
>> Antun Balaz
>> Research Assistant
>> E-mail: [log in to unmask]
>> Web: http://scl.phy.bg.ac.yu/
>>
>> Phone: +381 11 3160260, Ext. 152
>> Fax: +381 11 3162190
>>
>> Scientific Computing Laboratory
>> Institute of Physics, Belgrade, Serbia
>> -----
>>
>> ---------- Original Message -----------
>> From: Jeremy Cook <[log in to unmask]>
>> To: [log in to unmask]
>> Sent: Tue, 10 Oct 2006 15:04:45 +0200
>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>
>>> Hi,
>>>
>>> In my limited experience, this type of error occurs when the user of
>>> the gliteCE does not use 'voms-proxy-init' to get their proxy. Of
>>> course the potential problem is that the user may get authenticated
>>> on the gliteCE, but not on the SE, or vice versa, depending on which
>>> '*-proxy-init' method they use, since one uses vomsified gridmap
>>> file and the other uses edg_mkgridmapfile.
>>>
>>> Jeremy Cook
>>>
>>> On 10/10/06, Alessandro Paolini <[log in to unmask]>
>>> wrote:
>>>>
>>>> Hi,
>>>> looking better at gatekeeper.log, (sorry, I attached it only in
>>>> the ggus
>>>> ticket 13935) there is this line:
>>>>
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>>> (in additio
>>>> n no VOMS info was found in user proxy)
>>>>
>>>> so it seems there is a problem with the proxy voms used by SAM
>>>>
>>>> Cheers,
>>>> Alessandro
>>>>
>>>> from gatekeeper.log:
>>>>
>>>> -------------------------------------------------------------------------
>>>>
>> ------
>>>> Notice: 5: Trying to use delegated user proxy
>>>> Notice: 5: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal
>> Lichwala
>>>> - OPS
>>>> Notice: 0: GRID_SECURITY_HTTP_BODY_FD=9
>>>> Notice: 0: JOB_REPOSITORY_ID
>>>> 2006-10-09.10:23:56.124862.0000023656.0000000348 (unique id used
>>>> for Job
>>>> Repository)
>>>> Notice: 0: FORMAT:
>>>> YYYY-MM-DD.hh:mm:ss.micros.pid.connection
>>>> Notice: 0: (Format: <date>.<time (with microsecs)>.<pid>.<connection
>>>> counter>)
>>>> Notice: 0: temporarily ALLOW empty credentials
>>>> Notice: 0: Using dlopen version of LCAS
>>>> Notice: 0: lcasmod_name = /opt/glite/lib/lcas.mod
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> LCAS 7: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>> Initialization
>>>> LCAS version 1.3.1
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas.mod-lcas_init(): Reading LCAS database
>>>> /opt/glite/etc/lcas/lcas.db
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> LCAS 5: 2006-10-09.10:23:56.124862.0000023656.0000000348 : LCAS
>>>> authorization request
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas.mod-lcas_run_va(): user is /C=PL/O=GRID/O=PSNC/CN=Rafal
>>>> Lichwala - O
>>>> PS
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_userban.mod-plugin_confirm_authorization(): checking
>>>> banned users
>>>> in /opt/glite/etc/lcas/ban_users.db
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas.mod-lcas_run_va(): authorization granted by plugin
>>>> /opt/glite/lib/mo
>>>> dules/lcas_userban.mod
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>>> authorizati
>>>> on denied based on DN info for user
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>>> /C=PL/O=GRI
>>>> D/O=PSNC/CN=Rafal Lichwala - OPS in /etc/grid-security/grid-mapfile
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>>> (in additio
>>>> n no VOMS info was found in user proxy)
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>>> voms plugin
>>>> failed
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas.mod-lcas_run_va(): authorization failed for plugin
>>>> /opt/glite/lib/mo
>>>> dules/lcas_voms.mod
>>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>> lcas.mod-lcas_run_va(): failed
>>>> Failure: LCAS failed authorization.
>>>> Failure: LCAS failed authorization.
>>>> ------------------------------------------------------
>>>>
>>>> Alessandro Paolini wrote:
>>>> Antun Balaz wrote:
>>>> Hi Alessandro,
>>>>
>>>> What about your /etc/grid-security/gridmapdir ? Do you share your pbs
>> server
>>>> by lcg-CE and gliteCE? Mappings in gridmapdir should then be shared as
>> well.
>>>> Please take a look at the South Eastern Europe Wiki regarding the
>>>> gLite
>>>> deployment for the details:
>>>>
>>>> http://wiki.egee-see.org/index.php/GLite30
>>>>
>>>> Maybe you can get new ideas after reading these deployment
>>>> instructions
>> and
>>>> experiences...
>>>>
>>>> Hope this helps,
>>>> Antun
>>>>
>>>> Hi Antun,
>>>> gridmapdir is already shared:
>>>>
>>>> [root@glite-ce-01 root]# df -h
>>>> Filesystem Size Used Avail Use% Mounted on
>>>> /dev/md0 111G 1.8G 104G 2% /
>>>> /dev/sda1 99M 16M 79M 17% /boot
>>>> none 1004M 0 1004M 0% /dev/shm
>>>> gridit-ce-001.cnaf.infn.it:/var/spool/pbs
>>>> 64G 2.4G 58G 4% /var/spool/pbs
>>>> gridit-ce-001.cnaf.infn.it:/etc/grid-security/gridmapdir
>>>> 64G 2.4G 58G 4% /etc/grid-
>> security/gridmapdir
>>>>
>>>> I'll continue to investigate,
>>>> thanks for the help.
>>>> Alessandro
>>>>
>>>>
>>>>
>>>> -----
>>>> Antun Balaz
>>>> Research Assistant
>>>> E-mail: [log in to unmask]
>>>> Web: http://scl.phy.bg.ac.yu/
>>>>
>>>> Phone: +381 11 3160260, Ext. 152
>>>> Fax: +381 11 3162190
>>>>
>>>> Scientific Computing Laboratory
>>>> Institute of Physics, Belgrade, Serbia
>>>> -----
>>>>
>>>> ---------- Original Message -----------
>>>> From: Alessandro Paolini <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Sent: Tue, 10 Oct 2006 12:03:36 +0200
>>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>>
>>>>
>>>>
>>>> Antun Balaz wrote:
>>>>
>>>>
>>>> Can you check on other nodes that have old-style grid-mapfile if it
>>>> contains Rafal and how it is mapped?
>>>>
>>>>
>>>> on our lcg-CE:
>>>>
>>>> [root@gridit-ce-001 root]# grep Rafal /etc/grid-security/grid-mapfile
>>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala" .dteam
>>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS" opssgm
>>>>
>>>> Cheers,
>>>> Alex
>>>>
>>>>
>>>>
>>>> Regards, Antun
>>>>
>>>> -----
>>>> Antun Balaz
>>>> Research Assistant
>>>> E-mail: [log in to unmask]
>>>> Web: http://scl.phy.bg.ac.yu/
>>>>
>>>> Phone: +381 11 3160260, Ext. 152
>>>> Fax: +381 11 3162190
>>>>
>>>> Scientific Computing Laboratory
>>>> Institute of Physics, Belgrade, Serbia
>>>> -----
>>>>
>>>> ---------- Original Message -----------
>>>> From: Alessandro Paolini <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Sent: Tue, 10 Oct 2006 11:46:07 +0200
>>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>>
>>>>
>>>>
>>>>
>>>> Antun Balaz wrote:
>>>>
>>>>
>>>>
>>>> Hi Alessandro,
>>>>
>>>> grid-mapfile on gliteCE should not contain any DNs. If tests don't
>>>> work without it, this means that your gliteCE is wrongly configured...
>>>>
>>>>
>>>>
>>>> Hi Antun,
>>>> I agree with you, it isn't the correct way to solve the problem that
>>>> suddenly appeared some days ago only for ops (and I don't know if it
>>>> is related only to that user). Isn't there anyone of the restricted
>>>> members of ops (excluding Rafal) that can launch also a simple test
>>>> (globus-job-run glite-ce-01.cnaf.infn.it /usr/bin/whoami ) ?
>>>>
>>>> Many thanks in advance,
>>>> Alex
>>>>
>>>>
>>>>
>>>>
>>>> Regards, Antun
>>>>
>>>> -----
>>>> Antun Balaz
>>>> Research Assistant
>>>> E-mail: [log in to unmask]
>>>> Web: http://scl.phy.bg.ac.yu/
>>>>
>>>> Phone: +381 11 3160260, Ext. 152
>>>> Fax: +381 11 3162190
>>>>
>>>> Scientific Computing Laboratory
>>>> Institute of Physics, Belgrade, Serbia
>>>> -----
>>>>
>>>> ---------- Original Message -----------
>>>> From: Alessandro Paolini <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Sent: Tue, 10 Oct 2006 11:17:14 +0200
>>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi Harald,
>>>> thanks for the answer; I added certificate DN of Rafal in the
>>>> grid-mapfile, and now that user is authenticated and authorized
>>>> correctly, even though this thing should work without inserting any
>>>> user DN in grid-mapfile, because CE glite is only voms compatible.
>>>> I've also opened a ggus ticket (13935), so I hope to understand soon
>>>> where is the problem :-)
>>>>
>>>> Cheers,
>>>> Alex
>>>>
>>>> Harald Gjermundrod wrote:
>>>>
>>>>
>>>>
>>>>
>>>> Hi
>>>>
>>>> I have also had that problem in that the
>>>> /etc/grid-security/grid-mapfile is vomsified, i.e. it only contains
>>>> the following:
>>>>
>>>>
>>>> "/see/Role=seeadmin/Capability=NULL" seesgm
>>>> "/see/Role=seeadmin" seesgm
>>>> "/see/Role=production/Capability=NULL" seeprd
>>>> "/see/Role=production" seeprd
>>>> "/see/Role=NULL/Capability=NULL" .see
>>>> "/see" .see
>>>> "/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
>>>> "/dteam/Role=lcgadmin" dteamsgm
>>>> "/dteam/Role=production/Capability=NULL" dteamprd
>>>> "/dteam/Role=production" dteamprd
>>>> "/dteam/Role=NULL/Capability=NULL" .dteam
>>>> "/dteam" .dteam
>>>> "/ops/Role=lcgadmin/Capability=NULL" opssgm
>>>> "/ops/Role=lcgadmin" opssgm
>>>> "/ops/Role=NULL/Capability=NULL" .ops
>>>> "/ops" .ops
>>>>
>>>>
>>>> When I try to globus-job-run with a see proxy it fails (same error
>>>> messages as you), but using dteam proxy it works. Now if I manually
>>>> add the following entry to my grid-mapfile:
>>>> "/C=CY/O=CyGrid/O=UCY/CN=Harald Gjermundrod" .see
>>>>
>>>> Then it also works using a see proxy.
>>>>
>>>> I'm not sure if this is the solution you are looking for, but it
>>>> works for our purpose.
>>>>
>>>> Thanks,
>>>> Harald Gjermundrod
>>>>
>>>>
>>>> On Oct 9, 2006, at 1:20 PM, Alessandro Paolini wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi all,
>>>> in last days SFT on our glite CE are failing, but it seems to be
>>>> OK, since jobs submitted by me as infngrid user run fine.
>>>>
>>>> I observed in /var/log/messages messages like this:
>>>>
>>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: Authenticated
>>>> globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
>>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: LCAS failed
>>>> authorization.
>>>>
>>>> I can't do tests as ops user (only from
>>>> https://monitoring.egee.man.poznan.pl/admin2/index.php, but
>>>> through
>>>> Rafal certificate...), so I don't know if there is a general
>>>> problem with ops or only with that user on our glite CE (this is
>>>> the only ops user that sends jobs apparently).
>>>> Instead on lcg CE SFT are always sent by other ops user, and there
>>>> isn't any problem (our CEs share the same WNs, and lcg CE is the
>>>> torque server).
>>>>
>>>> So my question is if anyone has observed a similar problem on his
>>>> glite CE.
>>>>
>>>> Cheers,
>>>> Alessandro
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Dr. Alessandro Paolini
>>>> INFN - CNAF
>>>> Viale Berti Pichat 6/2
>>>> 40127 Bologna
>>>> Italy
>>>> tel: +39 051 6092723
>>>> fax: +39 051 6092746
>>>> ICQ: 192172027
>>>>
>>>
>>> [log in to unmask] tlf: +47 55 58 40 65
>>> Parallab Bergen Centre for Computational Science
>> ------- End of Original Message -------
>>
>
--
Dr. Alessandro Paolini
INFN - CNAF
Viale Berti Pichat 6/2
40127 Bologna
Italy
tel: +39 051 6092723
fax: +39 051 6092746
ICQ: 192172027
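
Added example, not part of the original thread: a small parser for LCAS records in the form shown in the gatekeeper.log excerpts above, which reports per request which plugin granted or refused authorization and whether the "no VOMS info was found in user proxy" message was logged. The function names, the DN and the request id in the sample are constructed for illustration; only the log phrases and plugin paths are taken from the excerpts.

```python
import re

# A record starts with one of these prefixes; any other line is a wrapped tail.
SPLIT = re.compile(r"\n(?=LCAS \d+:|Notice: \d+:|Failure:|JMA )")
REQ_ID = re.compile(r"LCAS \d+: (\S+) :")

def summarize_lcas(text):
    """Return {request id: summary} for each LCAS request in a log excerpt."""
    out = {}
    for rec in SPLIT.split(text):
        m = REQ_ID.match(rec)
        if not m:
            continue  # Notice/JMA/Failure records carry no LCAS request id
        req = out.setdefault(m.group(1), {"user": None, "granted": [],
                                          "denied_by": None, "no_voms": False})
        spaced = " ".join(rec.split())   # undo wraps at word boundaries
        compact = "".join(rec.split())   # undo wraps in the middle of a word
        if (u := re.search(r"lcas_run_va\(\): user is (.+)$", spaced)):
            req["user"] = u.group(1)  # a DN wrapped mid-word keeps a stray space
        if (g := re.search(r"authorizationgrantedbyplugin(\S+)", compact)):
            req["granted"].append(g.group(1))
        if (d := re.search(r"authorizationfailedforplugin(\S+)", compact)):
            req["denied_by"] = d.group(1)
        if "noVOMSinfowasfoundinuserproxy" in compact:
            req["no_voms"] = True
    return out

def denied_without_voms(text):
    """Users refused by a plugin while the proxy carried no VOMS attributes."""
    return sorted({r["user"] for r in summarize_lcas(text).values()
                   if r["denied_by"] and r["no_voms"]})

# Constructed sample (hypothetical DN and request id), wrapped like the mail.
SAMPLE = """\
LCAS 0: 2006-01-01.00:00:00.000000.0000000001.0000000001 : lcas.mod-lcas_run_va(): user is /C=XX/O=Example/CN=Test User
LCAS 0: 2006-01-01.00:00:00.000000.0000000001.0000000001 :
lcas.mod-lcas_run_va(): authorization granted by plugin
/opt/glite/lib/modules/lcas_u
serban.mod
LCAS 0: 2006-01-01.00:00:00.000000.0000000001.0000000001 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): (in addition
no VOMS in
fo was found in user proxy)
LCAS 0: 2006-01-01.00:00:00.000000.0000000001.0000000001 :
lcas.mod-lcas_run_va(): authorization failed for plugin
/opt/glite/lib/modules/lcas_v
oms.mod
Failure: LCAS failed authorization.
"""
```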