Hi Maarten,
The script has fixed the problem.
> On your DPM server as root run the attached script like this:
>
> sh dpns-fix-acl.txt alice atlas biomed cms dteam lhcb ops
One thing the script does not check is whether both the lcgadmin & production
really exist for the specific VO (as in the case of the OPS VO).
>
> With DPM version 1.6.4 one will no longer need to do that.
>
But who should be responsible for running 'dpns-entergrpmap --group "$VO/Role=lcgadmin"':
YAIM, or is the group auto-created when an sgm user tries to access the DPM
(and is this why only atlas/Role=lcgadmin & ops/Role=lcgadmin were created)?
And shouldn't YAIM run
dpns-setacl -m "g:$VO/Role=lcgadmin:rwx,m:rwx" /dpm/$domain/home/$VO
for each VO?
P.S.
Also, yesterday I upgraded to yaim-3.0.1-x
and added new VOs to the site,
and there were errors on most of the node types during configuration, like:
group atlasprd,atlas does not exists
(although I have wiped out all the existing VO accounts on all nodes
before configuration from /etc/group /etc/gshadow /etc/passwd /etc/shadow and /home/*).
These errors were present only for the new VOs I've added.
The users.conf has entries like:
43001:atlassgm001:43001,43000:atlassgm,atlas:atlas:sgm:
43002:atlassgm002:43001,43000:atlassgm,atlas:atlas:sgm:
43003:atlassgm003:43001,43000:atlassgm,atlas:atlas:sgm:
43004:atlasprd001:43004,43000:atlasprd,atlas:atlas:prd:
43005:atlasprd002:43004,43000:atlasprd,atlas:atlas:prd:
43006:atlasprd003:43004,43000:atlasprd,atlas:atlas:prd:
43007:atlas001:43000:atlas:atlas::
...
The Unix groups were correctly defined:
atlas:x:43000:atlas001,atlas002,atlas003,atlas004,...,atlasprd001,atlasprd002,atlasprd003,atlassgm001,atlassgm002,atlassgm003
atlasprd:x:43004:
atlassgm:x:43001:
but at least on gCE the groupmapfile has different entries for old and new VOs:
----------------------------------
old vo
# fgrep dteam groupmapfile
"/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
"/dteam/Role=lcgadmin" dteamsgm
"/dteam/Role=production/Capability=NULL" dteamprd
"/dteam/Role=production" dteamprd
"/dteam/Role=NULL/Capability=NULL" dteam
"/dteam" dteam
/dteam dteam
/dteam/* dteam
new vo
# fgrep atlas groupmapfile
"/atlas/Role=lcgadmin/Capability=NULL" atlassgm
"/atlas/Role=lcgadmin" atlassgm
"/atlas/Role=production/Capability=NULL" atlasprd
"/atlas/Role=production" atlasprd
"/atlas/Role=NULL/Capability=NULL" atlas
"/atlas" atlas
/atlas atlassgm,atlas
/atlas/* atlassgm,atlas
----------------------------------
and it looks like the
/atlas atlassgm,atlas
/atlas/* atlassgm,atlas
are not correct, and were probably created because YAIM does not split the
group field :atlassgm,atlas: from entries like
43001:atlassgm001:43001,43000:atlassgm,atlas:atlas:sgm:
40001:dteamsgm001:40001,40000:dteamsgm,dteam:dteam:sgm:
and thus the error messages like:
group atlasprd,atlas does not exists
during configuration.
Previously I had older entries like
40001:dteamprd:40001:dteam:dteam:prd:
so it worked ok.
Thanks
Alex
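
The lookup problem described in the message above, as an added example (not part of the original message and not YAIM's own code): field 4 of a users.conf entry is looked up once as a single name and once after splitting on commas, and groupmapfile lines with a comma in the mapped group are flagged. The function names are hypothetical and the sample data is constructed from the lines quoted in the message.

```shell
#!/bin/sh
# Constructed sample data, taken from the lines quoted in the message above.
USERS_CONF='43001:atlassgm001:43001,43000:atlassgm,atlas:atlas:sgm:
43004:atlasprd001:43004,43000:atlasprd,atlas:atlas:prd:
43007:atlas001:43000:atlas:atlas::'
GROUP_FILE='atlas:x:43000:atlas001
atlasprd:x:43004:
atlassgm:x:43001:'
GROUPMAP='"/atlas/Role=lcgadmin" atlassgm
"/atlas" atlas
/atlas atlassgm,atlas
/atlas/* atlassgm,atlas'

# group_exists NAME: succeed if NAME is defined in the group data (hypothetical helper).
group_exists() {
    printf '%s\n' "$GROUP_FILE" | cut -d: -f1 | grep -Fqx -- "$1"
}

# missing_groups MODE: print the names from users.conf field 4 with no group entry.
# MODE=unsplit treats the field as one name; MODE=split breaks it on commas first.
missing_groups() {
    printf '%s\n' "$USERS_CONF" | cut -d: -f4 | LC_ALL=C sort -u |
    while IFS= read -r field; do
        if [ "$1" = split ]; then
            names=$(printf '%s\n' "$field" | tr ',' '\n')
        else
            names=$field
        fi
        for g in $names; do
            group_exists "$g" || printf '%s\n' "$g"
        done
    done
}

# bad_groupmap_lines: print groupmapfile lines whose mapped group contains a comma.
bad_groupmap_lines() {
    printf '%s\n' "$GROUPMAP" | awk '$NF ~ /,/'
}

echo "unsplit lookup, missing groups:"; missing_groups unsplit
echo "split lookup, missing groups:";   missing_groups split
echo "suspect groupmapfile lines:";     bad_groupmap_lines
```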