Hi David,
I'll ask the user how he generated his proxy, when he generated
his proxy and what VOMS certificate he used...
I'll report his answer back to the list.
Cheers
Goncalo Borges
david bouvet wrote:
> Hi Gonçalo,
>
> Yes you need to replace it as the certificate on the VOMS server has
> been replaced.
> So the one provided by lcg-vomscerts-4.4.0-1 is no longer valid.
>
> About your problem, do you know if your biomed user has a full
> voms-proxy?
> If the UI he used to generate his proxy still refers to the old VOMS
> certificate, his proxy will not be a full voms-proxy, and the VOMS
> authentication will fail.
>
> Cheers,
> David.
>
> Gonçalo Borges wrote:
>> Hi Maarten,
>>
>> Yes, I replaced it because in the mail I refer to, it is explicitly
>> said that we should substitute it...
>> So, I'm a little bit confused now. Was the EGEE BROADCAST incorrect
>> and I have to go back to the one distributed by lcg-vomscerts?
>> I forward here the EGEE message I refer to:
>>
>> ------------------------------------------------------------------------------------
>>
>> Publication from : David Bouvet (IN2P3-CC)
>> This mail has been sent using the broadcasting tool available at
>> http://cic.gridops.org
>> ------------------------------------------------------------------------------------
>>
>>
>> Dear all,
>>
>> Yesterday the new host certificate of VOMS server
>>
>> cclcgvomsli01.in2p3.fr
>>
>> was changed.
>>
>> Unfortunately, this certificate is not the same as the one provided by
>> RPM lcg-vomscerts-4.4.0-1.
>> It has been renewed by mistake after the RPM creation.
>>
>> The following VOs are affected:
>>
>> biomed
>> auvergrid
>> embrace
>> egeode
>> vo.ipnl.in2p3.fr
>>
>> To all sites supporting these VOs, please update the host certificate
>> of VOMS server cclcgvomsli01.in2p3.fr.
>> The new one is available on the CIC portal at:
>> https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
>>
>>
>> or using the following command:
>> openssl s_client -CApath /etc/grid-security/certificates -prexit -connect cclcgvomsli01.in2p3.fr:8443 2>/dev/null | openssl x509
>>
>>
>> Sorry for the inconvenience,
>> Regards,
>>
>>
>> David.
>>
>>
>> Cheers
>> Goncalo Borges
>>
>>> Gonçalo Borges wrote:
>>>
>>>> Hi All,
>>>>
>>>> As you probably know (mail sent on 28/03/2007 by EGEE BROADCAST)
>>>> the cclcgvomsli01.in2p3.fr VOMS certificate has been renewed.
>>>> I have updated it on our CE and I just sent you the beginning of the
>>>> certificate info:
>>>>
>>>> [root@ce02 vomsdir]# openssl x509 -text -noout -in cclcgvomsli01.in2p3.fr.1864
>>>> Certificate:
>>>> Data:
>>>> Version: 3 (0x2)
>>>> Serial Number: 1881 (0x759)
>>>> Signature Algorithm: sha1WithRSAEncryption
>>>> Issuer: C=FR, O=CNRS, CN=GRID-FR
>>>> Validity
>>>> Not Before: Mar 1 14:01:52 2007 GMT
>>>> Not After : Mar 1 14:01:52 2008 GMT
>>>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>>>> CN=cclcgvomsli01.in2p3.fr
>>>> (...)
>>>
>>> That is the wrong cert! It should be like this:
>>>
>>> Validity
>>> Not Before: Feb 28 10:22:35 2007 GMT
>>> Not After : Feb 28 10:22:35 2008 GMT
>>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>>> CN=cclcgvomsli01.in2p3.fr
>>>
>>> That is the cert provided by lcg-vomscerts-4.4.0-1.
>>> I suppose you replaced it after the accidental extra renewal on the
>>> server?
>>> Please put the original cert back and retry.
>>>
>>>> After this update, I have a biomed user who, although starting
>>>> his proxy as biomed, is always mapped as cmsprd in our local
>>>> cluster.
>>>> This is happening because the VOMS authentication fails, and since
>>>> he also belongs to cms, the gridmapfile is used instead. Here is
>>>> part of the /var/log/globus-gatekeeper.log:
>>>>
>>>> (...)
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps.mod-runPlugin(): running plugin
>>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps_plugin_voms-plugin_run(): Generic verification error for
>>>> VOMS (failure)!
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps_plugin_voms-plugin_run(): voms plugin failed
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps.mod-runPlugin(): found plugin
>>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps.mod-runPlugin(): running plugin
>>>> /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
>>>> LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 :
>>>> lcmaps.mod-runPlugin(): found plugin
>>>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>>>> (...)
>>>>
>>>> Any suggestions as to where I should look further?
>>>>
>>>> Thanks in advance
>>>> Best Regards
>>>> Goncalo Borges
>>
>
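An added example, not part of the original thread: a small detector for the pattern in the quoted gatekeeper log, where the LCMAPS voms plugin fails and the localaccount plugin then succeeds, so the user is silently mapped through the gridmapfile. It assumes the long dotted field after `LCMAPS 0:` is shared by all lines of one request; the second session in the sample, including its "voms plugin succeeded" wording, is constructed.

```python
import re
from collections import defaultdict

# First session: lines from the thread, unwrapped. Second session: constructed.
SAMPLE_LOG = """\
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_voms-plugin_run(): Generic verification error for VOMS (failure)!
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_voms-plugin_run(): voms plugin failed
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_localaccount.mod
LCMAPS 0: 2007-04-02.14:22:45.198065.0000021996.0000065337 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
LCMAPS 0: 2007-04-02.14:25:10.000000.0000022001.0000065340 : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: 2007-04-02.14:25:10.000000.0000022001.0000065340 : lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
"""

# "LCMAPS <n>: <request field> : <message>"
LINE_RE = re.compile(r"^LCMAPS \d+: (?P<session>\S+) : (?P<msg>.*)$")


def find_voms_fallbacks(log_text):
    """Return request ids where the voms plugin failed and localaccount then succeeded."""
    state = defaultdict(lambda: {"voms_failed": False, "fallback": False})
    order = []  # keep first-seen order of request ids for stable output
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an LCMAPS line (other gatekeeper output)
        sid, msg = m.group("session"), m.group("msg")
        if sid not in state:
            order.append(sid)
        s = state[sid]
        if "voms plugin failed" in msg:
            s["voms_failed"] = True
        elif "localaccount plugin succeeded" in msg and s["voms_failed"]:
            # Mapping came from the gridmapfile, not from the VOMS attributes.
            s["fallback"] = True
    return [sid for sid in order if state[sid]["fallback"]]


if __name__ == "__main__":
    for sid in find_voms_fallbacks(SAMPLE_LOG):
        print("VOMS verification failed, gridmapfile mapping used:", sid)
```

Run against the real gatekeeper log after a VOMS host certificate change, a non-empty result points at requests whose VOMS attributes were not honoured.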