On Fri, 4 May 2007, Yevgeniy Lyublev wrote:
> Dear Maarten.
> >
> >> Dear Owen.
> >> I have understood the reason for this problem.
> >>
> >> [root@se3 root]# grep ops /etc/group
> >> ops:x:45000:opssgm001
> >> opssgm:x:46001:
> >> [root@se3 root]# grep opssgm /etc/passwd
> >> opssgm:x:45000:45000:mapped user for group ID ops:/home/opssgm:/bin/bash
> >> opssgm001:x:18960:46001:mapped user for group ID
> >> ops:/home/opssgm001:/bin/bash
> >>
> >> opssgm001 in opssgm group, but directory
> >
> > opssgm001 must also be in the "ops" group. Check:
> >
> > grep opssgm001 /etc/group | fold -w 77
>
> I absolutely agree with you, but the default group of opssgm001 is opssgm, not
> ops.
> .
> [root@se3 root]# groups opssgm001
> opssgm001 : opssgm ops
>
> After opssgm001 logs in, it must execute chgrp to move into the ops group.
> I have changed the group ID of opssgm001 in the password file, and the SAM
> tests are executed successfully now.
> From users.conf
> [root@se3 ORIG]# grep opssgm ../*
> ../users.conf:18960:opssgm001:46001,45000:opssgm,ops:ops:sgm:
Dear Yevgeniy,
I believe I now have a proper fix for the problem you reported.
Before we released the current version of YAIM, the dcache.kpwd file by
default mapped every DN to the first pool account of the corresponding VO:
ops001 used for: .ops opssgm
With the current YAIM the dcache.kpwd ended up like this:
ops001 used for: .ops
opssgm001 used for: .opssgm
I think the problem is due to /opt/d-cache/bin/grid-mapfile2dcache-kpwd.
I have attached a new version that produces the following result:
ops001 used for: .ops .opssgm
Please undo the change you put in /etc/passwd and run the new script.
If it works, you can already replace the old script with the new version,
which I will submit as a patch for the release.
Thanks,
Maarten
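#!/usr/bin/perl -w
#
# grid-mapfile2dcache-kpwd: create a dcache.kpwd file from the grid-mapfile.
#
# The grid-mapfile is located via the GRIDMAP setting in /etc/sysconfig/edg
# (falling back to /etc/grid-security/grid-mapfile).  The subject DN of the
# host certificate is mapped as well, to a local account.
#
# -c hostcert can be used to give the location of the host cert.
# -o output can be used to create the file in a different location.
# -u user can be used to map the host cert to the named user.
#
# A grid-mapfile entry ".vo" stands for "a pool account of VO vo"; the first
# existing one of vo001, vo01, vo0001 is taken.  Where the primary group of
# that pool account has members whose own primary group belongs to another
# VO (the ops/opssgm case), both VOs are mapped to the one pool account, so
# that a single login entry is emitted for it, with that account's uid/gid.
#
# The output is written to "<output>.tmp" and renamed into place, so an
# existing kpwd file is only replaced once the new one is complete.
# Fatal: no host DN, unknown host user, unreadable config/grid-mapfile,
# unwritable output.  Non-fatal (warned, entry skipped): a VO without any
# pool account, a static account not in the passwd database.
use strict;
use Getopt::Std;

my %opts;
getopts('c:o:u:', \%opts);
my $hostcert   = $opts{c} || "/etc/grid-security/hostcert.pem";
my $hostuser   = $opts{u} || "edginfo";
my $dcacheKpwd = $opts{o} || "/opt/d-cache/etc/dcache.kpwd";
my $tmp        = "$dcacheKpwd.tmp";
my $globuscfg  = '/etc/sysconfig/edg';

# The host-user lookup happens before the DN check so that the two errors
# are reported in the same order as before.
my ($host_uid, $host_gid) = (getpwnam($hostuser))[2, 3];
my $hostdn = host_dn($hostcert);
die "Could not determine host DN\n" unless $hostdn;
die "Could not find user '$hostuser' in passwd file\n"
    unless defined($host_uid) && defined($host_gid);

my $gridmap = gridmap_path($globuscfg);
my $map = read_gridmap($gridmap);   # account or ".vo" => [ DN spellings ]

open(my $out, '>', $tmp) or die "Could not open $tmp: $!\n";
print {$out} "# This was created by the grid-mapfile2dcache-kpwd command\n";
print {$out} "# from the grid-mapfile\n\n";
print {$out} "version 2.1\n\n";

# The host DN, in every spelling, is mapped to $hostuser.
my $hostlogin = "login $hostuser read-write $host_uid $host_gid / / /\n";
for my $dn (dn_variants($hostdn)) {
    print {$out} "mapping \"$dn\" $hostuser\n";
    $hostlogin .= "\t$dn\n";
}
print {$out} "\n$hostlogin\n";

# Pass 1: find VO groups that share a pool account.
#   %ac4gid  gid => pool account serving that group
#   %uid4ac  pool account => its own uid  (used for the login line)
#   %gid4ac  pool account => its own gid
my (%ac4gid, %uid4ac, %gid4ac);
# Kept from the original script; presumably meant to give the name-service
# lookups a stable locale -- TODO confirm it is still needed.
$ENV{LANG} = 'C';
for my $key (sort keys %$map) {
    next unless $key =~ /^\.(.*)/s;
    my $vo = $1;
    my ($act, $uid, $gid) = find_pool_account($vo);
    if (!defined $gid) {
        warn "$0: cannot find pool account for '.$vo'\n";
        next;
    }
    my $members = (getgrgid($gid))[3];
    $members = '' unless defined $members;    # group unknown to NSS
    for my $member (split /\s+/, $members) {
        my $g = (getpwnam($member))[3];
        # A member whose primary group is another, not yet served, group:
        # that group is served by this pool account too.
        next unless defined($g) && $g != $gid && !exists($ac4gid{$g});
        $ac4gid{$g} = $act;
        if (!exists $ac4gid{$gid}) {
            $ac4gid{$gid} = $act;
            $uid4ac{$act} = $uid;
            $gid4ac{$act} = $gid;
        }
    }
}

# Pass 2: resolve every grid-mapfile account to the local account that
# serves it, emit its "mapping" lines, and collect the login entries per
# local account (emitted once each, below).
my (%login_map, %login_header, %login_users);
for my $key (sort keys %$map) {
    my ($ac, $uid, $gid);
    if ($key =~ /^\.(.*)/s) {
        my $vo = $1;
        my $act;
        ($act, $uid, $gid) = find_pool_account($vo);
        if (!defined $gid) {
            warn "$0: cannot find pool account for '.$vo'\n";
            next;
        }
        if (exists $ac4gid{$gid}) {
            # this VO shares its pool account with another one
            $ac  = $ac4gid{$gid};
            $uid = $uid4ac{$ac};
            $gid = $gid4ac{$ac};
        } else {
            $ac = $act;
        }
    } else {
        # static account: use the corresponding pool account if its group
        # is served by one
        $ac = $key;
        ($uid, $gid) = (getpwnam($ac))[2, 3];
        if (!defined $gid) {
            warn "$0: cannot find user '$ac'\n";
            next;
        }
        if (exists $ac4gid{$gid}) {
            $ac  = $ac4gid{$gid};
            $uid = $uid4ac{$ac};
            # Use the pool account's own gid, as the pool-account branch
            # does; otherwise the login line for $ac depends on which of
            # its keys sorts last.
            $gid = $gid4ac{$ac};
        }
    }
    next unless defined $gid;

    my @dns = sort @{ $map->{$key} };
    print {$out} "# Mappings for: $key\n";
    print {$out} "mapping \"$_\" $ac\n" for @dns;
    print {$out} "\n";
    push @{ $login_map{$ac} }, $key;
    $login_header{$ac} = "login $ac read-write $uid $gid / / /";
    push @{ $login_users{$ac} }, @dns;
}

for my $ac (sort keys %login_map) {
    print {$out} "# Login for: " . join(' ', @{ $login_map{$ac} }) . "\n";
    print {$out} "$login_header{$ac}\n";
    print {$out} "\t$_\n" for sort @{ $login_users{$ac} };
    print {$out} "\n";
}
# Buffered write errors only surface at close; do not rename a short file.
close($out) or die "Error: cannot write $tmp: $!\n";
rename($tmp, $dcacheKpwd)
    or die "Error: cannot rename $tmp to $dcacheKpwd: $!\n";

# ---------------------------------------------------------------------------

# Subject DN of the certificate in file $cert, as printed by openssl, or
# undef when none is found.  openssl is run without a shell (list-form
# open), so the certificate path is never interpreted as shell syntax.
sub host_dn {
    my ($cert) = @_;
    open(my $fh, '-|', 'openssl', 'x509', '-subject', '-noout', '-in', $cert)
        or die "Could not run openssl on $cert: $!\n";
    my $dn;
    while (my $line = <$fh>) {
        if ($line =~ /^subject=\s*(.*CN=.*)/) {
            $dn = $1;
            last;
        }
    }
    close($fh);
    return $dn;
}

# Location of the grid-mapfile: the last "GRIDMAP=..." line of $cfg, or
# the standard location when there is none.  The value is taken verbatim,
# as before; a quoted assignment would keep its quotes -- TODO confirm the
# file never quotes it.
sub gridmap_path {
    my ($cfg) = @_;
    my $path = '/etc/grid-security/grid-mapfile';
    open(my $fh, '<', $cfg) or die "Could not open $cfg: $!\n";
    while (my $line = <$fh>) {
        $path = $1 if $line =~ /^GRIDMAP\s*=\s*(\S*)\s*/;
    }
    close($fh);
    return $path;
}

# Parse the grid-mapfile at $path into a hash ref  account => [ DN, ... ],
# where account is a local user name or ".vo" (any pool account of VO vo).
# Lines not of the form  "DN" account  are ignored; each DN is stored with
# all of its email-attribute spellings (see dn_variants).
sub read_gridmap {
    my ($path) = @_;
    my %dns_for;
    open(my $fh, '<', $path) or die "Could not open $path: $!\n";
    while (my $line = <$fh>) {
        next unless $line =~ /^"(.*CN=.*)"\s+(\S+)\s*$/;
        my ($dn, $ac) = ($1, $2);
        push @{ $dns_for{$ac} }, dn_variants($dn);
    }
    close($fh);
    return \%dns_for;
}

# All spellings under which $dn may be presented.  Somewhere "Email=" is
# changed to "E=", "EMAIL=" or "EMAILADDRESS=", so for a DN containing
# "Email=" or "emailAddress=" the list is: the DN itself, the other
# lower-case spelling, then the EMAILADDRESS=, EMAIL= and E= forms, and
# finally the E= form with its "@domain" part removed (workaround for a bug
# in gsidcap, Lionel Schwarz).  Only the first occurrence of the attribute
# is rewritten.  A DN without an email attribute is returned unchanged.
sub dn_variants {
    my ($dn) = @_;
    my @variants = ($dn);
    return @variants unless $dn =~ m/(Email|emailAddress)=/;

    my $swapped = $dn;
    if ($swapped !~ s/Email=/emailAddress=/) {
        $swapped =~ s/emailAddress=/Email=/;
    }
    push @variants, $swapped;

    my $d;
    for my $attr ('EMAILADDRESS', 'EMAIL', 'E') {
        ($d = $swapped) =~ s/(Email|emailAddress)=/$attr=/;
        push @variants, $d;
    }
    # workaround for a bug in gsidcap (Lionel Schwarz)
    push @variants, $d if $d =~ s/\@[-\w\.]+//;
    return @variants;
}

# First existing pool account of VO $vo, trying vo001, vo01 and vo0001 in
# that order.  Returns (name, uid, gid), or an empty list if none exists.
sub find_pool_account {
    my ($vo) = @_;
    for my $suffix ('001', '01', '0001') {
        my $name = $vo . $suffix;
        my ($u, $g) = (getpwnam($name))[2, 3];
        return ($name, $u, $g) if defined $g;
    }
    return;
}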