Hi all,
thank you for the answers.
With the /atlas/it proxy I'm not able to submit jobs to WMS; I get the
following: "LCMAPS failed to map user credential".
I've created GGUS-Ticket 42612 to ROC_Italy. I'm not sure if it's a general
problem or a problem with the WMS I'm using.
ciao
Alessandra
Maarten Litmaath wrote:
> Ciao Alessandra,
>
>> we have implemented the VO group /atlas/it and I'm trying to map
>> Italian users to atlitXYZ local users at my site.
>> The configuration of users.conf and groups.conf is like the one you
>> suggested,
>> ... but Italian users are mapped to "normal" atlas user, not "atlit"
>>
>> users.conf:
>> 1501:atlit001:1350,1307:itatlas,atlas:atlas:atlit:
>> 1502:atlit002:1350,1307:itatlas,atlas:atlas:atlit:
>> 1503:atlit003:1350,1307:itatlas,atlas:atlas:atlit:
>> --------------------------------------------------
>> groups.conf:
>> "/atlas/ROLE=lcgadmin":::sgm:
>> "/atlas/ROLE=production":::prd:
>> "/atlas/it":::atlit:
>> "/atlas"::::
>> -------------------------------------------------
>>
>> from gatekeeper.log:
>> LCMAPS 1: 2008-10-20.15:26:28.0000014074.0000000000 :
>> lcmaps.mod-runPlugin(): running plugin
>> /opt/glite/lib/modules/lcmaps_posix_enf.mod
>> LCMAPS 6: 2008-10-20.15:26:28.0000014074.0000000000 :
>> lcmaps_plugin_posix_enf-log_cred():
>> uid=1083(atlas083):pgid=1307(atlas):sgid=1350(itatlas)
>> LCMAPS 0: 2008-10-20.15:26:28.0000014074.0000000000 :
>> lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
>> LCMAPS 0: 2008-10-20.15:26:28.0000014074.0000000000 :
>> lcmaps.mod-lcmaps_run(): succeeded
>> LCMAPS 7: 2008-10-20.15:26:28.0000014074.0000000000 : Termination LCMAPS
>> LCMAPS 1: 2008-10-20.15:26:28.0000014074.0000000000 :
>> lcmaps.mod-lcmaps_term(): terminating
>> Successfull mapping done
>> Mapping service "LCMAPS" returned local user "atlas083"
>>
>> I don't know what to check... why mapping is done like
>> "pgid=1307(atlas):sgid=1350(itatlas)"?
>> Could it be related to the order of attributes in my proxy?
>>
>> === VO atlas extension information ===
>> VO : atlas
>> subject : /C=IT/O=INFN/OU=Personal Certificate/L=Napoli/CN=Alessandra Doria
>> issuer : /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
>> attribute : /atlas/Role=NULL/Capability=NULL
>> attribute : /atlas/lcg1/Role=NULL/Capability=NULL
>> attribute : /atlas/it/Role=NULL/Capability=NULL
>> --------------------------------------------------------------
>
> Indeed, the problem is the order in the proxy: the primary FQAN
> determines the UID and primary GID. Any other matching FQANs
> lead to secondary GIDs. The users would have to do this:
>
> voms-proxy-init -voms atlas:/atlas/it
>
> On an lcg-CE that does not have a rule for "/atlas/it" the VOMS
> mapping will fail, so that the user's DN will be mapped instead,
> according to the classic grid-mapfile. For unprivileged users
> this behavior is OK. For software and production managers this
> can have undesirable consequences: they will be unexpectedly
> elevated from "/atlas/it" account to "sgm" or "prd" account...
>
--
--------------------------------------------------
Dott. Alessandra Doria INFN sez. di Napoli
Complesso Universitario Monte S.Angelo (Room 1H22)
Via Cintia - 80125 - Napoli
Tel. +39 081 676176
--------------------------------------------------
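
Added example, not part of the original messages and not LCMAPS code: a simplified Python model of the behaviour described in the quoted reply, where the primary FQAN selects the account and primary GID and other matching FQANs only add secondary GIDs. It assumes exact group-path matching and that the first pool account is handed out; the `atlas083` users.conf entry is constructed to match the gatekeeper.log excerpt.

```python
# Simplified model of the FQAN-to-account mapping discussed above (not LCMAPS code).
# Assumptions: exact group-path matching, first pool account is used, and the
# atlas083 users.conf line is constructed to match the gatekeeper.log excerpt.
USERS_CONF = """\
1083:atlas083:1307:atlas:atlas::
1501:atlit001:1350,1307:itatlas,atlas:atlas:atlit:
1502:atlit002:1350,1307:itatlas,atlas:atlas:atlit:
"""
GROUPS_CONF = '''\
"/atlas/ROLE=lcgadmin":::sgm:
"/atlas/ROLE=production":::prd:
"/atlas/it":::atlit:
"/atlas"::::
'''

def normalize(fqan):
    """Drop Role=NULL / Capability=NULL components and fold case."""
    parts = [p for p in fqan.split("/") if p and not p.lower().endswith("=null")]
    return "/" + "/".join(parts).lower()

def parse_groups(text):
    """groups.conf -> {normalized FQAN: account flag}."""
    return {normalize(f[0].strip('"')): f[3]
            for f in (line.split(":") for line in text.splitlines())}

def parse_users(text):
    """users.conf -> {flag: [(login, [gids])]}; the first GID is the primary one."""
    pools = {}
    for line in text.splitlines():
        _uid, login, gids, _groups, _vo, flag = line.split(":")[:6]
        pools.setdefault(flag, []).append((login, [int(g) for g in gids.split(",")]))
    return pools

def map_proxy(fqans, rules, pools):
    """Return (login, primary_gid, secondary_gids); None if the primary FQAN has no rule."""
    pool = pools.get(rules.get(normalize(fqans[0])))
    if not pool:
        return None  # VOMS mapping fails; per the thread the DN is mapped instead
    login, gids = pool[0]
    secondary = gids[1:]
    for fqan in fqans[1:]:  # other matching FQANs only add secondary GIDs
        extra = pools.get(rules.get(normalize(fqan)))
        if extra and extra[0][1][0] not in [gids[0], *secondary]:
            secondary.append(extra[0][1][0])
    return login, gids[0], secondary

PROXY = ["/atlas/Role=NULL/Capability=NULL", "/atlas/lcg1/Role=NULL/Capability=NULL",
         "/atlas/it/Role=NULL/Capability=NULL"]  # attribute order from the proxy above
RULES, POOLS = parse_groups(GROUPS_CONF), parse_users(USERS_CONF)
print(map_proxy(PROXY, RULES, POOLS))                           # order as issued
print(map_proxy([PROXY[2], PROXY[0], PROXY[1]], RULES, POOLS))  # /atlas/it first
```

Removing the `"/atlas/it"` rule from `RULES` and passing `/atlas/it` as the primary FQAN returns `None`, which corresponds to the lcg-CE case where the DN falls back to the classic grid-mapfile.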