Hi Luís,
there is nothing wrong with your mappings. Each mapping normally is _local_,
i.e. every service can decide itself how to map you. Only in some cases must
different services agree on the mapping. For example, when you have 2 CEs,
they both must agree on which local account to use for which proxy, otherwise
different users can interfere with each other via the batch system. Or when
an SE is mounted on the WN (i.e. it implements the "file" protocol), the CE
and the SE have to agree on the mapping.
Let's have a look at each case below.
> I believe the subject is clear. Please take a look in the following lines:
>
> From my UI:
>
> $ voms-proxy-info --all
> subject : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves/CN=proxy
> issuer : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> identity : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> type : proxy
> strength : 1024 bits
> path : /tmp/x509up_u500
> timeleft : 11:55:59
> === VO dteam extension information ===
> VO : dteam
> subject : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
> attribute : /dteam/Role=NULL/Capability=NULL
> attribute : /dteam/swe/Role=NULL/Capability=NULL
> attribute : /dteam/swe/ieeta/Role=NULL/Capability=NULL
> timeleft : 11:55:57
> uri : lcg-voms.cern.ch:15004
>
> UI -> CE
>
> $ uberftp axon-g01
> 220 axon-g01.ieeta.pt GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
> 230 User *dteam044* logged in.
Looks reasonable: a non-privileged dteam account.
> UI -> SE
>
> $ uberftp axon-g05
> 220 axon-g05.ieeta.pt GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
> 230 User *dteam027* logged in.
Another non-privileged dteam account.
> For prod.vo.eu-eela.eu:
>
> $ voms-proxy-info --all
> subject : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves/CN=proxy
> issuer : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> identity : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> type : proxy
> strength : 1024 bits
> path : /tmp/x509up_u500
> timeleft : 11:39:50
> === VO prod.vo.eu-eela.eu extension information ===
> VO : prod.vo.eu-eela.eu
> subject : /C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves
> issuer :
> /DC=es/DC=irisgrid/O=ceta-ciemat/CN=host/voms-eela.ceta-ciemat.es
> attribute : /prod.vo.eu-eela.eu/Role=NULL/Capability=NULL
> timeleft : 11:39:48
> uri : voms-eela.ceta-ciemat.es:15003
>
> UI -> CE
>
> $ uberftp axon-g01
> 220 axon-g01.ieeta.pt GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
> 230 User *eelaprod029* logged in.
A non-privileged prod.vo.eu-eela.eu account.
> UI -> SE
>
> $ uberftp axon-g05
> 220 axon-g05.ieeta.pt GridFTP Server 2.3 (gcc32dbg, 1144436882-63) ready.
> 230 User *dteam027* logged in.
Your SE is a DPM. For access _outside_ of the DPM name space, a classic
grid-mapfile determines the mapping:
$ uberftp axon-g05.ieeta.pt 'cat /etc/grid-security/grid-mapfile' | grep Sequeira
"/C=PT/O=LIPCA/O=IEETA/CN=Luis Filipe Sequeira Alves" .dteam
> UI -> WN
>
> $ uberftp axon-g04
> globus_xio: Unable to connect to axon-g04.ieeta.pt:2811
> globus_xio: System error in connect: Connection refused
> globus_xio: A system call failed: Connection refused
> Closing connection to service.
A WN does not run a GridFTP service.
|