Hello again,
After yesterday's storage meeting I had a poke around the t2k(.org)
storage pool and found nothing out of the ordinary. I then asked the
user to provide some more information which they swiftly obliged me
with, I'll stick a summary for you to peruse:
Firstly, the credentials used to make the transfers were using the
t2k.org production role:
=== VO t2k.org extension information ===
VO : t2k.org
subject : /C=UK/O=eScience/OU=Sheffield/L=CICS/CN=*the user with no name*
issuer : [log in to unmask]
attribute : /t2k.org/Role=production/Capability=NULL
attribute : /t2k.org/Role=NULL/Capability=NULL
timeleft : 21:43:48
uri : voms.gridpp.ac.uk:15003
The verbose lcg-cr output didn't give us much extra information:
srm://fal-pygrid-30.lancs.ac.uk/dpm/lancs.ac.uk/home/t2k.org/lcgCrTestFile:
Permission denied
lcg_cr: Permission denied
I also asked him to uberftp to the pool node, which worked. But
interestingly enough mapped him to a sgm user. Looking in the
grid-mapfile on both the headnode and pool node he's down as an
sgmuser for both (the lcg-dm files just map him to "t2k", the same
with the other roles). Could this mismatch be the problem?
On the pool node there is no sign of the user's DN in the gridftp logs
until the uberftp test. A further point, some cheeky chap from
Liverpool, using a "normal" t2k proxy, has been merrily accessing data
without trouble for the last couple of days.
Cheers,
Matt
On 26 October 2011 10:26, Matt Doidge <[log in to unmask]> wrote:
> Thanks for the replies,
> Hmm, things are curious here. First up I don't have any mappings in
> /etc/grid-security/gridmapdir (just the pool user names), so there's
> nothing to wipe there. Secondly this is what I see in my various
> gridmap configs:
>
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=lcgadmin t2k
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=production t2k
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org t2k
> [root@fal-pygrid-30 ~]# grep t2k /opt/edg/etc/edg-mkgridmap.conf
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=lcgadmin .sgmt2k
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=production .prdt2k
> group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org .t2k
>
> And finally looking at my dpns groups these are the t2k relevant bits:
> 115 t2k
> 205 t2k/Role=lcgadmin
> 207 t2k.org/Role=lcgadmin
> 208 t2k.org
> 232 t2k.org/Role=production
>
> and finally looking at the dpns directory for t2k.org it looks like
> they should be able to see it:
> dpns-getacl /dpm/lancs.ac.uk/home/t2k.org
> # file: /dpm/lancs.ac.uk/home/t2k.org
> # owner: root
> # group: t2k
> user::rwx
> group::rwx #effective:rwx
> other::r-x
> default:user::rwx
> default:group::rwx
> default:other::r-x
>
> So I'm not sure why a t2k user being mapped to a t2k group was having
> problems making dpns entries. I'll try reordering the entries in the
> configs and see how that affects things. I think things are messed up
> from the move from t2k -> t2k.org ages back, but it did work for a
> time. I don't know why it's broken now.
>
> Thanks,
> Matt
>
>
>
> On 26 October 2011 08:56, <[log in to unmask]> wrote:
>> Sounds like you are suffering from the issue of a single DN wanting to be in two VOs. In the gridmapfile-maker you only get associated with the VO which comes alphabetically (well, actually the order you have the VOs in the makegridmapfile). Though I thought DPM was fully voms aware? Is it that the make gridmap executable is not voms aware on your DPM?
>> Brian
>>
>> -----Original Message-----
>> From: GRIDPP2: Deployment and support of SRM and local storage management [mailto:[log in to unmask]] On Behalf Of Wahid Bhimji
>> Sent: 25 October 2011 20:05
>> To: [log in to unmask]
>> Subject: Re: dpns user/group operations
>>
>> Hmmm - if he is coming in with a t2k.org voms role then he should get mapped to t2k.org.
>> Does anything with the old t2k appear in
>> /opt/lcg/etc/lcgdm-mkgridmap.conf
>> or
>> /opt/edg/etc/edg-mkgridmap.conf
>>
>> maybe you need to remove the link in
>> /etc/grid-security/gridmapdir
>>
>> if you force him to get mapped to a t2k.org group account in
>> /opt/edg/etc/grid-mapfile-local
>> does that work?
>>
>> Given the other user is mapped to atlas - maybe the voms mapping is not working at all for t2k. Does that user appear as .atlas in the gridmapfile?
>>
>> Cheers
>>
>> Wahid
>>
>> On 25 Oct 2011, at 17:36, Matt Doidge wrote:
>>
>>> Thanks Wahid, 115 is the dpns gid of "old" t2k, but I don't think
>>> modifying it will work as the t2k.org area is owned by the t2k.org
>>> group with the t2k.org gid. What I need is the dpns equivalent of
>>> `usermod -g t2k.org t2kuser` but it doesn't look like there's a clean
>>> way of doing that.
>>>
>>> I've got a similar problem with another t2k user, but this time he's
>>> being mapped to the "atlas" dpns group. It's like t2k are cursed on
>>> our srm!
>>>
>>> Thanks,
>>> Matt
>>>
>>> On 25 October 2011 15:26, Wahid Bhimji <[log in to unmask]> wrote:
>>>>
>>>> Matt
>>>>
>>>> Does dpns-listgrpmap
>>>> list the old t2k as gid 115?
>>>>
>>>> You might get something useful by doing
>>>> dpm-modifygrpmap 115 t2k.org
>>>>
>>>> (replacing 115 with whatever the number is if it isn't 115)
>>>>
>>>> BUT WARNING: IT IS JUST A GUESS AND MAY NOT DO WHAT YOU WANT.
>>>>
>>>> Do mappings to the old t2k group exist on the system anywhere (like in edg-mkgridmap.conf etc.) or is it just in the db?
>>>>
>>>> Wahid
>>>>
>>>>
>>>> On 25 Oct 2011, at 14:13, Matt Doidge wrote:
>>>>
>>>>> Hey y'all,
>>>>> t2k(.org) have been having some trouble accessing our SE, getting
>>>>> permission denied errors on their operations. The cause of this
>>>>> appears to be that the t2k user (he knows who he is) is being mapped
>>>>> to a bad group:
>>>>>
>>>>> 10/25 08:16:25 11022,0 Cns_srv_getgrpbygid: NS098 - getgrpbygid 115
>>>>>
>>>>> This is the old (very old) t2k group, not the new t2k.org group. I
>>>>> have several options before me, including just destroying the old t2k
>>>>> group, but the best course I could figure out would be to simply alter
>>>>> the group mapping for the user. But I suspect this group mapping is in
>>>>> a table in the dpm database. Is there a "clean" way of altering a
>>>>> user/group mapping without breaking out the sql operations?
>>>>>
>>>>> Thanks in advance,
>>>>> Matt
>>>>>
>>>>
>>>>
>>>> --
>>>> The University of Edinburgh is a charitable body, registered in
>>>> Scotland, with registration number SC005336.
>>>>
>>>>
>>>
>>
>>
>>
>
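The comparison discussed in this thread, as an added example that is not part of the original messages: it reports which VOMS FQANs the two mkgridmap configs map to different accounts, and which dpns groups belong to a VO name that no config line refers to. The sample data is constructed from the lines quoted above (attributing the first set to the lcg-dm config is an assumption based on the top message), and the function names are hypothetical.

```python
# Constructed samples modelled on the config lines and dpns group list quoted in the thread.
LCGDM_CONF = """\
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=lcgadmin t2k
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=production t2k
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org t2k
"""
EDG_CONF = """\
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=lcgadmin .sgmt2k
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org/Role=production .prdt2k
group vomss://voms.gridpp.ac.uk:8443/voms/t2k.org?/t2k.org .t2k
"""
DPNS_GROUPS = """\
115 t2k
205 t2k/Role=lcgadmin
207 t2k.org/Role=lcgadmin
208 t2k.org
232 t2k.org/Role=production
"""


def parse_mkgridmap(text):
    """Return {FQAN: local account} for each 'group <vomss-uri> <account>' line."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "group":
            # The FQAN is the part after '?', e.g. /t2k.org/Role=production
            fqan = fields[1].partition("?")[2]
            mapping[fqan] = fields[2]
    return mapping


def mapping_mismatches(a, b):
    """FQANs present in both configs but mapped to different accounts."""
    return {f: (a[f], b[f]) for f in a.keys() & b.keys() if a[f] != b[f]}


def stale_groups(dpns_text, *configs):
    """dpns groups ('<gid> <name>') whose VO name appears in no config FQAN."""
    vos = {fqan.strip("/").split("/")[0] for c in configs for fqan in c}
    stale = []
    for line in dpns_text.splitlines():
        if not line.strip():
            continue
        gid, name = line.split(None, 1)
        if name.split("/")[0] not in vos:
            stale.append((int(gid), name.strip()))
    return stale
```

On the sample data every t2k.org FQAN maps to a different account in the two configs, and gids 115 and 205 are the groups left over from the old "t2k" VO name.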