Hi Gonçalo,
> > I have a situation where WMS is mapping a user in one pool account via globus-gridftp and in
> > another via wmproxy.
> >
> > Jun 2 16:58:55 wms01 glite_wms_wmproxy_server: submission from ui1.egee.cesnet.cz,
> > DN=/DC=es/DC=irisgrid/O=ugr/CN=mdserrano, FQAN=/auger/Role=SoftwareManager/Capability=NULL,
> > userid=3050056 for jobid=https://wms01.ncg.ingrid.pt:9000/_X3gcUtlQBNxElj4ckIGkw
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]: LCAS authorization request
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]:
> > lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /etc/lcas/ban_users.db
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]:
> > lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin succeeded
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]: lcas.mod-lcas_run_va(): succeeded
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]: llgt_run_lcas: The user is authorized by
> > LCAS
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]: Termination LCAS
> > Jun 2 16:58:56 wms01 globus-gridftp-server[15516]: Mapping service "LCMAPS" returned local user
> > "augersgm"
> >
> > # id augersgm
> > uid=3059000(augersgm) gid=3050000(auger) groups=3050000(auger)
> >
> > This has been seen only for a single user and in a special situation where he invokes the
> > Role=SoftwareManager. Other roles are working fine for the same user.
>
> You cannot use static accounts on a WMS:
>
> https://savannah.cern.ch/bugs/index.php?36669
In fact, the problem is due to a slight variation of that bug;
to get it to work, you would need to apply this patch (tested):
-----------------------------------------------------------------------------
--- /etc/lcmaps/lcmaps.db.orig 2013-05-22 15:13:07.000000000 +0200
+++ /etc/lcmaps/lcmaps.db 2013-06-06 22:41:54.000000000 +0200
@@ -36,7 +36,7 @@
# DN-local -> DN-pool -> VO-pool
voms:
-localaccount -> good | poolaccount
-poolaccount -> good | vomslocalgroup
-vomslocalgroup -> vomspoolaccount
+vomslocalgroup -> vomslocalaccount
+vomslocalaccount -> good | vomspoolaccount
+vomspoolaccount -> good
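Review bot: The context comment at the top of the hunk, "# DN-local -> DN-pool -> VO-pool", no longer matches the policy below it. The new chain starts at vomslocalgroup and runs only vomslocalaccount and vomspoolaccount, so the localaccount and poolaccount steps are gone and DN-based entries are never consulted by this policy. Update the comment to the new order (VOMS group, then VOMS local account, then VOMS pool account) and say explicitly whether dropping the DN steps is intended, since a user who only has a DN entry would no longer be mapped here.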
-----------------------------------------------------------------------------
But it would be better simply to use only pool accounts.
On our WMS the grid-mapfile looks like this:
-----------------------------------------------------------------------------
"/alice/Role=NULL/Capability=NULL" .alice
"/alice" .alice
"/alice/*/Role=NULL/Capability=NULL" .alice
"/alice/*" .alice
"/atlas/Role=NULL/Capability=NULL" .atlas
"/atlas" .atlas
"/atlas/*/Role=NULL/Capability=NULL" .atlas
"/atlas/*" .atlas
[...]
-----------------------------------------------------------------------------
YAIM's groups.conf:
-----------------------------------------------------------------------------
"/alice"::::
"/alice/*"::::
"/atlas"::::
"/atlas/*"::::
[...]
-----------------------------------------------------------------------------
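
A quick way to check a grid-mapfile against the "only pool accounts" advice above, as an added example that is not part of the original message or of any gLite/YAIM tool. The sample file is constructed (the augersgm, .auger and auger001 lines are assumptions), and the parser handles only the quoted-subject form shown in the post:

```python
import re

# Constructed grid-mapfile sample. The augersgm, .auger and auger001 lines are
# assumed for illustration; the post does not show the affected site's file.
SAMPLE = '''\
# VOMS FQAN mappings
"/alice/Role=NULL/Capability=NULL" .alice
"/alice/*" .alice
"/auger/Role=SoftwareManager/Capability=NULL" augersgm
"/auger/Role=SoftwareManager" augersgm
"/auger" .auger
"/DC=es/DC=irisgrid/O=ugr/CN=mdserrano" auger001
/atlas .atlas
'''

# Only the quoted form used in the post: "subject" account
ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')


def subject_kind(subject):
    """Heuristic: a DN's first component is attr=value, a FQAN's is the VO name."""
    first = subject.lstrip("/").split("/", 1)[0]
    return "DN" if "=" in first else "FQAN"


def audit_gridmap(text):
    """Return (line_no, kind, subject, account) for every entry that is not a
    pool-account mapping; kind is "static-FQAN", "static-DN" or "unparsed"."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            findings.append((no, "unparsed", line, None))
            continue
        subject, account = m.groups()
        if not account.startswith("."):  # pool accounts are written ".prefix"
            findings.append((no, "static-" + subject_kind(subject), subject, account))
    return findings


if __name__ == "__main__":
    for no, kind, subject, account in audit_gridmap(SAMPLE):
        print(f"line {no}: {kind}: {subject} -> {account}")
```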