[log in to unmask] wrote: > On Tue, 1 Jul 2008, Tomas Kouba wrote: > >> in /etc/grid-security/gridmapdir, there are files in following format: >> <DN>:<FIELD1>:<FIELD2> > > Each field following a ':' character is the UNIX group name corresponding > to a VOMS FQAN in a proxy whose primary FQAN is mapped to a pool account. > For example, if the proxy contains these FQANs: > > /atlas/Role=production/Capability=NULL > /atlas/Role=NULL/Capability=NULL > > If the ATLAS production users are mapped to their own pool accounts > (e.g. prdatl01 ... prdatl99), then such a proxy will have a corresponding > file in /etc/grid-security/gridmapdir of the form <DN>:<GROUP1>:<GROUP2>, > where <GROUP1> is the group for ATLAS production users (say "atlasprd") > and <GROUP2> the standard group for ATLAS users (say "atlas"). Hi all, thank you for the explanation Maarten. My problem is that we have a user that is mapped two times at our CE and only the groups are swapped: 66843 -rw-r--r-- 2 root root 0 Jun 30 14:48 %2fo%3dgermangrid%2fou%3dlmu%2fcn%3djohn%20kennedy:atlasprd:atlas 66843 -rw-r--r-- 2 root root 0 Jun 30 14:48 atlasprd020 66734 -rw-r--r-- 2 root root 0 Jul 1 13:14 %2fo%3dgermangrid%2fou%3dlmu%2fcn%3djohn%20kennedy:atlas:atlasprd 66734 -rw-r--r-- 2 root root 0 Jul 1 13:14 atlas111 Does it mean, that the user has had two proxies one with /atlas/Role=production/Capability=NULL /atlas/Role=NULL/Capability=NULL and the other with /atlas/Role=NULL/Capability=NULL /atlas/Role=production/Capability=NULL ? How can this be achieved? -- Tomas Kouba Institute of Physics, Academy of sciences of the Czech Republic