 |
 |
Dear all, I have added support for a new VO (belle) at our site (prague_cesnet_lcg2) but users are unable to map to a pool account. I can see the following lines in ce2.egee.cesnet.cz:/var/log/globus-gatekeeper.log LCAS 0: LCAS 1: Initialization LCAS version 1.3.7 allowing empty credentials LCAS 2: LCAS authorization request LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db LCAS 0: lcas_plugin_voms-plugin_confirm_authorization_from_x509(): VOMS Signature error (failure)! LCAS 0: 2009-07-23.10:59:02 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin failed LCAS 0: lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_voms.mod LCAS 0: lcas.mod-lcas_run_va(): failed LCAS failed authorization. Failure in LCAS Authorization Failure: globus_gss_assist_gridmap() failed authorization. globus_gss_assist: Error invoking callout globus_callout_module: The callout returned an error an unknown error occurred I think I have the correct record in grid-security: # cat /etc/grid-security/vomsdir/belle/voms.kek.jp.lsc /C=JP/O=KEK/OU=CRC/CN=host/voms.kek.jp /CN=KEK GRID Certificate Authority/OU=CRC/O=KEK/C=JP Our crls are up to date. The user's proxy seems to ok too (and it works with other servers): [watase@kek2-ui01 demo]$ voms-proxy-info -all subject : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE/CN=proxy issuer : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE identity : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE type : proxy strength : 1024 bits path : /tmp/x509up_u13009 timeleft : 10:46:08 === VO belle extension information === VO : belle subject : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE issuer : /C=JP/O=KEK/OU=CRC/CN=host/voms.kek.jp attribute : /belle/Role=lcgadmin/Capability=NULL attribute : /belle/Role=NULL/Capability=NULL timeleft : 10:46:08 uri : voms.kek.jp:15020 What else can cause this problem? Thank you for any help, -- Tomas Kouba Institute of Physics, Academy of sciences of the Czech Republic