Hi Alessandro

After further investigation I realized that I was missing the public  
key in /etc/grid-security/vomsdir/ directory for the VO (see) that I  
was using. By copying this public key from another CE I could remove  
the DN entry and use a pure vomsified gridmap file.

This might help you in locating your problem.

Thanks,
Harald Gjermundrod


On Oct 10, 2006, at 6:02 PM, Antun Balaz wrote:

> Hi,
> gliteCE is supposed to work just with voms proxies...
>
> Regards, Antun
>
> -----
> Antun Balaz
> Research Assistant
> E-mail: [log in to unmask]
> Web: http://scl.phy.bg.ac.yu/
>
> Phone: +381 11 3160260, Ext. 152
> Fax: +381 11 3162190
>
> Scientific Computing Laboratory
> Institute of Physics, Belgrade, Serbia
> -----
>
> ---------- Original Message -----------
> From: Jeremy Cook <[log in to unmask]>
> To: [log in to unmask]
> Sent: Tue, 10 Oct 2006 15:04:45 +0200
> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>
>> Hi,
>>
>> In my limited experience, this type of error occurs when the user of
>> the gliteCE does not use 'voms-proxy-init' to get their proxy.  Of
>> course the potential problem is that the user may get authenticated
>> on the gliteCE, but not on the SE, or vice versa, depending on which
>> '*-proxy-init' method they use, since one uses vomsified gridmap
>> file and the other uses edg_mkgridmapfile.
>>
>> Jeremy Cook
>>
>> On 10/10/06, Alessandro Paolini <[log in to unmask]>  
>> wrote:
>>>
>>>  Hi,
>>>  looking better at gatekeeper.log, (sorry, I attached it only in  
>>> the ggus
>>> ticket 13935) there is this line:
>>>
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>> (in additio
>>>  n no VOMS info was found in user proxy)
>>>
>>>  so it seems there is a problem with the proxy voms used by SAM
>>>
>>>  Cheers,
>>>  Alessandro
>>>
>>>  from gatekeeper.log:
>>>
>>> -------------------------------------------------------------------- 
>>> -----
> ------
>>>  Notice: 5: Trying to use delegated user proxy
>>>  Notice: 5: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal
> Lichwala
>>> - OPS
>>>  Notice: 0: GRID_SECURITY_HTTP_BODY_FD=9
>>>  Notice: 0: JOB_REPOSITORY_ID
>>> 2006-10-09.10:23:56.124862.0000023656.0000000348 (unique id used  
>>> for Job
>>> Repository)
>>>  Notice: 0: FORMAT:
>>> YYYY-MM-DD.hh:mm:ss.micros.pid.connection
>>>  Notice: 0: (Format: <date>.<time (with microsecs) 
>>> >.<pid>.<connection
>>> counter>)
>>>  Notice: 0: temporarily ALLOW empty credentials
>>>  Notice: 0: Using dlopen version of LCAS
>>>  Notice: 0: lcasmod_name = /opt/glite/lib/lcas.mod
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>  LCAS 7: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
> Initialization
>>> LCAS version 1.3.1
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas.mod-lcas_init(): Reading LCAS database /opt/glite/etc/lcas/ 
>>> lcas.db
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>>  LCAS 5: 2006-10-09.10:23:56.124862.0000023656.0000000348 : LCAS
>>> authorization request
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas.mod-lcas_run_va(): user is /C=PL/O=GRID/O=PSNC/CN=Rafal  
>>> Lichwala - O
>>>  PS
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_userban.mod-plugin_confirm_authorization(): checking
>>> banned users
>>>  in /opt/glite/etc/lcas/ban_users.db
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas.mod-lcas_run_va(): authorization granted by plugin /opt/ 
>>> glite/lib/mo
>>>  dules/lcas_userban.mod
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>> authorizati
>>>  on denied based on DN info for user
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>> /C=PL/O=GRI
>>>  D/O=PSNC/CN=Rafal Lichwala - OPS in /etc/grid-security/grid-mapfile
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>> (in additio
>>>  n no VOMS info was found in user proxy)
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509():
>>> voms plugin
>>>  failed
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas.mod-lcas_run_va(): authorization failed for plugin /opt/ 
>>> glite/lib/mo
>>>  dules/lcas_voms.mod
>>>  LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> lcas.mod-lcas_run_va(): failed
>>>  Failure: LCAS failed authorization.
>>>  Failure: LCAS failed authorization.
>>>  ------------------------------------------------------
>>>
>>>  Alessandro Paolini ha scritto:
>>>  Antun Balaz ha scritto:
>>>  Hi Alessandro,
>>>
>>> What about your /etc/grid-security/gridmapdir ? Do you share your  
>>> pbs
> server
>>> by lcg-CE and gliteCE? Mappings in gridmapdir should then be  
>>> shared as
> well.
>>> Please take a look at the South Eastern Europe Wiki regarding the  
>>> gLite
>>> deployment for the details:
>>>
>>> http://wiki.egee-see.org/index.php/GLite30
>>>
>>> Maybe you can get new ideas after reading these deployment  
>>> instructions
> and
>>> experiences...
>>>
>>> Hope this helps,
>>> Antun
>>>
>>>  Hi Antun,
>>>  gridmapdir is already shared:
>>>
>>>  [root@glite-ce-01 root]# df -h
>>>  Filesystem            Size  Used Avail Use% Mounted on
>>>  /dev/md0              111G  1.8G  104G   2% /
>>>  /dev/sda1              99M   16M   79M  17% /boot
>>>  none                 1004M     0 1004M   0% /dev/shm
>>>  gridit-ce-001.cnaf.infn.it:/var/spool/pbs
>>>                         64G  2.4G   58G   4% /var/spool/pbs
>>>  gridit-ce-001.cnaf.infn.it:/etc/grid-security/gridmapdir
>>>                         64G  2.4G   58G   4% /etc/grid-
> security/gridmapdir
>>>
>>>  I'll continue to investigate,
>>>  thanks for the help.
>>>  Alessandro
>>>
>>>
>>>
>>> -----
>>> Antun Balaz
>>> Research Assistant
>>> E-mail: [log in to unmask]
>>> Web: http://scl.phy.bg.ac.yu/
>>>
>>> Phone: +381 11 3160260, Ext. 152
>>> Fax: +381 11 3162190
>>>
>>> Scientific Computing Laboratory
>>> Institute of Physics, Belgrade, Serbia
>>> -----
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 12:03:36 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>>
>>>
>>>  Antun Balaz ha scritto:
>>>
>>>
>>>  Can you check on other nodes that have old-style grid-mapfile if it
>>>
>>>  contains
>>>
>>>
>>>
>>>  Rafal and how it is mapped?
>>>
>>>
>>>  on our lcg-CE:
>>>
>>> [root@gridit-ce-001 root]# grep Rafal /etc/grid-security/grid- 
>>> mapfile
>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala" .dteam
>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS" opssgm
>>>
>>> Cheers,
>>> Alex
>>>
>>>
>>>
>>>  Regards, Antun
>>>
>>> -----
>>> Antun Balaz
>>> Research Assistant
>>> E-mail: [log in to unmask]
>>> Web: http://scl.phy.bg.ac.yu/
>>>
>>> Phone: +381 11 3160260, Ext. 152
>>> Fax: +381 11 3162190
>>>
>>> Scientific Computing Laboratory
>>> Institute of Physics, Belgrade, Serbia
>>> -----
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 11:46:07 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>>
>>>
>>>
>>>  Antun Balaz ha scritto:
>>>
>>>
>>>
>>>  Hi Alessandro,
>>>
>>> grid-mapfile on gliteCE should not contain any DNs. If tests doesn't
>>>
>>>
>>>  work
>>>
>>>
>>>
>>>
>>>  without it, this means that your gliteCE is wrongly configured...
>>>
>>>
>>>
>>>  Hi Antun,
>>> I'm agree with you, it isn't the correct way to solve the problem
>>> suddenly appeared some day ago only for ops (and I don't know if it
>>> is related only to that user). Isn't there anyone of the restricted
>>> members of ops (excluding Rafal) that can launch also a simple test
>>> (globus-job-run glite-ce-01.cnaf.infn.it /usr/bin/whoami ) ?
>>>
>>> Many thanks in advance,
>>> Alex
>>>
>>>
>>>
>>>
>>>  Regards, Antun
>>>
>>> -----
>>> Antun Balaz
>>> Research Assistant
>>> E-mail: [log in to unmask]
>>> Web: http://scl.phy.bg.ac.yu/
>>>
>>> Phone: +381 11 3160260, Ext. 152
>>> Fax: +381 11 3162190
>>>
>>> Scientific Computing Laboratory
>>> Institute of Physics, Belgrade, Serbia
>>> -----
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 11:17:14 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>>
>>>
>>>
>>>
>>>  Hi Harald,
>>> thanks for the answer; I added certificate DN of Rafal in the
>>> grid-mapfile, and now that user is authenticated and authorized
>>> correctly, even though this thing should work without inserting any
>>> user DN in grid-mapfile, because CE glite is only voms compatible.
>>> I've also opened a ggus ticket (13935), so I hope to understand soon
>>> where is the problem :-)
>>>
>>> Cheers,
>>> Alex
>>>
>>> Harald Gjermundrod ha scritto:
>>>
>>>
>>>
>>>
>>>  Hi
>>>
>>> I have also had that problem in that the
>>> /etc/grid-security/grid-mapfile is vomsified, i.e. it only contains
>>> the following:
>>>
>>>
>>> "/see/Role=seeadmin/Capability=NULL" seesgm
>>> "/see/Role=seeadmin" seesgm
>>> "/see/Role=production/Capability=NULL" seeprd
>>> "/see/Role=production" seeprd
>>> "/see/Role=NULL/Capability=NULL" .see
>>> "/see" .see
>>> "/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
>>> "/dteam/Role=lcgadmin" dteamsgm
>>> "/dteam/Role=production/Capability=NULL" dteamprd
>>> "/dteam/Role=production" dteamprd
>>> "/dteam/Role=NULL/Capability=NULL" .dteam
>>> "/dteam" .dteam
>>> "/ops/Role=lcgadmin/Capability=NULL" opssgm
>>> "/ops/Role=lcgadmin" opssgm
>>> "/ops/Role=NULL/Capability=NULL" .ops
>>> "/ops" .ops
>>>
>>>
>>> When I try to globus-job-run with a see proxy it fails (same error
>>> messages as you), but using dteam proxy it works. Now if I manually
>>> add the following entry to my grid-mapfile:
>>> "/C=CY/O=CyGrid/O=UCY/CN=Harald Gjermundrod" .see
>>>
>>> Then it also works using a see proxy.
>>>
>>> I'm not sure if this is the solution you are looking for, but it
>>>
>>>  works
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>  for our purpose.
>>>
>>> Thanks,
>>> Harald Gjermundrod
>>>
>>>
>>> On Oct 9, 2006, at 1:20 PM, Alessandro Paolini wrote:
>>>
>>>
>>>
>>>
>>>
>>>  Hi all,
>>> in last days SFT on our glite CE are failing, but it seems to be
>>>
>>>  OK,
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>  since jobs submitted by me as infngrid user run fine.
>>>
>>> I observed in /var/log/messages messages like this:
>>>
>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: Authenticated
>>> globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: LCAS failed
>>> authorization.
>>>
>>> I can't do tests as ops user (only from
>>> https://monitoring.egee.man.poznan.pl/admin2/index.php, but
>>> through
>>> Rafal certificate...), so I don't know if there is a general
>>>
>>>  problem
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>  with ops or only with that user on our glite CE (this is the only
>>>
>>>  ops
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>  user that sends jobs apparently).
>>> Instead on lcg CE SFT are always sent by other ops user, and there
>>> isn't any problem (our CEs share the same WNs, and lcg CE is the
>>> torque server).
>>>
>>> So my question is if anyone has observed a similar problem on his
>>> glite CE.
>>>
>>> Cheers,
>>> Alessandro
>>>
>>>
>>>
>>>
>>>  --
>>> Dr. Alessandro Paolini
>>> INFN - CNAF
>>> Viale Berti Pichat 6/2
>>> 40127 Bologna
>>> Italy
>>> tel: +39 051 6092723
>>> fax: +39 051 6092746
>>> ICQ: 192172027
>>>
>>
>> -- 
>> [log in to unmask]                        tlf: +47 55 58 40 65
>> Parallab                  Bergen Centre for Computational Science
> ------- End of Original Message -------
>