Hi Alessandro
After further investigation I realized that I was missing the public
key in /etc/grid-security/vomsdir/ directory for the VO (see) that I
was using. By copying this public key from another CE I could remove
the DN entry and use a pure vomsified gridmap file.
This might help you in locating your problem.
Thanks,
Harald Gjermundrod
On Oct 10, 2006, at 6:02 PM, Antun Balaz wrote:
> Hi,
> gliteCE is supposed to work just with voms proxies...
>
> Regards, Antun
>
> -----
> Antun Balaz
> Research Assistant
> E-mail: [log in to unmask]
> Web: http://scl.phy.bg.ac.yu/
>
> Phone: +381 11 3160260, Ext. 152
> Fax: +381 11 3162190
>
> Scientific Computing Laboratory
> Institute of Physics, Belgrade, Serbia
> -----
>
> ---------- Original Message -----------
> From: Jeremy Cook <[log in to unmask]>
> To: [log in to unmask]
> Sent: Tue, 10 Oct 2006 15:04:45 +0200
> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>
>> Hi,
>>
>> In my limited experience, this type of error occurs when the user of
>> the gliteCE does not use 'voms-proxy-init' to get their proxy. Of
>> course the potential problem is that the user may get authenticated
>> on the gliteCE, but not on the SE, or vice versa, depending on which
>> '*-proxy-init' method they use, since one uses vomsified gridmap
>> file and the other uses edg_mkgridmapfile.
>>
>> Jeremy Cook
>>
>> On 10/10/06, Alessandro Paolini <[log in to unmask]>
>> wrote:
>>>
>>> Hi,
>>> looking better at gatekeeper.log, (sorry, I attached it only in the ggus
>>> ticket 13935) there is this line:
>>>
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): (in addition no VOMS info was found in user proxy)
>>>
>>> so it seems there is a problem with the proxy voms used by SAM
>>>
>>> Cheers,
>>> Alessandro
>>>
>>> from gatekeeper.log:
>>>
>>> -------------------------------------------------------------------------------
>>> Notice: 5: Trying to use delegated user proxy
>>> Notice: 5: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
>>> Notice: 0: GRID_SECURITY_HTTP_BODY_FD=9
>>> Notice: 0: JOB_REPOSITORY_ID 2006-10-09.10:23:56.124862.0000023656.0000000348 (unique id used for Job Repository)
>>> Notice: 0: FORMAT: YYYY-MM-DD.hh:mm:ss.micros.pid.connection
>>> Notice: 0: (Format: <date>.<time (with microsecs)>.<pid>.<connection counter>)
>>> Notice: 0: temporarily ALLOW empty credentials
>>> Notice: 0: Using dlopen version of LCAS
>>> Notice: 0: lcasmod_name = /opt/glite/lib/lcas.mod
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> LCAS 7: 2006-10-09.10:23:56.124862.0000023656.0000000348 : Initialization LCAS version 1.3.1
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas.mod-lcas_init(): Reading LCAS database /opt/glite/etc/lcas/lcas.db
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 :
>>> LCAS 5: 2006-10-09.10:23:56.124862.0000023656.0000000348 : LCAS authorization request
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas.mod-lcas_run_va(): user is /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_userban.mod
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): authorization denied based on DN info for user
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS in /etc/grid-security/grid-mapfile
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): (in addition no VOMS info was found in user proxy)
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin failed
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_voms.mod
>>> LCAS 0: 2006-10-09.10:23:56.124862.0000023656.0000000348 : lcas.mod-lcas_run_va(): failed
>>> Failure: LCAS failed authorization.
>>> Failure: LCAS failed authorization.
>>> ------------------------------------------------------
>>>
>>> Alessandro Paolini wrote:
>>> Antun Balaz wrote:
>>> Hi Alessandro,
>>>
>>> What about your /etc/grid-security/gridmapdir? Do you share your pbs server
>>> by lcg-CE and gliteCE? Mappings in gridmapdir should then be shared as well.
>>> Please take a look at the South Eastern Europe Wiki regarding the gLite
>>> deployment for the details:
>>>
>>> http://wiki.egee-see.org/index.php/GLite30
>>>
>>> Maybe you can get new ideas after reading these deployment instructions and
>>> experiences...
>>>
>>> Hope this helps,
>>> Antun
>>>
>>> Hi Antun,
>>> gridmapdir is already shared:
>>>
>>> [root@glite-ce-01 root]# df -h
>>> Filesystem            Size  Used Avail Use% Mounted on
>>> /dev/md0              111G  1.8G  104G   2% /
>>> /dev/sda1              99M   16M   79M  17% /boot
>>> none                 1004M     0 1004M   0% /dev/shm
>>> gridit-ce-001.cnaf.infn.it:/var/spool/pbs
>>>                        64G  2.4G   58G   4% /var/spool/pbs
>>> gridit-ce-001.cnaf.infn.it:/etc/grid-security/gridmapdir
>>>                        64G  2.4G   58G   4% /etc/grid-security/gridmapdir
>>>
>>> I'll continue to investigate,
>>> thanks for the help.
>>> Alessandro
>>>
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 12:03:36 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>> Antun Balaz wrote:
>>>
>>> Can you check on other nodes that have old-style grid-mapfile if it
>>> contains Rafal and how it is mapped?
>>>
>>> on our lcg-CE:
>>>
>>> [root@gridit-ce-001 root]# grep Rafal /etc/grid-security/grid-mapfile
>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala" .dteam
>>> "/C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS" opssgm
>>>
>>> Cheers,
>>> Alex
>>>
>>> Regards, Antun
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 11:46:07 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>> Antun Balaz wrote:
>>>
>>> Hi Alessandro,
>>>
>>> grid-mapfile on gliteCE should not contain any DNs. If tests don't work
>>> without it, this means that your gliteCE is wrongly configured...
>>>
>>> Hi Antun,
>>> I agree with you, it isn't the correct way to solve the problem, which
>>> suddenly appeared some days ago only for ops (and I don't know if it
>>> is related only to that user). Isn't there anyone among the restricted
>>> members of ops (excluding Rafal) who can also launch a simple test
>>> (globus-job-run glite-ce-01.cnaf.infn.it /usr/bin/whoami)?
>>>
>>> Many thanks in advance,
>>> Alex
>>>
>>> Regards, Antun
>>>
>>> ---------- Original Message -----------
>>> From: Alessandro Paolini <[log in to unmask]>
>>> To: [log in to unmask]
>>> Sent: Tue, 10 Oct 2006 11:17:14 +0200
>>> Subject: Re: [LCG-ROLLOUT] SFT on glite CE
>>>
>>> Hi Harald,
>>> thanks for the answer; I added the certificate DN of Rafal to the
>>> grid-mapfile, and now that user is authenticated and authorized
>>> correctly, even though this thing should work without inserting any
>>> user DN in grid-mapfile, because CE glite is only voms compatible.
>>> I've also opened a ggus ticket (13935), so I hope to understand soon
>>> where the problem is :-)
>>>
>>> Cheers,
>>> Alex
>>>
>>> Harald Gjermundrod wrote:
>>>
>>> Hi
>>>
>>> I have also had that problem in that the
>>> /etc/grid-security/grid-mapfile is vomsified, i.e. it only contains
>>> the following:
>>>
>>> "/see/Role=seeadmin/Capability=NULL" seesgm
>>> "/see/Role=seeadmin" seesgm
>>> "/see/Role=production/Capability=NULL" seeprd
>>> "/see/Role=production" seeprd
>>> "/see/Role=NULL/Capability=NULL" .see
>>> "/see" .see
>>> "/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
>>> "/dteam/Role=lcgadmin" dteamsgm
>>> "/dteam/Role=production/Capability=NULL" dteamprd
>>> "/dteam/Role=production" dteamprd
>>> "/dteam/Role=NULL/Capability=NULL" .dteam
>>> "/dteam" .dteam
>>> "/ops/Role=lcgadmin/Capability=NULL" opssgm
>>> "/ops/Role=lcgadmin" opssgm
>>> "/ops/Role=NULL/Capability=NULL" .ops
>>> "/ops" .ops
>>>
>>> When I try to globus-job-run with a see proxy it fails (same error
>>> messages as you), but using dteam proxy it works. Now if I manually
>>> add the following entry to my grid-mapfile:
>>> "/C=CY/O=CyGrid/O=UCY/CN=Harald Gjermundrod" .see
>>>
>>> Then it also works using a see proxy.
>>>
>>> I'm not sure if this is the solution you are looking for, but it
>>> works for our purpose.
>>>
>>> Thanks,
>>> Harald Gjermundrod
>>>
>>> On Oct 9, 2006, at 1:20 PM, Alessandro Paolini wrote:
>>>
>>> Hi all,
>>> in the last days SFT on our glite CE are failing, but it seems to be
>>> OK, since jobs submitted by me as infngrid user run fine.
>>>
>>> I observed in /var/log/messages messages like this:
>>>
>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
>>> Oct 9 10:38:28 glite-ce-01 GRAM gatekeeper[15961]: LCAS failed authorization.
>>>
>>> I can't do tests as ops user (only from
>>> https://monitoring.egee.man.poznan.pl/admin2/index.php, but through
>>> Rafal certificate...), so I don't know if there is a general problem
>>> with ops or only with that user on our glite CE (this is the only ops
>>> user that sends jobs apparently).
>>> Instead on lcg CE SFT are always sent by other ops user, and there
>>> isn't any problem (our CEs share the same WNs, and lcg CE is the
>>> torque server).
>>>
>>> So my question is if anyone has observed a similar problem on his
>>> glite CE.
>>>
>>> Cheers,
>>> Alessandro
>>>
>>>
>>>
>>>
>>> --
>>> Dr. Alessandro Paolini
>>> INFN - CNAF
>>> Viale Berti Pichat 6/2
>>> 40127 Bologna
>>> Italy
>>> tel: +39 051 6092723
>>> fax: +39 051 6092746
>>> ICQ: 192172027
>>>
>>
>> --
>> [log in to unmask] tlf: +47 55 58 40 65
>> Parallab Bergen Centre for Computational Science
> ------- End of Original Message -------
>
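
A triage sketch for the two artefacts quoted in this thread, added here as an example and not part of any message or of gLite/LCAS itself: it lists per-user DN entries left in an otherwise vomsified grid-mapfile and extracts the voms-plugin denial and its "no VOMS info" reason from gatekeeper.log. The sample inputs are constructed from the excerpts above, the function names are hypothetical, and telling a DN from a VOMS FQAN by an `=` in the first path component is an assumption.

```python
import re

# Constructed samples modelled on the thread's excerpts (not real site files).
GRIDMAP = '''"/see/Role=seeadmin" seesgm
"/see" .see
"/ops/Role=lcgadmin" opssgm
"/ops" .ops
"/C=CY/O=CyGrid/O=UCY/CN=Harald Gjermundrod" .see
'''
REQ = "2006-10-09.10:23:56.124862.0000023656.0000000348"
PLUGIN = "lcas_plugin_voms-plugin_confirm_authorization_from_x509()"
LOG = f'''Notice: 5: Authenticated globus user: /C=PL/O=GRID/O=PSNC/CN=Rafal Lichwala - OPS
LCAS 0: {REQ} : lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_userban.mod
LCAS 0: {REQ} : {PLUGIN}: authorization denied based on DN info for user
LCAS 0: {REQ} : {PLUGIN}: (in addition no VOMS info was found in user proxy)
LCAS 0: {REQ} : lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_voms.mod
Failure: LCAS failed authorization.
'''

ENTRY = re.compile(r'^"([^"\n]+)"[ \t]+(\S+)[ \t]*$', re.M)
LCAS_LINE = re.compile(r'^LCAS \d+: (\S+) : (.*)$', re.M)

def classify_gridmap(text):
    """Split grid-mapfile entries into VOMS FQAN and per-user DN mappings."""
    fqans, dns = [], []
    for subject, account in ENTRY.findall(text):
        # Assumption: a certificate DN starts with an attribute=value RDN
        # (/C=..., /DC=..., /O=...); a VOMS FQAN starts with a bare /<vo>.
        first = subject.lstrip("/").split("/", 1)[0]
        (dns if "=" in first else fqans).append((subject, account))
    return fqans, dns

def lcas_denials(log):
    """Map each LCAS request id to the plugin that denied it and the reason."""
    out = {}
    for req, msg in LCAS_LINE.findall(log):
        rec = out.setdefault(req, {"plugin": None, "no_voms_info": False})
        if "no VOMS info was found in user proxy" in msg:
            rec["no_voms_info"] = True
        elif "authorization failed for plugin" in msg:
            rec["plugin"] = msg.rsplit("/", 1)[-1]
    # Requests that no plugin denied are not reported.
    return {r: v for r, v in out.items() if v["plugin"]}

if __name__ == "__main__":
    fqans, dns = classify_gridmap(GRIDMAP)
    print("per-user DN entries:", dns)
    for req, rec in lcas_denials(LOG).items():
        print(req, rec)
```

A denial by lcas_voms.mod with `no_voms_info` set matches both causes raised in the thread: a proxy created without voms-proxy-init, or a CE missing the VO's public key in /etc/grid-security/vomsdir/.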