Hi Stephen, Gonçalo, all,
The issue is the following, I had a long-term proxy at the beginning
of the debugging process (much more than 96h), then after Gonçalo sent
to me the output of the mapping I destroy the proxy and created a new
one with duration == 96h and voms role activated... maybe we are
fighting with a common problem with long-term proxies [i.e. problems
accessing the catalogues when the time overpass a limit (96h)].
I made:
voms-proxy-init -voms atlas:/atlas/Role=production -hours 96:00
But this seems not to work either:
The output of voms-proxy-info -all (asymmetry):
[espinal@vobox05 PilotFactory]$ voms-proxy-info -all
subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal/CN=proxy
issuer : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
identity : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
type : proxy
strength : 512 bits
path : /tmp/x509up_u50009
timeleft : 93:35:42
=== VO atlas extension information ===
VO : atlas
subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /atlas/Role=production/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
timeleft : 9:36:49
Then I destroy everything and created a standard short-term proxy, and
discovered asymmetries again:
[espinal@vobox05 PilotFactory]$ voms-proxy-destroy
[espinal@vobox05 PilotFactory]$ voms-proxy-info -all
Couldn't find a valid proxy.
[espinal@vobox05 PilotFactory]$ voms-proxy-init -voms atlas:/atlas/
Role=production -hours 96:00
Enter GRID pass phrase:
[espinal@vobox05 PilotFactory]$ voms-proxy-init -voms atlas:/atlas/
Role=production
Enter GRID pass phrase:
Your identity: /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
Creating temporary proxy ................................ Done
Contacting lcg-voms.cern.ch:15001 [/C=CH/O=CERN/OU=GRID/CN=host/lcg-
voms.cern.ch] "atlas" Failed
Error: Could not establish authenticated connection with the server.
GSS Major Status: Unexpected Gatekeeper or Service Name
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Authorization denied: The name of the remote entity
(/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch), and the expected
name for the remote entity (/C=CH/O=CERN/OU=GRID/CN=host/lcg-
voms.cern.ch) do not match
Trying next server for atlas.
Creating temporary proxy ...........................................
Done
Contacting lcg-voms.cern.ch:15001 [/DC=ch/DC=cern/OU=computers/CN=lcg-
voms.cern.ch] "atlas" Done
Creating proxy .............................. Done
Your proxy is valid until Wed Jan 16 03:22:53 2008
[espinal@vobox05 PilotFactory]$ voms-proxy-info -all
subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal/CN=proxy
issuer : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
identity : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
type : proxy
strength : 512 bits
path : /tmp/x509up_u50009
timeleft : 11:59:58
=== VO atlas extension information ===
VO : atlas
subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
attribute : /atlas/Role=production/Capability=NULL
attribute : /atlas/Role=NULL/Capability=NULL
attribute : /atlas/lcg1/Role=NULL/Capability=NULL
timeleft : 12:01:06
Hope this info can help, only remind that I'm happily running pilot-
jobs at PIC, IFAE, UAM, LIP-COIMBRA,... So only LIP-LISBON seems to be
sensitive to this, but we do need to understand it in order to prevent
further blockings !
Thanks !
Cheers,
Xavi.
----------------------------------------------------------------------------
Xavier Espinal Curull
Port d'Informació Científica (PIC) &
Institut de Física d'Altes Energies (IFAE)
Universitat Autònoma de Barcelona
Edifici D Campus UAB
08193 Bellaterra
Barcelona-Spain
----------------------------------------------------------------------------
Skype: xavier.espinal
----------------------------------------------------------------------------
Avis - Aviso - Legal Notice: http://www.ifae.es/legal.html
----------------------------------------------------------------------------
On Jan 15, 2008, at 3:16 PM, Gonçalo Borges wrote:
> Thanks Stephen,
> Let's see what the user says...
> Cheers
> Goncalo
>
> Burke, S (Stephen) wrote:
>> LHC Computer Grid - Rollout
>>> [mailto:[log in to unmask]] On Behalf Of Gonçalo Borges
>>> said:
>>> lcas_plugin_voms-plugin_confirm_authorization_from_x509(): Generic
>>> verification error for VOMS (failure): AC not yet (or not anymore)
>>> valid.
>>>
>>
>> This looks like a rare case of an error message being useful! The
>> VOMS part (AC) in the proxy has a lifetime separate from the proxy
>> itself, probably the AC is expired and the proxy not. Try voms-
>> proxy-info --all to check, or just recreate the proxy.
>>
>> Stephen
>>
|