This may have solved Xavier assymetric problem, but his access continues
to be denied at LIP-Lisbon
TIME: Tue Jan 15 15:28:12 2008
PID: 23159 -- Notice: 6: Got connection 193.146.197.166 at Tue Jan 15
15:28:12 2008
TIME: Tue Jan 15 15:28:12 2008
PID: 23159 -- Notice: 5: Authenticated globus user:
/DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
lcas client name: /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
LCAS 0:
LCAS 1: Initialization LCAS version 1.3.7.0
allowing empty credentials
LCAS 2: LCAS authorization request
LCAS 0: lcas_userban.mod-plugin_confirm_authorization():
checking banned users in /opt/glite/etc/lcas/ban_users.db
LCAS 0:
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): Generic
verification error for VOMS (failure): AC not yet (or not anymore) valid.
LCAS 0: 2008-01-15.15:28:12 :
lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin
failed
LCAS 0: lcas.mod-lcas_run_va(): authorization failed for plugin
/opt/glite/lib/modules/lcas_voms.mod
LCAS 0: lcas.mod-lcas_run_va(): failed
Goncalo
Xavier Espinal wrote:
> Hi,
>
> I confirm that Stephen's way worked OK:
>
> [espinal@vobox05 PilotFactory]$ voms-proxy-init -voms
> atlas:/atlas/Role=production --hours 95 -vomslife 95:0
> Enter GRID pass phrase:
> Your identity: /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
> Creating temporary proxy ....................................... Done
> Contacting lcg-voms.cern.ch:15001
> [/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch] "atlas" Done
> Creating proxy .............................................. Done
> Your proxy is valid until Sat Jan 19 15:18:44 2008
> [espinal@vobox05 PilotFactory]$ voms-proxy-info -all
> subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal/CN=proxy
> issuer : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
> identity : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
> type : proxy
> strength : 512 bits
> path : /tmp/x509up_u50009
> timeleft : 94:59:53
> === VO atlas extension information ===
> VO : atlas
> subject : /DC=es/DC=irisgrid/O=pic/CN=xavier-espinal
> issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
> attribute : /atlas/Role=production/Capability=NULL
> attribute : /atlas/Role=NULL/Capability=NULL
> attribute : /atlas/lcg1/Role=NULL/Capability=NULL
> timeleft : 94:59:53
>
>
> Maybe this info should be broadcasted until the bug is corrected.
>
> Thanks !
>
> Cheers,
> Xavi.
>
>
> ----------------------------------------------------------------------------
>
> Xavier Espinal Curull
> Port d'Informació Científica (PIC) &
> Institut de Física d'Altes Energies (IFAE)
> Universitat Autònoma de Barcelona
> Edifici D Campus UAB
> 08193 Bellaterra
> Barcelona-Spain
> ----------------------------------------------------------------------------
>
> Skype: xavier.espinal
> ----------------------------------------------------------------------------
>
> Avis - Aviso - Legal Notice: http://www.ifae.es/legal.html
> ----------------------------------------------------------------------------
>
>
>
>
> On Jan 15, 2008, at 4:03 PM, Burke, S (Stephen) wrote:
>
>>> possibly if you go over the maximum (which I
>>> guess is 96 hours) it falls back to the default (12)?
>>
>> Actually I think there's a bug here. The man page for voms-proxy-init
>> says:
>>
>> -vomslife H Tries to get a pseudo cert with information valid
>> for H
>> hours. The default is "as long as the proxy certificate". The
>> special
>> value 0 means as long as the server will allow.
>>
>> but in fact without the vomslife parameter it seems to always give me 12
>> hours - with the vomslife it works:
>>
>> voms-proxy-init --voms atlas --hours 95 -vomslife 95:0
>>
>> [...]
>>
>> === VO atlas extension information ===
>> VO : atlas
>> subject : /C=UK/O=eScience/OU=CLRC/L=RAL/CN=stephen burke
>> issuer : /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
>> attribute : /atlas/Role=NULL/Capability=NULL
>> attribute : /atlas/lcg1/Role=NULL/Capability=NULL
>> timeleft : 94:59:57
>>
>> rpm -qf `which voms-proxy-init`
>> glite-security-voms-clients-1.7.16-2
>>
>> Stephen
|