Dear all,
I have added support for a new VO (belle) at our site (prague_cesnet_lcg2) but users are
unable to map to a pool account.
I can see the following lines in ce2.egee.cesnet.cz:/var/log/globus-gatekeeper.log:
LCAS 0:
LCAS 1: Initialization LCAS version 1.3.7
allowing empty credentials
LCAS 2: LCAS authorization request
LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
LCAS 0: lcas_plugin_voms-plugin_confirm_authorization_from_x509(): VOMS Signature error (failure)!
LCAS 0: 2009-07-23.10:59:02 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin failed
LCAS 0: lcas.mod-lcas_run_va(): authorization failed for plugin /opt/glite/lib/modules/lcas_voms.mod
LCAS 0: lcas.mod-lcas_run_va(): failed
LCAS failed authorization.
Failure in LCAS Authorization
Failure: globus_gss_assist_gridmap() failed authorization. globus_gss_assist: Error invoking callout
globus_callout_module: The callout returned an error
an unknown error occurred
I think I have the correct record in grid-security:
# cat /etc/grid-security/vomsdir/belle/voms.kek.jp.lsc
/C=JP/O=KEK/OU=CRC/CN=host/voms.kek.jp
/CN=KEK GRID Certificate Authority/OU=CRC/O=KEK/C=JP
Our CRLs are up to date.
The user's proxy seems to be OK too (and it works with other servers):
[watase@kek2-ui01 demo]$ voms-proxy-info -all
subject : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE/CN=proxy
issuer : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE
identity : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE
type : proxy
strength : 1024 bits
path : /tmp/x509up_u13009
timeleft : 10:46:08
=== VO belle extension information ===
VO : belle
subject : /C=JP/O=KEK/OU=CRC/CN=Yoshiyuki WATASE
issuer : /C=JP/O=KEK/OU=CRC/CN=host/voms.kek.jp
attribute : /belle/Role=lcgadmin/Capability=NULL
attribute : /belle/Role=NULL/Capability=NULL
timeleft : 10:46:08
uri : voms.kek.jp:15020
What else can cause this problem?
Thank you for any help,
--
Tomas Kouba
Institute of Physics, Academy of Sciences of the Czech Republic