Hi Torsten,
in my experience this is usually a problem with the user proxy, i.e.
he first gets a proxy with the sgm extension, but the next time
doesn't use the proper voms extension and gets assigned to the last
known one.
I can recreate the effect you see (I think):
lx06:grid_job :-> voms-proxy-init --debug --voms
vo.londongrid.ac.uk:/vo.londongrid.ac.uk/Role=lcgadmin
[password]
lx06:grid_job :-> uberftp ceprod04
220 ceprod04.grid.hep.ph.ic.ac.uk GridFTP Server 2.3 (gcc32dbg,
1144436882-63) ready.
230 User lt2-londonsgm logged in.
lx06:grid_job :-> voms-proxy-init --debug
[password]
lx06:grid_job :-> uberftp ceprod04
220 ceprod04.grid.hep.ph.ic.ac.uk GridFTP Server 2.3 (gcc32dbg,
1144436882-63) ready.
230 User lt2-londonsgm logged in.
(I am sgm again !)
(Now with the voms extension.)
lx06:grid_job :-> voms-proxy-init --debug --voms vo.londongrid.ac.uk
lx06:grid_job :-> uberftp ceprod04
220 ceprod04.grid.hep.ph.ic.ac.uk GridFTP Server 2.3 (gcc32dbg,
1144436882-63) ready.
230 User lt2-london411 logged in.
Can you ask the user to send you the output of voms-proxy-info --all
before each step, that might shed some light on what's going on.
Cheers,
Daniela
On 14 February 2011 13:45, Torsten Harenberg
<[log in to unmask]> wrote:
> Dear all,
>
> (thanks for all your replies concerning the lcg-CA package :-) )
>
> now I have a problem with one single user from Auger. He has both access to the SoftwareManager and to the Production Role.
>
> While all other Auger users (also some with production role) are mapped correctly to one of the augerXXX or augerprdXXX accounts, this one get's always mapped to the augersgm account (for auger we only have a single augersgm account).
>
> I already checked with the Auger VO support and so far it seems that our settings are correct, but I couldn't find the problem.
>
> The logs say:
>
>
> Feb 14 14:26:44 grid-ce5 GRAM gatekeeper[1968]: Got connection 134.158.72.175 at Mon Feb 14 14:26:44 2011
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Requested service: jobmanager-lcgpbs
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authorized as local user: augersgm
> Feb 14 14:26:45 grid-ce5 GRAM gatekeeper[1968]: Authorized as local uid: 29991
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: and local gid: 2990
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: "/DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo" mapped to augersgm (29991/2990)
> Feb 14 14:26:46 grid-ce5 GRAM gatekeeper[1968]: JMA 2011/02/14 14:26:46 GATEKEEPER_JM_ID 2011-02-14.14:26:45.0000001968.0000000000 has EDG_WL_JOBID ''
>
>
> PID: 7507 -- Notice: 6: Got connection 195.113.219.92 at Mon Feb 14 14:08:36 2011
>
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> lcas client name: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> LCAS 0:
> LCAS 1: Initialization LCAS version 1.3.11.2
> allowing empty credentials
> LCAS 2: LCAS authorization request
> LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
> LCAS 0: 2011-02-14.13:08:37 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin succeeded
> LCAS 0: lcas.mod-lcas_run_va(): succeeded
> LCAS 1: Termination LCAS
> lcmaps client name: /DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 :
> LCMAPS 7: 2011-02-14.14:08:37.0000007507.0000000000 : Initialization LCMAPS version 1.4.7
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-startPluginManager(): Reading LCMAPS database /opt/glite/etc/lcmaps/lcmaps.db
> LCMAPS 5: 2011-02-14.14:08:37.0000007507.0000000000 : LCMAPS credential mapping request
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin succeeded
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): Could not find a VOMS localaccount in /etc/grid-security/grid-map
> file (failure)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): voms_localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): warning: no primary group found !
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): no primary group found (failure)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin failed
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin succeeded
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 6: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_posix_enf-log_cred(): uid=29991(augersgm):pgid=2990(auger)
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
> LCMAPS 0: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-lcmaps_run(): succeeded
> LCMAPS 7: 2011-02-14.14:08:37.0000007507.0000000000 : Termination LCMAPS
> LCMAPS 1: 2011-02-14.14:08:37.0000007507.0000000000 : lcmaps.mod-lcmaps_term(): terminating
> Successfull mapping done
> Mapping service "LCMAPS" returned local user "augersgm"
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 0: GRID_SECURITY_HTTP_BODY_FD=8
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Requested service: jobmanager-fork
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authorized as local user: augersgm
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: Authorized as local uid: 29991
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: and local gid: 2990
> TIME: Mon Feb 14 14:08:37 2011
> PID: 7507 -- Notice: 5: "/DC=es/DC=irisgrid/O=ugr/CN=Julio.Lozano.Bahilo" mapped to augersgm (29991/2990)
>
> config is:
>
> [root@grid-ce5 grid-security]# grep auger voms-grid-mapfile
> "/auger/Role=Production/Capability=NULL" .augerprd
> "/auger/Role=Production" .augerprd
> "/auger/Role=SoftwareManager/Capability=NULL" augersgm
> "/auger/Role=SoftwareManager" augersgm
> "/auger/Role=NULL/Capability=NULL" .auger
> "/auger" .auger
>
>
> [root@grid-ce5 auger]# pwd
> /etc/grid-security/vomsdir/auger
> [root@grid-ce5 auger]# ls
> voms1.egee.cesnet.cz.lsc
> [root@grid-ce5 auger]# cat voms1.egee.cesnet.cz.lsc
> /DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz
> /DC=cz/DC=cesnet-ca/CN=CESNET CA
>
>
> Here is the globus-gatekeeper.log from another Auger user, mapped correctly to augerprd004:
>
> PID: 17654 -- Notice: 6: Got connection 192.108.45.128 at Mon Feb 14 14:09:45 2011
>
> TIME: Mon Feb 14 14:09:45 2011
> PID: 17654 -- Notice: 5: Authenticated globus user: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> lcas client name: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> LCAS 0:
> LCAS 1: Initialization LCAS version 1.3.11.2
> allowing empty credentials
> LCAS 2: LCAS authorization request
> LCAS 0: lcas_userban.mod-plugin_confirm_authorization(): checking banned users in /opt/glite/etc/lcas/ban_users.db
> LCAS 0: 2011-02-14.13:09:46 : lcas_plugin_voms-plugin_confirm_authorization_from_x509(): voms plugin succeeded
> LCAS 0: lcas.mod-lcas_run_va(): succeeded
> LCAS 1: Termination LCAS
> lcmaps client name: /DC=es/DC=irisgrid/O=ugr/CN=mdserrano
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 :
> LCMAPS 7: 2011-02-14.14:09:46.0000017654.0000000000 : Initialization LCMAPS version 1.4.7
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-startPluginManager(): Reading LCMAPS database /opt/glite/etc/lcmaps/lcmaps.db
> LCMAPS 5: 2011-02-14.14:09:46.0000017654.0000000000 : LCMAPS credential mapping request
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localgroup.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin succeeded
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_localaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): Could not find a VOMS localaccount in /etc/grid-security/grid-map
> file (failure)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_localaccount-plugin_run(): voms_localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): warning: no primary group found !
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): no primary group found (failure)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_localaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_localaccount-plugin_run(): No entry found for /DC=es/DC=irisgrid/O=ugr/CN=mdserrano in /etc/grid-
> security/grid-mapfile
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_localaccount-plugin_run(): localaccount plugin failed
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_poolaccount.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_poolaccount.mod
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_poolaccount-plugin_run(): poolaccount plugin succeeded
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod
> LCMAPS 6: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_posix_enf-log_cred(): uid=29954(augerprd004):pgid=2991(augerprd):sgid=2990(auger)
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
> LCMAPS 0: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-lcmaps_run(): succeeded
> LCMAPS 7: 2011-02-14.14:09:46.0000017654.0000000000 : Termination LCMAPS
> LCMAPS 1: 2011-02-14.14:09:46.0000017654.0000000000 : lcmaps.mod-lcmaps_term(): terminating
> Successfull mapping done
> Mapping service "LCMAPS" returned local user "augerprd004"
>
>
> I asked the User to send a globus-job-run directly to our CE and he returned:
>
> """
>
> I suppose this the globus command you wanted me to execute (within our UI at Granada) :
> [12:49][juliolb@ui-cafpegrid:tmp]$ globus-job-run grid-ce5.physik.uni-wuppertal.de/jobmanager-fork /usr/bin/id
> uid=29991(augersgm) gid=2990(auger) groups=2990(auger)
> And as you can see I'm mapped as augersgm ....
> whereas :
> [13:34][juliolb@ui-cafpegrid:tmp]$ globus-job-run ce-4-fzk.gridka.de:2119 /usr/bin/id
> uid=26399(augerprd) gid=5580(auger) groups=5580(auger)
> or :
> [13:34][juliolb@ui-cafpegrid:tmp]$ globus-job-run grid-ce.physik.rwth-aachen.de:2119 /usr/bin/id
> uid=34028(aug023) gid=34005(auger) groups=34005(auger) context=user_u:system_r:initrc_t
>
> """
>
>
>
> Anybody a clue on this one? I'm a bit lost...
>
> Best regards,
>
> Torsten
>
>
> --
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> <> <>
> <> Dr. Torsten Harenberg [log in to unmask] <>
> <> Bergische Universitaet <>
> <> FB C - Physik Tel.: +49 (0)202 439-3521 <>
> <> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
> <> 42097 Wuppertal <>
> <> <>
> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
>
--
-----------------------------------------------------------
[log in to unmask]
HEP Group/Physics Dep
Imperial College
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/
|