EOS authentication configuration (dual authentication?)

Dear experts,

As far as I know, EOS is using both Kerberos and x509 authentication. I am wondering what the configuration looks like for setting up the dual authentication for EOS xrootd?

I know separately it looks like:

    sec.protocol krb5 /etc/eos.krb5.keytab host/<host>@CERN.CH

    sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates \
                        -cert:/etc/grid-security/xrd/xrdcert.pem \
                        -key:/etc/grid-security/xrd/xrdkey.pem \
                        -crl:1 \
                        -vomsfun:libXrdVoms.so \
                        -vomsfunparms:certfmt=pem|grpopt=$(vomsfqans) \
                        -gmapopt:trymap -gmapto:0 \
                        -gridmap:/etc/grid-security/grid-mapfile

How can I use both authentications?

Sincerely,
Zhangqier Wang

Something like this:

    # define krb5 parameters
    sec.protocol krb5 /etc/krb5.keytab.eostest xrootd/eostest.cern.ch@CERN.CH

    # define gsi parameters (change with yours) …
    sec.protocol gsi -crl:0 -moninfo:1 -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem -gridmap:/etc/grid-security/grid-mapfile -gmapopt:2

    # define the default protocol order (here try first krb5, then gsi, then sss, then unix)
    sec.protbind * only krb5 gsi sss unix

You can find some info on how to generate a Kerberos V keytab file here:
https://xrootd.slac.stanford.edu/doc/dev56/sec_config.htm

Cheers Andreas.
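
A small lint for a combined krb5 + gsi configuration like the one in this answer, as an added example that is not part of the original post or of EOS/XRootD. The sample config is constructed from directives quoted in this thread and the function names are hypothetical; it assumes that `sec.protbind` may only name protocols defined by an earlier `sec.protocol` line and that `-crl:0` makes gsi ignore CRLs.

```python
# Constructed sample: krb5 and gsi are defined, sss and unix are not.
SAMPLE = r"""
# dual authentication, assembled from the thread's directives
sec.protocol krb5 /etc/krb5.keytab.eostest xrootd/eostest.cern.ch@CERN.CH
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates \
             -crl:0 -gridmap:/etc/grid-security/grid-mapfile
sec.protbind * only krb5 gsi sss unix
"""

def logical_lines(text):
    """Join backslash-continued lines, skip blanks and comments, yield token lists."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield line.split()

def lint(text):
    """Return (defined protocols, findings) for the sec.* directives in text."""
    defined, findings = {}, []
    for tok in logical_lines(text):
        if tok[0] == "sec.protocol" and len(tok) > 1:
            # An optional library path may precede the protocol id.
            rest = tok[2:] if tok[1].startswith("/") else tok[1:]
            if not rest:
                continue
            proto, params = rest[0], rest[1:]
            defined[proto] = params
            # Assumption: -crl:0 means CRLs are not consulted at all.
            if proto == "gsi" and "-crl:0" in params:
                findings.append("gsi: -crl:0 disables CRL checking")
        elif tok[0] == "sec.protbind" and len(tok) > 2:
            # tok[1] is the host pattern; 'only', 'none', 'host' are keywords.
            for name in tok[2:]:
                if name in ("only", "none", "host"):
                    continue
                if name not in defined:
                    findings.append(
                        f"protbind {tok[1]}: '{name}' has no earlier sec.protocol line")
    return defined, findings

if __name__ == "__main__":
    for finding in lint(SAMPLE)[1]:
        print(finding)
```
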

Dear Andreas,

Thanks for the help. I have set up Kerberos on the xrootd server and it relies on a remote database.

For the EOS setup, does it mean you need to have the “xrootd” principal saved in the Kerberos database? How do you get the keytab in this case? Do you need admin permission to the Kerberos database?

Sincerely,
Zhangqier