File created empty with an error when forcing XrdSecPROTOCOL=gsi within EOS with gsi + alice token authentication

When I copy a file (using xrdcp or eoscp) forcing gsi within an EOS configuration with gsi and alice tokens activated, the file is empty:

Client configuration:

$ rpm -qf $(which xrdcp) $(which eoscp)
xrootd-client-4.9.1-1.el7.x86_64
eos-client-4.8.15-1.el7.cern.x86_64

Server configuration (MGM & FST):

[root@lyoeosmgm1 ~]# rpm -q eos-server

eos-server-4.8.15-1.el7.cern.x86_64

Copying a file without forcing authentication, the file is OK, no problem for either xrdcp or eoscp:

[pugnere@lyoui4:~] $ xrdfs root://lyoeosmgm1.in2p3.fr mkdir  /eos/lyoeos.in2p3.fr/home/pugnere/test
[pugnere@lyoui4:~] $ XrdSecDEBUG=1 xrdcp /scratch/denis/dd root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/home/pugnere/test/test1-xrdcp
sec_Client: protocol request for host lyoeosmgm1.in2p3.fr token='&P=gsi,v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0&P=sss,0.13:/etc/eos.keytab&P=unix'
sec_PM: Loaded gsi protocol object from libXrdSecgsi.so
200914 14:00:23 46957 secgsi_InitOpts: *** ------------------------------------------------------------ ***
200914 14:00:23 46957 secgsi_InitOpts:  Mode: client
200914 14:00:23 46957 secgsi_InitOpts:  Debug: 1
200914 14:00:23 46957 secgsi_InitOpts:  CA dir: /etc/grid-security/certificates
200914 14:00:23 46957 secgsi_InitOpts:  CA verification level: 1
200914 14:00:23 46957 secgsi_InitOpts:  CRL dir: /etc/grid-security/certificates
200914 14:00:23 46957 secgsi_InitOpts:  CRL extension: .r0
200914 14:00:23 46957 secgsi_InitOpts:  CRL check level: 1
200914 14:00:23 46957 secgsi_InitOpts:  CRL refresh time: 86400
200914 14:00:23 46957 secgsi_InitOpts:  Certificate: /home/infor/pugnere/.globus/usercert.pem
200914 14:00:23 46957 secgsi_InitOpts:  Key: /home/infor/pugnere/.globus/userkey.pem
200914 14:00:23 46957 secgsi_InitOpts:  Proxy file: /tmp/x509up_u2059
200914 14:00:23 46957 secgsi_InitOpts:  Proxy validity: 12:00
200914 14:00:23 46957 secgsi_InitOpts:  Proxy dep length: 0
200914 14:00:23 46957 secgsi_InitOpts:  Proxy bits: 512
200914 14:00:23 46957 secgsi_InitOpts:  Proxy sign option: 1
200914 14:00:23 46957 secgsi_InitOpts:  Proxy delegation option: 0
200914 14:00:23 46957 secgsi_InitOpts:  Allowed server names: [*/]<target host name>[/*]
200914 14:00:23 46957 secgsi_InitOpts:  Crypto modules: ssl
200914 14:00:23 46957 secgsi_InitOpts:  Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
200914 14:00:23 46957 secgsi_InitOpts:  MDigests: sha1:md5
200914 14:00:23 46957 secgsi_InitOpts:  Trusting DNS for hostname checking
200914 14:00:23 46957 secgsi_InitOpts: *** ------------------------------------------------------------ ***
sec_PM: Using gsi protocol, args='v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0'
200914 14:00:23 46957 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:00:23 46957 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (5e02f50a.0)
200914 14:00:23 46957 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:00:23 46957 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:00:23 46957 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:00:23 46957 cryptossl_X509::CertType: certificate has 9 extensions
sec_Client: protocol request for host lyostorage19.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Loaded unix protocol object from libXrdSecunix.so
sec_PM: Using unix protocol, args=''
[1024MB/1024MB][100%][==================================================][113.8MB/s]  

[pugnere@lyoui4:~] $ XrdSecDEBUG=1 eoscp /scratch/denis/dd root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/home/pugnere/test/test1-eoscp
sec_Client: protocol request for host lyoeosmgm1.in2p3.fr token='&P=gsi,v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0&P=sss,0.13:/etc/eos.keytab&P=unix'
sec_PM: Loaded gsi protocol object from libXrdSecgsi.so
200914 14:00:44 47029 secgsi_InitOpts: *** ------------------------------------------------------------ ***
200914 14:00:44 47029 secgsi_InitOpts:  Mode: client
200914 14:00:44 47029 secgsi_InitOpts:  Debug: 1
200914 14:00:44 47029 secgsi_InitOpts:  CA dir: /etc/grid-security/certificates
200914 14:00:44 47029 secgsi_InitOpts:  CA verification level: 1
200914 14:00:44 47029 secgsi_InitOpts:  CRL dir: /etc/grid-security/certificates
200914 14:00:44 47029 secgsi_InitOpts:  CRL extension: .r0
200914 14:00:44 47029 secgsi_InitOpts:  CRL check level: 1
200914 14:00:44 47029 secgsi_InitOpts:  CRL refresh time: 86400
200914 14:00:44 47029 secgsi_InitOpts:  Certificate: /home/infor/pugnere/.globus/usercert.pem
200914 14:00:44 47029 secgsi_InitOpts:  Key: /home/infor/pugnere/.globus/userkey.pem
200914 14:00:44 47029 secgsi_InitOpts:  Proxy file: /tmp/x509up_u2059
200914 14:00:44 47029 secgsi_InitOpts:  Proxy validity: 12:00
200914 14:00:44 47029 secgsi_InitOpts:  Proxy dep length: 0
200914 14:00:44 47029 secgsi_InitOpts:  Proxy bits: 512
200914 14:00:44 47029 secgsi_InitOpts:  Proxy sign option: 1
200914 14:00:44 47029 secgsi_InitOpts:  Proxy delegation option: 0
200914 14:00:44 47029 secgsi_InitOpts:  Allowed server names: [*/]<target host name>[/*]
200914 14:00:44 47029 secgsi_InitOpts:  Crypto modules: ssl
200914 14:00:44 47029 secgsi_InitOpts:  Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
200914 14:00:44 47029 secgsi_InitOpts:  MDigests: sha1:md5
200914 14:00:44 47029 secgsi_InitOpts:  Trusting DNS for hostname checking
200914 14:00:44 47029 secgsi_InitOpts: *** ------------------------------------------------------------ ***
sec_PM: Using gsi protocol, args='v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0'
200914 14:00:44 47029 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:00:44 47029 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (5e02f50a.0)
200914 14:00:44 47029 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:00:44 47029 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:00:44 47029 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:00:44 47029 cryptossl_X509::CertType: certificate has 9 extensions
sec_Client: protocol request for host lyostorage21.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Loaded unix protocol object from libXrdSecunix.so
sec_PM: Using unix protocol, args=''
[eoscp]                          Total 1024.00 MB	|====================| 100.00 % [115.8 MB/s]
[eoscp] #################################################################
[eoscp] # Date                     : ( 1600084854 ) Mon Sep 14 14:00:54 2020
[eoscp] # auth forced=<none> krb5=<none> gsi=/tmp/x509up_u2059
[eoscp] # Source Name [00]         : /scratch/denis/dd
[eoscp] # Destination Name [00]    : root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/home/pugnere/test/test1-eoscp
[eoscp] # Data Copied [bytes]      : 1073741824
[eoscp] # Realtime [s]             : 9.271000
[eoscp] # Eff.Copy. Rate[MB/s]     : 115.817258
[eoscp] # Write Start Position     : 0
[eoscp] # Write Stop  Position     : 1073741824

But when forcing gsi authentication, there is an error (“File exists”), which is not the case, and the copied file is empty:

[pugnere@lyoui4:~] $ XrdSecPROTOCOL=gsi XrdSecDEBUG=1 xrdcp /scratch/denis/dd root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/home/pugnere/test/test2-xrdcp
sec_Client: protocol request for host lyoeosmgm1.in2p3.fr token='&P=gsi,v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0&P=sss,0.13:/etc/eos.keytab&P=unix'
sec_PM: Loaded gsi protocol object from libXrdSecgsi.so
200914 14:01:50 47075 secgsi_InitOpts: *** ------------------------------------------------------------ ***
200914 14:01:50 47075 secgsi_InitOpts:  Mode: client
200914 14:01:50 47075 secgsi_InitOpts:  Debug: 1
200914 14:01:50 47075 secgsi_InitOpts:  CA dir: /etc/grid-security/certificates
200914 14:01:50 47075 secgsi_InitOpts:  CA verification level: 1
200914 14:01:50 47075 secgsi_InitOpts:  CRL dir: /etc/grid-security/certificates
200914 14:01:50 47075 secgsi_InitOpts:  CRL extension: .r0
200914 14:01:50 47075 secgsi_InitOpts:  CRL check level: 1
200914 14:01:50 47075 secgsi_InitOpts:  CRL refresh time: 86400
200914 14:01:50 47075 secgsi_InitOpts:  Certificate: /home/infor/pugnere/.globus/usercert.pem
200914 14:01:50 47075 secgsi_InitOpts:  Key: /home/infor/pugnere/.globus/userkey.pem
200914 14:01:50 47075 secgsi_InitOpts:  Proxy file: /tmp/x509up_u2059
200914 14:01:50 47075 secgsi_InitOpts:  Proxy validity: 12:00
200914 14:01:50 47075 secgsi_InitOpts:  Proxy dep length: 0
200914 14:01:50 47075 secgsi_InitOpts:  Proxy bits: 512
200914 14:01:50 47075 secgsi_InitOpts:  Proxy sign option: 1
200914 14:01:50 47075 secgsi_InitOpts:  Proxy delegation option: 0
200914 14:01:50 47075 secgsi_InitOpts:  Allowed server names: [*/]<target host name>[/*]
200914 14:01:50 47075 secgsi_InitOpts:  Crypto modules: ssl
200914 14:01:50 47075 secgsi_InitOpts:  Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
200914 14:01:50 47075 secgsi_InitOpts:  MDigests: sha1:md5
200914 14:01:50 47075 secgsi_InitOpts:  Trusting DNS for hostname checking
200914 14:01:50 47075 secgsi_InitOpts: *** ------------------------------------------------------------ ***
sec_PM: Using gsi protocol, args='v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0'
200914 14:01:50 47075 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:01:50 47075 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (5e02f50a.0)
200914 14:01:50 47075 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:01:50 47075 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:01:50 47075 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:01:50 47075 cryptossl_X509::CertType: certificate has 9 extensions
sec_Client: protocol request for host lyostorage20.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
[0B/0B][100%][==================================================][0B/s]  
Run: [ERROR] Server responded with an error: [3006] Unable to create file (O_EXCL) /eos/lyoeos.in2p3.fr/home/pugnere/test/test2-xrdcp; File exists

[pugnere@lyoui4:~] $ XrdSecPROTOCOL=gsi XrdSecDEBUG=1 eoscp /scratch/denis/dd root://lyoeosmgm1.in2p3.fr//eos/lyoeos.in2p3.fr/home/pugnere/test/test2-eoscp
sec_Client: protocol request for host lyoeosmgm1.in2p3.fr token='&P=gsi,v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0&P=sss,0.13:/etc/eos.keytab&P=unix'
sec_PM: Loaded gsi protocol object from libXrdSecgsi.so
200914 14:02:03 47082 secgsi_InitOpts: *** ------------------------------------------------------------ ***
200914 14:02:03 47082 secgsi_InitOpts:  Mode: client
200914 14:02:03 47082 secgsi_InitOpts:  Debug: 1
200914 14:02:03 47082 secgsi_InitOpts:  CA dir: /etc/grid-security/certificates
200914 14:02:03 47082 secgsi_InitOpts:  CA verification level: 1
200914 14:02:03 47082 secgsi_InitOpts:  CRL dir: /etc/grid-security/certificates
200914 14:02:03 47082 secgsi_InitOpts:  CRL extension: .r0
200914 14:02:03 47082 secgsi_InitOpts:  CRL check level: 1
200914 14:02:03 47082 secgsi_InitOpts:  CRL refresh time: 86400
200914 14:02:03 47082 secgsi_InitOpts:  Certificate: /home/infor/pugnere/.globus/usercert.pem
200914 14:02:03 47082 secgsi_InitOpts:  Key: /home/infor/pugnere/.globus/userkey.pem
200914 14:02:03 47082 secgsi_InitOpts:  Proxy file: /tmp/x509up_u2059
200914 14:02:03 47082 secgsi_InitOpts:  Proxy validity: 12:00
200914 14:02:03 47082 secgsi_InitOpts:  Proxy dep length: 0
200914 14:02:03 47082 secgsi_InitOpts:  Proxy bits: 512
200914 14:02:03 47082 secgsi_InitOpts:  Proxy sign option: 1
200914 14:02:03 47082 secgsi_InitOpts:  Proxy delegation option: 0
200914 14:02:03 47082 secgsi_InitOpts:  Allowed server names: [*/]<target host name>[/*]
200914 14:02:03 47082 secgsi_InitOpts:  Crypto modules: ssl
200914 14:02:03 47082 secgsi_InitOpts:  Ciphers: aes-128-cbc:bf-cbc:des-ede3-cbc
200914 14:02:03 47082 secgsi_InitOpts:  MDigests: sha1:md5
200914 14:02:03 47082 secgsi_InitOpts:  Trusting DNS for hostname checking
200914 14:02:03 47082 secgsi_InitOpts: *** ------------------------------------------------------------ ***
sec_PM: Using gsi protocol, args='v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0'
200914 14:02:03 47082 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:02:03 47082 secgsi_VerifyCA: Warning: CA certificate not self-signed and integrity not checked: assuming OK (5e02f50a.0)
200914 14:02:03 47082 cryptossl_X509::CertType: certificate has 7 extensions
200914 14:02:03 47082 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:02:03 47082 cryptossl_X509::CertType: certificate has 9 extensions
200914 14:02:03 47082 cryptossl_X509::CertType: certificate has 9 extensions
sec_Client: protocol request for host lyostorage22.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage18.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab
                                                                                                      �'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage18.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage21.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage20.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage17.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage17.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage17.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage19.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage19.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage22.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage20.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage17.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage21.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage21.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
sec_Client: protocol request for host lyostorage21.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
error: target file open failed - errno=22 : Invalid argument

[pugnere@lyoui4:~] $ xrdfs root://lyoeosmgm1.in2p3.fr ls -l /eos/lyoeos.in2p3.fr/home/pugnere/test
---- 2020-09-14 12:00:54  1073741824 /eos/lyoeos.in2p3.fr/home/pugnere/test/test1-eoscp
-r-- 2020-09-14 12:00:32  1073741824 /eos/lyoeos.in2p3.fr/home/pugnere/test/test1-xrdcp
---- 2020-09-14 12:02:03           0 /eos/lyoeos.in2p3.fr/home/pugnere/test/test2-eoscp
-r-- 2020-09-14 12:01:50           0 /eos/lyoeos.in2p3.fr/home/pugnere/test/test2-xrdcp

Is this a bug or a misconfiguration?
Cheers,
Denis

You have to use XrdSecPROTOCOL=gsi,unix
because the FSTs only offer unix + CGI token.

Cheers Andreas.
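
The mismatch described in the reply above can be checked directly from XrdSecDEBUG=1 output. The following is an added example, not part of the original thread or of EOS/XRootD: it parses the `sec_Client: protocol request` lines and lists hosts that offer no protocol from the client's allow-list. The sample log is constructed from lines shaped like those in the thread, and treating the setting as a comma-separated list is an assumption based on the value suggested in the reply.

```python
import re

# Constructed sample: lines shaped like the XrdSecDEBUG=1 output in this thread.
SAMPLE_LOG = """\
sec_Client: protocol request for host lyoeosmgm1.in2p3.fr token='&P=gsi,v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0&P=sss,0.13:/etc/eos.keytab&P=unix'
sec_PM: Using gsi protocol, args='v:10400,c:ssl,ca:5e02f50a.0|14e86c33.0'
sec_Client: protocol request for host lyostorage20.in2p3.fr token='&P=unix&P=sss,0.13:/etc/eos.keytab'
sec_PM: Skipping unix only want gsi
sec_PM: Skipping sss only want gsi
"""

# The closing quote is optional so a truncated token line still parses.
REQUEST = re.compile(r"^sec_Client: protocol request for host (\S+) token='([^'\n]*)")


def offered_protocols(token):
    """Return protocol names from a '&P=name[,args]' token, in server order."""
    return [entry.split(",", 1)[0] for entry in token.split("&P=")[1:]]


def parse_offers(log_text):
    """Map each host to the protocols it offered (first request per host wins)."""
    offers = {}
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if match:
            offers.setdefault(match.group(1), offered_protocols(match.group(2)))
    return offers


def hosts_without_match(log_text, allowed):
    """Hosts whose offer shares no protocol with the client's allow-list.

    `allowed` is treated as a comma-separated list (assumption of this
    example); an empty string means the client is not restricted.
    """
    wanted = {p.strip() for p in allowed.split(",") if p.strip()}
    if not wanted:
        return {}
    return {host: protos for host, protos in parse_offers(log_text).items()
            if not wanted & set(protos)}


if __name__ == "__main__":
    for setting in ("", "gsi", "gsi,unix"):
        print(repr(setting), "->", hosts_without_match(SAMPLE_LOG, setting))
```

With the setting `gsi` the FST host is reported because it offers only unix and sss; with `gsi,unix` no host is reported.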

Thanks Andreas,
Denis