HTTPS and x509 authentication failed when macaroons are enabled in EOS eos-server-5.0.2-1.el7

Dear Elvin and Andreas,
I cannot authenticate on eos-server-5.0.2-1.el7 with an x509 certificate for the https protocol on the xrdhttp plug-in (gfal-ls, gfal-copy, …, same for the equivalent curl command);
only the token request is working.

export MACAROON=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:UPLOAD,DELETE,LIST"], "validity": "PT3000M"}' "$DST" | jq -r '.macaroon')

I do not have a problem with xrootd and x509 authentication method
thank you in advance
best
e.v.
PS
a) /etc/xrootd/scitoken.cfg is configured

b) See the log for 1 gfal-cat https://grid21.lal.in2p3.fr:9000/eos/lab/dteam/file.grid21.30172

211028 12:12:44 31158 anon.0:409@aaubervilliers-154-1-2-114.w82-121.abo.wanadoo.fr sysXrdHttp: Extracting auth info.
211028 12:12:44 31158 XrdVomsFun: retrieval successful
211028 12:12:44 31158 XrdVomsFun: found VO: dteam
211028 12:12:44 31158 XrdVomsFun: —> group: ‘/dteam’, role: ‘NULL’, cap: ‘NULL’
211028 12:12:44 31158 XrdVomsFun: —> fqan: ‘/dteam/Role=NULL/Capability=NULL’
211028 12:12:44 31158 XrdVomsFun: —> group: ‘/dteam/france’, role: ‘NULL’, cap: ‘NULL’
211028 12:12:44 31158 XrdVomsFun: —> fqan: ‘/dteam/france/Role=NULL/Capability=NULL’
211028 12:12:44 31158 anon.0:409@aaubervilliers-154-1-2-114.w82-121.abo.wanadoo.fr sysXrdHttp: Mapping name: ‘/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Emmanouil Vamvakopoulos’ → dte
http Protocol ‘gsi’
http Name ‘dte’
http Host ‘[::ffff:82.121.149.114]’
http Vorg ‘dteam’
http Role ‘NULL’
http Grps ‘/dteam’
http Caps ‘’
http Pidn ‘’
http Crlen 0
http ueid 0
http uid 0
http gid 0
211028 12:12:44 31158 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576
211028 12:12:44 31158 sysXrdHttp: getDataOneShot sslavail: 1048576
211028 12:12:44 31158 sysXrdHttp: read 224 of 1048576 bytes
211028 12:12:44 31158 sysXrdHttp: rc:48 got hdr line: HEAD /eos/lab/dteam/file.grid21.30172 HTTP/1.1

211028 12:12:44 31158 sysXrdHttp: Parsing first line: HEAD /eos/lab/dteam/file.grid21.30172 HTTP/1.1

211028 12:12:44 31158 sysXrdHttp: rc:55 got hdr line: User-Agent: gfal2-util/1.5.3 gfal2/2.18.2 neon/0.0.29

211028 12:12:44 31158 sysXrdHttp: rc:14 got hdr line: Keep-Alive:

211028 12:12:44 31158 sysXrdHttp: rc:24 got hdr line: Connection: Keep-Alive

211028 12:12:44 31158 sysXrdHttp: rc:14 got hdr line: TE: trailers

211028 12:12:44 31158 sysXrdHttp: rc:32 got hdr line: Host: grid21.lal.in2p3.fr:9000

211028 12:12:44 31158 sysXrdHttp: rc:35 got hdr line: Accept: application/metalink4+xml

211028 12:12:44 31158 sysXrdHttp: rc:2 got hdr line:

211028 12:12:44 31158 sysXrdHttp: rc:2 detected header end.
211028 12:12:44 time=1635415964.679200 func=MatchesPath level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:325 tident= sec=(null) uid=99 gid=99 name=- geo="" verb=HEAD path=/eos/lab/dteam/file.grid21.30172
211028 12:12:44 time=1635415964.679226 func=MatchesPath level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:325 tident= sec=(null) uid=99 gid=99 name=- geo="" verb=HEAD path=/eos/lab/dteam/file.grid21.30172
211028 12:12:44 time=1635415964.679255 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Accept” value=“application/metalink4+xml”
211028 12:12:44 time=1635415964.679268 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Connection” value=“Keep-Alive”
211028 12:12:44 time=1635415964.679279 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Host” value=“grid21.lal.in2p3.fr:9000
211028 12:12:44 time=1635415964.679290 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Keep-Alive” value=""
211028 12:12:44 time=1635415964.679300 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“TE” value=“trailers”
211028 12:12:44 time=1635415964.679310 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“User-Agent” value=“gfal2-util/1.5.3 gfal2/2.18.2 neon/0.0.29”
211028 12:12:44 time=1635415964.679321 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-fullresource” value="/eos/lab/dteam/file.grid21.30172"
211028 12:12:44 time=1635415964.679332 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-prot” value=“https”
211028 12:12:44 time=1635415964.679342 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-query” value=""
211028 12:12:44 31158 anon.0:409@aaubervilliers-154-1-2-114.w82-121.abo.wanadoo.fr sysXrdHttp: Sending resp: 403211028 12:12:44 time=1635415964.679386 func=ProcessReq level=ERROR logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007f88dbffd700 source=EosMgmHttpHandler:406 tident= sec=(null) uid=99 gid=99 name=- geo="" msg="(token) authorization failed" path="/eos/lab/dteam/file.grid21.30172"
header len:89
211028 12:12:44 31158 sysXrdHttp: Sending 89 bytes
211028 12:12:44 31158 sysXrdHttp: Sending 26 bytes
211028 12:12:44 31158 sysXrdHttp: XrdHttpReq request ended.

c) eos vid ls
[root@grid21 mgm]# eos vid ls
gsi:"":gid => root
gsi:"":uid => root
https:"":gid => root
https:"":uid => root
publicaccesslevel: => 1024
sss:"":gid => root
sss:"":uid => root
sudoer => uids()
unix:"":gid => nobody
unix:"":uid => nobody
voms:"/dteam:NULL":gid => dteam
voms:"/dteam:NULL":uid => dte

Hi Emmanouil,

Could you try with the latest 5.0.4 version and let me know the outcome?

Thanks,
Elvin

Hello Elvin
I got the same issue with 5.0.4
I run
curl -v --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates $ENDPOINT/${FILENAME}.${RANDOM}-${C} --upload-file $name
which failed
and I got in the log of MGM

211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Process. lp:0x7fd2d5ce3f58 reqstate: 0
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Setting host: [::ffff:134.158.205.32]
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Entering SSL_accept…
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: SSL_accept returned :1
211028 14:50:52 7651 cryptossl_X509::CertType: certificate has 3 extensions
211028 14:50:52 7651 cryptossl_X509::CertType: Found RFC 382{0,1}compliant proxyCertInfo extension
211028 14:50:52 7651 cryptossl_X509::CertType: certificate has 9 extensions
211028 14:50:52 7651 cryptossl_X509::CertType: certificate has 7 extensions
211028 14:50:52 7651 cryptossl_X509::CertType: CA certificate
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Subject name is : ‘/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Emmanouil Vamvakopoulos’
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Extracting auth info.
211028 14:50:52 7651 XrdVomsFun: retrieval successful
211028 14:50:52 7651 XrdVomsFun: found VO: dteam
211028 14:50:52 7651 XrdVomsFun: —> group: ‘/dteam’, role: ‘NULL’, cap: ‘NULL’
211028 14:50:52 7651 XrdVomsFun: —> fqan: ‘/dteam/Role=NULL/Capability=NULL’
211028 14:50:52 7651 XrdVomsFun: —> group: ‘/dteam/france’, role: ‘NULL’, cap: ‘NULL’
211028 14:50:52 7651 XrdVomsFun: —> fqan: ‘/dteam/france/Role=NULL/Capability=NULL’
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Mapping name: ‘/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Emmanouil Vamvakopoulos’ → dte
http Protocol ‘gsi’
http Name ‘dte’
http Host ‘[::ffff:134.158.205.32]’
http Vorg ‘dteam’
http Role ‘NULL’
http Grps ‘/dteam’
http Caps ‘’
http Pidn ‘’
http Crlen 0
http ueid 0
http uid 0
http gid 0
211028 14:50:52 7651 sysXrdHttp: getDataOneShot BuffAvailable: 1048576 maxread: 1048576
211028 14:50:52 7651 sysXrdHttp: getDataOneShot sslavail: 1048576
211028 14:50:52 7651 sysXrdHttp: read 167 of 1048576 bytes
211028 14:50:52 7651 sysXrdHttp: rc:49 got hdr line: PUT //eos/lab/dteam//XXXXXXXXL.16681-1 HTTP/1.1

211028 14:50:52 7651 sysXrdHttp: Parsing first line: PUT //eos/lab/dteam//XXXXXXXXL.16681-1 HTTP/1.1

211028 14:50:52 7651 sysXrdHttp: rc:25 got hdr line: User-Agent: curl/7.29.0

211028 14:50:52 7651 sysXrdHttp: rc:32 got hdr line: Host: grid21.lal.in2p3.fr:9000

211028 14:50:52 7651 sysXrdHttp: rc:13 got hdr line: Accept: */*

211028 14:50:52 7651 sysXrdHttp: rc:24 got hdr line: Content-Length: 117608

211028 14:50:52 7651 sysXrdHttp: rc:22 got hdr line: Expect: 100-continue

211028 14:50:52 7651 sysXrdHttp: rc:2 got hdr line:

211028 14:50:52 7651 sysXrdHttp: rc:2 detected header end.
211028 14:50:52 time=1635425452.836323 func=MatchesPath level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:325 tident= sec=(null) uid=99 gid=99 name=- geo="" verb=PUT path=/eos/lab/dteam/XXXXXXXXL.16681-1
211028 14:50:52 time=1635425452.836350 func=MatchesPath level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:325 tident= sec=(null) uid=99 gid=99 name=- geo="" verb=PUT path=/eos/lab/dteam/XXXXXXXXL.16681-1
211028 14:50:52 time=1635425452.836382 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Accept” value="*/*"
211028 14:50:52 time=1635425452.836407 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Content-Length” value=“117608”
211028 14:50:52 time=1635425452.836417 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Expect” value=“100-continue”
211028 14:50:52 time=1635425452.836426 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“Host” value=“grid21.lal.in2p3.fr:9000
211028 14:50:52 time=1635425452.836435 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“User-Agent” value=“curl/7.29.0”
211028 14:50:52 time=1635425452.836444 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-fullresource” value="//eos/lab/dteam//XXXXXXXXL.16681-1"
211028 14:50:52 time=1635425452.836453 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-prot” value=“https”
211028 14:50:52 time=1635425452.836461 func=ProcessReq level=INFO logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:379 tident= sec=(null) uid=99 gid=99 name=- geo="" msg=“normalize hdr” key=“xrd-http-query” value=""
211028 14:50:52 time=1635425452.836544 func=ProcessReq level=ERROR logid=static… unit=mgm@grid21.lal.in2p3.fr:1094 tid=00007fd31b7fd700 source=EosMgmHttpHandler:406 tident= sec=(null) uid=99 gid=99 name=- geo="" msg="(token) authorization failed" path="/eos/lab/dteam/XXXXXXXXL.16681-1"
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Sending resp: 403 header len:89
211028 14:50:52 7651 sysXrdHttp: Sending 89 bytes
211028 14:50:52 7651 sysXrdHttp: Sending 26 bytes
211028 14:50:52 7651 sysXrdHttp: XrdHttpReq request ended.
211028 14:50:52 7651 anon.0:362@vpn-205032.ijclab.in2p3.fr sysXrdHttp: Process is exiting rc:1
211028 14:50:52 8216 sysXrdHttp: Cleanup
FYI
best
e.v.

Hello Elvin again,
Just for these tests, I have one single machine with 1 mgm, 1 mq, 1 fst and 3 quarkdb (all roles on the same machine).
First I would like to verify that authentication and authorization work for the various protocols,
plus TPC,
and later test the failover with multiple MGMs.
FYI
e.v.

Can you paste your /etc/xrd.cf.mgm configuration file?

Thanks,
Elvin

##########################################################
XrdSecDEBUG=4
xrootd.fslib libXrdEosMgm.so
xrootd.seclib libXrdSec.so
xrootd.async off nosf
xrootd.chksum adler32
###########################################################
xrd.sched mint 8 maxt 256 idle 64
###########################################################
all.export / nolock
all.role manager
###########################################################
/gss.fdlimit 16384 32768
###########################################################
# UNIX authentication
sec.protocol unix
# SSS authentication
sec.protocol sss -c /etc/eos.keytab -s /etc/eos.keytab
# KRB  authentication
#sec.protocol krb5 -exptkn:/var/eos/auth/krb5#<uid> host/<host>@CERN.CH
#sec.protocol krb5 host/<host>@CERN.CH

# GSI authentication
#
sec.protparm gsi -vomsfun:/opt/eos/xrootd/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|grps=/atlas,/cms,/dteam,/vo.grif.fr|grpopt=useall|dbg
sec.protocol gsi -crl:try -cert:/etc/grid-security/daemon/hostcert.pem -key:/etc/grid-security/daemon/hostkey.pem  -d:2  -trustdns:true -gmapopt:trymap -dlgpxy:request -exppxy:=creds
#
###########################################################
sec.protbind localhost.localdomain sss unix
sec.protbind localhost sss unix
sec.protbind * only gsi sss
###########################################################
mgmofs.fs /
mgmofs.targetport 1095
#mgmofs.authlib libXrdAliceTokenAcc.so
#mgmofs.authorize 1
###########################################################
#mgmofs.trace all debug
# this URL can be overwritten by EOS_BROKER_URL defined in /etc/sysconfig/eos
mgmofs.broker root://localhost:1097//eos/
# this name can be overwritten by EOS_INSTANCE_NAME defined in /etc/sysconfig/eos

mgmofs.instance eosdev

# configuration, namespace , transfer and authentication export directory
mgmofs.configdir /var/eos/config
mgmofs.metalog /var/eos/md
mgmofs.txdir /var/eos/tx
mgmofs.authdir /var/eos/auth
mgmofs.archivedir /var/eos/archive
mgmofs.qosdir /var/eos/qos

# report store path
mgmofs.reportstorepath /var/eos/report

# this defines the default config to load
mgmofs.autoloadconfig default

# QoS configuration file
mgmofs.qoscfg /var/eos/qos/qos.conf

#-------------------------------------------------------------------------------
# Config Engine Configuration
#-------------------------------------------------------------------------------
mgmofs.cfgtype quarkdb

# this has to be defined if we have a failover configuration via alias - can be overwritten by EOS_MGM_ALIAS in /etc/sysconfig/eos
#mgmofs.alias eosdev.cern.ch

#-------------------------------------------------------------------------------
# Configuration for the authentication plugin EosAuth
#-------------------------------------------------------------------------------
# Set the number of authentication worker threads running on the MGM
#mgmofs.auththreads 10

# Set the front end port number for incoming authentication requests
#mgmofs.authport 15555

###########################################################
# Set the FST gateway host and port
mgmofs.fstgw someproxy.cern.ch:3001

#-------------------------------------------------------------------------------
# Configuration for the authentication plugin EosAuth
#-------------------------------------------------------------------------------
# Set the number of authentication worker threads running on the MGM
#mgmofs.auththreads 10

# Set the front end port number for incoming authentication requests
#mgmofs.authport 15555

#-------------------------------------------------------------------------------
# Set the namespace plugin implementation
#-------------------------------------------------------------------------------
#mgmofs.nslib /usr/lib64/libEosNsInMemory.so
mgmofs.nslib /usr/lib64/libEosNsQuarkdb.so

# Quarkdb cluster configuration used for the namespace
mgmofs.qdbcluster  localhost:7001 localhost:7002 localhost:7003
mgmofs.qdbpassword f178a242fba30c247ed1872efbd462e3xxxxrootd-quarkdb.cfg

#-------------------------------------------------------------------------------
# Configuration for the MGM workflow engine
#-------------------------------------------------------------------------------

# The SSI protocol buffer endpoint for notification messages from "proto" workflow actions
#mgmofs.protowfendpoint HOSTNAME.2NDLEVEL.TOPLEVEL:10955
#mgmofs.protowfresource /SSI_RESOURCE

#-------------------------------------------------------------------------------
# Configuration parameters for tape
#-------------------------------------------------------------------------------

#mgmofs.tapeenabled false
#mgmofs.prepare.dest.space default

#-------------------------------------------------------------------------------
# Configuration for the tape aware garbage collector
#-------------------------------------------------------------------------------

# EOS spaces for which the tape aware garbage collector should be enabled
#mgmofs.tgc.enablespace space1 space2 ...
#
#------------------------------------------------------------------------------------------------------------------------------
xrd.protocol XrdHttp:443 /opt/eos/xrootd/lib64/libXrdHttp.so
http.cadir /etc/grid-security/certificates
http.cert /etc/grid-security/daemon/hostcert.pem
http.key /etc/grid-security/daemon/hostkey.pem
http.gridmap /etc/grid-security/grid-mapfile
http.secxtractor  /opt/eos/xrootd/lib64/libXrdVoms.so -vomsfun:/opt/eos/xrootd/lib64/libXrdSecgsiVOMS.so -vomsfunparms:certfmt=pem|grps=/atlas,/cms,/dteam,/vo.grif.fr|grpopt=useall|dbg
http.trace all
http.exthandler xrdtpc /opt/eos/xrootd/lib64/libXrdHttpTPC.so
http.exthandler EosMgmHttp /usr/lib64/libEosMgmHttp.so eos::mgm::http::redirect-to-https=1
mgmofs.macaroonslib /usr/lib64/libXrdMacaroons.so /usr/lib64/libXrdAccSciTokens.so
macaroons.secretkey /etc/eos.macaroon.secret
macaroons.trace all
all.sitename eosgrif

Hi Emmanouil,

You need to use the eos scitokens library so your configuration needs to be modified like this:

mgmofs.macaroonslib  libXrdMacaroons.so libEosAccSciTokens.so

You can also specify the absolute path, if you want. Let me know how it works.

Cheers,
Elvin

Hello Elvin,
thank you for your reply.
I fixed the paths of the dynamic libraries
(e.g. mgmofs.macaroonslib /opt/eos/xrootd/lib64/libXrdMacaroons.so /usr/lib64/libEosAccSciTokens.so)
and now the authentication works nicely for the xroot or https protocol.
thank you
best
e.v.
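
The fix in this thread comes down to one directive, so it can be checked mechanically. The following is an added example, not part of the original posts or of EOS itself: a Python check that flags an mgmofs.macaroonslib line chaining the stock libXrdAccSciTokens.so and reports absolute library paths that do not exist. The function names, finding codes and sample strings are constructed for illustration.

```python
import os

# Library basenames as they appear in the thread.
STOCK_SCITOKENS = "libXrdAccSciTokens.so"   # setting that produced the 403s
EOS_SCITOKENS = "libEosAccSciTokens.so"     # setting given in the reply


def active_directives(config_text, name):
    """Return the argument list of each uncommented `name` directive."""
    out = []
    for raw in config_text.splitlines():
        parts = raw.split()
        # A commented line starts with "#" or "#name", so it never matches.
        if parts and parts[0] == name:
            out.append(parts[1:])
    return out


def check_macaroonslib(config_text, lib_exists=os.path.exists):
    """Return (code, detail) findings for mgmofs.macaroonslib; [] means clean."""
    findings = []
    for args in active_directives(config_text, "mgmofs.macaroonslib"):
        names = [os.path.basename(a) for a in args]
        if STOCK_SCITOKENS in names:
            findings.append(("stock-scitokens-lib",
                             f"replace {STOCK_SCITOKENS} with {EOS_SCITOKENS}"))
        for path in args:
            # Bare names are resolved by the dynamic loader; only absolute
            # paths can be checked here.
            if os.path.isabs(path) and not lib_exists(path):
                findings.append(("missing-file", path))
    return findings


# Constructed sample inputs: the directive as posted before and after the fix.
BEFORE = """\
#mgmofs.macaroonslib libXrdMacaroons.so libEosAccSciTokens.so
mgmofs.macaroonslib /usr/lib64/libXrdMacaroons.so /usr/lib64/libXrdAccSciTokens.so
macaroons.secretkey /etc/eos.macaroon.secret
"""
AFTER = """\
mgmofs.macaroonslib /opt/eos/xrootd/lib64/libXrdMacaroons.so /usr/lib64/libEosAccSciTokens.so
"""

if __name__ == "__main__":
    always = lambda path: True   # skip the on-disk check for the demo
    print("before:", check_macaroonslib(BEFORE, always))
    print("after: ", check_macaroonslib(AFTER, always))
```

Run against the real /etc/xrd.cf.mgm, leave lib_exists at its default so that wrong absolute paths, the second thing fixed in the last post, are reported as well.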