Install eod :: mgm configuration

Hi Andreas,

Thanks for the pointer to sss+keytab.
We’ve managed to enable sss with keytab for the fuse mountpoint. This seems to be working correctly: users get mapped to their respective unix ids when doing ‘cat /eos/vbc/proc/whoami’.

What we also noticed confusingly when testing the gsi authentication: it’s working fine with xrdfs/xrdcp tools. However, with the eos cli client, we get this:

[ebirngru@lxplus735 ~]$ eos root://eos.grid.vbc.ac.at
# ---------------------------------------------------------------------------
# EOS  Copyright (C) 2011-2019 CERN/Switzerland
# This program comes with ABSOLUTELY NO WARRANTY; for details type `license'.
# This is free software, and you are welcome to redistribute it 
# under certain conditions; type `license' for details.
# ---------------------------------------------------------------------------
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)
EOS_CLIENT_VERSION=4.7.14 EOS_CLIENT_RELEASE=1
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)
EOS Console [root://eos.grid.vbc.ac.at] |/> ls
error: errc=3010 msg="[ERROR] Error response: Permission denied" (errc=3010) (Unknown error 3010)
EOS Console [root://eos.grid.vbc.ac.at] |/> 

On the MGM we see in the logs, that authentication/user mapping seems to be going through ok, but then executing “/proc/user” fails?

200630 11:23:36 time=1593509016.681858 func=Emsg                     level=ERROR logid=605c9c24-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:3094             tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted

Some more lines for context show the gsi auth + user mapping are ok.

200630 11:23:36 224767 XrootdXeq: ebirngru.29536:407@lxplus735.cern.ch pub IP46 login as erich.birngruber
200630 11:23:36 time=1593509016.621246 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="erich.birngruber" sec.host="lxplus735.cern.ch" sec.vorg="" sec.grps="" sec.role="" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ebirngru/CN=845559/CN=Erich Birngruber" sec.app="" sec.tident="ebirngru.29536:407@lxplus735.cern.ch" vid.uid=10661 vid.gid=1999
200630 11:23:36 time=1593509016.621353 func=open                     level=INFO  logid=60534944-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:462              tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" op=read path=/proc/user/ info=mgm.cmd=motd
200630 11:23:36 time=1593509016.621479 func=Emsg                     level=ERROR logid=60534944-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:3094             tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200630 11:23:36 time=1593509016.627969 func=Convert                  level=INFO  logid=static.............................. unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcd84bfe700 source=Converter:678                  tident= sec=(null) uid=99 gid=99 name=- geo="" converter is enabled ntx=2 nqueued=0
200630 11:23:36 time=1593509016.661224 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="erich.birngruber" sec.host="lxplus735.cern.ch" sec.vorg="" sec.grps="" sec.role="" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ebirngru/CN=845559/CN=Erich Birngruber" sec.app="" sec.tident="ebirngru.29536:407@lxplus735.cern.ch" vid.uid=10661 vid.gid=1999
200630 11:23:36 time=1593509016.661331 func=open                     level=INFO  logid=60597daa-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:462              tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" op=read path=/proc/user/ info=mgm.cmd=version
200630 11:23:36 time=1593509016.661480 func=Emsg                     level=ERROR logid=60597daa-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:3094             tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200630 11:23:36 time=1593509016.681666 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="erich.birngruber" sec.host="lxplus735.cern.ch" sec.vorg="" sec.grps="" sec.role="" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ebirngru/CN=845559/CN=Erich Birngruber" sec.app="" sec.tident="ebirngru.29536:407@lxplus735.cern.ch" vid.uid=10661 vid.gid=1999
200630 11:23:36 time=1593509016.681759 func=open                     level=INFO  logid=605c9c24-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:462              tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" op=read path=/proc/user/ info=mgm.cmd=cd&mgm.option=s&mgm.path=/
200630 11:23:36 time=1593509016.681858 func=Emsg                     level=ERROR logid=605c9c24-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:3094             tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200630 11:23:37 time=1593509017.552727 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="erich.birngruber" sec.host="lxplus735.cern.ch" sec.vorg="" sec.grps="" sec.role="" sec.info="/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=ebirngru/CN=845559/CN=Erich Birngruber" sec.app="" sec.tident="ebirngru.29536:407@lxplus735.cern.ch" vid.uid=10661 vid.gid=1999
200630 11:23:37 time=1593509017.552834 func=open                     level=INFO  logid=60e185e2-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:462              tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" op=read path=/proc/user/ info=mgm.cmd=ls&mgm.option=&mgm.path=/
200630 11:23:37 time=1593509017.552936 func=Emsg                     level=ERROR logid=60e185e2-bab3-11ea-afdd-3868dd28d0c0 unit=mgm@mgm-1.eos.grid.vbc.ac.at:1094 tid=00007fcddf5f8700 source=XrdMgmOfsFile:3094             tident=ebirngru.29536:407@lxplus735.cern.ch sec=gsi   uid=10661 gid=1999 name=erich.birngruber geo="vbc" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted

This only happens with Alice tokens enabled, specifically “mgmofs.authorize 1” - as I understand otherwise the default auth stack is used anyways. On the MGM node itself, the eos client works fine for root, I assume due to “alicetokenacc.noauthzhost localhost”.
Is this EOS client behavior expected with Alice token auth config?

Best,
Erich
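
Added example, not part of the original post and not EOS project code: a triage script that pairs each `/proc/` `open` line with the `Emsg` error sharing its `logid`, to list which `mgm.cmd` requests were refused for an identity that had already been mapped. The sample log is constructed in the format quoted above with placeholder names, and treating uid 99 as "unmapped" is an assumption taken from the IdMap lines.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the MGM log format quoted in the post (placeholder names/ids).
SAMPLE_LOG = """\
200630 11:23:36 time=1.0 func=IdMap level=INFO logid=static tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=gsi sec.name="alice" vid.uid=10001 vid.gid=2000
200630 11:23:36 time=1.1 func=open level=INFO logid=id-0001 tident=alice.1:1@client.example.org sec=gsi uid=10001 gid=2000 name=alice geo="x" op=read path=/proc/user/ info=mgm.cmd=motd
200630 11:23:36 time=1.2 func=Emsg level=ERROR logid=id-0001 tident=alice.1:1@client.example.org sec=gsi uid=10001 gid=2000 name=alice geo="x" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200630 11:23:37 time=2.1 func=open level=INFO logid=id-0002 tident=alice.1:1@client.example.org sec=gsi uid=10001 gid=2000 name=alice geo="x" op=read path=/proc/user/ info=mgm.cmd=ls&mgm.option=&mgm.path=/
200630 11:23:37 time=2.2 func=Emsg level=ERROR logid=id-0002 tident=alice.1:1@client.example.org sec=gsi uid=10001 gid=2000 name=alice geo="x" Unable to execute proc command - you don't have the requested permissions for that operation (1) /proc/user/; Operation not permitted
200630 11:23:38 time=3.1 func=open level=INFO logid=id-0003 tident=alice.1:1@client.example.org sec=gsi uid=10001 gid=2000 name=alice geo="x" op=read path=/proc/user/ info=mgm.cmd=whoami
"""

# key=value tokens; a value is either a quoted string or a run of non-spaces.
KV = re.compile(r'([\w.]+)=("[^"]*"|\S*)')
UNMAPPED_UID = "99"  # assumption: uid shown on the pre-mapping IdMap lines


def parse_line(line):
    """Return the key=value fields of one MGM log line as a dict."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def denied_proc_commands(log_text):
    """Correlate /proc/ opens with 'Operation not permitted' errors by logid."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        fields = parse_line(line)
        logid = fields.get("logid")
        if fields.get("func") == "open" and fields.get("path", "").startswith("/proc/"):
            pending[logid] = fields
        elif (fields.get("func") == "Emsg" and fields.get("level") == "ERROR"
              and "Operation not permitted" in line and logid in pending):
            request = pending.pop(logid)
            query = parse_qs(request.get("info", ""), keep_blank_values=True)
            findings.append({
                "logid": logid,
                "sec": request.get("sec"),
                "name": request.get("name"),
                "uid": request.get("uid"),
                # Mapped identity + refusal points at authorization, not authentication.
                "mapped": request.get("uid") not in (None, UNMAPPED_UID),
                "cmd": query.get("mgm.cmd", [""])[0],
                "target": query.get("mgm.path", [""])[0],
            })
    return findings


if __name__ == "__main__":
    for finding in denied_proc_commands(SAMPLE_LOG):
        print(finding)
```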