I have EOS now running on a server, but I’m curious if there is documentation on typical configuration of the authentication/ACL system for a new installation using KRB5.
(I’m thinking along the lines of a “best practices” document as well)
How would I set up a simple home directory structure for myself with write access when I get this output? (My Kerberos identity is foley@CS.RU.IS)
eos whoami
Virtual Identity: uid=1298400006 (99,1298400006) gid=1298400000 (99,1298400000) [authz:krb5] host=localhost domain=localdomain
/cd/eos/foo/devtests/
eos acl -l .
# pre-configuring default route to /eos/user/f/foley/
# -use $EOSHOME variable to override
error: No data available
It looks like it’s asking me to create the first server as /eos/user, but I’m not sure. What is more puzzling to me is the “No data available”, but I don’t think I’ve ever set up any ACLs.
Next, how would I create a group, add members to that group, then give write access to another location?
I re-read the XrootD authentication setup in Section 4 of https://xrootd.slac.stanford.edu/doc/dev49/sec_config.htm#_Toc517294111, which implies I need to set up the textfile database in order to control access.
If I installed the latest distribution via rpm, is any of the database already setup?
There is not much to configure to enable krb5 access to your instance; don’t go down the textfile DB documentation path from XRootD. Basically, you need to get the krb5 keytab for the eos service (host), and then with your krb5 ticket you should be mapped to the local identity.
What you need are some lines in /etc/xrd.cf.mgm like this (replace with your own realm):