
Instructions on typical Krb5 user setup

I have EOS now running on a server, but I’m curious if there is documentation on typical configuration of the authentication/ACL system for a new installation using KRB5.
(I’m thinking along the lines of a “best practices” document as well)

I’ve tried reading through the man pages for “eos vid” and Permission System — EOS CITRINE documentation but I’m not sure where to get started.

How would I set up a simple home directory structure for myself with write access when I get this output? (My kerberos identity is foley@CS.RU.IS)

eos whoami
Virtual Identity: uid=1298400006 (99,1298400006) gid=1298400000 (99,1298400000) [authz:krb5] host=localhost domain=localdomain

/cd/eos/foo/devtests/
eos acl -l .
# pre-configuring default route to /eos/user/f/foley/
# -use $EOSHOME variable to override
error: No data available

It looks like it’s asking me to create the first server as /eos/user but I’m not sure. What is more puzzling to me is the “No data available” but I don’t think I’ve ever set up any ACLs.

Next, how would I create a group, add members to that group, then give write access to another location?

Kind regards,
Joe

I re-read the XrootD authentication setup in Section 4 of
https://xrootd.slac.stanford.edu/doc/dev49/sec_config.htm#_Toc517294111
which implies I need to set up the textfile database in order to control access.
If I installed the latest distribution via rpm, is any of the database already set up?

Hi Joe,

There is not much to configure to enable krb5 access to your instance - don’t go down the textfile db documentation from XRootD. Basically, you need to get the krb5 keytab for the eos service (host) and then with your krb5 ticket you should be mapped to the local identity.

What you need is some lines in /etc/xrd.cf.mgm like this (replace with your own realm):

# KRB  authentication
sec.protocol krb5 /etc/eos.krb5.keytab host/<host>@CERN.CH
# Enable krb5 binding
sec.protbind * only sss krb5 unix

The contents of /etc/eos.krb5.keytab is a host keytab that you can get from the KDC:

[esindril@esdss000 eos]$ sudo klist -kt /etc/eos.krb5.keytab
Keytab name: FILE:/etc/eos.krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/27/2016 10:37:28 esdss000$@CERN.CH
   3 10/27/2016 10:37:28 esdss000$@CERN.CH
   3 10/27/2016 10:37:28 esdss000$@CERN.CH
   3 10/27/2016 10:37:28 host/esdss000.cern.ch@CERN.CH
   3 10/27/2016 10:37:28 host/esdss000.cern.ch@CERN.CH
   3 10/27/2016 10:37:28 host/esdss000.cern.ch@CERN.CH

Once you have this you need to also enable krb5 from the vid mapping by doing:
eos vid enable krb5.

Then you should be good. Once you transfer something to your instance you should see a log similar to this at the MGM:

# Command to copy in a file
xrdcp -f /etc/passwd root://localhost//eos/dev/replica/file2.dat

# Contents of the MGM logs
210506 11:06:16 time=1620291976.364588 func=open                     level=INFO  logid=5057438e-ae4a-11eb-8362-dc4a3e6b9f27 unit=mgm@esdss000.cern.ch:1094 tid=00007f4e9600a700 source=XrdMgmOfsFile:498              tident=esindril.8687:390@localhost sec=krb5  uid=58602 gid=1028 name=esindril geo="" op=write trunc=512 path=/eos/dev/replica/file2.dat info=oss.asize=3314

Note the sec=krb5 bit and the uid/gid to which I was mapped.
Hope this helps!

Cheers,
Elvin
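Added example, not code from the thread or from the EOS project: a small POSIX shell script that checks the three things Elvin's reply relies on (the two sec.* lines in /etc/xrd.cf.mgm, a host/ principal in the keytab listing, and a sec=krb5 entry with the mapped uid/gid in the MGM log). All inputs are constructed copies of the snippets quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not EOS code): offline checks for the krb5 pieces in the reply above.
# Every input below is a constructed copy of a snippet from this thread.

# 1) The /etc/xrd.cf.mgm fragment, written to a temp file.
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# KRB  authentication
sec.protocol krb5 /etc/eos.krb5.keytab host/<host>@CERN.CH
# Enable krb5 binding
sec.protbind * only sss krb5 unix
EOF

# check_mgm_krb5_config FILE: prints "ok" when both directives are present,
# otherwise names the missing one and returns 1.
check_mgm_krb5_config() {
  grep -Eq '^sec\.protocol[[:space:]]+krb5[[:space:]]+[^[:space:]]+[[:space:]]+host/' "$1" \
    || { echo "missing: sec.protocol krb5 <keytab> host/<host>@REALM"; return 1; }
  grep -Eq '^sec\.protbind[[:space:]]+\*[[:space:]]+only([[:space:]]+[^[:space:]]+)*[[:space:]]+krb5([[:space:]]|$)' "$1" \
    || { echo "missing: sec.protbind * only ... krb5"; return 1; }
  echo ok
}

# 2) klist -kt output and a check that a host/<fqdn>@REALM entry exists for REALM.
KLIST='KVNO Timestamp           Principal
---- ------------------- ----------------
   3 10/27/2016 10:37:28 esdss000$@CERN.CH
   3 10/27/2016 10:37:28 host/esdss000.cern.ch@CERN.CH'
# keytab_has_host_principal KLIST_OUTPUT REALM: prints the matching principal, else returns 1
keytab_has_host_principal() {
  printf '%s\n' "$1" | awk -v realm="$2" '$4 ~ "^host/.*@" realm "$" { print $4; found=1 } END { exit !found }'
}

# 3) The MGM log line from the reply and a key=value extractor for it.
LOG='210506 11:06:16 time=1620291976.364588 func=open level=INFO logid=5057438e-ae4a-11eb-8362-dc4a3e6b9f27 unit=mgm@esdss000.cern.ch:1094 tid=00007f4e9600a700 source=XrdMgmOfsFile:498 tident=esindril.8687:390@localhost sec=krb5 uid=58602 gid=1028 name=esindril geo="" op=write trunc=512 path=/eos/dev/replica/file2.dat info=oss.asize=3314'
# mgm_log_field LINE KEY: value of KEY=... in a space-separated MGM log line
mgm_log_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}
# mapped_via_krb5 LINE: "uid:gid:name" when the request was authenticated with sec=krb5, else returns 1
mapped_via_krb5() {
  [ "$(mgm_log_field "$1" sec)" = "krb5" ] || return 1
  printf '%s:%s:%s\n' "$(mgm_log_field "$1" uid)" "$(mgm_log_field "$1" gid)" "$(mgm_log_field "$1" name)"
}

check_mgm_krb5_config "$CFG"
keytab_has_host_principal "$KLIST" CERN.CH
mapped_via_krb5 "$LOG"
```

Point check_mgm_krb5_config at the real /etc/xrd.cf.mgm and mapped_via_krb5 at a line grepped from the MGM log to verify an installation instead of the constructed inputs.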