Dear community,
I would like to understand for myself how sss keys work.
This question is not much different from the one I asked before: User accessing via SSS authentication
I have an EOS installation (EOS_SERVER_VERSION=4.8.69) containing two MGMs and some FSTs:
Both MGM and FST machines have a keytab (/etc/eos.keytab) containing one key:
for user daemon (service)
This is fine.
    vm1-eos-mgm1.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    vm2-eos-mgm2.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    vm3-eos-fst0.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    ...

    vm10-eos-fst10.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon
r--------. 1 daemon daemon 272 dec 10 11:10 //etc/eos.keytab
Then I want to add another key on both MGMs, e.g. sss authorization for user eos_user.
On FST I did not add a user key.
I.e. now I have the following situation with the keys:
    vm1-eos-mgm1.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 12/02/21 13:05:26 -------- eos eos_user eos_user
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    vm2-eos-mgm2.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 12/02/21 13:05:26 -------- eos eos_user eos_user
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    vm3-eos-fst0.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon

    ...

    vm10-eos-fst10.domain.com
    Number Len Date/Time Created Expires Keyname User & Group
    ------ --- --------- ------- -------- -------
         1  32 11/22/18 16:27:36 -------- eos daemon daemon
r--------. 1 daemon daemon 420 dec 14 13:16 //etc/eos.keytab
After a while, I mean once the key is read on all FSTs, I see errors like:

    211203 01:39:28 140870 XrootdXeq: User authentication failed; Decryption key not found.
    211203 01:39:28 140870 XrootdXeq: daemon.2388:50@eos disc 0:00:00.
Which says that there is now a key issue between MGM and FST.
Clearly, if you add the user's key to all FSTs the problem might go away, but in my opinion that is not logical if you draw the analogy with ssh keys.
Can you please explain why keys work this way?
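The situation described in the post (a key present in the MGM keytabs but absent from the FST keytabs) is exactly what a keytab consistency check before rolling out a new key would catch. The following is an added example, not code from the original post or from the EOS/XRootD projects: it parses listings in the column layout shown above for several hosts and reports every key that is missing on some of them. The host names and listing text are constructed from the post; the function and variable names are this example's own. Because the listing does not print the secret itself, the creation timestamp is used as a proxy for "the same key was copied everywhere", so a key with the same name but a different creation time on two hosts is reported as well.

```python
"""Keytab consistency check across EOS/XRootD hosts (added example).

Parses keytab listings in the layout shown in the post (one listing per
host) and reports keys that are not present on every host.  The sample
listings are constructed from the post: the eos_user key exists on the
two MGMs only, which is the state that produced
"User authentication failed; Decryption key not found" on the FSTs.
"""
import re

# Constructed sample input (names taken from the post, not real hosts).
SAMPLE_LISTINGS = {
    "vm1-eos-mgm1.domain.com": """\
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
     1  32 12/02/21 13:05:26 -------- eos eos_user eos_user
     1  32 11/22/18 16:27:36 -------- eos daemon daemon
""",
    "vm2-eos-mgm2.domain.com": """\
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
     1  32 12/02/21 13:05:26 -------- eos eos_user eos_user
     1  32 11/22/18 16:27:36 -------- eos daemon daemon
""",
    "vm3-eos-fst0.domain.com": """\
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
     1  32 11/22/18 16:27:36 -------- eos daemon daemon
""",
    "vm10-eos-fst10.domain.com": """\
Number Len Date/Time Created Expires Keyname User & Group
------ --- --------- ------- -------- -------
     1  32 11/22/18 16:27:36 -------- eos daemon daemon
""",
}

# One key row: number, length, date, time, expires, keyname, user, group.
# Header and separator rows do not start with a digit and are skipped.
KEY_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_listing(text):
    """Return the keys in one listing as (keyname, user, group, created) tuples."""
    keys = []
    for line in text.splitlines():
        m = KEY_ROW.match(line)
        if not m:
            continue
        _num, _length, date, time, _expires, keyname, user, group = m.groups()
        # The listing never shows the key material, so the creation timestamp
        # is the only available hint that two hosts hold the same key.
        keys.append((keyname, user, group, f"{date} {time}"))
    return keys


def find_missing_keys(listings):
    """Map each key seen anywhere to the sorted list of hosts that lack it.

    Keys present on every host are not included in the result.
    """
    per_host = {host: set(parse_listing(text)) for host, text in listings.items()}
    all_keys = set().union(*per_host.values()) if per_host else set()
    missing = {}
    for key in sorted(all_keys):
        absent = sorted(h for h, keys in per_host.items() if key not in keys)
        if absent:
            missing[key] = absent
    return missing


def report(listings):
    """Human-readable lines describing every inconsistency found."""
    lines = []
    for (keyname, user, group, created), hosts in find_missing_keys(listings).items():
        lines.append(
            f"key {keyname} {user} {group} (created {created}) missing on: "
            + ", ".join(hosts)
        )
    return lines or ["all keys present on all hosts"]


if __name__ == "__main__":
    for line in report(SAMPLE_LISTINGS):
        print(line)
```

Run against the constructed listings it reports the eos_user key as missing on both FST hosts and stays silent about the daemon key, which is identical everywhere. In practice the listings would be gathered from each host (for example over ssh) and fed to `find_missing_keys` before the new keytab is put into service.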