Understanding EOS vid


I have set a small EOS cluster for training and I am lcurrently trying to understand what can be done with the command “eos vid”. If we exclude the geotag setting and the gateway, we are left with these subcommands:


Main questions are:

  1. I do not understand what is the membership command for and in which case one want to use it
  2. if the “map” command is to assign an EOS virtual uid/gid based on certain attributes of the incoming
    request, what is the difference between “unix” and “tident”, how is a unix uid/gid transported from the client to the EOS manager ? What is the role of the /etc/passwd on the EOS manger ? What about the map with “sss” ? Is it always mapped to “root” ?
  3. What does “vid enable” ?
  4. What is the link between EOS vid ans the underlying xrootd auth config sec.protbind

Thank you, this is of course non urgent matter, just trying to understand EOS.


Hi Jean Michel,
here are you answers:

you can map a unix authenticated users which just sends (uid,gid) to the same (uid,gid) (this happens when the target of the mapping is 0 = root) or to a hard coded uid e.g. 99. In other authentication methods users are identified by they name (a user name) and in this cases you can enable that these names are translated using the password database
vid enable sss : the sss user name gets translated using the configured getpwd method (e.g. /etc/passwd)
vid enable krb5: the krb5 identity <name> from <name>@<cell> is translated using the configured getpwd method
vid enable gsi: the mapped identity <dn>=><name> is translated using the configured getpwd method
vid enable unix: by default maps to nobody user (can be changed)

Using the tidents (trace identifier) which are formed in XrootD like .::[.]
you can allow single machines to use a certain user name translation. For example you can allow a gateway machine to translate uid,gid using UNIX authentication (this saves you the hassle to delegete user credentials in a gateway service) and just accept the uid,gid which show up on the gateway service, which you don’t want to allow to other machines, because you can impersonate anyone.

sec.protbind defines which authentication the client will apply. You can set this for all (*), certain domains, certain machines and you give your prefered order. XRootD then calls EOS with a security object which contains the protocol (unix,krb5,gsi,sss) and the identity (name or uid,gid) and EOS then applies the mapping rule you have defined.

Cheers Andreas.