When adding xrootd-auth-changeid to xrootd it causes Kerberos authentication to fail the second time. A certain time must have passed since first disconnect (2s < 10s) in order for it to fail.
Problem seen in Xrootd v4.1.1 (epel-testing)
Using xrootd v4.1.1 without xrootd-auth-changeid the problem also disappears.
I have also tried making my keytab world-readable, but this did not help.
partial xrootd.cfg options to generate failure:
ofs.authorize 1
acc.authdb /etc/xrootd/Authfile
ofs.authlib /opt/lib/libAuthChangeFsUid.so
authchangefsuid.authlib default
xrootd acc options for success (i.e. remove change fs uid lib options):
ofs.authorize 1
acc.authdb /etc/xrootd/Authfile
client actions:
xrdfs localhost
ls /tmp
ctrl+c
sleep 10
xrdfs localhost
ls /tmp
[FATAL] Auth failed
Server transcript below for above client actions:
[root@pplxint8 ~]# xrootd -c /etc/xrootd/xrootd.cfg -R xrootd
150210 07:39:12 21881 Starting on Linux 2.6.32-504.8.1.el6.x86_64
Copr. 2004-2012 Stanford University, xrd version v4.1.1
++++++ xrootd anon@pplxint8.physics.ox.ac.uk initialization started.
Config using configuration file /etc/xrootd/xrootd.cfg
=====> all.adminpath /var/spool/xrootd
=====> xrd.port 1094
=====> xrd.trace conn
=====> all.adminpath /var/run/xrootd
=====> xrd.report xrootd.t2.ucsd.edu:9931 every 60s all sync
Config maximum number of connections restricted to 4096
Copr. 2012 Stanford University, xrootd protocol 3.0.0 version v4.1.1
++++++ xrootd protocol initialization started.
=====> all.export /tmp
=====> all.pidpath /var/run/xrootd
=====> all.export / nostage
=====> xrootd.trace emsg login stall redirect
=====> xrootd.seclib /usr/lib64/libXrdSec.so
Config warning: ignoring fslib; libXrdOfs.so is built-in.
=====> xrootd.fslib /usr/lib64/libXrdOfs.so
=====> all.pidpath /var/run/xrootd
=====> xrootd.monitor all auth flush io 60s ident 5m mbuff 8k rbuff 4k rnums 3 window 10s dest files io info user redir xrootd.t2.ucsd.edu:9930
Config exporting /
Config exporting /tmp
Plugin loaded
++++++ Authentication system initialization started.
Plugin loaded
Template for exports not set
=====> sec.protocol krb5 /etc/xrootd/krb5keys host/pplxint8.physics.ox.ac.uk@PHYSICS.OX.AC.UK
Config 1 authentication directives processed in /etc/xrootd/xrootd.cfg
------ Authentication system initialization completed.
Config Routing for pplxint8.physics.ox.ac.uk: local pub4 prv4
Config Route all4: pplxint8.physics.ox.ac.uk Dest=[::163.1.136.8]:1094
++++++ File system initialization started.
=====> all.role server
Config warning: ignoring invalid trace option 'none'.
=====> ofs.trace none
=====> ofs.authorize
=====> ofs.authlib /opt/lib/libAuthChangeFsUid.so
++++++ Storage system initialization started.
=====> all.export /tmp
=====> all.export / nostage
Config effective /etc/xrootd/xrootd.cfg oss configuration:
oss.alloc 0 0 0
oss.cachescan 600
oss.fdlimit 2048 4096
oss.maxsize 0
oss.trace 0
oss.xfr 1 deny 10800 keep 1200
oss.memfile off max 33763682304
oss.defaults r/w nocheck nodread nomig norcreate nopurge nostage xattr
oss.path /tmp r/w nocheck nodread nomig norcreate nopurge nostage xattr
oss.path / r/w nocheck nodread nomig norcreate nopurge nostage xattr
------ Storage system initialization completed.
Plugin No such file or directory loading authlib /opt/lib/libAuthChangeFsUid-4.so
Config Falling back to using /opt/lib/libAuthChangeFsUid.so
Plugin loaded
++++++ Authorization system initialization started.
150210 07:39:12 21881 acc_Config: Authorization system using configuration in /etc/xrootd/xrootd.cfg
=====> acc.authdb /etc/xrootd/Authfile
=====> acc.audit deny grant
Config 2 authorization directives processed in /etc/xrootd/xrootd.cfg
Config 1 auth entries processed in /etc/xrootd/Authfile
------ Authorization system initialization completed.
++++++ Configuring server role. . .
=====> all.adminpath /var/spool/xrootd
=====> all.manager xrootd-itb.unl.edu:1213
=====> cms.trace all
=====> all.adminpath /var/run/xrootd
150210 07:39:12 21881 Configure Global System Identification: anon-s 1213xrootd-itb.unl.edu
Config effective /etc/xrootd/xrootd.cfg ofs configuration:
all.role server
ofs.authorize
ofs.maxdelay 60
ofs.persist manual hold 600 logdir /var/run/xrootd/.ofs/posc.log
ofs.trace 0
ofs.authlib /opt/lib/libAuthChangeFsUid.so
------ File system server initialization completed.
Config warning: 'xrootd.prepare logdir' not specified; prepare tracking disabled.
------ xrootd protocol initialization completed.
------ xrootd anon@pplxint8.physics.ox.ac.uk:1094 initialization completed.
150210 07:39:16 21885 XrootdXeq: brisbane.21903:22@localhost pvt IPv4 login as brisbane
------ AuthChangeFsUid: Updating uids cache...
------ AuthChangeFsUid: Setting FS uid from user=brisbane
150210 07:39:16 21885 acc_Audit: brisbane.21903:22@localhost grant krb5 brisbane@localhost stat /tmp
150210 07:39:16 21884 XrootdXeq: brisbane.21903:23@pplxint8 pub IPv4 login as brisbane
------ AuthChangeFsUid: Setting FS uid from user=brisbane
150210 07:39:16 21884 acc_Audit: brisbane.21903:23@pplxint8 grant krb5 brisbane@pplxint8.physics.ox.ac.uk readdir /tmp
150210 07:39:17 21884 XrootdXeq: brisbane.21903:23@pplxint8 disc 0:00:01
150210 07:39:17 21885 XrootdXeq: brisbane.21903:22@localhost disc 0:00:01
150210 07:39:27 21912 XrootdXeq: brisbane.21937:26@localhost pvt IPv4 login as brisbane
------ AuthChangeFsUid: Setting FS uid from user=brisbane
150210 07:39:27 21912 acc_Audit: brisbane.21937:26@localhost grant krb5 brisbane@localhost stat /tmp
150210 07:39:27 21884 XrootdXeq: User authentication failed; Seckrb5: Unable to authenticate credentials;; Permission denied (p=host/pplxint8.physics.ox.ac.uk@PHYSICS.OX.AC.UK).
150210 07:39:27 21884 brisbane.21937:22@pplxint8 XrootdResponse: sending err 3010: Seckrb5: Unable to authenticate credentials;; Permission denied (p=host/pplxint8.physics.ox.ac.uk@PHYSICS.OX.AC.UK).
150210 07:39:27 21884 XrootdXeq: brisbane.21937:22@pplxint8 disc 0:00:00
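
Added example (not part of the original report or of xrootd): a Python script that scans a transcript like the one above and reports each Seckrb5 failure together with the user whose FS uid was last set on the same thread id. It assumes an untimestamped AuthChangeFsUid line belongs to the thread of the next acc_Audit line, which is how the lines pair up in this transcript; `correlate` and `SAMPLE_LOG` are names chosen for the example.

```python
import re

# Sample input: lines copied from the server transcript above.
SAMPLE_LOG = """\
150210 07:39:16 21885 XrootdXeq: brisbane.21903:22@localhost pvt IPv4 login as brisbane
------ AuthChangeFsUid: Setting FS uid from user=brisbane
150210 07:39:16 21885 acc_Audit: brisbane.21903:22@localhost grant krb5 brisbane@localhost stat /tmp
150210 07:39:16 21884 XrootdXeq: brisbane.21903:23@pplxint8 pub IPv4 login as brisbane
------ AuthChangeFsUid: Setting FS uid from user=brisbane
150210 07:39:16 21884 acc_Audit: brisbane.21903:23@pplxint8 grant krb5 brisbane@pplxint8.physics.ox.ac.uk readdir /tmp
150210 07:39:17 21884 XrootdXeq: brisbane.21903:23@pplxint8 disc 0:00:01
150210 07:39:27 21884 XrootdXeq: User authentication failed; Seckrb5: Unable to authenticate credentials;; Permission denied (p=host/pplxint8.physics.ox.ac.uk@PHYSICS.OX.AC.UK).
150210 07:39:27 21884 brisbane.21937:22@pplxint8 XrootdResponse: sending err 3010: Seckrb5: Unable to authenticate credentials;; Permission denied (p=host/pplxint8.physics.ox.ac.uk@PHYSICS.OX.AC.UK).
"""

STAMPED = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (.*)$")  # date time tid message
SETUID = re.compile(r"AuthChangeFsUid: Setting FS uid from user=(\S+)")
FAILED = re.compile(r"User authentication failed; Seckrb5:")

def correlate(log_text):
    """Return (time, tid, user) for every krb5 authentication failure.

    user is the name from the last 'Setting FS uid' seen on that thread id,
    or None if the thread never logged an FS uid change before failing.
    """
    fsuid_by_tid = {}    # thread id -> user whose FS uid was set on it
    pending_user = None  # plugin line waiting for its acc_Audit line
    findings = []
    for line in log_text.splitlines():
        m = SETUID.search(line)
        if m:
            pending_user = m.group(1)
            continue
        m = STAMPED.match(line)
        if not m:
            continue
        when, tid, rest = m.groups()
        if pending_user and rest.startswith("acc_Audit:"):
            # Assumption: the plugin line belongs to this audit line's thread.
            fsuid_by_tid[tid] = pending_user
            pending_user = None
        elif FAILED.search(rest):
            findings.append((when, tid, fsuid_by_tid.get(tid)))
    return findings

if __name__ == "__main__":
    for when, tid, user in correlate(SAMPLE_LOG):
        print(f"{when} tid={tid} krb5 failure; FS uid previously set for: {user}")
```

A failure whose third field is not `None` happened on a thread that had already logged an FS uid change, as thread 21884 does in this transcript.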