RT for crt.cs.wisc.edu
RT for crt.cs.wisc.edu
Comments about this user:
No comment entered about this user This user's 10 highest priority tickets:
|
|
| # | Tue Oct 21 13:42:53 2008 | weigand@fnal.gov - Ticket created | [Reply] | |||||||||
VDT 1.10.1k VOMS 1.8.3p1 VOMS Admin 2.0.14-1 When attempting to get a voms proxy for a user that does not exist in the VO, the VOMS server shuts down and no longer processes any new requests. The only solution I have found is to re-cycle the server. The results shown later are the output from the following steps: 1. execute voms-proxy-init as myself (weigand) - this works 2. execute voms-proxy-init as root user - should fail as root host cert is not in the VO 3. execute voms-proxy-init as mysql (weigand) - should work, but fails with "globus_gss_assist token :3: failure: Connection closed " 4. re-cycle the server doing.. - vdt-control --off voms - vdt-control --on voms 5. execute voms-proxy-init as myself (weigand) - this now works again The other bizarre (to me) behavior I don't understand is the number of retries it is doing on each attempt. The messages indicate that it is trying another server but the vomses file has only one entry for the oiv_test1 VO. John Weigand ============================== 1. execute voms-proxy-init as myself (weigand)[weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 Enter GRID pass phrase: Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 Creating temporary proxy ............................................. Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Done Creating proxy .................................. Done Your proxy is valid until Wed Oct 22 01:32:46 2008 2. execute voms-proxy-init as root user [root@cms-xen3 osg-voms]# voms-proxy-init --voms oiv_test1:/oiv_test1 Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov Creating temporary proxy .................................................... Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Failed Error: oiv_test1: Unable to satisfy Request! Trying next server for oiv_test1. Creating temporary proxy ............................................... Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed Trying next server for oiv_test1. Creating temporary proxy ....................................... Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed Trying next server for oiv_test1. Creating temporary proxy ............................ Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed None of the contacted servers for oiv_test1 were capable of returning a valid AC for the user. 3. execute voms-proxy-init as mysql (weigand) [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 Enter GRID pass phrase: Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 Creating temporary proxy ................................. Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed Trying next server for oiv_test1. Creating temporary proxy .................................. Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed Trying next server for oiv_test1. Creating temporary proxy .......................................... Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed Trying next server for oiv_test1. Creating temporary proxy ................................ Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1"gss_assist_get_unwrap failure: globus_gss_assist token :3: failure: Connection closed Failed Error: GSS authentication failure globus_gss_assist token :3: failure: Connection closed None of the contacted servers for oiv_test1 were capable of returning a valid AC for the user. 4. re-cycle the server [root@cms-xen3 osg-voms]# vdt-control --off voms disabling init service voms... ok [root@cms-xen3 osg-voms]# vdt-control --on voms enabling init service voms... ok [root@cms-xen3 osg-voms]# 5. execute voms-proxy-init as myself (weigand) [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 Enter GRID pass phrase: Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 Creating temporary proxy ................................... Done Contacting cms-xen3.fnal.gov:15000 [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" Done Creating proxy .............................................................. Done Your proxy is valid until Wed Oct 22 01:34:35 2008 |
||||||||||||
| # | Tue Oct 21 16:09:35 2008 | roy - Priority changed from (no value) to '3' | ||
| # | Tue Oct 21 16:09:36 2008 | roy - Fix scheduled CUR added | ||
| # | Tue Oct 21 16:09:44 2008 | roy - Given to cat | ||
| # | Tue Oct 21 16:12:29 2008 | roy - Correspondence added | [Reply] | |
|
Hi John, > When attempting to get a voms proxy for a user that does not exist in > the VO, the VOMS server shuts down and no longer processes any new > requests. This sounds really serious. Right now the VDT is short-handed. Tim is out for the week, and I'm out on Wednesday. So it will be a few days before we can dig into this. I know that we moved to VOMS 1.8.3 because we had to, but bugs were found in it by EGEE and they are currently certifying VOMS 1.8.8. So there is a chance that this is a known problem. We'll ask the VOMS folks. -alain ----------------------------------------------------------------- Alain Roy vdt-support@opensciencegrid.org VDT Support http://vdt.cs.wisc.edu/support.html |
||||
| # | Tue Oct 21 16:12:31 2008 | RT_System - Status changed from 'new' to 'open' | ||
| # | Tue Oct 21 16:17:46 2008 | roy - Correspondence added | [Reply] | |||
(Copying Vincenzo Ciaschini) Vincenzo-- The VDT team received this bug report today. We're a bit short-handed at the moment, so we haven't looked into it beyond reading the email. However, I know that you have made bug fixes since VOMS 1.8.3, so I thought I would just check with you: does this sound like something you might have fixed? Thanks, -alain p.s. VOMS "1.8.3p1" is VOMS 1.8.3 plus some patches, but they are patches we submitted to you and you accepted, so there is nothing surprising there, I hope. In particular, they are the OpenSSL patches, the patch to build on Mac OS X, the patch to make voms-proxy-init have a better return code, and to add the --dont-verify-ac option to voms-proxy-info. Oh, and the log permission patch. ----------------------------------------------------------------- Alain Roy vdt-support@opensciencegrid.org VDT Support http://vdt.cs.wisc.edu/support.html On Tue Oct 21 13:42:53 2008, weigand@fnal.gov wrote: > VDT 1.10.1k requests.> VOMS 1.8.3p1 > VOMS Admin 2.0.14-1 > > When attempting to get a voms proxy for a user that does not exist in > the VO, the VOMS server shuts down and no longer processes any new > Done> The only solution I have found is to re-cycle the server. > > The results shown later are the output from the following steps: > 1. execute voms-proxy-init as myself (weigand) > - this works > > 2. execute voms-proxy-init as root user > - should fail as root host cert is not in the VO > > 3. execute voms-proxy-init as mysql (weigand) > - should work, but fails with "globus_gss_assist token :3: failure: > Connection closed > " > > 4. re-cycle the server doing.. > - vdt-control --off voms > - vdt-control --on voms > > 5. execute voms-proxy-init as myself (weigand) > - this now works again > > The other bizarre (to me) behavior I don't understand is the number of > retries it is doing on each attempt. The messages indicate that it is > trying another server but the vomses file has only one entry for the > oiv_test1 VO. > > > John Weigand > > ============================== > 1. execute voms-proxy-init as myself (weigand)> > [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 > Enter GRID pass phrase: > Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 > Creating temporary proxy ............................................. > Contacting cms-xen3.fnal.gov:15000 "oiv_test1" Done> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > Creating proxy .................................. Done "oiv_test1" Done> Your proxy is valid until Wed Oct 22 01:32:46 2008 > > > 2. execute voms-proxy-init as root user > > [root@cms-xen3 osg-voms]# voms-proxy-init --voms oiv_test1:/oiv_test1 > Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov > Creating temporary proxy > .................................................... Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" > Failed > > Error: oiv_test1: Unable to satisfy Request! > > Trying next server for oiv_test1. > Creating temporary proxy ............................................... > Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > Trying next server for oiv_test1. > Creating temporary proxy ....................................... Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > Trying next server for oiv_test1. > Creating temporary proxy ............................ Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > None of the contacted servers for oiv_test1 were capable > of returning a valid AC for the user. > > > 3. execute voms-proxy-init as mysql (weigand) > > [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 > Enter GRID pass phrase: > Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 > Creating temporary proxy ................................. Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > Trying next server for oiv_test1. > Creating temporary proxy .................................. Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > Trying next server for oiv_test1. > Creating temporary proxy .......................................... Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > Trying next server for oiv_test1. > Creating temporary proxy ................................ Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > "oiv_test1"gss_assist_get_unwrap failure: > globus_gss_assist token :3: failure: Connection closed > Failed > > Error: GSS authentication failure > globus_gss_assist token :3: failure: Connection closed > > > None of the contacted servers for oiv_test1 were capable > of returning a valid AC for the user. > > > 4. re-cycle the server > > [root@cms-xen3 osg-voms]# vdt-control --off voms > disabling init service voms... ok > [root@cms-xen3 osg-voms]# vdt-control --on voms > enabling init service voms... ok > [root@cms-xen3 osg-voms]# > > > > > 5. execute voms-proxy-init as myself (weigand) > > [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 > Enter GRID pass phrase: > Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 > Creating temporary proxy ................................... Done > Contacting cms-xen3.fnal.gov:15000 > [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] > Creating proxy > .............................................................. Done > Your proxy is valid until Wed Oct 22 01:34:35 2008 |
||||||
| # | Wed Oct 29 15:36:51 2008 | cat - Correspondence added | [Reply] | |||||||||
John: You wrote: > When attempting to get a voms proxy for a user that does not exist > in the VO, the VOMS server shuts down and no longer processes any > new requests. I just wanted to let you know that I have reproduced this behavior myself. I would add a few notes: * Saying that the "VOMS server shuts down" could be a bit misleading -- the server processes appear to continue running even after the failed proxy init attempt. But as you report, the running server fails to handle new requests correctly. * Not just any user can cause the failure -- I tried getting a proxy from another regular user certificate, and VOMS correctly rejected the request and continued to work for my own certificate thereafter. It was only when I tried getting a certificate as root that the server stopped functioning correctly. I will continue to investigate this problem. -- Tim |
||||||||||||
| # | Thu Oct 30 10:50:46 2008 | cat - Comments added | [Reply] | |||||||
Commit comment: New branch for building and testing VOMS 1.8.8. Changed files: A vdt/branches/vdt-1.10.1-voms-1.8.8/ To generate a diff: svn diff -c 8257 file:///p/condor/workspaces/vdt/svn |
||||||||||
| # | Thu Oct 30 11:58:23 2008 | weigand@fnal.gov - Correspondence added | [Reply] | |||||||||
Agree with your first point. Should have said "effectively shuts down".. it does have to be re-cycled in order to function again though. As to 2nd point... I tested it again just now and once a user (any user) gets rejected, the voms server for that VO does stop processing subsequent requests. This may be a matter of semantics again. When you say "... continued to work for my own certificate thereafter. " did you mean that when you did a voms-proxy-info that your proxy was still valid. If so, this is normal. voms-proxy-init never destroys your old proxy on failure. It only replaces it on success. Now if you meant that a subsequent voms-proxy-init request to that same VOMS VO server worked, then your VOMS and my VOMS may not be the same... as mine will NOT process any subsequent requests until it is re-cycled. John > |
||||||||||||
| # | Thu Oct 30 13:37:54 2008 | cat - Correspondence added | [Reply] | |||||||||
John: > I tested it again just now and once a user (any user) gets rejected, > the voms server for that VO does stop processing subsequent > requests. This may be a matter of semantics again. Hm, I think we are saying that we actually get different behavior. Here's what I did: [as cat:] voms-proxy-init -voms VDT # success [as vdt:] voms-proxy-init -voms VDT # failure [as cat:] voms-proxy-init -voms VDT # success (I think) [as root:] voms-proxy-init -voms VDT # failure [as cat:] voms-proxy-init -voms VDT # failure I would have to go through the whole sequence again to be 100% sure. -- Tim |
||||||||||||
| # | Fri Oct 31 10:30:12 2008 | vincenzo.ciaschini@cnaf.infn.it - Correspondence added | [Reply] | |||||||||
Hi Alain, sorry for being late. I only just noticed this. This is not a bug. What happens is that if you run voms-proxy-init as root on the voms server host, you may end up creating a proxy for root. When VOMS next searches for its credentials, globus sees a proxy and takes it. At that point, the solution would be to remove the root proxy. If this does not work, please get back to me. In general, running voms-proxy-init as root is not supported, due to the fact that Globus tends to ignore user parameters and get hardcoded names for certificates, proxys, and keys. This will change for 1.9 where globus will be removed as a dependency. In any way, creating a root proxy for a voms server will never be supported. Ciao, Vincenzo Alain Roy via RT wrote: > (Copying Vincenzo Ciaschini) > > Vincenzo-- > > The VDT team received this bug report today. We're a bit short-handed at > the moment, so we haven't looked into it beyond reading the email. > > However, I know that you have made bug fixes since VOMS 1.8.3, so I > thought I would just check with you: does this sound like something you > might have fixed? > > Thanks, > -alain > > p.s. VOMS "1.8.3p1" is VOMS 1.8.3 plus some patches, but they are > patches we submitted to you and you accepted, so there is nothing > surprising there, I hope. In particular, they are the OpenSSL patches, > the patch to build on Mac OS X, the patch to make voms-proxy-init have a > better return code, and to add the --dont-verify-ac option to > voms-proxy-info. Oh, and the log permission patch. > > ----------------------------------------------------------------- > Alain Roy vdt-support@opensciencegrid.org > VDT Support http://vdt.cs.wisc.edu/support.html > > > On Tue Oct 21 13:42:53 2008, weigand@fnal.gov wrote: > >> VDT 1.10.1k > requests.>> VOMS 1.8.3p1 >> VOMS Admin 2.0.14-1 >> >> When attempting to get a voms proxy for a user that does not exist in >> the VO, the VOMS server shuts down and no longer processes any new >> > >> The only solution I have found is to re-cycle the server. > Done>> >> The results shown later are the output from the following steps: >> 1. execute voms-proxy-init as myself (weigand) >> - this works >> >> 2. execute voms-proxy-init as root user >> - should fail as root host cert is not in the VO >> >> 3. execute voms-proxy-init as mysql (weigand) >> - should work, but fails with "globus_gss_assist token :3: failure: >> Connection closed >> " >> >> 4. re-cycle the server doing.. >> - vdt-control --off voms >> - vdt-control --on voms >> >> 5. execute voms-proxy-init as myself (weigand) >> - this now works again >> >> The other bizarre (to me) behavior I don't understand is the number of >> retries it is doing on each attempt. The messages indicate that it is >> trying another server but the vomses file has only one entry for the >> oiv_test1 VO. >> >> >> John Weigand >> >> ============================== >> 1. execute voms-proxy-init as myself (weigand)>> >> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >> Enter GRID pass phrase: >> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >> Creating temporary proxy ............................................. >> > >> Contacting cms-xen3.fnal.gov:15000 > "oiv_test1" Done>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> > >> Creating proxy .................................. Done > "oiv_test1" Done>> Your proxy is valid until Wed Oct 22 01:32:46 2008 >> >> >> 2. execute voms-proxy-init as root user >> >> [root@cms-xen3 osg-voms]# voms-proxy-init --voms oiv_test1:/oiv_test1 >> Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov >> Creating temporary proxy >> .................................................... Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] "oiv_test1" >> Failed >> >> Error: oiv_test1: Unable to satisfy Request! >> >> Trying next server for oiv_test1. >> Creating temporary proxy ............................................... >> Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> Trying next server for oiv_test1. >> Creating temporary proxy ....................................... Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> Trying next server for oiv_test1. >> Creating temporary proxy ............................ Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> None of the contacted servers for oiv_test1 were capable >> of returning a valid AC for the user. >> >> >> 3. execute voms-proxy-init as mysql (weigand) >> >> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >> Enter GRID pass phrase: >> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >> Creating temporary proxy ................................. Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> Trying next server for oiv_test1. >> Creating temporary proxy .................................. Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> Trying next server for oiv_test1. >> Creating temporary proxy .......................................... Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> Trying next server for oiv_test1. >> Creating temporary proxy ................................ Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> "oiv_test1"gss_assist_get_unwrap failure: >> globus_gss_assist token :3: failure: Connection closed >> Failed >> >> Error: GSS authentication failure >> globus_gss_assist token :3: failure: Connection closed >> >> >> None of the contacted servers for oiv_test1 were capable >> of returning a valid AC for the user. >> >> >> 4. re-cycle the server >> >> [root@cms-xen3 osg-voms]# vdt-control --off voms >> disabling init service voms... ok >> [root@cms-xen3 osg-voms]# vdt-control --on voms >> enabling init service voms... ok >> [root@cms-xen3 osg-voms]# >> >> >> >> >> 5. execute voms-proxy-init as myself (weigand) >> >> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >> Enter GRID pass phrase: >> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >> Creating temporary proxy ................................... Done >> Contacting cms-xen3.fnal.gov:15000 >> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >> > >> Creating proxy >>> .............................................................. Done >> Your proxy is valid until Wed Oct 22 01:34:35 2008 >> > > > > |
||||||||||||
| # | Fri Oct 31 10:49:49 2008 | roy - Correspondence added | [Reply] | |||||||||
Vincenzo-- That makes sense to me, assuming everything is on the same computer. John-- Did you run your tests all on one computer? -alain On Oct 31, 2008, at 10:30 AM, Vincenzo Ciaschini via RT wrote: > http://crt.cs.wisc.edu/Ticket/Display.html?id=4246 > > Hi Alain, > > sorry for being late. I only just noticed this. > > > This is not a bug. What happens is that if you run voms-proxy-init as > root on the voms server host, you may end up creating a proxy for > root. > When VOMS next searches for its credentials, globus sees a proxy and > takes it. > > At that point, the solution would be to remove the root proxy. > > If this does not work, please get back to me. > > In general, running voms-proxy-init as root is not supported, due to > the > fact that Globus tends to ignore user parameters and get hardcoded > names > for certificates, proxys, and keys. This will change for 1.9 where > globus will be removed as a dependency. > > In any way, creating a root proxy for a voms server will never be > supported. > > Ciao, > Vincenzo > > Alain Roy via RT wrote: >> (Copying Vincenzo Ciaschini) >> >> Vincenzo-- >> >> The VDT team received this bug report today. We're a bit short- >> handed at >> the moment, so we haven't looked into it beyond reading the email. >> >> However, I know that you have made bug fixes since VOMS 1.8.3, so I >> thought I would just check with you: does this sound like something >> you >> might have fixed? >> >> Thanks, >> -alain >> >> p.s. VOMS "1.8.3p1" is VOMS 1.8.3 plus some patches, but they are >> patches we submitted to you and you accepted, so there is nothing >> surprising there, I hope. In particular, they are the OpenSSL >> patches, >> the patch to build on Mac OS X, the patch to make voms-proxy-init >> have a >> better return code, and to add the --dont-verify-ac option to >> voms-proxy-info. Oh, and the log permission patch. >> >> ----------------------------------------------------------------- >> Alain Roy vdt-support@opensciencegrid.org >> VDT Support http://vdt.cs.wisc.edu/support.html >> >> >> On Tue Oct 21 13:42:53 2008, weigand@fnal.gov wrote: >> >>> VDT 1.10.1k >> requests.>>> VOMS 1.8.3p1 >>> VOMS Admin 2.0.14-1 >>> >>> When attempting to get a voms proxy for a user that does not exist >>> in >>> the VO, the VOMS server shuts down and no longer processes any new >>> >> >>> The only solution I have found is to re-cycle the server. >> Done>>> >>> The results shown later are the output from the following steps: >>> 1. execute voms-proxy-init as myself (weigand) >>> - this works >>> >>> 2. execute voms-proxy-init as root user >>> - should fail as root host cert is not in the VO >>> >>> 3. execute voms-proxy-init as mysql (weigand) >>> - should work, but fails with "globus_gss_assist token :3: >>> failure: >>> Connection closed >>> " >>> >>> 4. re-cycle the server doing.. >>> - vdt-control --off voms >>> - vdt-control --on voms >>> >>> 5. execute voms-proxy-init as myself (weigand) >>> - this now works again >>> >>> The other bizarre (to me) behavior I don't understand is the >>> number of >>> retries it is doing on each attempt. The messages indicate that >>> it is >>> trying another server but the vomses file has only one entry for the >>> oiv_test1 VO. >>> >>> >>> John Weigand >>> >>> ============================== >>> 1. execute voms-proxy-init as myself (weigand)>>> >>> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >>> Enter GRID pass phrase: >>> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >>> Creating temporary >>> proxy ............................................. >>> >> >>> Contacting cms-xen3.fnal.gov:15000 >> "oiv_test1" Done>>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> >> >>> Creating proxy .................................. Done >> "oiv_test1" Done>>> Your proxy is valid until Wed Oct 22 01:32:46 2008 >>> >>> >>> 2. execute voms-proxy-init as root user >>> >>> [root@cms-xen3 osg-voms]# voms-proxy-init --voms oiv_test1:/ >>> oiv_test1 >>> Your identity: /DC=org/DC=doegrids/OU=Services/CN=cms-xen3.fnal.gov >>> Creating temporary proxy >>> .................................................... Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1" >>> Failed >>> >>> Error: oiv_test1: Unable to satisfy Request! >>> >>> Trying next server for oiv_test1. >>> Creating temporary >>> proxy ............................................... >>> Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> Trying next server for oiv_test1. >>> Creating temporary proxy ....................................... >>> Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> Trying next server for oiv_test1. >>> Creating temporary proxy ............................ Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> None of the contacted servers for oiv_test1 were capable >>> of returning a valid AC for the user. >>> >>> >>> 3. execute voms-proxy-init as mysql (weigand) >>> >>> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >>> Enter GRID pass phrase: >>> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >>> Creating temporary proxy ................................. Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> Trying next server for oiv_test1. >>> Creating temporary proxy .................................. Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> Trying next server for oiv_test1. >>> Creating temporary >>> proxy .......................................... Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> Trying next server for oiv_test1. >>> Creating temporary proxy ................................ Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> "oiv_test1"gss_assist_get_unwrap failure: >>> globus_gss_assist token :3: failure: Connection closed >>> Failed >>> >>> Error: GSS authentication failure >>> globus_gss_assist token :3: failure: Connection closed >>> >>> >>> None of the contacted servers for oiv_test1 were capable >>> of returning a valid AC for the user. >>> >>> >>> 4. re-cycle the server >>> >>> [root@cms-xen3 osg-voms]# vdt-control --off voms >>> disabling init service voms... ok >>> [root@cms-xen3 osg-voms]# vdt-control --on voms >>> enabling init service voms... ok >>> [root@cms-xen3 osg-voms]# >>> >>> >>> >>> >>> 5. execute voms-proxy-init as myself (weigand) >>> >>> [weigand@cms-xen3 bin]$ voms-proxy-init -voms oiv_test1:/oiv_test1 >>> Enter GRID pass phrase: >>> Your identity: /DC=org/DC=doegrids/OU=People/CN=John Weigand 458491 >>> Creating temporary proxy ................................... Done >>> Contacting cms-xen3.fnal.gov:15000 >>> [/DC=org/DC=doegrids/OU=Services/CN=http/cms-xen3.fnal.gov] >>> >> >>> Creating proxy >>>>> .............................................................. Done >>> Your proxy is valid until Wed Oct 22 01:34:35 2008 >>> >> >> >> >> |
||||||||||||
| # | Fri Oct 31 12:54:15 2008 | weigand@fnal.gov - Correspondence added | [Reply] | |||||||||
Yes... the original VOMS installation and test of the voms proxy was done on the same computer as the root user AND there is a root proxy in /tmp. HOWEVER, the problem still exists after I removed the root proxy from /tmp and tested from another machine using my own certificate. The sequence I followed was this ( I was already a member of the VO ) ... node/UI is shown first in each step ... VOMS server on cms-xen3 ... voms-proxy-init performed on cms-xen1 ... deleted all proxies from /tmp on cms-xen3 1. cms-xen1: voms-proxy-init successful 2. using UI: removed myself from the VO 3 cms-xen1: voms-proxy-init failed (expected as I was no longer in the VO) 4. cms-xen3: added myself back as user using command line voms-admin voms-admin --vo oiv_test1 --nousercert create-user "/DC=org/DC=doegrids/OU=People/CN=John Weigand 458491" "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1" NONE OSG-DAILY-BUILD@opensciencegrid.org 5. cms-xen1: voms-proxy-init failed (the problem condition) 6. cms-xen3: recycled the edg-voms server 7. cms-xen1: voms-proxy-init successful Am I doing something wrong here? John Weigand John Weigand Alain Roy via RT wrote: > Vincenzo-- > > That makes sense to me, assuming everything is on the same computer. > > John-- > > Did you run your tests all on one computer? > > -alain > > > |
||||||||||||
| # | Fri Oct 31 14:33:49 2008 | cat - Correspondence added | [Reply] | |||||||||
Vincenzo: On 31 Oct 2008, you wrote: > This is not a bug. What happens is that if you run voms-proxy-init > as root on the voms server host, you may end up creating a proxy for > root. When VOMS next searches for its credentials, globus sees a > proxy and takes it. > > At that point, the solution would be to remove the root proxy. > > If this does not work, please get back to me. I think I understand your hypothesis, but I have evidence that suggests that it is not correct for the cases we're seeing. I started investigating the suggested workaround by reproducing the failure itself (all on the VOMS server machine): [as cat:] voms-proxy-init -voms VDT # success [as root:] voms-proxy-init -voms VDT # failure [as cat:] voms-proxy-init -voms VDT # failure This pattern *is* the bug pattern we've been seeing. So then I went to remove root's proxy. I expected to find it in /tmp/ x509up_u0, but that file didn't exist. Then Alain suggested running grid-proxy-info to find out where the proxy file was located. Here's its output: ERROR: Couldn't find a valid proxy. grid_proxy_info.c: 354 :globus_gsi_system_config .c:globus_gsi_sysconfig_get_proxy_filename_unix:6015: Could not find a valid proxy certificate file location globus_gsi_system_config.c:globus_i_gsi_sysconfig_create_key_string:477: Error with key filename globus_gsi_system_config.c:globus_i_gsi_sysconfig_check_keyfile_unix: 4668: File does not exist: /tmp/x509up_u0 is not a valid file So then I wondered if I could observe the server trying to find the root proxy. I started an strace on the running server (in its failure state) -- I used the '-f' option to trace all forked processes and I started the strace on both of the VOMS processes that I found using ps. Once the strace was running, I tried running voms-proxy-init from my user (cat) again. In a nutshell, I can find no evidence of the server trying to read something that looks like a proxy certificate. It does read the HTTP service certificate and key, which is what we configure the VOMS server to use to identify itself. And it reads a few CA certificates and related files. And it creates and unlinks a bunch of temporary files (but not any named /tmp/x509*). But that's about it. So if the idea is that the server tries to read its own certificate, but Globus forces it to find a proxy instead, I find no evidence to support that claim. Furthermore, I suggest that the pattern of errors and recovery we see -- i.e., that we must restart the VOMS server to restore functionality -- is more consistent with an inconsistent state in core, not on disk. Why would restarting the VOMS server clear out the root proxy on the machine? And then there's John's email, which preceded this one, that suggests that removing an existing root proxy does not cause the running server to suddenly recover. In sum, I think we have a real bug here, one that is worth investigating soon. In the meantime, I suppose, we can send out a warning to our users to avoid running voms-proxy-init as root. Longer term, even if the bug itself is fixed, why not add code to voms-proxy- init that detects when it is being run as root or is using a root- owned certificate, and simply have it print a clear error message and NOT contact the server at all? If that is a known unsupported use case, then I think the client should be more robust about preventing it. -- Tim |
||||||||||||
| # | Fri Oct 31 14:35:26 2008 | cat - Cc vincenzo.ciaschini@cnaf.infn.it added | ||
| # | Fri Oct 31 14:38:15 2008 | roy - Correspondence added | [Reply] | |||||||||
> And then there's John's email, which preceded this one, that suggests > that removing an existing root proxy does not cause the running server > to suddenly recover. John also noticed that running voms-proxy-init on a separate computer showed the same problem. This substantiate the theory that the problem is not a root proxy. -alain ----------------------------------------------------------------- Alain Roy vdt-support@opensciencegrid.org VDT Support http://vdt.cs.wisc.edu/support.html |
||||||||||||
| # | Fri Nov 14 10:09:07 2008 | cat - Comments added | [Reply] | |||||||
Commit comment: New build to fix #4246, including VOMS-MySQL 3.0.8. Removed all unused patch files and related code. Many small source code readability improvements. Renamed NMI input file extensions to reflect the method by which they are downloaded. Changed files: D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/gcc4_ccapi.patch D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/globus.in A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/globus.nmi U vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/glue.in A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/gpt.ftp D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/gpt.in D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/log-perm.patch U vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/nmi-remote-task.pl D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/openssl-temp-1.patch D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/openssl-temp-2.patch D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/server_makefile.patch U vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/voms-mysql.in A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/voms.cvs D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/voms.in D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/vpi_dont_verify.patch D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/vpi_rc.patch To generate a diff: svn diff -c 8307 file:///p/condor/workspaces/vdt/svn |
||||||||||
| # | Fri Nov 14 10:11:54 2008 | cat - Comments added | [Reply] | |||||||
Commit comment: Two more file extension renamings. Changed files: D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/mysql.in A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/mysql.nmi A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/voms-mysql.cvs D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/voms-mysql.in To generate a diff: svn diff -c 8308 file:///p/condor/workspaces/vdt/svn |
||||||||||
| # | Fri Nov 14 10:16:05 2008 | cat - Comments added | [Reply] | |||||||
Commit comment: Last of file renamings, plus updated code to use new filenames. Changed files: U vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/cmdfile A vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/glue.ftp D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/glue.in D vdt/branches/vdt-1.10.1-voms-1.8.8/VOMS/nmi/nmi-remote-declare.pl To generate a diff: svn diff -c 8309 file:///p/condor/workspaces/vdt/svn |
||||||||||
| # | Tue Nov 18 09:12:07 2008 | cat - Dependency on ticket #4408 added | ||
| # | Tue Nov 25 09:26:29 2008 | weigand@fnal.gov - Correspondence added | [Reply] | |||||||||||
I tested the VDT 1.10.1n containing VOMS 1.8.8-2 this morning. The problem identified in this ticket has been resolved. Thanks John Weigand |
||||||||||||||
| # | Tue Nov 25 09:53:12 2008 | cat - Correspondence added | [Reply] | |
|
Back on 21 October 2008, John Weigand wrote: > When attempting to get a voms proxy for a user that does not exist in the VO, > the VOMS server shuts down and no longer processes any new requests. As you seem to already know (!), this bug has been fixed in our latest build of VOMS 1.8.8-2 released in VDT 1.10.1n. Thanks again for finding the bug and helping us figure out the scope of the problem. In case you're interested, Vincenzo says that the bug is actually a problem with the MySQL connection. Some MySQL function call hangs or fails or something, and causes the behavior we were seeing. He updated the VOMS-MySQL connector to avoid that particular call, and that is the fix. I am closing this ticket now. -- Tim |
||||
| # | Tue Nov 25 09:54:03 2008 | cat - Status changed from 'open' to 'resolved' | ||
| # | Tue Nov 25 09:54:04 2008 | cat - Fixed in 1.10.1n added | ||
Time to display: 2.932658
»|« RT 3.8.2 Copyright 1996-2008 Best Practical Solutions, LLC.
