Enable AFS password authentication

Hello,

As a first step, I would like to enable AFS password authentication on my PROOF cluster. However, it fails with the following error message:

============================================

root -l
root [0] TProof * p = TProof::Open("@xxxx.yyy.zz")
090525 12:56:14 001 secpwd_Init: server public key file /<path_to_home_directory>/.xrd/pwdsrvpuk non existing: creating
090525 12:56:14 001 secpwd_Init: Autologin file /<path_to_home_directory>/.xrd/pwdnetrc non existing: creating
090525 12:56:14 001 Proofx-E: Conn::CheckResp: server [ccapl0001.in2p3.fr:1093] did not return OK replying to last request
090525 12:56:14 001 Proofx-E: Conn::CheckErrorStatus: error 3010: 'Secpwd: wrong credentials: insufficient credentials - contact : kXPC_autoreg'
090525 12:56:14 001 Proofx-E: Conn::Authenticate: xxxx.yyy.zz: Secpwd: wrong credentials: insufficient credentials - contact : kXPC_autoreg
090525 12:56:14 001 Proofx-E: Conn::GetAccessToSrv: client could not login at [xxxx.yyy.zz:1093]
090525 12:56:14 001 Proofx-E: Conn::Connect: failure: Secpwd: wrong credentials: insufficient credentials - contact
090525 12:56:14 001 Proofx-E: XrdProofConn: XrdProofConn: severe error occurred while opening a connection to server [xxxx.yyy.zz:1093]
root [1]
============================================

In the master proof log file, I got:

============================================
090525 13:07:52 4021 xpd-E: .32373:27@: ClientMgr::Auth: user authentication failed; Secpwd: wrong credentials: insufficient credentials - contact : kXPC_autoreg
090525 13:07:52 4021 xpd-I: .32373:27@: Protocol::recycle: user ycalas disconnected; type: ClientMaster
090525 13:07:52 4021 xpd-E: ClientCron: kClientDisconnect: problems parsing message: '0x69dcc0 -1 32373'; errno: 1
090525 13:07:56 4021 xpd-I: ProofServCron: 0 sessions are currently active
090525 13:07:56 4021 xpd-I: ProofServCron: next sessions check in 30 secs
============================================

In my xrd.cf configuration file, I put:

============================================
xpd.seclib /opt/root/lib/libXrdSec.so /opt/root/lib/libXrdCrypto.so /opt/root/lib/libXrdCryptossl.so
xpd.sec.protocol pwd -keepcreds -syspwd
============================================

Your help is welcome ;)

Thanks,

Yvan

Hi Yvan,

Just to make sure:
Did you build ROOT with --enable-afs ?
Was there any error while configuring?

Cheers,
Gerri

Hi Gerri,

In fact, I am not sure. I took the tarball from the ROOT web site (root_v5.22.00.Linux-slc4_amd64-gcc3.4.tar.gz from root.cern.ch/root/Version522.html). I don’t know if it has been compiled with the --enable-afs option, however…

Yvan

Hi Yvan,

These tarballs do not have AFS enabled; the main reason is that the AFS authentication libraries are in the ‘openafs-devel’ rpm, which is not installed by default on the build machines.

One additional difficulty for SLC on AMD64 is that only static AFS libs are provided and these are not compiled with PIC support.
This makes the build of the relevant xrootd plug-in fail with a relocation error.
However, there are sites providing shared versions of the relevant libraries for SLC, so this problem can be overcome.

The AFS libraries needed by PROOF are ‘libafsrpc.so’ and ‘libafsauthent.so’; these are typically located under /usr/lib64.
If you have these libraries, or you are in a position to install them, I can provide a version of libXrdSecpwd.so with AFS support enabled that you can use in your installation.

Cheers, Gerri

Hi Gerri,

The machines installed at CC are on SL4. The AFS libraries you mentioned in your previous email (libafsrpc.so and libafsauthent.so) are also available. So if I understand you well, I only need a libXrdSecpwd.so library which should be put in the ROOT lib directory. So if you could tell me where to find it (from a public AFS area at CERN, for example), it would be nice ;)

Cheers,

Yvan

Sorry, I was not notified of your reply.
Good that the libraries are there.
I will build the plug-in and let you know how to get it.

Cheers, Gerri

Hi Yvan,

Sorry for the delay. By trying out on our SLC4 machines, I have realized that the default AFS shared libraries lack a symbol; on some distributions - e.g. Gentoo - the symbols are made available explicitly by modifying the openafs makefiles … what a mess.

So, I have found another solution, consisting in building the plug-ins with the proper static libraries, so that one does not need to link to anything else.

I have put the tarballs with the plug-ins for {5.22.00, SLC4, amd64, gcc34} under

/afs/cern.ch/sw/lcg/contrib/proof/root/afs-plugins/

There are two tarballs:

a. root-5-22-00-afs-etc_slc4_amd64_gcc43.tar.gz
b. root-5-22-00-afs-transarc_slc4_amd64_gcc43.tar.gz

The reason is an additional complication due to the fact that the config directory seems to be hard-coded in AFS and needs to be specified at build time.
Version a) expects files like ThisCell to be under /etc/openafs; version b) uses the Transarc classic convention, with ThisCell under /usr/vice/etc.
(Since there was no additional work, I have put both versions, though a symlink may be enough to interconnect the two.)

The script installAFStar.sh is a first version of an installer (still very basic; just to give you an idea of what to do).

Once you have the new plug-ins in place, you should use the following directives to activate AFS authentication:

xpd.seclib libXrdSec.so
xpd.sec.protocol pwd -keepcreds -syspwd -expcreds:<workdir>/<user>/.creds/.afs -dir:<dir-with-the-pwdadmin-file>

If you do not yet have a pwdadmin-file, just create one by running ‘xrdpwdadmin’ and put it somewhere visible to all the machines: it contains the server-side key to initiate the session ciphers.

Please try and let me know.

Cheers, Gerri
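
A pre-flight check for the steps in the reply above, as an added example that is not part of the original thread or of ROOT/xrootd: afs_variant reports which of the two tarballs (etc or transarc) matches where ThisCell lives on the host, and missing_pwd_opts lists which options of the suggested "xpd.sec.protocol pwd" line a config file lacks. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the AFS plug-in setup in this thread.

# Print which tarball variant fits this host: "etc" when ThisCell is under
# /etc/openafs, "transarc" when it is under /usr/vice/etc.
# $1 is an optional filesystem root prefix (hypothetical, eases testing).
afs_variant() {
    root="${1:-}"
    if [ -f "$root/etc/openafs/ThisCell" ]; then
        echo etc
    elif [ -f "$root/usr/vice/etc/ThisCell" ]; then
        echo transarc
    else
        return 1    # no AFS client configuration found in either place
    fi
}

# Print the options from the suggested "xpd.sec.protocol pwd" line that are
# absent from the pwd directive in config file $1 (empty output = all there).
missing_pwd_opts() {
    line=$(grep -E '^[[:space:]]*xpd\.sec\.protocol[[:space:]]+pwd([[:space:]]|$)' "$1" \
           | tail -n 1 | tr '\t' ' ')
    if [ -z "$line" ]; then
        echo "no-pwd-directive"
        return 0
    fi
    missing=""
    for opt in -keepcreds -syspwd -expcreds: -dir:; do
        case " $line" in
            *" $opt"*) ;;                        # option present
            *) missing="$missing $opt" ;;        # option absent
        esac
    done
    echo "${missing# }"
}

# Constructed sample input: the directive from the original question.
sample=$(mktemp)
printf '%s\n' 'xpd.sec.protocol pwd -keepcreds -syspwd' > "$sample"
echo "tarball variant for this host: $(afs_variant || echo none)"
echo "options missing from sample:   $(missing_pwd_opts "$sample")"
rm -f "$sample"
```
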