PROOF password authentication

Hi all!

I have a simple PROOF cluster (one master and several nodes).
The master and the nodes have the file /etc/passwd with all users.

I’d like to configure password-based authentication and to enable checking against /etc/passwd.

For this purpose I added the following lines to the config file on the master:

xrootd.seclib /opt/root/lib/root/5.26/libXrdSec.so
xpd.sec.protocol pwd -keepcreds -syspwd

But I have a problem. I connect to PROOF from a remote machine (for example, my user name is xrootd01).

But I entered another user name (for example xrootd02). Both of these users are in /etc/passwd on the master and all nodes.
And the system allows me to connect to PROOF as another user.

[code]
[xrootd01@xxx]~% root
Couldn't find font "-adobe-helvetica-medium-r-*-*-10-*-*-*-*-*-iso8859-1",
trying "fixed". Please fix your system so helvetica can be found,
this font typically is in the rpm (or pkg equivalent) package
XFree86-[75,100]dpi-fonts or fonts-xorg-[75,100]dpi.

  *******************************************
  *                                         *
  *        W E L C O M E  to  R O O T       *
  *                                         *
  *   Version   5.26/00  14 December 2009   *
  *                                         *
  *  You are welcome to visit our Web site  *
  *          http://root.cern.ch            *
  *                                         *
  *******************************************

ROOT 5.26/00 (trunk@31882, Dec 14 2009, 20:18:36 on linuxx8664gcc)

CINT/ROOT C/C++ Interpreter version 5.17.00, Dec 21, 2008
Type ? for help. Commands must be C++ statements.
Enclose multiple statements between { }.
root [0] TProof *p1 = TProof::Open("xrootd02@proof.xxx")
Starting master: opening connection …
Starting master: OK
Opening connections to workers: OK (34 workers)
Setting up worker servers: OK (34 workers)
PROOF set to parallel mode (34 workers)
root [1]
[/code]

I think in this situation a "permission denied" message should appear. The connection must be denied.
What should I do to prevent a situation where one user can connect to PROOF as another user?

Thanks in advance.

Dear Kobla,

Once activated, password authentication via /etc/passwd will allow all users having an entry to connect, if they provide the password.
You can restrict the users allowed to connect with the xpd.allowedusers directive; see root.cern.ch/drupal/content/conf … lowedusers.

G. Ganis

I read about xpd.allowedusers. In my case it cannot help me.

I have many users on the User Interface and all of them are in the file /etc/passwd on the master and nodes.
If I restrict the users allowed to connect with the xpd.allowedusers directive, some users cannot connect to PROOF.

But I need all of them to be able to send tasks to the PROOF cluster. But a user from the UI must start a PROOF task only as himself.
A user must not start a PROOF session as another user.

Well, that is controlled by the authentication, which I thought you switched on.
Is the authentication working?
If not, can you post the error?

G. Ganis

I have the following lines in the config file on the master:

xrootd.seclib /opt/root/lib/root/5.26/libXrdSec.so 
xpd.sec.protocol pwd -keepcreds -syspwd

Does it mean that I switched on authentication?
Or should I configure ROOT with some options to switch on authentication?

The home dirs of my users are AFS dirs.

At least I have the following error:

root [0] TAuthenticate::PrintHostAuth()
Error: Function PrintHostAuth() is not defined in current scope  (tmpfile):1:
*** Interpreter error recovered ***
*** Interpreter error recovered ***

Dear Kobla,

I overlooked the way you specified the authentication directives: the first one is wrong (see also root.cern.ch/drupal/content/enab … entication): it must be ‘xpd.seclib’, not ‘xrootd.seclib’ (this allows security to be controlled differently for the xrootd and xproofd protocols in case one runs the two protocols in the same daemon).

When starting the daemon it should notify you in the log that authentication is enabled.

G. Ganis
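
A configuration check for the mistake described in the reply above, as an added example that is not part of the original thread or of ROOT/xrootd. The function names and file arguments are assumptions; the log string it searches for is the one the daemon prints in the startup log quoted later in this thread.

```shell
#!/bin/sh
# Added example: lint an xproofd config and startup log for the
# xrootd.seclib / xpd.seclib mix-up discussed in this thread.
# Function names are hypothetical helpers, not ROOT or xrootd tools.

# Print the value of the first occurrence of a directive.
# Commented lines never match because their first field starts with '#'.
directive() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Return 0 if the config carries both directives xproofd needs, 1 otherwise.
check_proof_auth_config() {  # $1 = config file
    cfg=$1
    seclib=$(directive "$cfg" xpd.seclib)
    proto=$(directive "$cfg" xpd.sec.protocol)
    rc=0
    if [ -z "$seclib" ]; then
        echo "FAIL: xpd.seclib is not set, authentication is not enabled for xproofd"
        if [ -n "$(directive "$cfg" xrootd.seclib)" ]; then
            echo "      xrootd.seclib is set, but it applies to the xrootd protocol only"
        fi
        rc=1
    fi
    if [ -z "$proto" ]; then
        echo "FAIL: no xpd.sec.protocol directive"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: xpd.seclib=$seclib protocol=$proto"
    return "$rc"
}

# Return 0 if the daemon's startup log confirms that security was loaded.
check_proof_auth_log() {  # $1 = xproofd log file
    grep -q 'ClientMgr::LoadSecurity: strong authentication enabled' "$1"
}
```

Run `check_proof_auth_config` on the master's config file before restarting the daemon, and `check_proof_auth_log` on the xproofd log afterwards; a non-zero exit status from either means sessions may be accepted without a password check.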

Dear Gerri,

Thank you very much for your help!

I have corrected the lines in the config file:

xpd.seclib /opt/root/lib/root/5.26/libXrdSec.so
xpd.sec.protocol pwd -keepcreds -syspwd

Authentication is enabled.

Log file

++++++ Authentication system initialization started.
100511 13:28:18 001 secpwd_Init: Exporting client creds to internal buffer
=====> sec.protocol pwd -keepcreds -syspwd
Config 1 authentication directives processed in /tmp/xpdcfn_cOae3X
------ Authentication system initialization completed.

But I’d like to enable uid/gid authentication.
Is it possible?
What should I do to enable uid/gid authentication?

Cheers, Kobla

Dear Gerri,

I have the following problem.
Could you help me please?

I enabled authentication.
In the config file:

xpd.seclib /opt/root/lib/root/5.26/libXrdSec.so
xpd.sec.protocol pwd -keepcreds -syspwd

In log file:

100617 15:25:58 001 xpd.seclib /opt/root/lib/root/5.26/libXrdSec.so
100617 15:25:58 001 xpd-I: ClientMgr::Config: configuring
100617 15:25:58 001 xpd-I: ClientMgr::Config: clients admin path set to: /tmp/.xproofd.1093/clients
++++++ Authentication system initialization started.
100617 15:25:58 001 secpwd_Init: Exporting client creds to internal buffer
=====> sec.protocol pwd -keepcreds -syspwd
Config 1 authentication directives processed in /tmp/xpdcfn_m0YPlQ
------ Authentication system initialization completed.
100617 15:25:58 001 xpd-I: ClientMgr::LoadSecurity: strong authentication enabled
100617 15:25:58 001 xpd-I: ClientMgr::Config: security library loaded

But when I try to open a connection from another machine I get an error:

root [0] TProof *p1 = TProof::Open("proof.xxx.xxx")
100617 15:26:35 001 Proofx-E: Conn::CheckResp: server [proof.xxx.xxx:1093] did not return OK replying to last request
100617 15:26:35 001 Proofx-E: Conn::CheckErrorStatus: error 3010: 'Secpwd: wrong credentials: : user : xxx: kXPC_normal'
100617 15:26:35 001 Proofx-E: Conn::Authenticate: proof.xxx.xxx: Secpwd: wrong credentials: : user : xxx: kXPC_normal
XrdSec: No authentication protocols are available.
100617 15:26:35 001 Proofx-E: Conn::Authenticate: unable to get protocol object.
100617 15:26:35 001 Proofx-E: Conn::GetAccessToSrv: client could not login at [proof.xxx.xxx:1093]
100617 15:26:35 001 Proofx-E: Conn::Connect: failure: Secpwd: wrong credentials: : user : xxx: kXPC_normal
100617 15:26:35 001 Proofx-E: XrdProofConn: XrdProofConn: severe error occurred while opening a connection to server [proof.xxx.xxx:1093]

And in the log file at the same time:

00617 15:26:35 20860 xpd-E: xxx.29622:41@ui0004-int: ClientMgr::Auth: user authentication failed; Secpwd: wrong credentials: : user : xxx: kXPC_normal
100617 15:26:35 20860 xpd-I: xxx.29622:41@ui0004-int: Protocol::recycle: user xxx disconnected; type: ClientMaster

What am I doing wrong?
Thanks in advance.

Dear Kobla,

Can you set some client debugging before trying to open the PROOF session

root [] gEnv->SetValue("XProof.Debug", 2)
root [] TProof *p1 = TProof::Open("proof.xxx.xxx")

and post the output that you get on the screen?

Thanks,
Gerri

Dear Gerri,

Thank you very much for your help.
Now everything is OK.
It was my mistake. My passwd file was empty (without passwords).

Cheers, Kobla