You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
this is a feature, we removed the functionality that allowed the daemon to change its effective UID, and thus be able to read these files. In master, the keytab (and ssh certificate chains) needs to be readable by the xrootd deamon process. You need to adjust your filesystem ACLs.
Recompiling the Castor-XRootD plugin against the current master branch of XRootD, I get the following error:
Plugin loaded unreleased secunix v20140224-6a25b71 from sec.protocol /usr/lib64/libXrdSecunix.so
=====> sec.protocol /usr/lib64/ unix
Plugin loaded unreleased seckrb5 v20140224-6a25b71 from sec.protocol /usr/lib64/libXrdSeckrb5.so
Template for exports not set
Seckrb5: Unable to start sequence on the keytab file FILE:/etc/krb5.keytab;
Permission denied
=====> sec.protocol /usr/lib64 krb5 host/@CERN.CH
Plugin loaded unreleased secgsi v20140224-6a25b71 from sec.protocol libXrdSecgsi.so
And in /etc/ I have:
[root@lxc2dev6 Castor_git]> ls -lrt /etc/krb5.keytab
-rw------- 1 root root 842 Jun 20 2012 /etc/krb5.keytab
Before (using XRootD 3.3.x) this was not an issue. I assume the problem comes from this commit:
http://xrootd.cern.ch/cgi-bin/cgit.cgi/xrootd/commit/src/XrdSeckrb5?id=f44d455d78109794a46714764cd57e79bc105969
Could you please have a look and let me know if I need to change anything on my side ( i.e. in the plugin) ?
Thanks,
Elvin
The text was updated successfully, but these errors were encountered: