[OpenAFS-devel] gssklog and globus 4.2.1 gssapi

Mike Coyne Mike.Coyne@PACCAR.com
Thu, 11 Feb 2010 14:10:58 -0600


Thank you for the reply,
As it turns out, a combination of globus_gssapi_gsi-5.17 and
globus_openssl_module-0.8 that I received from the globus support team
did fix the 4.2.1 issue I ran into. I do have my creds set up as
gssklog/fqdn as you mentioned as a service key; the issue seemed to be in
how the service name was being parsed. I also verified it works in the
new 5.0.0. One thing I ran headlong into in the 5.0 version is that the
new gram5 uses sockets in the $HOME/.globus/job/... This was a big
problem for me as my home directory is on AFS (1.4.11). I found in the
jobmanager documentation that it was looking at the HOME environment
variable, so I tried "adjusting" the gatekeeper to redefine HOME to a
spool directory in /var/.. so all the .globus/job/files... would be
spooled in a local directory, and then reset the HOME directory to the
correct location in the job launch wrapper that gets passed to PBS via
the pbs.in/pbs.pm perl module. It's a bit messy but I think I got it
working so far.
Mike Coyne

-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Thursday, February 11, 2010 1:19 PM
To: Mike Coyne
Cc: openafs-devel@openafs.org
Subject: Re: [OpenAFS-devel] gssklog and globus 4.2.1 gssapi



mike coyne wrote:
> There seems to be a problem with getting mutual auth to work for the
> globus service gssklog in the client application gssklog. The call to
> gss_init_sec_context() fails comparing the returned CN with the expected
> service/fqdn. After some tracing I found that if I added the service
> gssklog to the globus_i_gsi_gssapi_get_hostname() function (see below)
> the mutual auth worked as expected. This seemed to be a bit extreme to
> get the mutual auth to work for a generic service, as the only services
> listed in the function were host/ and ftp/. I am wondering if I may have
> missed something?


Yes, I think you have missed something. The gssklog README says:
   With GSI the server's credential is a server certificate with
   CN=gssklog/hostname and a matching private key. These are defaulted to
   /etc/grid-security/afscert.pem and /etc/grid-security/afskey.pem. The
   trusted certificates directory /etc/grid-security/certificates is also
   needed. These can be specified via the -C, -K and -D options
   respectively.

It sounds like you are trying to use a server certificate with
CN=hostname. The gssklogd should have its own certificate with
CN=gssklog/hostname.

The GSI code would treat CN=hostname as CN=host/hostname or
CN=ftp/hostname, much the same as Kerberized FTP would use either
host/hostname or ftp/hostname, i.e. both of these services are login or
access to the file systems of a host.

But gssklog does not need to be run as root, and should not be using
root's certificate. It should have its own certificate and key.

I have not looked at the newer versions of Globus in years, so I don't
know what changes have been made to the GSI. But I suspect that if you
used CN=gssklog/hostname things should work without any changes.


>
> Mike Coyne
>
> -------------cut-line---------------
> Index:
>
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util
s.c
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> ---
>
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util
s.c (revision 540)
> +++
>
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util
s.c (revision 613)
> @@ -2530,7 +2530,12 @@
>          {
>              length =3D name_entry->value->length;
>              data =3D name_entry->value->data;
> -            if ( length > 5 && !strncasecmp((char *) data, "host/",
5))
> +	     if ( length > 8 && !strncasecmp((char *) data, "gssklog/",
8))
> +            {
> +                length -=3D 8;
> +                data +=3D 8;
> +            }
> +            else  if ( length > 5 && !strncasecmp((char *) data,
> "host/", 5))
>              {
>                  length -=3D 5;
>                  data +=3D 5;
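Review bot: the new branch hardcodes a third service prefix ("gssklog/") into globus_i_gsi_gssapi_get_hostname(), alongside the existing host/ and ftp/ cases, which means every new GSI service would need its own patch to this library; and the `+	     if ( length > 8 && ...` line is indented with a tab while the surrounding lines use spaces. As the README quoted above says, the expected name is CN=gssklog/hostname, so the comparison should be driven by the service component of the target name the caller passes to gss_init_sec_context(), not by a list inside the library; if a prefix list must stay, put the three prefixes and their lengths in a table and loop over it so the `length > N` / `data += N` pairs are not duplicated by hand. The branch is checked before host/, so it does not change behaviour for existing host/ and ftp/ names.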
> -------------cut-line---------------
>
>
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
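The name check Engert describes above (GSI accepts a bare CN=hostname only as host/ or ftp/, so a service such as gssklog needs CN=gssklog/hostname) as an added C example; this is illustrative code written for this thread, not gssklog's or Globus's own, and the function name gsi_name_matches() and the login-service table are assumptions.

```c
/* Added example, not Globus or gssklog code: models the check that
 * gss_init_sec_context() performs on the server certificate's CN against
 * the expected target "service/fqdn".  A bare CN=hostname is accepted
 * only for the host/ and ftp/ login services; any other service, such as
 * gssklog, must present CN=service/hostname. */
#include <string.h>
#include <strings.h>

/* Services for which GSI treats CN=hostname as service/hostname (assumed table). */
static const char *const login_services[] = { "host", "ftp", NULL };

static int is_login_service(const char *service)
{
    for (const char *const *s = login_services; *s; s++)
        if (strcasecmp(*s, service) == 0)
            return 1;
    return 0;
}

/* Returns 1 if peer_cn satisfies the expected target "service/fqdn",
 * 0 otherwise.  Service and host names compare case-insensitively, as
 * Kerberos-style service names and DNS names do. */
int gsi_name_matches(const char *peer_cn, const char *target)
{
    const char *slash = strchr(target, '/');
    if (!slash || slash == target || slash[1] == '\0')
        return 0;                           /* malformed target name */
    size_t svc_len = (size_t)(slash - target);
    const char *fqdn = slash + 1;

    const char *cn_slash = strchr(peer_cn, '/');
    if (cn_slash) {
        /* CN=service/hostname: both components must match exactly. */
        return (size_t)(cn_slash - peer_cn) == svc_len
            && strncasecmp(peer_cn, target, svc_len) == 0
            && strcasecmp(cn_slash + 1, fqdn) == 0;
    }

    /* CN=hostname: a host certificate, valid only for host/ and ftp/. */
    char svc[32];
    if (svc_len >= sizeof svc)
        return 0;
    memcpy(svc, target, svc_len);
    svc[svc_len] = '\0';
    return is_login_service(svc) && strcasecmp(peer_cn, fqdn) == 0;
}
```

A host certificate therefore fails the check for a gssklog target, which is the failure Mike hit, while a certificate issued as CN=gssklog/hostname passes without touching the library.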