[OpenAFS-devel] gssklog and globus 4.2.1 gssapi
Mike Coyne
Mike.Coyne@PACCAR.com
Thu, 11 Feb 2010 14:10:58 -0600
Thank you for the reply,
As it turns out, a combination of
globus_gssapi_gsi-5.17 and globus_openssl_module-0.8 I received from
the globus support team did fix the 4.2.1 issue I ran into. I do have my
creds set up as gssklog/fqdn as you mentioned as a service key; the issue
seemed to be in how the service name was being parsed. I also verified
it works in the new 5.0.0. One thing I ran headlong into in the 5.0
version is that the new gram5 uses sockets in $HOME/.globus/job/...
This was a big problem for me as my home directory is on AFS (1.4.11). I
found in the jobmanager documentation that it was looking at the HOME
environment variable, so I tried "adjusting" the gatekeeper to redefine
HOME to a spool directory in /var/.. so all the .globus/job/ files...
would be spooled in a local directory, and then reset the HOME directory
to the correct location in the job launch wrapper that gets passed to
PBS via the pbs.in/pbs.pm perl module. It's a bit messy but I think I
have it working so far.
Mike Coyne
-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Thursday, February 11, 2010 1:19 PM
To: Mike Coyne
Cc: openafs-devel@openafs.org
Subject: Re: [OpenAFS-devel] gssklog and globus 4.2.1 gssapi
mike coyne wrote:
> There seems to be a problem with getting mutual auth to work for the
> globus service gssklog in the client application gssklog. The call to
> gss_init_sec_context() fails comparing the returned CN with the expected
> service/fqdn. After some tracing I found if I added the service gssklog
> to the globus_i_gsi_gssapi_get_hostname() function (see below) the
> mutual auth worked as expected. This seemed to be a bit extreme to get
> the mutual auth to work for a generic service as the only services
> listed in the function were host/ and ftp/. I am wondering if I may have
> missed something?
Yes, I think you have missed something. The gssklog README says:
With GSI the server's credential is a server certificate with
CN=gssklog/hostname
and a matching private key. These are defaulted to:
/etc/grid-security/afscert.pem
and /etc/grid-security/afskey.pem. The trusted certificates directory:
/etc/grid-security/certificates is also needed. These can be specified via
the -C -K and -D options respectively.
It sounds like you are trying to use a server certificate with
CN=hostname.
The gssklogd should have its own certificate with CN=gssklog/hostname.
The GSI code would treat CN=hostname as CN=host/hostname or
CN=ftp/hostname
much the same as Kerberized FTP would use either host/hostname or
ftp/hostname,
i.e. both of these services are login or access to the file systems of a
host.
But the gssklog does not need to be run as root, and should not be using
root's certificate. It should have its own certificate and key.
I have not looked at the newer versions of Globus in years, so I don't
know what changes have been made to the GSI. But I suspect if you used
CN=gssklog/hostname things should work without any changes.
>
> Mike Coyne
>
> -------------cut-line---------------
> Index: trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
> ===================================================================
> --- trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 540)
> +++ trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 613)
> @@ -2530,7 +2530,12 @@
> {
> length =3D name_entry->value->length;
> data =3D name_entry->value->data;
> - if ( length > 5 && !strncasecmp((char *) data, "host/",
5))
> + if ( length > 8 && !strncasecmp((char *) data, "gssklog/",
8))
> + {
> + length -=3D 8;
> + data +=3D 8;
> + }
> + else if ( length > 5 && !strncasecmp((char *) data,
> "host/", 5))
> {
> length -=3D 5;
> data +=3D 5;
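Review bot: the new "gssklog/" branch (length > 8 / strncasecmp / length -= 8 / data += 8) hard-codes one more service name into globus_i_gsi_gssapi_get_hostname(), which is the same pattern that already limits the function to host/ and ftp/ and will need yet another branch for the next service; since the three branches differ only in the prefix and its length, a table of accepted prefixes walked in one loop, or a generic strip of everything up to the first '/', would fix gssklog without growing the if/else chain. Also worth stating in the commit message why a library-level change is needed at all, given the README expectation that the client compares against CN=gssklog/hostname.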
> -------------cut-line---------------
>
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
-- 
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
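The thread turns on how a GSI peer derives the hostname from the server certificate's CN and compares it with the service/fqdn the client expects: the library strips a known "host/" or "ftp/" prefix, so a CN=gssklog/hostname certificate only matches once "gssklog/" is also recognised. The following is an added example, not Globus or gssklog code, that shows that check in isolation: a table-driven prefix strip (the generalisation of the one-branch patch above) followed by a strict service+host comparison. The function names cn_hostname and cn_matches, the service table and the sample CNs are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp / strcasecmp (POSIX) */

/* Constructed table of service prefixes the name check will recognise.
 * This is the generalisation of the host/ and ftp/ branches discussed in
 * the thread: adding a service is a table entry, not another if/else. */
static const char *const known_services[] = { "host/", "ftp/", "gssklog/", NULL };

/* Return a pointer to the hostname part of a CN.  If the CN starts with a
 * known "service/" prefix (compared case-insensitively, and only when
 * something follows the slash, mirroring the length > N test in the
 * thread's patch), the prefix is skipped; otherwise the whole CN is
 * treated as a bare hostname.  No copy is made. */
const char *cn_hostname(const char *cn)
{
    for (const char *const *p = known_services; *p != NULL; p++) {
        size_t n = strlen(*p);
        if (strlen(cn) > n && strncasecmp(cn, *p, n) == 0)
            return cn + n;
    }
    return cn;
}

/* Mutual-auth style acceptance test for a server CN.
 *   expected_service == NULL  : accept any recognised prefix or a bare
 *                               hostname (the loose host/ftp behaviour
 *                               Douglas describes for CN=hostname).
 *   expected_service != NULL  : the CN must be exactly
 *                               "<expected_service>/<expected_host>".
 * Returns 1 when the CN names the expected server, 0 otherwise. */
int cn_matches(const char *cn, const char *expected_service, const char *expected_host)
{
    const char *host = cn_hostname(cn);

    if (strcasecmp(host, expected_host) != 0)
        return 0;
    if (expected_service == NULL)
        return 1;

    /* The stripped prefix must be precisely "<expected_service>/"; a
     * host/ certificate is not a gssklog/ certificate. */
    size_t n = strlen(expected_service);
    return (size_t)(host - cn) == n + 1
        && strncasecmp(cn, expected_service, n) == 0
        && cn[n] == '/';
}

int main(void)
{
    /* Constructed sample CNs for the demonstration. */
    const char *cns[] = {
        "gssklog/afs.example.org",   /* what the gssklog README asks for */
        "host/afs.example.org",      /* a host certificate on the same box */
        "afs.example.org",           /* bare hostname, no service prefix */
    };
    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++)
        printf("%-28s host=%-18s gssklog-match=%d any-match=%d\n",
               cns[i], cn_hostname(cns[i]),
               cn_matches(cns[i], "gssklog", "afs.example.org"),
               cn_matches(cns[i], NULL, "afs.example.org"));
    return 0;
}
```

Run with a C99 compiler on a POSIX system; the output shows that only the gssklog/ certificate satisfies a client that expects the gssklog service, while the host/ and bare-hostname certificates pass only the loose any-service check, which is exactly why gssklogd needs its own CN=gssklog/hostname credential rather than reusing the host certificate.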