Thanks for the help. I have the gsiftp server recognizing the mapping in the grid-map file on one machine okay and I can do a transfer as such:
[EMAIL PROTECTED]:~$ globus-url-copy -dbg gsiftp://junkpile.esbaugh.com/etc/group file:///tmp/from-bryan3.test

This works fine. However if I try going the other way, where I use "besbaugh-craptop"'s gsiftp server then I still run into the grid-map error:

[EMAIL PROTECTED]:~$ globus-url-copy gsiftp://besbaugh-craptop.esbaugh.com/etc/group file:///tmp/from-bryan2.test
error: globus_ftp_client: the server responded with an error
530 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/OU=esbaugh.com/CN=Bryan Esbaugh
530-
530 End.

So I figure the problem is with the grid-map file that is on "besbaugh-craptop" being accessed by its gsiftp server. The credential being the same I figure I could simply copy the grid-mapfile from "junkpile" to "besbaugh-craptop".

Is there a way to check that my gsiftp server is checking the right location for the grid-mapfile? It is running as root and should then check /etc/grid-security/grid-mapfile, no?

Does the local username affect the credential? For example, the local username for the usercerts on junkpile is "bryan" while on "besbaugh-craptop" is "besbaugh", does this affect the mapping since I figured it wouldn't matter since you only use the usercert for authorization.

Gridmap file on "besbaugh-craptop"

"/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan

Gridmap file on "junkpile"

"/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan

On Sun, 2008-03-30 at 10:36 -0500, Charles Bacon wrote:
> Did you get yourself two different usercerts? The idea is that the
> one usercert is for the one person, you don't need a second one when
> you go to a different machine. The grid-mapfile is only being
> consulted on the machine hosting the gridftp server. So whatever
> credential your client is presenting needs to be present in the
> grid-mapfile. It doesn't help to have it mapped on the client machine,
> since the server is the one doing the mapfile authorization.
>
> So, my advice for one-user realism - get rid of the second usercert.
> If you're wanting to pretend to be multiple people, you'll need to add
> to the gridftp server machine's grid-mapfile.
>
>
> Charles
>
> On Mar 30, 2008, at 9:41 AM, Bryan Esbaugh wrote:
> > I'm trying to set up the gsiftp part of the quickstart guide across two
> > machines but am running into a security problem, I think. I am pretty
> > sure I have set up the CA correctly and everything works on one machine
> > as far as gsiftp and rft and the web services container. However once I
> > set up the toolkit on another machine and then try to test it using
> > globus-url-copy I get the following error.
> >
> > I think it is a problem with my Grid-map files but I have no idea what
> > is wrong. Any help? Here is a copy of the output and my grid-map files
> > on each machine.
> >
> > [EMAIL PROTECTED]:~$ globus-url-copy -dbg gsiftp://besbaugh-craptop.esbaugh.com/etc/group gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> > debug: starting to size gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> > debug: connecting to gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> > debug: response from gsiftp://besbaugh-craptop.esbaugh.com/etc/group:
> > 220 besbaugh-craptop.esbaugh.com GridFTP Server 2.7 (gcc32, 1197331989-63) [Globus Toolkit 4.0.6] ready.
> >
> > debug: authenticating with gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> > debug: response from gsiftp://besbaugh-craptop.esbaugh.com/etc/group:
> > 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> > 530-
> > 530 End.
> >
> > debug: fault on connection to gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> > debug: operation complete
> > debug: starting to transfer gsiftp://besbaugh-craptop.esbaugh.com/etc/group to gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> > debug: connecting to gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> > debug: response from gsiftp://junkpile.esbaugh.com/tmp/from-craptop:
> > 220 junkpile.esbaugh.com GridFTP Server 2.7 (gcc32, 1197331989-63) [Globus Toolkit 4.0.6] ready.
> >
> > debug: authenticating with gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> > debug: response from gsiftp://junkpile.esbaugh.com/tmp/from-craptop:
> > 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> > 530-
> > 530 End.
> >
> > debug: fault on connection to gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> > debug: operation complete
> >
> > error: globus_ftp_client: the server responded with an error
> > 530 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> > 530-
> > 530 End.
> >
> >
> > Gridmap on besbaugh-craptop
> >
> > "/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Brock" besbaugh
> >
> > Gridmap on junkpile (the first machine I set up which I run the simpleCA from)
> >
> > "/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan
> >
> > I've checked the two grid-map files using
> > grid-mapfile-check-consistency , which says they are okay....hmmm
> >
> > Thanks.
> >
> > -Bryan
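
Added example, not part of the original thread: a small Python check that takes the subject DN from the server's 530 reply and compares it with grid-mapfile entries, reporting the first RDN at which the closest entry differs. The reply and mapfile strings are copied as posted in the messages above; the function names are hypothetical.

```python
import re
import shlex

# Strings as posted in the thread above (second transfer attempt, craptop mapfile).
REPLY_530 = ("530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: "
             "Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com"
             "/OU=esbaugh.com/CN=Bryan Esbaugh")
GRIDMAP = ('"/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com'
           '/OU=esbaugh.com/CN=Bryan Esbaugh" bryan\n')

def dn_from_reply(reply):
    """Pull the subject DN out of a 'Could not map <DN>' server reply."""
    m = re.search(r"Could not map (/.+?)\s*(?:\n|$)", reply)
    return m.group(1) if m else None

def parse_gridmap(text):
    """Return [(dn, [local_users])]; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps a quoted DN with spaces as one token
        if len(parts) >= 2:
            entries.append((parts[0], parts[1].split(",")))
    return entries

def rdns(dn):
    return [p for p in dn.split("/") if p]

def explain(dn, entries):
    """Return ('mapped', users) or ('unmapped', (closest_dn, index, presented, in_file))."""
    for entry_dn, users in entries:
        if entry_dn == dn:  # the lookup is an exact string match on the DN
            return "mapped", users
    best = None
    for entry_dn, _ in entries:
        a, b = rdns(dn), rdns(entry_dn)
        same = 0
        while same < min(len(a), len(b)) and a[same] == b[same]:
            same += 1
        if best is None or same > best[1]:
            best = (entry_dn, same, a[same] if same < len(a) else None,
                    b[same] if same < len(b) else None)
    return "unmapped", best

if __name__ == "__main__":
    print(explain(dn_from_reply(REPLY_530), parse_gridmap(GRIDMAP)))
```

Run against the server's real /etc/grid-security/grid-mapfile, the same comparison shows whether the DN the client presents is byte-for-byte what the file contains.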
