On Mar 30, 2008, at 7:01 PM, Bryan Esbaugh wrote:
I have the gsiftp server recognizing the mapping in the grid-map file on one machine okay and I can do a transfer as such:

[EMAIL PROTECTED]:~$ globus-url-copy -dbg gsiftp://junkpile.esbaugh.com/etc/group file:///tmp/from-bryan3.test

This works fine.

Good!

However if I try going the other way, where I use "besbaugh-craptop"'s gsiftp server then I still run into the grid-map error:

[EMAIL PROTECTED]:~$ globus-url-copy gsiftp://besbaugh-craptop.esbaugh.com/etc/group file:///tmp/from-bryan2.test

error: globus_ftp_client: the server responded with an error
530 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/OU=esbaugh.com/CN=Bryan Esbaugh
530-
530 End.

So I figure the problem is with the grid-map file that is on "besbaugh-craptop" being accessed by its gsiftp server. The credential being the same I figure I could simply copy the grid-mapfile from "junkpile" to "besbaugh-craptop".

Is there a way to check that my gsiftp server is checking the right location for the grid-mapfile? It is running as root and should then check /etc/grid-security/grid-mapfile, no? Does the local username affect the credential?

For example, the local username for the usercerts on junkpile is "bryan" while on "besbaugh-craptop" it is "besbaugh". Does this affect the mapping? I figured it wouldn't matter since you only use the usercert for authorization.

Yes, that's the problem. The grid-mapfile is used for authentication and authorization. Your authentication step is fine, because your certificate subject shows up in the grid-mapfile and has a user account listed next to it. But then the gridftp server needs to setuid to your account - that's how it lets you access files. When the gridftp server looks up your destination account, it finds that it doesn't exist on the craptop, so it doesn't have anyone to setuid to, and fails your authorization attempt.

That's the long way of saying that yes, for gridftp the destination user account is important. You're correct that some other services (particularly ones that don't need to setuid to establish user privileges) just care about you being listed in the grid-mapfile and not who you're mapped to. Not the case for gridftp though.


Charles
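As an added illustration of the two checks Charles describes (this is not Globus code; the mapfile contents and the per-host account lists are constructed from the thread), the mapping succeeds on junkpile and fails on the craptop for the same DN because the mapped account does not exist there:

```python
import pwd
import shlex
from typing import Callable, Dict, List, Tuple

# Constructed sample mapfiles modelled on the two in the thread: the same DN,
# mapped to the local account "bryan" on both hosts.
SUBJECT = "/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh"
GRIDMAP_JUNKPILE = f'"{SUBJECT}" bryan\n'
GRIDMAP_CRAPTOP = f'# copied verbatim from junkpile\n"{SUBJECT}" bryan\n'
# Constructed: the accounts present in /etc/passwd on each host.
ACCOUNTS_JUNKPILE = {"root", "bryan"}
ACCOUNTS_CRAPTOP = {"root", "besbaugh"}


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    # Each line is '"<subject DN>" user[,user...]'; '#' lines are comments.
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the quotes keep the spaces inside the CN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[parts[0]] = parts[1].split(",")
    return mapping


def authorize(subject: str, gridmap: str,
              account_exists: Callable[[str], bool]) -> Tuple[str, str]:
    # Check 1: is the presented subject listed at all?
    accounts = parse_gridmap(gridmap).get(subject)
    if not accounts:
        return ("no-mapping", "")
    # Check 2: does the default (first listed) account exist locally? The
    # server must setuid to it, so a copied mapfile fails here on the craptop.
    target = accounts[0]
    if not account_exists(target):
        return ("no-account", target)
    return ("ok", target)


def system_account_exists(name: str) -> bool:
    # Real lookup for use on a server host: pwd sees what setuid would need.
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False
```

On a real server host, pass `system_account_exists` and feed in the file the server actually reads (by default /etc/grid-security/grid-mapfile); a "no-account" result means the fix is creating the account, not editing the mapfile.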

Gridmap file on "besbaugh-craptop"

"/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan

Gridmap file on "junkpile"

"/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan


On Sun, 2008-03-30 at 10:36 -0500, Charles Bacon wrote:

Did you get yourself two different usercerts?  The idea is that the
one usercert is for the one person, you don't need a second one when
you go to a different machine.  The grid-mapfile is only being
consulted on the machine hosting the gridftp server.  So whatever
credential your client is presenting needs to be present in the
grid-mapfile.  It doesn't help to have it mapped on the client machine,
since the server is the one doing the mapfile authorization.

So, my advice for one-user realism - get rid of the second usercert.
If you're wanting to pretend to be multiple people, you'll need to add
to the gridftp server machine's grid-mapfile.


Charles

On Mar 30, 2008, at 9:41 AM, Bryan Esbaugh wrote:
> I'm trying to set up the gsiftp part of the quickstart guide across
> two
> machines but am running into a security problem, I think. I am pretty
> sure I have set up the CA correctly and everything works on one
> machine
> as far as gsiftp and rft and the web services container. However
> once I
> set up the toolkit on another machine and then try to test it using
> globus-url-copy I get the following error.
>
> I think it is a problem with my Grid-map files but I have no idea what
> is wrong. Any help? Here is a copy of the output and my grid-map files
> on each machine.
>
> [EMAIL PROTECTED]:~$ globus-url-copy -dbg
> gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> debug: starting to size gsiftp://besbaugh-craptop.esbaugh.com/etc/
> group
> debug: connecting to gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> debug: response from gsiftp://besbaugh-craptop.esbaugh.com/etc/group :
> 220 besbaugh-craptop.esbaugh.com GridFTP Server 2.7 (gcc32,
> 1197331989-63) [Globus Toolkit 4.0.6] ready.
>
> debug: authenticating with
> gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> debug: response from gsiftp://besbaugh-craptop.esbaugh.com/etc/group :
> 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could
> not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> 530-
> 530 End.
>
> debug: fault on connection to
> gsiftp://besbaugh-craptop.esbaugh.com/etc/group
> debug: operation complete
> debug: starting to transfer
> gsiftp://besbaugh-craptop.esbaugh.com/etc/group to
> gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> debug: connecting to gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> debug: response from gsiftp://junkpile.esbaugh.com/tmp/from-craptop:
> 220 junkpile.esbaugh.com GridFTP Server 2.7 (gcc32, 1197331989-63)
> [Globus Toolkit 4.0.6] ready.
>
> debug: authenticating with
> gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> debug: response from gsiftp://junkpile.esbaugh.com/tmp/from-craptop:
> 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure: Could
> not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> 530-
> 530 End.
>
> debug: fault on connection to
> gsiftp://junkpile.esbaugh.com/tmp/from-craptop
> debug: operation complete
>
> error: globus_ftp_client: the server responded with an error
> 530 530-Login incorrect. : globus_gss_assist: Gridmap lookup failure:
> Could not map /O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.esbaugh.com/CN=Brock
> 530-
> 530 End.
>
>
> Gridmap on besbaugh-craptop
>
> "/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Brock" besbaugh
>
> Gridmap on junkpile (the first machine I set up which I run the simpleCA from)
>
> "/O=Grid/OU=GlobusTest/OU=simpleCA-junkpile.com/OU=esbaugh.com/CN=Bryan Esbaugh" bryan
>
> I've checked the two grid-map files using
> grid-mapfile-check-consistency, which says they are okay....hmmm
>
> Thanks.
>
> -Bryan
>