Thank you for the reply. As it turns out, a combination of globus_gssapi_gsi-5.17 and globus_openssl_module-0.8 I received from the Globus support team did fix the 4.2.1 issue I ran into. I do have my creds set up as gssklog/fqdn as you mentioned, as a service key; the issue seemed to be in how the service name was being parsed. I also verified it works in the new 5.0.0.

One thing I ran headlong into in the 5.0 version is that the new gram5 uses sockets in $HOME/.globus/job/... This was a big problem for me as my home directory is on AFS (1.4.11). I found in the jobmanager documentation that it was looking at the HOME environment variable, so I tried "adjusting" the gatekeeper to redefine HOME to a spool directory in /var/... so all the .globus/job/ files... would be spooled in a local directory, and then reset the HOME directory to the correct location in the job launch wrapper that gets passed to PBS via the pbs.in/pbs.pm Perl module. It's a bit messy but I think I got it working so far.

Mike Coyne
-----Original Message----- 
From: Douglas E. Engert [mailto:[email protected]]
Sent: Thursday, February 11, 2010 1:19 PM
To: Mike Coyne
Cc: [email protected]
Subject: Re: [OpenAFS-devel] gssklog and globus 4.2.1 gssapi

mike coyne wrote:
> There seems to be a problem with getting mutual auth to work for the
> globus service gssklog in the client application gssklog. The call to
> gss_init_sec_context() fails comparing the returned CN with the expected
> service/fqdn. After some tracing I found if I added the service gssklog
> to the globus_i_gsi_gssapi_get_hostname() function (see below) the
> mutual auth worked as expected. This seemed to be a bit extreme to get
> the mutual auth to work for a generic service as the only services
> listed in the function were host/ and ftp/. I am wondering if I may have
> missed something?

Yes I think you have missed something. The gssklog README says:

  With GSI the server's credential is a server certificate with
  CN=gssklog/hostname and a matching private key. These are defaulted to:
  /etc/grid-security/afscert.pem and /etc/grid-security/afskey.pem.
  The trusted certificates directory: /etc/grid-security/certificates
  is also needed. These can be specified via the -C -K and -D options
  respectively.

It sounds like you are trying to use a server certificate with CN=hostname. The gssklogd should have its own certificate with CN=gssklog/hostname.

The GSI code would treat CN=hostname as CN=host/hostname or CN=ftp/hostname, much the same as Kerberized FTP would use either host/hostname or ftp/hostname, i.e. both of these services are login or access to the file systems of a host. But the gssklog does not need to be run as root, and should not be using root's certificate. It should have its own certificate and key.

I have not looked at the newer versions of Globus in years, so don't know what changes have been made to the GSI. But I suspect if you used CN=gssklog/hostname things should work without any changes.
> > Mike Coyne > > -------------cut-line--------------- > Index: > trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util s.c > =================================================================== > --- > trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util s.c (revision 540) > +++ > trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_util s.c (revision 613) > @@ -2530,7 +2530,12 @@ > { > length = name_entry->value->length; > data = name_entry->value->data; > - if ( length > 5 && !strncasecmp((char *) data, "host/", 5)) > + if ( length > 8 && !strncasecmp((char *) data, "gssklog/", 8)) > + { > + length -= 8; > + data += 8; > + } > + else if ( length > 5 && !strncasecmp((char *) data, > "host/", 5)) > { > length -= 5; > data += 5; > -------------cut-line--------------- > > > _______________________________________________ > OpenAFS-devel mailing list > [email protected] > https://lists.openafs.org/mailman/listinfo/openafs-devel > > -- Douglas E. Engert <[email protected]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
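Review bot: the new branch strips the gssklog/ prefix in the same generic hostname-extraction path as host/, so every caller of globus_i_gsi_gssapi_get_hostname() will now treat a CN=gssklog/hostname certificate as naming that host, exactly as it already treats host/ and ftp/; as the rest of the thread points out, gssklog is a separate service with its own certificate and key rather than a host-login service, so a gssklog credential should not satisfy a peer that expected host/hostname. The service part of the target name handed to gss_init_sec_context() should be compared against the CN's prefix instead of hard-coding one more service into the strip list, which would also avoid a library patch for each new service. Minor: `length > 8` mirrors the existing `length > 5` and correctly rejects a CN that is only "gssklog/" with no hostname behind it.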
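A service-aware form of the name comparison the thread discusses, as an added example (not Globus, gssklog, or either poster's code): a bare hostname CN is accepted only when the expected service is one of the host-login services host/ or ftp/, and any other service prefix must match the expected service exactly, so a gssklog/ certificate is not accepted where host/ is expected. The function name and the example hostnames are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example (hypothetical name, not the Globus GSI routine). A peer CN is
 * either "service/hostname" or a bare hostname. Returns 1 when the CN
 * satisfies the expected service at the expected host, 0 otherwise. */
int gsi_cn_matches(const char *cn, const char *expected_service,
                   const char *expected_host)
{
    const char *slash = strchr(cn, '/');
    const char *host;
    int exp_is_login = strcasecmp(expected_service, "host") == 0 ||
                       strcasecmp(expected_service, "ftp") == 0;

    if (slash == NULL) {
        /* Bare hostname: GSI treats it like host/ or ftp/, nothing else. */
        if (!exp_is_login)
            return 0;
        host = cn;
    } else {
        size_t svc_len = (size_t)(slash - cn);
        /* host/ and ftp/ are interchangeable: both mean login to the host. */
        int cn_is_login = (svc_len == 4 && strncasecmp(cn, "host", 4) == 0) ||
                          (svc_len == 3 && strncasecmp(cn, "ftp", 3) == 0);
        if (cn_is_login) {
            if (!exp_is_login)
                return 0;
        } else if (strlen(expected_service) != svc_len ||
                   strncasecmp(cn, expected_service, svc_len) != 0) {
            return 0; /* e.g. gssklog/ offered where host/ was expected */
        }
        host = slash + 1;
    }
    /* Hostnames compare case-insensitively; an empty hostname never matches. */
    return *host != '\0' && strcasecmp(host, expected_host) == 0;
}

int main(void)
{
    /* Constructed sample names; afs1.example.org is not a real host. */
    printf("gssklog cert for gssklog: %d\n",
           gsi_cn_matches("gssklog/afs1.example.org", "gssklog", "afs1.example.org"));
    printf("gssklog cert for host:    %d\n",
           gsi_cn_matches("gssklog/afs1.example.org", "host", "afs1.example.org"));
    printf("bare CN for host:         %d\n",
           gsi_cn_matches("afs1.example.org", "host", "afs1.example.org"));
    return 0;
}
```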
