The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "Tools/Manuals/TS01"
< Tools
Jump to navigation
Jump to search
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{{Template:Op menubar}} | |||
{{Template:Doc_menubar}} | |||
[[Category:Operations Manuals]] | |||
{{TOC_right}} | {{TOC_right}} | ||
------ | ------ | ||
Back to [[Manuals | Back to [[Tools/Manuals/SiteProblemsFollowUp|Troubleshooting Guide]] | ||
------ | ------ | ||
| Line 34: | Line 38: | ||
There can be various causes, either on the WMS (or RB) or on the CE: | There can be various causes, either on the WMS (or RB) or on the CE: | ||
* Ensure both nodes have the '''correct time'''. Refer to [[Manuals/ | * Ensure both nodes have the '''correct time'''. Refer to [[Tools/Manuals/TS10|sslv3 alert bad certificate]]. | ||
* Refer to [[Manuals/ | * Refer to [[Tools/Manuals/TS03|530 530 No local mapping for Globus ID]] for many possible causes. | ||
* To get more information, try to access the server using GridFTP: | * To get more information, try to access the server using GridFTP: | ||
edg-gridftp-ls gsiftp://<CE-name>/ | |||
uberftp <CE-name> pwd | |||
* Check that the CRLs are up to date (less than 6 hours old) on both nodes. | * Check that the CRLs are up to date (less than 6 hours old) on both nodes. | ||
* Check that the host certificate is still valid: | * Check that the host certificate is still valid: | ||
openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate | |||
* Check that the grid-mapfile is up-to-date. | * Check that the grid-mapfile is up-to-date. | ||
Latest revision as of 13:22, 23 November 2012
| Main | EGI.eu operations services | Support | Documentation | Tools | Activities | Performance | Technology | Catch-all Services | Resource Allocation | Security |
| Documentation menu: | Home • | Manuals • | Procedures • | Training • | Other • | Contact ► | For: | VO managers • | Administrators |
Back to Troubleshooting Guide
7 authentication failed
Full message
$ glite-wms-job-logging-info -v 2 https://wms206.cern.ch:9000/9NpOfrIxvbgRMp8tYfinSw [...] --- Event: Transfer - Arrived = Wed Oct 29 02:01:24 2008 CET - Dest host = unavailable - Dest instance = /var/glite/logmonitor/CondorG.log/CondorG.1225235393.log - Dest jobid = unavailable - Destination = LRMS - Host = wms206.cern.ch - Reason = 7 authentication failed: GSS Major Status: Authentication Failed GSS Minor Status Error Chain: init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization init_sec_context - Result = FAIL - Source = LogMonitor [...]
Diagnosis
There are 2 possibilities:
- The WMS (or RB) could not authenticate the CE.
- The CE could not authenticate or map the user's job proxy.
There can be various causes, either on the WMS (or RB) or on the CE:
- Ensure both nodes have the correct time. Refer to sslv3 alert bad certificate.
- Refer to 530 530 No local mapping for Globus ID for many possible causes.
- To get more information, try to access the server using GridFTP:
edg-gridftp-ls gsiftp://<CE-name>/ uberftp <CE-name> pwd
- Check that the CRLs are up to date (less than 6 hours old) on both nodes.
- Check that the host certificate is still valid:
openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate
- Check that the grid-mapfile is up-to-date.
With globus-job-run <CE-name> /bin/hostname you may get an error like this:
GRAM Job submission failed because authentication failed: GSS Major Status: Unexpected Gatekeeper or Service Name GSS Minor Status Error Chain: init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization init_sec_context.c:251: gss_init_sec_context: Mutual authentication failed: The target name (/C=IT/O=ORG/OU=Host/L=INST/CN=server02.domain.net) in the context, and the target name (/CN=host/server01.domain.net) passed to the function do not match (error code 7)
Here the reverse resolution of the host IP address to its name (server01.domain.net)
is not equal to what is found in the host certificate (server02.domain.net).
In such cases the client side has a bad entry for the server. Check:
- /etc/hosts
- bad caching by nscd or local named process
- DNS configuration.