Tools/Manuals/TS01

From EGIWiki





7 authentication failed

Full message

$ glite-wms-job-logging-info -v 2 https://wms206.cern.ch:9000/9NpOfrIxvbgRMp8tYfinSw
[...]
---
Event: Transfer
- Arrived                    =    Wed Oct 29 02:01:24 2008 CET
- Dest host                  =    unavailable
- Dest instance              =    /var/glite/logmonitor/CondorG.log/CondorG.1225235393.log
- Dest jobid                 =    unavailable
- Destination                =    LRMS
- Host                       =    wms206.cern.ch
- Reason                     =    7 authentication failed: GSS Major Status:
 Authentication Failed GSS Minor Status Error Chain:  init.c:499:
 globus_gss_assist_init_sec_context_async:
 Error during context initialization init_sec_context
- Result                     =    FAIL
- Source                     =    LogMonitor
[...]

Diagnosis

There are 2 possibilities:

  1. The WMS (or RB) could not authenticate the CE.
  2. The CE could not authenticate or map the user's job proxy.

There can be various causes, either on the WMS (or RB) or on the CE:

 edg-gridftp-ls gsiftp://<CE-name>/
 uberftp <CE-name> pwd
 openssl x509 -in /etc/grid-security/hostcert.pem -noout -enddate

With globus-job-run <CE-name> /bin/hostname you may get an error like this:

GRAM Job submission failed because authentication failed:
GSS Major Status: Unexpected Gatekeeper or Service Name
GSS Minor Status Error Chain:

init.c:499: globus_gss_assist_init_sec_context_async: Error during context initialization
init_sec_context.c:251: gss_init_sec_context: Mutual authentication failed: The target name
(/C=IT/O=ORG/OU=Host/L=INST/CN=server02.domain.net) in the context, and the target name
(/CN=host/server01.domain.net) passed to the function do not match (error code 7)


Here the name obtained by reverse resolution of the host's IP address (server01.domain.net) does not match the name found in the host certificate (server02.domain.net). In such cases the client side has a bad entry for the server. Check:
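
To see at a glance which name came from the host certificate and which one the client asked for, the two target names can be pulled out of the error chain and compared. The script below is an added example, not part of the original wiki page or of the gLite/Globus tools; the function names and the SAMPLE_ERROR variable are hypothetical, and it assumes the error wording shown above.

```shell
#!/bin/sh
# Added example: explain a GSI "target name ... do not match" error.

# Print the two DNs from the error text on stdin as "context_dn|requested_dn".
# Wrapped lines are joined first, since the message is usually broken across lines.
gss_target_names() {
    tr '\n' ' ' | sed -n -E \
      's/.*target name *\(([^)]*)\) *in the context, and the target name *\(([^)]*)\) *passed to the function.*/\1|\2/p'
}

# Reduce a DN to the host name in its last CN, dropping a "host/" service
# prefix and lower-casing so that the comparison is case-insensitive.
dn_host() {
    cn=${1##*/CN=}
    cn=${cn#host/}
    printf '%s\n' "$cn" | tr 'A-Z' 'a-z'
}

# Read an error chain on stdin and report both names and whether they agree.
# "cert" is the name in the context (the host certificate), "requested" is
# the name the client passed in (what it resolved the server to).
explain_gss_mismatch() {
    names=$(gss_target_names)
    if [ -z "$names" ]; then
        echo "no target-name mismatch found in input"
        return 0
    fi
    cert_host=$(dn_host "${names%%"|"*}")
    asked_host=$(dn_host "${names#*"|"}")
    if [ "$cert_host" = "$asked_host" ]; then
        echo "OK cert=$cert_host requested=$asked_host"
    else
        echo "MISMATCH cert=$cert_host requested=$asked_host"
    fi
}

# Constructed sample: the error text shown above, with its line wrapping.
SAMPLE_ERROR='init_sec_context.c:251: gss_init_sec_context: Mutual authentication failed: The target name
(/C=IT/O=ORG/OU=Host/L=INST/CN=server02.domain.net) in the context, and the target name
(/CN=host/server01.domain.net) passed to the function do not match (error code 7)'

printf '%s\n' "$SAMPLE_ERROR" | explain_gss_mismatch
```

The "requested" name is the one to trace back on the client side, since the "cert" name is fixed by the host certificate.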

