
530 530 No local mapping for Globus ID

NOTE: various items on this page are historical and hence no longer relevant.


  1. A proxy with expired VOMS attributes was refused ("Login incorrect").
  2. Server has wrong VOMS configuration for VO.
  3. Problem in /etc/grid-security/grid-mapfile
  4. Problem in /etc/grid-security/groupmapfile (for VOMS mapping)
  5. Problem in /opt/glite/etc/lcmaps/{grid,group}mapfile (Quattor setup)
  6. Problem with pool accounts
  7. Problem with /etc/grid-security/gridmapdir
  8. Files for pool accounts absent from /etc/grid-security/gridmapdir
  9. Variable GRIDMAPDIR is not set correctly. Gatekeeper and GridFTP daemon need this to be able to use pool accounts, else only static accounts (like dteamsgm) work.
  10. GridFTP daemon does not have LCMAPS_DB_FILE properly defined.
  11. No free pool account in the correct set
  12. Stale entries in /etc/grid-security/gridmapdir
  13. DN is banned in /opt/glite/etc/lcas/ban_users.db
  14. Check {grid-,group}mapfile, gridmapdir, mapping policies of the Argus host (if used).

On the LCG-CE and other gLite services one may also want to check these files, whose contents normally are hardcoded by YAIM or Quattor:



 uberftp server.domain pwd
 globus-url-copy file:/etc/group gsiftp://server.domain/tmp/foo.$$
complains about CRLs in its long output, look here.
 [root@ce dteam]# pwd
 [root@ce dteam]# ls -l
 total 8
 -rw-r--r-- 1 root root 128 Sep 16 16:07
 -rw-r--r-- 1 root root 129 Sep 16 16:07
 [root@ce dteam]# cat 
 /C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
 [root@ce dteam]# cat 
 /C=GR/O=HellasGrid/OU=Certification Authorities/CN=HellasGrid CA 2006
 $ voms-proxy-info -uri
The "uri" attribute can be set on the VOMS server in /opt/glite/etc/voms/*/voms.conf:
Check that it contains the right value for the DN that had a problem.
 # Map VO members (sgm)
 group vomss:// dteamsgm

 # Map VO members (prd)
 group vomss:// dteamprd

 # Map VO members (root group)
 group vomss:// .dteam
 drwxrwx---    2 root     root            8192 Nov 29 15:08 gridmapdir
On the LCG-RB:
 drwxrwx---    2 root     edguser         8192 Nov 29 15:08 gridmapdir
On the gLite WMS:
 drwxrwx---    2 root     glite          20480 Dec 20 12:51 gridmapdir
On the DPM:
 drwxrwx---    2 root     dpmmgr         20480 Dec 14 10:15 gridmapdir
 export LCMAPS_DB_FILE=/opt/glite/etc/lcmaps/lcmaps.db.gridftp
That needs to be in /etc/sysconfig/globus or /etc/sysconfig/globus-gridftp.
Check its logfile /var/log/lcg-expiregridmapdir.log e.g. as follows:
 # tail -999 /var/log/lcg-expiregridmapdir.log | grep ^VO | sort -u
 VO dteam: inuse / total = 70 / 99 = 0.71, thr = 0.8
 "/dteam/Role=lcgadmin/Capability=NULL" dteamsgm
 "/dteam/Role=lcgadmin" dteamsgm
 "/dteam/Role=production/Capability=NULL" dteamprd
 "/dteam/Role=production" dteamprd
 "/dteam/Role=NULL/Capability=NULL" .dteam
 "/dteam" .dteam
The /etc/grid-security/groupmapfile would have corresponding entries mapping VOMS attributes to groups:
 "/dteam/Role=lcgadmin/Capability=NULL" dteam
 "/dteam/Role=lcgadmin" dteam
 "/dteam/Role=production/Capability=NULL" dteam
 "/dteam/Role=production" dteam
 "/dteam/Role=NULL/Capability=NULL" dteam
 "/dteam" dteam
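
An added example, not part of the original page or of any gLite tool: a Python check that every VOMS FQAN mapped in grid-mapfile has a corresponding groupmapfile entry, and that flags malformed or conflicting lines. The function names, the sample entries and the rule used to tell an FQAN from a certificate DN are assumptions made for illustration.

```python
import shlex

def parse_mapfile(text):
    """Parse '"key" target' lines; return (entries, errors)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key, target = shlex.split(line)
        except ValueError:  # unbalanced quote, or not exactly two fields
            errors.append(f"line {lineno}: malformed entry: {line}")
            continue
        entries.append((key, target))
    return entries, errors

def is_fqan(key):
    # Assumption: a DN's first component holds '=' (/C=GR/...), an FQAN's does not (/dteam/...).
    return key.startswith("/") and "=" not in key.split("/")[1]

def check_mapfiles(gridmap_text, groupmap_text):
    """Return a list of findings; an empty list means the two files agree."""
    grid, grid_err = parse_mapfile(gridmap_text)
    group, group_err = parse_mapfile(groupmap_text)
    findings = [f"grid-mapfile {e}" for e in grid_err] + [f"groupmapfile {e}" for e in group_err]
    group_keys = {key for key, _ in group}
    first = {}  # first account seen for each key
    for key, account in grid:
        if first.setdefault(key, account) != account:
            findings.append(f"grid-mapfile: {key} maps to {first[key]} and {account}")
        if is_fqan(key) and key not in group_keys:
            findings.append(f"groupmapfile: no entry for {key}")
    return findings

# Constructed sample input, modelled on the dteam entries shown on this page.
GRIDMAP = '''\
"/dteam/Role=lcgadmin" dteamsgm
"/dteam/Role=production" dteamprd
"/dteam" .dteam
"/dteam" dteamsgm
"/dteam/Role=NULL .dteam
'''
GROUPMAP = '''\
"/dteam/Role=lcgadmin" dteam
"/dteam" dteam
'''
if __name__ == "__main__":
    print("\n".join(check_mapfiles(GRIDMAP, GROUPMAP)))
```

To check a live host, pass the contents of /etc/grid-security/grid-mapfile and /etc/grid-security/groupmapfile to `check_mapfiles`.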