CTA/EOS-XrootD SSi Connection Error

Hi there,

We’ve been playing around with CTA/EOS following the docs on https://eoscta.docs.cern.ch. The documentation for the set up has been pretty straightforward but we now hit a snag.

As an example, trying to run a command like cta-admin drive ls, we get a Error from XRootD SSI Framework: [FATAL] Connection error. Mind you at this point, the xrootd daemons, cta-rmcd e.t.c are already running.
This is confirmed by running the cta-frontend-xrootd.conf file; it starts well then fails with a 11606 ssi_Config: Provider initialization failed.---- ssi initialization failed. Can’t see anything concrete in the logs pointing to another error.

Might you have an idea how this can be resolved? Or is it a problem with a particular config file?

Many thanks,

Hi Mwai,

cta-admin authorises using Kerberos, does the user running cta-admin have a valid Kerberos token?

If that’s not the problem, switch on debug logging in the CTA Frontend conf file:

cta.log.level DEBUG

Depending on the problem it may also be helpful to switch on verbose logging of the contents of the protocol buffers used to communicate between cta-admin and the Frontend:

cta.log.ssi protobuf

or for low-level debugging of SSI problems (unlikely) :

cta.log.ssi debug protobuf

Hi Michael,

Thanks for response.

By user do you mean the user created by:
cta-catalogue-admin-user-create /etc/cta/cta-catalogue.conf -u user or the user under whoami? The latter has a kerberos.

Also, what is the main CTA frontend conf file?
cta-frontend.conf or cta-frontend-xrootd.conf?

It could possibly well be an authentication problem. Checking the frontend log, i have:

=====> sec.protocol sss -s /etc/cta/eos.sss.keytab
201119 12:42:39 5920 sec_Config: protbind sss protocol not previously defined.
=====> sec.protbind * only sss
Config 3 authentication directives processed in /etc/cta/cta-frontend-xrootd.conf
------ Authentication system initialization failed.
Config Unable to create security framework via libXrdSec.so

Does this ring a bell?

You need both: the whoami user needs to have a krb5 token (to identify the user to CTA) and that same username must be added using cta-catalogue-admin-user-create (to authorize that user to run admin commands).

There is only one CTA frontend conf file, cta-frontend-xrootd,conf. If you also have cta-frontend.conf this is deprecated and should be removed.

Looks like you are missing krb5 authentication in this conf file, the line should be:

sec.protbind * only sss krb5

There is an example conf file distributed in the RPM, if you are installing from source take a look in CTA/xroot_plugins and you should find it. Check that the options set there match what is in your configuration.

Hope that helps!

Hi Michael,

Was able to do away with one of the xrootd errors…still seems to be something missing.
the cta-frontend starts well then terminates, generating a core dump when it gets to this point. Might you have an idea what this could point to?

++++++ ssi initialization started.
=====> ssi.svclib libXrdSsiCta.so
Config Configuring standalone server.
201124 15:46:53 28056 ssi_Config: Provider initialization failed.
------ ssi initialization failed.

Also, which is the correct sss key that should be used in the cta-frontend-xrootd.conf file? is it
/etc/cta/eos.sss.keytab or /etc/cta/eos.keytab? And what would be the correct ownership? cta:cta or daemon:daemon

Everything else (Eos - mgm, fst, mq) is running okay.

Thank you!

I think the core dump is due to XRootD issue #751, which is fixed in XRootD 5. In XRootD 4, if your plugin is not configured properly then the framework raises a SIGABRT. Most likely it’s a problem in your config file.

There should only be one SSS keytab. Of course you can call it what you like, on my dev setup it’s eos.sss.keytab. It should be owned by the user that you use to execute the CTA Frontend.

Thanks mate. Up and running.

1 Like