CTA tape server failed to run "eos space ls" command

Hi, there,
We are now using cta 4.2-1 for testing. When we tried to retrieve a file from a tape, the cta-taped process failed to run “eos space ls”, and retrievial request failed. And the EOS log reads:

211009 09:38:20 time=1633743500.389483 func=IdMap                    level=INFO  logid=static.............................. unit=mgm@laso01.ihep.ac.cn:1094 tid=00007f6e21ffd700 source=Mapping:993                    tident= sec=(null) uid=99 gid=99 name=- geo="" sec.prot=sss sec.name="cta" sec.host="laso-tape05.ihep.ac.cn" sec.vorg="" sec.grps="tape" sec.role="" sec.info="" sec.app="" sec.tident="cta.84308:366@laso-tape05" vid.uid=1000 vid.gid=1031
211009 09:38:20 time=1633743500.389570 func=open                     level=INFO  logid=9573f792-28a1-11ec-b49d-000af7d67d60 unit=mgm@laso01.ihep.ac.cn:1094 tid=00007f6e21ffd700 source=XrdMgmOfsFile:499              tident=cta.84308:366@laso-tape05 sec=sss   uid=1000 gid=1031 name=cta geo="" op=read path=/proc/admin/ info=mgm.cmd.proto=ggEECgIQAQ==
211009 09:38:20 time=1633743500.389976 func=Emsg                     level=ERROR logid=9573f792-28a1-11ec-b49d-000af7d67d60 unit=mgm@laso01.ihep.ac.cn:1094 tid=00007f6e21ffd700 source=XrdMgmOfsFile:3239             tident=cta.84308:366@laso-tape05 sec=sss   uid=1000 gid=1031 name=cta geo="" Unable to execute proc command - you don't have the requested permissions for that operation (2) /proc/admin/; Operation not permitted

The EOS Vid setup is as following:

hostmatch:"protocol=* pattern=eos*.ihep.ac.cn
hostmatch:"protocol=* pattern=laso-tape*
hostmatch:"protocol=* pattern=laso0*
hostmatch:"protocol=sss pattern=laso-tape*
hostmatch:"protocol=sss pattern=laso-tape0*.ihep.ac.cn
hostmatch:"protocol=sss pattern=laso0*
hostmatch:"protocol=unix pattern=eos0*.ihep.ac.cn
hostmatch:"protocol=unix pattern=laso-tape*
hostmatch:"protocol=unix pattern=laso0*.ihep.ac.cn
krb5:"<pwd>":gid => root
krb5:"<pwd>":uid => root
publicaccesslevel: => 1024
sss:"*@laso-tape*":gid => root
sss:"*@laso-tape*":uid => root
sss:"<pwd>":gid => root
sss:"<pwd>":uid => root
sudoer                 => uids(cta)
tident:"*@eos*.ihep.ac.cn":gid => root
tident:"*@eos*.ihep.ac.cn":uid => root
tident:"*@laso-tape*":gid => root
tident:"*@laso-tape*":uid => root
tident:"*@laso0*":gid => root
tident:"*@laso0*":uid => root
tident:"*@localhost":gid => root
tident:"*@localhost":uid => root
tident:"grpc@[:1]":gid => root
tident:"grpc@[:1]":uid => root
tident:"grpc@cta.ihep.ac.cn":gid => root
tident:"grpc@cta.ihep.ac.cn":uid => root
tident:"grpc@laso01.ihep.ac.cn":gid => root
tident:"grpc@laso01.ihep.ac.cn":uid => root
tident:"sss@laso-tape*":gid => root
tident:"sss@laso-tape*":uid => root
tident:"sss@laso-tape0*.ihep.ac.cn":gid => root
tident:"sss@laso-tape0*.ihep.ac.cn":uid => root
tident:"sss@laso0*":gid => root
tident:"sss@laso0*":uid => root
tident:"unix@eos0*.ihep.ac.cn":gid => root
tident:"unix@eos0*.ihep.ac.cn":uid => root
tident:"unix@laso-tape*":gid => root
tident:"unix@laso-tape*":uid => root
tident:"unix@laso0*.ihep.ac.cn":gid => root
tident:"unix@laso0*.ihep.ac.cn":uid => root
tident:"unix@localhost":gid => root
tident:"unix@localhost":uid => root
unix:"*:@laso-tape*":gid => root
unix:"*:@laso-tape*":uid => root
unix:"*@laso-tape*":gid => root
unix:"*@laso-tape*":uid => root
unix:"<pwd>":gid => nobody
unix:"<pwd>":uid => nobody
unix:"unix@laso-tape*":gid => root
unix:"unix@laso-tape*":uid => root

We use the server laso-tape05 as our tape server, and laso01 as the EOS MGM server. It is a eos permission problem, but we don’t know to fix this problem.

Running “xrdfs root://laso01.ihep.ac.cn/ query space /eos” by hand also failed.


cta-taped is configured to use SSS keys through /etc/sysconfig/cta-taped. For example, on a local test system we have


So one can run

sudo -u cta XrdSecPROTOCOL=sss XrdSecSSSKT=/etc/cta/ctafrontend_client_sss.keytab eos space ls

Please check your config in this respect.