Problems like those encountered in RT Ticket https://rt.dcache.org/Ticket/Display.html?id=10057
have to do with the refusal of the xrdcp client to delegate a proxy because the hostname
has not been verified or has been verified using DNS lookup. These can usually
be solved by having the host certs reissued with a SAN extension for the alias.
However, the user may be in the dark as to why an authentication error occurs. This
can be from either the total absence of a proxy on the dcache destination side (pool)
or because the TPC client has fallen back to generating the proxy from the host cert
whose DN is not mapped on the source server.
Modification:
On an error response during the authentication phase, if the protocol is gsi,
report whether or not the pool received a delegated proxy. This should help
in the diagnosis.
Result:
A little less mystery as to what might have gone wrong.
Target: master
Request: 4.0
Request: 3.5
Acked-by: Paul
Motivation:
Problems like those encountered in RT Ticket https://rt.dcache.org/Ticket/Display.html?id=10057 have to do with the refusal of the xrdcp client to delegate a proxy because the hostname has not been verified or has been verified using DNS lookup. These can usually be solved by having the host certs reissued with a SAN extension for the alias.
However, the user may be in the dark as to why an authentication error occurs. This can be from either the total absence of a proxy on the dcache destination side (pool) or because the TPC client has fallen back to generating the proxy from the host cert whose DN is not mapped on the source server.
Modification:
On an error response during the authentication phase, if the protocol is gsi, report whether or not the pool received a delegated proxy. This should help in the diagnosis.
Result:
A little less mystery as to what might have gone wrong.
Target: master Request: 4.0 Request: 3.5 Acked-by: Paul