Here are some useful things to check and mention when contacting us for help:
Check the version of the gLExec version:
Check the file permissions of the gLExec executable.
For all run-modes of gLExec, the gLExec must be executable for all users.
- For running gLExec in setuid mode, preferably use one of the following modes (setuid and setgid):
glexec: mode: 6111, 6511, 6711; owned by root:glexec glexec.conf: mode: 0440; owned by root:glexec
- In case setgid is not possible, preferably use one of the following modes (only setuid):
glexec: mode: 4111, 4511, 4711; owned by root:glexec or root:root glexec.conf: mode: 0444; owned by root:glexec or root:root
- For running gLExec in logging only mode, preferably use one of the following modes:
glexec: mode: 0111, 0511, 0711; owned by root:glexec or root:root glexec.conf: mode: 0444; owned by root:glexec or root:root
Before continuing with testing: The gLExec Exit Codes and the Environment variables
The following pages might hold interesting to glance through before proceeding with your debugging:
- Proxy file handling in gLExec: All the details about the environment variables used by gLExec.
- Exit codes of gLExec: All the details about the exit codes of gLExec.
Test the exit codes by printing them on the shell by showing the value of $? Example:
/opt/glite/sbin/glexec /usr/bin/id -a; echo $?
Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path
See Proxy file handling in gLExec for the purpose of these environment variables.
export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms export X509_USER_PROXY=`pwd`/mkproxy-x509-voms
Is the user account that tries to use gLExec whitelisted?
Method 1.: the calling account is a member of the 'glexec' primary or secondary group.
Method 2.: the account or the pool is whitelisted in the glexec.conf. See the Man pages of gLExec for more details on the whitelist options.
Note: when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable glexec.conf file: in case the glexec.conf file is unreadable, gLExec uses its buildin defaults, including whitelisting only unix accounts which are member of the glexec group.
Example test script for gLExec
Testing basic functionality:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing with the transfer of a specific proxy file:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY export GLEXEC_SOURCE_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing multi-user Pilot Job scenarios:
#!/bin/sh VOMSINFO=`which voms-proxy-info` PILOT_PROXY=/tmp/x509up_`id -u` TARGET_USER_PROXY=`pwd`/other.proxy export X509_USER_PROXY=$PILOT_PROXY export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY $VOMSINFO -all /opt/glite/sbin/glexec $VOMSINFO -all