[OpenAFS] openafs pioctl issue on windows

Jeffrey Altman Jeffrey Altman" <jaltman@secure-endpoints.com
Thu, 30 Oct 2008 13:25:32 -0700

The pioctl error is not strange.  Previously in this thread I indicated =
that it means 'end of list'.  Aklog reads the list of existing tokens.  =
There were none.  Tokens reads the list of tokens.  There was one.

Jeffrey Altman

-original message-
Subject: Re: [OpenAFS] openafs pioctl issue on windows
From: "David Bear" <David.Bear@asu.edu>
Date: 2008-10-30 11:43

This is getting stranger and stranger -- Jeff, I finally got the name =
another service to test.. below is a screen shot of what happened.

On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:

> David Bear wrote:
> > KFW is version 3.2.2 -- resintalled today.
> > Windows is XP Pro with SP2
> > credential cache is API: -- we do make use of windows logon =
> > I've stopped using kinit and only use NIM to get and destroy tickets. =
> > do succesfully get tickets in asu.edu <http://asu.edu>,  as the =
> > of klist shows:
> > Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU> =
> API%3Abvossoug@ASU.EDU <API%253Abvossoug@ASU.EDU>>
> > Default principal: bvossoug@ASU.EDU <mailto:bvossoug@ASU.EDU>
> >
> > Valid starting Expires Service principal
> > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/ASU.EDU
> > <http://ASU.EDU>@ASU.EDU <http://ASU.EDU>
> >  renew until 10/30/08 15:30:56
> >
> > but I'm not getting the afs@asu.edu <mailto:afs@asu.edu> credential.. =
> > why?
> > So, does this indicate the problem is with KfW instead of =
> You have not received any service tickets.  All you have is a TGT.
> Can you obtain service tickets for any service?
>  kvno.exe <service-ticket-name>
> You could also turn on logging in NIM and examine the log.
> My guess is that assuming you have the AFS credential acquisition
> properly configured for NIM that the clock on the machine is not
> set correctly.  Wrong time or wrong time zone.
> I check the date/time.. It syncing with the domain controls which sync =
the kerb servers. It all works.

I did the following in a cmd shell:

C:\Documents and Settings\bvossoug>klist

Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU>
Default principal: bvossoug@ASU.EDU
 Valid starting Expires Service principal

10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/ASU.EDU@ASU.EDU

  renew until 11/06/08 08:44:55

C:\Documents and Settings\bvossoug>aklog
pioctl temp !=3D 0: 0x66543218

NOTE how AKLOG fails.

Then, testing with kvno to get another service, works okay.

C:\Documents and Settings\bvossoug>kvno host/ppp1.asu.edu@ASU.EDU
host/ppp1.asu.edu@ASU.EDU: kvno =3D 4

NOW the thing thats weird is that AFTER i did the kvno, NIM suddenly =
itself and suddenly I had afs@ASU.EDU service tickets. So I check using =
tokens command

C:\Documents and Settings\bvossoug>tokens
Tokens held by the Cache Manager:

User bvossoug@ASU.EDU's tokens for afs@asu.edu [Expires Oct 30 18:45]

pioctl temp !=3D 0: 0x66543218

  --End of list ----

So, tokens finally says that the user as an AFS token, but still returns =
pioctrol error.

This is getting curiouser and curiouser...

David Bear
College of Public Programs at ASU