[OpenAFS] ktc 7 error on Openafs 1.7.17 on Windows 6 2005 (64 bit)

John Tang Boyland boyland@uwm.edu
Fri, 07 Sep 2012 13:06:55 -0500


On Fri, 07 Sep 2012 12:47:18 EDT, jaltman@your-file-system.com wrote:
] On 9/7/2012 11:11 AM, John Tang Boyland wrote:
] > Dear OpenAFS community,
] >    I have a new crop of students attempting to get OpenAFS working on
] > their computers.  OpenAFS 1.7 is working better than OpenAFS 1.6
] >   <digression>
] >   except that the
] >   need to edit krb5.conf to add "allow_weak_crypto = true" is annoying.
] >   Students (1) can't find the file and give up (ProgramData is "hidden"),
] >   or (2) find it and edit it and find they can't save it, because they
] >   don't know what it means to "edit as administrator".  So they save
] >   as krb5.conf.txt, and then don't get a useful error message
] >   back from NIM -- it simply tries "openafs.org" instead.
] >   aklog gives more useful messages.
] >   </digression>
] 
] Windows Installer provides support for MSI Transforms to permit
] organizations to distribute installers that are pre-configured for
] the needs of their environment.  Documentation on how to build
] transforms for OpenAFS is included in the OpenAFS Release Notes CHM.
] Talks on how to develop them have been given at AFS and Kerberos Best
] Practice Workshops.

OK.  I may be able to find someone who can do this.  Thanks.
 
] If "openafs.org" is the configured cell on the machine, that has nothing
] to do with the configuration of "krb5.conf".  "krb5.conf" is
] Kerberos configuration, not AFS configuration.

Yes.  I agree.  It's NIM that falls back to openafs.org, it seems
(even if openafs was installed with cell cs.uwm.edu).
(I'm not completely sure, perhaps students are misinstalling openafs too.)
 
] > but I was surprised to see someone still getting "ktc 7" error when
] > using aklog.
] >
] > Network Identity Manager is able to get credentials and AFS tokens (albeit
] > with a LONG delay).
] 
] But these tokens are not visible to "tokens.exe"?   What is wrong with
] these tokens?

> tokens

Tokens held by the Cache Manager

AFS Device may not have been started.

My guess is (since AFS is accessible without tokens, i.e. with
system:anyuser) that the cache manager is running but it cannot be
communicated with.

] > kinit works fine.  aklog works until the
] > very last step, when it gets unknown error (ktc 7).
] 
] What is the output of "aklog -d"?

> aklog -d -c cs.uwm.edu
Authenticating to cell cs.uwm.edu.
Getting v5 tickets: afs/cs.uwm.edu@CS.UWM.EDU
About to resolve name xxxx@CS.UWM.EDU to id
Id NNNNN
Set username to xxxx@CS.UWM.EDU
Getting tokens.
aklog: Unknown code ktc 7 (11862791) while obtaining tokens for cell cs.uwm.edu

] > With the setup, we are able to access \\afs\cs.uwm.edu\users\classes
] > but not able to access the actual class, almost certainly
] > because up to this point requires no tokens, but
] > tokens are required to get into the class.
] >
] > It seems that OpenAFS is running and NIM/Kerberos are running fine,
] > but it is not possible to get the tokens from NIM to openafs.
] >
] > I tried:
] > 	net view \\afs
] > and got the error
] > 	'net' is not known as a command, batch file, ...
] 
] net.exe is a Windows provided tool located in c:\windows\system32.
] If you cannot find net.exe, something is wrong with the PATH on the
] system in question.

Yes, something (unrelated to NIM/KfW/AFS) seems to be wrong with the
system.

Thanks,
John
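
The number in parentheses in the aklog output above is a packed com_err code: the low 8 bits are the offset within an error table and the upper bits spell the table name, 6 bits per character. The following is an added example, not part of the original message and not OpenAFS code; the function names are illustrative, and the KTC_NOCM label is the name OpenAFS's auth.h gives to this value.

```python
import re

# com_err packing: low 8 bits = offset inside the table, upper bits = table
# name, 6 bits per character, each stored as (index in CHARSET) + 1.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6

# Only the code seen in this thread; OpenAFS's auth.h calls it KTC_NOCM.
KNOWN = {("ktc", 7): "KTC_NOCM"}

def table_base(name):
    """Pack a table name into the code of its first entry (offset 0)."""
    num = 0
    for ch in name:
        num = (num << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    return num << ERRCODE_RANGE

def split_code(code):
    """Unpack a com_err code into (table_name, offset)."""
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    num = code >> ERRCODE_RANGE
    chars = []
    while num:
        idx = num & ((1 << BITS_PER_CHAR) - 1)
        if idx:                      # 0 means "no character in this slot"
            chars.append(CHARSET[idx - 1])
        num >>= BITS_PER_CHAR
    return "".join(reversed(chars)), offset

UNKNOWN_RE = re.compile(r"Unknown code (\w+) (\d+) \((\d+)\)")

def decode_aklog_line(line):
    """Parse an 'Unknown code <table> <n> (<code>)' line and cross-check it."""
    m = UNKNOWN_RE.search(line)
    if m is None:
        return None
    name, offset, code = m.group(1), int(m.group(2)), int(m.group(3))
    table, unpacked = split_code(code)
    # OpenAFS prints the table name in lower case, so compare case-blind.
    consistent = table.lower() == name.lower() and unpacked == offset
    return {"table": table.lower(), "offset": unpacked, "consistent": consistent,
            "symbol": KNOWN.get((table.lower(), unpacked))}

if __name__ == "__main__":
    # Line copied from the aklog -d output in this message.
    line = ("aklog: Unknown code ktc 7 (11862791) while obtaining tokens "
            "for cell cs.uwm.edu")
    print(decode_aklog_line(line))
```
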