Windows: Explanation of KTC_NOCM error and Drive Mappings Issues was Re: [OpenAFS] Unable to Obtain Tokens

Jeffrey Altman jaltman@columbia.edu
Thu, 04 Dec 2003 15:28:03 -0500


This is a cryptographically signed message in MIME format.

--------------ms030709050700090904070501
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

The KTC_NOCM error code is produced from within afscreds.exe under two 
circumstances:

   1. afscreds is unable to determine if the AFS Client Service is
      running.  The most likely cause of this in the 1.2.x versions is
      when a non-administrator account is being used.  The 1.2.x
      afscreds was attempting to obtain access to the Service Control
      Manager with rights it could not obtain.  The 1.3.5x version
      utilizes the minimum rights necessary to obtain status information.
   2. The AFS Client Service is known to be running but the RPC
      communication has failed for some unknown reason.

There are two different types of drive mappings supported in OpenAFS.  
Per user drive mappings which are maintained by the Windows shell and 
preserved in the end user's profile.  These are the mappings which are 
created from within the afscreds from the "Drive Letters" tab.   Each 
drive letter is mapped to a Windows Network Share which is given the 
name specified in the "Description" field.  It is for this reason that 
"descriptions" must be unique.

The other type of mappings are the Global Drive mappings which are read 
from the registry key:

  
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper

these mappings are established not within the shell context but from the 
AFS Client Service itself.

The contents of \WINDOWS\afsdsbmt.ini are not really used as part of the 
process of preserving the Windows Shell mappings.  In particular, a 
roaming profile being used on two or more machines with different drive 
mappings will become extremely confused. 

The todo list for drive mappings should include the following items:

    * move drive mapping information to the user's profile (HKCU
      registry hive) and out of the afsdsbmt.ini file
    * do not use the Windows Shell persistent drive mappings capability
    * use the integrated logon dll to create the drive mappings on each
      invocation
    * allow afscreds.exe to verify the drive mappings and if they are
      not present create them in cases where integrated logon is not used
    * the concept of persistent versus per session mappings should be
      local to AFS
    * efforts must be taken to ensure that integrated logon and afscreds
      actions do not clobber global mappings on a particular machine
    * the whole concept of the high security drive mappings must be
      re-evaluated.  the purpose of these mappings is to randomly assign
      usernames to the mappings such that other users who might see the
      published share names cannot access them.  However, this also
      means that once created local users cannot interact with them in a
      reasonable way either. 

None of this work has yet to be done.  Most of this work will probably 
result in incompatibilities with the existing deployed infrastructure.

Jeffrey Altman


Jason C. Wells wrote:

>On Wed, 3 Dec 2003, Jeffrey Altman wrote:
>
>  
>
>>Another possibility is that you no longer have authorization to open the
>>NT SC Manager or the AFS Client Service.
>>
>>You might want to try the 1.3.50 build, you can find an installer at
>>
>>  /afs/athena.mit.edu/user/j/a/jaltman/Public/OpenAFS/
>>
>>Be sure to uninstall the previous version first.  This installer uses
>>the NSIS installer instead of InstallShield.  I am not sure it can
>>update an InstallShield installation of OpenAFS.
>>    
>>
>
>This worked.  Everything was running fine.
>
>Then it wasn't.  This time I knew that I had only changed the global drive
>mappings.  I also elected not to preserve my config files.  This proved to
>be important as you might discern from the rest of this message.
>
>During this most recent iteration, I had tried to change my global drive
>mappings to z: and h:.  The trouble started after trying to change the
>drive mappings.  When trying to change the drive mappings, I would get
>some error saying "Description Already Used".
>
>I then tried manually editing the afsdsbmt.ini file to delete the "already
>described" mappings so that I could then use the afs_config dialog to set
>up my mappings the way I wanted.  This didn't help.
>
>I have restored my afsdsbmt.ini and voila, AFS client is back to working.
>But not with the drive mappings I desire.
>
>While I was doing all of this, I noticed that what afsdsbmt.ini lists as
>drive mappings and what windows lists as drive mappings are two different
>things.  This was strange.
>
>While trying to determine a specific method to set the drive mappings the
>way that I wanted, I really couldn't see any rhyme or reason to the way in
>which drive mappings are configured.  The afsdsbmt.ini file is simple
>enough.  The results of my efforts are different from what I would
>expect though.
>
>For example: At one point I had a Q: drive that is shown as not connected
>in Windows explorer (big red X on the drive icon).  The drive shows in
>"Drive Letters" on afscreds, but I cannot remove it.  The Q: drive doesn't
>appear in afsdsbmt.ini.  Strange.
>
>I suspect that Windows isn't correctly reporting/releasing available drive
>letters.  I suspect this because I would get errors that drives were
>already in use that were not reported as used.  A combination of rebooting
>windows and changing drive letter mappings using only the GUI dialogs got
>me back on track.
>
>I do have a working AFS client now.  My problem was somehow related to
>drive mapping.  (unless Jeff A. pipes up and says I am smoking crack)
>
>So some sort of error in drive mappings caused the Cache Manager or the
>client to give me the original "Error: 11862791 (AFS service my not have
>started)" / "KTM_NOCM".
>
>I have done enough tweaking on this I could probably repeat the problems I
>had if someone needed a tester.  (perhaps PEBKAC? ;) )
>
>This message is sent to the list mostly for posterity.  There wasn't much
>on the net about the particular error code I was receiving.  Hopefully
>some future person will find this useful.
>
>Later,
>Jason C. Wells
>
>
>
>
>
>
>
>
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>  
>

--------------ms030709050700090904070501
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJUDCC
AwYwggJvoAMCAQICAwpxijANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCWkExFTATBgNV
BAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUx
HTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVl
bWFpbCBSU0EgMjAwMC44LjMwMB4XDTAzMDczMDAyMDkyOFoXDTA0MDcyOTAyMDkyOFowRjEf
MB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEjMCEGCSqGSIb3DQEJARYUamFsdG1h
bkBjb2x1bWJpYS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBtDG6ZyGA
sK+rZOfKPKGBn6oCTLYSLk/mpeX9QTmTG71qh308KUeN35qqoRXjLvscfw6NPOYXiuxE/RqL
sx7WKEnK3C4gzzpioCTX1b7o4M7YbpvCRBFPE9Jgsd0yz2EN+mk/pPuK1GP+iQNot2m4A56A
aPe6F5T25GqffU535GNIdAtWPao6wHcOm17se25ny/TNzb9mlA4UzYl9XP7MF1fkpJyaDDAy
DNNTSSjxBdPVs2EaYq1p/xadXbIpysQiySXAxoeiZusgJopRHLcBsBmmY9QVD4QnUqZVmfJ5
f1CiNri5vlexKCmdFSrxMLuoLr4EQZCECdusp6ZnIt75AgMBAAGjMTAvMB8GA1UdEQQYMBaB
FGphbHRtYW5AY29sdW1iaWEuZWR1MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEA
DPKe/CuAgEUxsrPskJQx2fL6soAEG2iqrqOGIRREHDaXWDBNMEWEbOEMLvh3+yhqHOUc9x3r
2IfsP/XHnujaqsMVXLagokVTnpPN675wv8LZ8hLHblLnykaTCq6RZpVskh2iAiJwpYMcKNF6
jyYaQyGHBGT3PK8uVGVCG4Pp9k4wggMGMIICb6ADAgECAgMKcYowDQYJKoZIhvcNAQEEBQAw
gZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEo
MCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMzA3MzAwMjA5
MjhaFw0wNDA3MjkwMjA5MjhaMEYxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx
IzAhBgkqhkiG9w0BCQEWFGphbHRtYW5AY29sdW1iaWEuZWR1MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwbQxumchgLCvq2TnyjyhgZ+qAky2Ei5P5qXl/UE5kxu9aod9PClH
jd+aqqEV4y77HH8OjTzmF4rsRP0ai7Me1ihJytwuIM86YqAk19W+6ODO2G6bwkQRTxPSYLHd
Ms9hDfppP6T7itRj/okDaLdpuAOegGj3uheU9uRqn31Od+RjSHQLVj2qOsB3Dpte7HtuZ8v0
zc2/ZpQOFM2JfVz+zBdX5KScmgwwMgzTU0ko8QXT1bNhGmKtaf8WnV2yKcrEIsklwMaHombr
ICaKURy3AbAZpmPUFQ+EJ1KmVZnyeX9Qoja4ub5XsSgpnRUq8TC7qC6+BEGQhAnbrKemZyLe
+QIDAQABozEwLzAfBgNVHREEGDAWgRRqYWx0bWFuQGNvbHVtYmlhLmVkdTAMBgNVHRMBAf8E
AjAAMA0GCSqGSIb3DQEBBAUAA4GBAAzynvwrgIBFMbKz7JCUMdny+rKABBtoqq6jhiEURBw2
l1gwTTBFhGzhDC74d/soahzlHPcd69iH7D/1x57o2qrDFVy2oKJFU56Tzeu+cL/C2fISx25S
58pGkwqukWaVbJIdogIicKWDHCjReo8mGkMhhwRk9zyvLlRlQhuD6fZOMIIDODCCAqGgAwIB
AgIQZkVyt8x09c9jdkWE0C6RATANBgkqhkiG9w0BAQQFADCB0TELMAkGA1UEBhMCWkExFTAT
BgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3
dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lv
bjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkB
FhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4XDTAwMDgzMDAwMDAwMFoXDTA0MDgy
NzIzNTk1OVowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV
BAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBT
ZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMDCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3jMypmPHCSVFPtJueCdngcXaiBmClw7jRCmKYzUq
bXA8+tyu9+50bzC8M5B/+TRxoKNtmPHDT6Jl2w36S/HW3WGl+YXNVZo1Gp2Sdagnrthy+boC
9tewkd4c6avgGAOofENCUFGHgzzwObSbVIoTh/+zm51JZgAtCYnslGvpoWkCAwEAAaNOMEww
KQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDEtMjk3MBIGA1UdEwEB/wQI
MAYBAf8CAQAwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBADGxS0dd+QFx5fVTbF15
1j2YwCYTYoEipxL4IpXoG0m3J3sEObr85vIk65H6vewNKjj3UFWobPcNrUwbvAP0teuiR59s
ogxYjTFCCRFssBpp0SsSskBdavl50OouJd2K5PzbDR+dAvNa28o89kTqJmmHf0iezqWf54TY
yWJirQXGMYID1TCCA9ECAQEwgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJu
IENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRD
ZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIw
MDAuOC4zMAIDCnGKMAkGBSsOAwIaBQCgggIPMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTAzMTIwNDIwMjgwM1owIwYJKoZIhvcNAQkEMRYEFHusFq5FHG8X
gQrwpx/fVMv4bI0JMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwIC
AgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGrBgkrBgEEAYI3
EAQxgZ0wgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV
BAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBT
ZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAIDCnGK
MIGtBgsqhkiG9w0BCRACCzGBnaCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rl
cm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT
FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0Eg
MjAwMC44LjMwAgMKcYowDQYJKoZIhvcNAQEBBQAEggEAv7J5nF7raKqAdOeuNHdoHXEyujOT
CBGM/rkyCr8kzmF+okYy7G5fQ51lrmG9t7PPj1/zYbMIU211uenmbKFX0i5q7wPGmN1MzZtO
mwIbglnL8i0s/voBjbpgDP08qlOuQyZuz4WX3SFPJB9yxbJcc8klgkXFHEOuTfqfa+eydGR0
CV73cbfEV0SffJhzeupkQhqQiBCnvYuM0e07c+oRD0kPd2TSnA+C69+ESscaK01tZ8sq4lu0
i+PRPnYrL9Ll6t0mse6LYM1Fk/4EOk4TNLoZbBBIggn1w/JHlqPTmaPhS2BUc2KbSrUVEfnv
lOtge8xaI8pM9rtn/QvulDJ55gAAAAAAAA==
--------------ms030709050700090904070501--