[OpenAFS] Unable to Obtain Tokens / KTC_NOCM Cause Discovered

Jason C. Wells jcw@highperformance.net
Wed, 7 Jan 2004 21:20:02 -0800 (PST)


I finally discovered how to cause the KTC_NOCM error and then how to
prevent it.  I guess I can't really say I know the cause, but I do know
what circumstances this error occurs under.

For a long while I wasn't getting the Error # 11862791 and then suddenly I
was.  I had been logging into Windows as my normal user name 'jcw'.  I
had been playing with using an MIT KDC for Windows login, rather than
logging into the local computer, or a Windows AD server.  I was also
working on integrating the OpenAFS login.  It was during this time that my
problem manifested.

The user 'jcw' is a member of the Administrators group.  When I log into
the Administrator account to the local machine (which I rarely do, since
jcw is an administrator) I could access the AFS file space.  When I logged
in as jcw to the MIT KDC, I could not access AFS.

So I fell in category one as this message from Jeff explained:
https://lists.openafs.org/pipermail/openafs-info/2003-December/011375.html

It really boggled my mind why 'Administrator' could access AFS, where
'jcw' (also an administrator) could not.  I tried logging in as 'jcw' to
the local machine and voila, I could access the AFS file space.

For some reason, there is a difference in the level of privilege that
'jcw' is granted depending on whether 'jcw' logs in to the MIT KDC or the
local machine.

Can someone confirm this behavior?  You'll need to have a working MIT V5
KDC and configure Windows to log in with it.  Can someone explain this
behavior?

Is this a bug or a feature?

Jeff, do you want a bug report on my observations?

IMO, that 'jcw' requires elevated privilege at all is inappropriate.  I
recall Jeff saying that this is known and being worked.

FWIW, I can get tokens either by afs_creds and the kaserver or by aklog
and the KDC.

Later,
Jason C. Wells