[OpenAFS] NOCM Error on 20040508

Jason C. Wells jcw@highperformance.net
Mon, 10 May 2004 19:08:30 -0700 (PDT)


On Mon, 10 May 2004, Jeffrey Altman wrote:

> Jason C. Wells wrote:
>
> >
> >I get this error message on log in:  "KTC_NOCM: The service, Transarc
> >AFS Daemon, most likely not started! (0xb50307) (ktc{GetToken() failed)".
> >This is when I log in using the MIT KDC.
> >
> Are you saying that Integrated Logon is producing this error?
> Or is this error being produced by some other command you
> are executing?  aklog.exe?  from within a logon script?

I assume it's the integrated logon. It is not aklog.  A message pops up in
a GUI dialog prompt.

I guess I should mention that my startup script also fails with: aklog:
unable to obtain tokens for cell stradamotorsports.com (status: 11862793).
It's the same NOCM message, but on the commandline.  I didn't mention it
because I consider the two error message (GUI and CLI)  to be one in the
same.

> If you are executing aklog.exe. how are the Kerberos 5
> tickets being obtained?

Kerberos 5 tickets are obtained through ms2mit.  Once I have the tickets
copied from windows credentials cache, I run aklog -5.

My script: (including old k524 stuff)

@echo off
set BASEDRIVE=D:
set MITKERB=%BASEDRIVE%\Progra~1\MIT\Kerberos\bin

echo Extracting Kerberos credentials from windows' credential cache.
%MITKERB%\ms2mit.exe
echo.

rem echo Getting Kerberos V5 credentials from MIT KDC.
rem %MITKERB%\kinit.exe -5 -f
rem echo.

rem echo Copying Kerberos V5 credentials into Kerberos V4 credentials.
rem %MITKERB%\k524init.exe
rem echo.

echo Getting an AFS token.
%MITKERB%\aklog.exe -5
echo.

rem This has been made into a registry entry?
rem echo Enabling OpenAFS encryption.  Your must re-run 'fs setcrypt on'
if you restart OpenAFS.
rem %BASEDRIVE%\Progra~1\OpenAFS\AFS\Client\Program\fs setcrypt on
rem echo.

rem pause

> >If I log in using Local Workstation, I can get a token by running kinit -5
> >-f and aklog -5.  In fact, I do this immediately after the MIT KDC login
> >attempt (without a reboot) which would tell me that afsd is working
> >correctly and that there is something specifically amiss with an MIT
> >login.

> >With respect to using an MIT KDC, 1.3.6300 works for me and 20040508 does
> >not.  When 1.3.6300 came out I was thrilled because everything was working
> >as I had expected, except the drive selection drop down menu.
> >
> >Just for giggles, I reverted to 1.3.6300 and verified that using an MIT
> >KDC works.  It does.
> >
> >Questions?
> >
> >
> One important question.  What are you using to obtain the tokens?
> Does the aklog.exe which comes with OpenAFS 0508 work for you?

The above script is used to obtain tokens from the KDC.  This means the
answer to your second question is no.  The aklog that comes with 0508
doesn't work when I go through the MIT KDC.  See the above error message.
This is the same error message that I had seen is pre-1.3.6300 days.

It's late back East.  How much coffee do you you drink man? :)

Later,
Jason C. Wells