[OpenAFS] Integrated login failed: Credentials cache I/O operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)

Michael Sievers Michael_Sievers@web.de
Mon, 22 Jan 2007 15:14:36 +0100


Hi !

We got a problem running the OpenAFS client on a Windows 2003 Terminal
Server. We use the integrated logon feature to obtain an AFS token at
logon, because the users' home directories are stored in afs.
Additionally, we use Kerberos for Windows 2.6.5.

The problem is, that with OpenAFS client version 1.5.x, we are getting an
error during logon. The message is

Integrated login failed: Credentials cache I/O operation failed XXX

The result is, that the user does not get his home directory, but a
temporary local profile. When he has logged in, the OpenAFS client works,
so the user can access afs. (This is probably because the leash gets the
AFS token) Just the OpenAFS integrated logon fails. (We tested both KfW
2.6.5 and 3.1, no difference)

If you disable the OpenAFS integrated logon feature, the error does not
occur, but the user does not get his home directory (that's clear,
because, the OpenAFS client does not have a token at this time, so he
cannot access the user directory in afs).

BUT if the user logs out and then logs in again, everything works fine,
no error but the user's home directory. That's because the user gets a
token once he has logged in and this token has a specific lifetime. If
the same user logs in a second time, while the afs token is still valid,
the OpenAFS client can now access the user's afs directory during login
and load the profile.

We got this error with OpenAFS 1.5.x and with OpenAFS 1.4.3. Prior
versions work, but only a specific time, let's say, a day, or a half and
then, the same problem occurs. But if you reboot the server, with version
< 1.4.3 installed, it works again for a while. Very strange ...

Another phenomenon is, that this error only occurs, if a user tries to
log in remotely. On the console of the terminal server (if the user is
sitting in front of the server), everything works fine. No error at all.
But if the same user wants to log in via terminal service, he gets the
error.

As I mentioned before, we evaluated KfW 2.6.5 till 3.1, no difference. To
eliminate the influence of Microsoft patches, we tested the configuration
on an unpatched vanilla Windows 2003 Server installation, but still the
error occurs.

If you need more information, feel free to ask.

Michael Sievers

-- 
Universität Paderborn
Zentrum für Informations- und Medientechnologien
Warburgerstr. 100
33098 Paderborn (Germany)