[OpenAFS] Integrated login failed: Credentials cache I/O operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)

Michael Sievers Michael_Sievers@web.de
Mon, 22 Jan 2007 16:05:43 +0100

I can confirm, that this error only occurs, when a user is loggin in via 
Terminal Server. A console loggin works fine.

That's why, we only get this error on the Terminal Server. We got a lot of 
WindowsXP Pro workstations, using the OpenAFS client without any problems.

I try to provide you the integrated logon debug trace information as soon as 

Is it sufficient, to send the original mail to openafs-bugs@openafs.org as a 
bug report ?

Michael Sievers

----- Original Message ----- 
From: "Jeffrey Altman" <jaltman@secure-endpoints.com>
To: "Michael Sievers" <Michael_Sievers@web.de>
Cc: <openafs-info@openafs.org>
Sent: Monday, January 22, 2007 3:44 PM
Subject: Re: [OpenAFS] Integrated login failed: Credentials cache I/O 
operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)

> Please confirm that the problem only occurs when the user is logging in
> via Terminal Server.
> Please provide integrated logon debug trace information extracted from
> the Windows Application Event Log as described in the OpenAFS for
> Windows Release Notes.
> Please file a bug report with this information to openafs-bugs@openafs.org
> Jeffrey Altman
> Michael Sievers wrote:
>> Hi !
>> We got a problem running the OpenAFS client on a Windows 2003 Terminal
>> Server. We use the integrated logon feature to obtain a AFS token at
>> logon, because the users home directorys are stored in afs.
>> Additionally, we use Kerberos for Windows 2.6.5.
>> The problem is, that with OpenAFS client version 1.5.x, we are getting
>> an error during logon. The message is
>> Integrated login failed: Credentials cache I/O operation failed XXX
>> The result is, that the user does not get his home directory, but a
>> temporary local profile. When he has logged in, the OpenAFS client
>> works, so the user can access afs. (This is probably because the leash
>> gets the AFS token) Just the OpenAFS integrated logon fails. (We tested
>> both KfW 2.6.5 and 3.1, no difference)
>> If you disable the OpenAFS integrated logon feature, the error does not
>> occur, but the user does not get his home directory (that's clear,
>> because, the OpenAFS client does not have a token at this time, so he
>> cannot access the user directory in afs).
>> BUT if the user logs out and then logs in again, everything works fine,
>> no error but the users home directory, That's because the user gets a
>> token once he has logged in and this token has a specific lifetime. If
>> the same user logs in a second time, while the afs token is still valid,
>> the OpenAFS client can now access the users afs directory during login
>> and load the profile.
>> We got this error with OpenAFS 1.5.x and with OpenAFS 1.4.3. Prior
>> versions work, but only a specific time, lets say, a day, or a half and
>> than, the same problem occurs. But if you reboot the server, with
>> version < 1.4.3 installed, it works again for a while. Very strange ...
>> Another phenomenon is, that this error only occurs, if a user trys to
>> login remotly. On the console of the terminal server (if the user is
>> sitting in front of the server), everything works fine. No error at all.
>> But if the same user wants to login via terminal service, he gets the
>> error.
>> As I mentioned before, we evaluated KfW 2.6.5 till 3.1, no difference.
>> To eliminate the influence of Microsoft patches, we tested the
>> configuration on an unpattched vanilla Windows 2003 Server installation,
>> but still the error occurs.
>> If you need more informations, feel free to ask.
>> Michael Sievers