[OpenAFS] openafs pioctl issue on windows

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 22 Oct 2008 17:28:33 -0400


If NIM is getting and listing tokens, then KFW is working just fine.

pioctl error 0x66543218 means "End of List"

The tokens command does not use KFW.  It speaks to the AFS cache manager
via the pioctl interface which is implemented as a file
open/write/read/close sequence on a file called _._AFS_IOCTL_._ in the
AFS name space.  The file open is performed in the context of a
particular SMB session.  Each session has an authenticated identity.
The tokens are stored in the AFS cache manager bound to the SMB
authentication identity.

If you are able to obtain/list tokens with NIM and not from tokens,
it means that the two processes are running in different sessions and
are authenticating over SMB using different identities.  There is no
way to monitor the SMB authentication identity other than by running
the AFS cache manager under a debugger and intercepting the
authentication requests.

With oafw 1.5.54 if you use "fs memdump" it will output the list of
tokens that are known as part of the output to
%windir%\temp\afsd_alloc.log.  However, it won't tell you what SMB
authentication session a command is executed under.

As for your KFW error you will need to provide a lot more info.
What version?  What OS?  What credential cache type:name?
For example, if you are using the MSLSA: credential cache to make use
of the Windows Logon credentials, you can't perform kinit.

Jeffrey Altman


David Bear wrote:
> 
> 
> On Wed, Oct 22, 2008 at 12:18 PM, Jeffrey Altman
> <jaltman@secure-endpoints.com> wrote:
> 
>     NIM uses the same pioctl call as tokens.exe to obtain the tokens list.
> 
>     As long as they are being executed from within the same logon session
>     they will display the same results.
> 
>     Hint: "Run as ..." or "Run as administrator" produces a new logon
>     session.
> 
> Okay -- I tried this from cmd, in a new session.
> This fails.
> C:\WINDOWS\system32>tokens
> 
> Tokens held by the Cache Manager:
> 
>   --End of list --
> pioctl temp != 0: 0x66543218
> Then
> C:\WINDOWS\system32>kinit iddwb
> kinit(v5): Inappropriate I/O control operation while getting initial
> credentials
> 
> So, I guess kfw is not working properly here. Any pointers on what could
> be wrong with KFW?
>  
> 
>     Jeffrey Altman
> 
>     David Bear wrote:
>     > I am using
>     >
>     > /usr/sbin/rxdebug -server pp-bvossoughi.dhcp.asu.edu -port 7001 -vers
>     >
>     > Trying 10.218.16.141 (port 7001):
>     > AFS version: OpenAFS_1.5.5400
>     >
>     > This system has had intermittent errors with accessing openafs. The issue
>     > seems to be always an access/token issue.
>     >
>     > KFW 3.2.2 is installed and the user is able to get tokens in the asu.edu
>     > realm. NIM shows the TGT's.
>     >
>     > However, any attempt to use 'tokens' to display the afs tokens causes this:
>     >
>     > C:\Documents and Settings\bvossoug>tokens
>     > Tokens held by the Cache Manager:
>     >
>     > pioctl temp != 0: 0x66543218
>     >   --End of list --
>     >
>     > I googled and found someone with a similar error here:
>     >
>     > http://www.openafs.org/pipermail/openafs-info/2006-December/024568.html
>     >
>     > But I don't know if it could be related since there was no resolution on
>     > the thread and it is so old.
>     >
>     > I created an fs minidump and copied that and the afsd_init.log to an afs
>     > location that should be world readable at
>     >
>     > /afs/asu.edu/pp/oss/afsDumps
>     >
>     > ( the acl is set as system:anyuser so I hope the world can read this
>     > location )
>     >
>     > Any pointers on where to go next? (BTW, the issue seems to be tied to a
>     > specific user logon. I was able to log on to windows as myself, get
>     > tokens, and use afs)
>     >
>     > --
>     >
>     > David Bear
>     > College of Public Programs at ASU
>     > 602-464-0424
> 
> 
> 
> 
> -- 
> David Bear
> College of Public Programs at ASU
> 602-464-0424