[OpenAFS] openafs pioctl issue on windows
David Bear
David.Bear@asu.edu
Thu, 23 Oct 2008 15:56:07 -0700
Comments inline below..
On Wed, Oct 22, 2008 at 2:28 PM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:
> If NIM is getting and listing tokens, then KFW is working just fine.
>
> pioctl error 0x66543218 means "End of List"
>
Okay, I generated garbage for you. Sorry. I thought I could produce this
remotely, so I did a psexec shell and captured this info. Clearly, I would
have been using a different smb session than the primary user.
> The tokens command does not use KFW. It speaks to the AFS cache manager
> via the pioctl interface which is implemented as a file
> open/write/read/close sequence on a file called _._AFS_IOCTL_._ in the
> AFS name space. The file open is performed in the context of a
> particular SMB session. Each session has an authenticated identity.
> The tokens are stored in the AFS cache manager bound to the SMB
> authentication identity.
>
I have been back to the system, logged in with the user's credentials
instead of my own and generated the afsd_alloc.log. It is on
/afs/asu.edu/pp/oss/afsDumps along with the output of klist, a screen shot of NIM
and the configuration files I use when I install KfW.
>
> With oafw 1.5.54 if you use "fs memdump" it will output the list of
> tokens that are known as part of the output to
> %windir%\temp\afsd_alloc.log. However, it won't tell you what smb
> authentication session a command is executed under.
>
KFW is version 3.2.2 -- reinstalled today.
Windows is XP Pro with SP2
credential cache is API: -- we do make use of windows logon credentials.
I've stopped using kinit and only use NIM to get and destroy tickets. I do
successfully get tickets in asu.edu, as the output of klist shows:

Ticket cache: API:bvossoug@ASU.EDU
Default principal: bvossoug@ASU.EDU

Valid starting     Expires            Service principal
10/23/08 15:34:38  10/24/08 01:34:39  krbtgt/ASU.EDU@ASU.EDU
        renew until 10/30/08 15:30:56

but I'm not getting the afs@asu.edu credential.. ?? why?
So, does this indicate the problem is with KfW instead of openafs?
>
>
> > On Wed, Oct 22, 2008 at 12:18 PM, Jeffrey Altman
> > <jaltman@secure-endpoints.com> wrote:
> >
> > NIM uses the same pioctl call as tokens.exe to obtain the tokens list.
> >
> > As long as they are being executed from within the same logon session
> > they will display the same results.
> >
> > Hint: "Run as ..." or "Run as administrator" produces a new logon
> > session.
> >
> > Okay -- I tried this from cmd, in a new session.
> > This fails.
> > C:\WINDOWS\system32>tokens
> >
> > Tokens held by the Cache Manager:
> >
> > --End of list --
> > pioctl temp != 0: 0x66543218
> > Then
> > C:\WINDOWS\system32>kinit iddwb
> > kinit(v5): Inappropriate I/O control operation while getting initial
> > credentials
> >
> > So, I guess kfw is not working properly here. Any pointers on what could
> > be wrong with KFW?
> >
> >
> > Jeffrey Altman
> >
> > David Bear wrote:
> > > I am using
> > >
> > > /usr/sbin/rxdebug -server pp-bvossoughi.dhcp.asu.edu -port 7001 -vers
> > >
> > > Trying 10.218.16.141 (port 7001):
> > > AFS version: OpenAFS_1.5.5400
> > >
> > > This system has had intermittent errors with accessing openafs. The issue
> > > seems to be always an access/token issue.
> > >
> > > KFW 3.2.2 is installed and the user is able to get tokens in the asu.edu
> > > realm. NIM shows the TGT's.
> > >
> > > However, any attempt to use 'tokens' to display the afs tokens causes this:
> > >
> > > C:\Documents and Settings\bvossoug>tokens
> > > Tokens held by the Cache Manager:
> > >
> > > pioctl temp != 0: 0x66543218
> > > --End of list --
> > >
> > > I googled and found someone with a similar error here:
> > >
> > > http://www.openafs.org/pipermail/openafs-info/2006-December/024568.html
> > >
> > > But I don't know if it could be related since there was no resolution on
> > > the thread and it is so old.
> > >
> > > I created an fs minidump and copied that and the afsd_init.log to an afs
> > > location that should be world readable at
> > >
> > > /afs/asu.edu/pp/oss/afsDumps
> > >
> > > ( the acl is set as system:anyuser so I hope the world can read this
> > > location )
> > >
> > > Any pointers on where to go next? (BTW, the issue seems to be tied to a
> > > specific user logon. I was able to log on to windows as myself, get
> > > tokens, and use afs)
> > >
> > > --
> > >
> > > David Bear
> > > College of Public Programs at ASU
> > > 602-464-0424
> >
> >
> >
> >
> > --
> > David Bear
> > College of Public Programs at ASU
> > 602-464-0424
>
>
>
--
David Bear
College of Public Programs at ASU
602-464-0424
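
Added example, not part of the thread and not OpenAFS or KfW code: a small triage helper that reads captured klist and tokens output and separates the cases discussed above (TGT only, AFS service ticket without a token in the current logon session, token present), treating 0x66543218 as the end-of-list marker. The function names, the realm and cell arguments, and the token line in the second sample are assumptions made for this illustration.

```python
import re

END_OF_LIST = 0x66543218  # per the thread: pioctl "End of List", not a failure

# klist and tokens output as posted in the thread
PAGE_KLIST = """Ticket cache: API:bvossoug@ASU.EDU
Default principal: bvossoug@ASU.EDU

Valid starting     Expires            Service principal
10/23/08 15:34:38  10/24/08 01:34:39  krbtgt/ASU.EDU@ASU.EDU
        renew until 10/30/08 15:30:56
"""
PAGE_TOKENS = """Tokens held by the Cache Manager:

pioctl temp != 0: 0x66543218
--End of list --
"""
# Constructed sample (not from the thread): a session that does hold a token
GOOD_KLIST = PAGE_KLIST + "10/23/08 15:34:40  10/24/08 01:34:39  afs@ASU.EDU\n"
GOOD_TOKENS = ("Tokens held by the Cache Manager:\n\n"
               "User's (AFS ID 1234) tokens for afs@asu.edu [Expires Oct 24 01:34]\n"
               "   --End of list--\n")

TICKET_ROW = re.compile(r"^\s*\d\d/\d\d/\d\d\s+\S+\s+\d\d/\d\d/\d\d\s+\S+\s+(\S+)\s*$", re.M)

def kerberos_services(klist_text):
    """Service principals listed in MIT klist output."""
    return TICKET_ROW.findall(klist_text)

def afs_token_cells(tokens_text):
    """Cells for which `tokens` listed a token in this logon session."""
    return [c.lower() for c in re.findall(r"tokens for afs@(\S+)", tokens_text, re.I)]

def real_pioctl_errors(tokens_text):
    """pioctl codes other than End of List."""
    codes = re.findall(r"pioctl temp != 0: (0x[0-9a-fA-F]+)", tokens_text)
    return [c for c in (int(x, 16) for x in codes) if c != END_OF_LIST]

def triage(klist_text, tokens_text, realm, cell):
    services = kerberos_services(klist_text)
    if real_pioctl_errors(tokens_text):
        return "pioctl-error"
    if f"krbtgt/{realm}@{realm}" not in services:
        return "no-tgt"
    if cell.lower() in afs_token_cells(tokens_text):
        return "token-present"
    if {f"afs@{realm}", f"afs/{cell}@{realm}"} & set(services):
        return "afs-ticket-but-no-token-in-this-session"
    return "tgt-only-no-afs-service-ticket"
```

Both captures have to come from the same logon session as the affected user for the result to mean anything, since the cache manager binds tokens to the SMB authentication identity.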