[OpenAFS] openafs pioctl issue on windows

David Bear David.Bear@asu.edu
Thu, 30 Oct 2008 11:43:15 -0700



This is getting stranger and stranger -- Jeff, I finally got the name of
another service to test.. below is a screen shot of what happened.

On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> David Bear wrote:
> > KFW is version 3.2.2 -- reinstalled today.
> > Windows is XP Pro with SP2
> > credential cache is API: -- we do make use of windows logon credentials.
> > I've stopped using kinit and only use NIM to get and destroy tickets. I
> > do successfully get tickets in asu.edu, as the output
> > of klist shows:
> > Ticket cache: API:bvossoug@ASU.EDU
> > Default principal: bvossoug@ASU.EDU
> >
> > Valid starting Expires Service principal
> > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/ASU.EDU@ASU.EDU
> >  renew until 10/30/08 15:30:56
> >
> > but I'm not getting the afs@asu.edu credential.. ??
> > why?
> > So, does this indicate the problem is with KfW instead of openafs?
>
> You have not received any service tickets.  All you have is a TGT.
>
> Can you obtain service tickets for any service?
>
>  kvno.exe <service-ticket-name>
>
> You could also turn on logging in NIM and examine the log.
>
> My guess is that assuming you have the AFS credential acquisition
> properly configured for NIM that the clock on the machine is not
> set correctly.  Wrong time or wrong time zone.
>
I check the date/time.. It is syncing with the domain controls which sync the
kerb servers. It all works.

I did the following in a cmd shell:


C:\Documents and Settings\bvossoug>klist

Ticket cache: API:bvossoug@ASU.EDU
Default principal: bvossoug@ASU.EDU

Valid starting     Expires            Service principal
10/30/08 08:45:08  10/30/08 18:45:10  krbtgt/ASU.EDU@ASU.EDU
        renew until 11/06/08 08:44:55

C:\Documents and Settings\bvossoug>aklog
pioctl temp != 0: 0x66543218

NOTE how AKLOG fails.

Then, testing with kvno to get another service, works okay.

C:\Documents and Settings\bvossoug>kvno host/ppp1.asu.edu@ASU.EDU
host/ppp1.asu.edu@ASU.EDU: kvno = 4

NOW the thing that's weird is that AFTER I did the kvno, NIM suddenly updated
itself and suddenly I had afs@ASU.EDU service tickets. So I check using the
tokens command

C:\Documents and Settings\bvossoug>tokens
Tokens held by the Cache Manager:

User bvossoug@ASU.EDU's tokens for afs@asu.edu [Expires Oct 30 18:45]

pioctl temp != 0: 0x66543218

  --End of list ----

So, tokens finally says that the user has an AFS token, but still returns the
pioctl error.

This is getting curiouser and curiouser...

--
David Bear
College of Public Programs at ASU
602-464-0424
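
Added example, not part of the original message or of OpenAFS/KfW: a small parser for klist output in the layout shown above that separates the "TGT only" state from a cache that holds a ticket for the wanted service, and flags tickets that are not valid at the local time (the clock or time-zone case raised in the quoted reply). The sample caches, the 08:47 timestamps and the status names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the klist output quoted in the message.
TGT_ONLY = """\
Ticket cache: API:bvossoug@ASU.EDU
Default principal: bvossoug@ASU.EDU

Valid starting     Expires            Service principal
10/30/08 08:45:08  10/30/08 18:45:10  krbtgt/ASU.EDU@ASU.EDU
        renew until 11/06/08 08:44:55
"""
# Constructed: the same cache after service tickets were issued.
WITH_SERVICES = TGT_ONLY + """\
10/30/08 08:47:02  10/30/08 18:45:10  host/ppp1.asu.edu@ASU.EDU
10/30/08 08:47:05  10/30/08 18:45:10  afs@ASU.EDU
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(r"^\s*" + STAMP + r"\s+" + STAMP + r"\s+(\S+)\s*$")
FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (start, expires, principal) per ticket line; skips 'renew until'."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start, end = (datetime.strptime(m.group(i), FMT) for i in (1, 2))
            tickets.append((start, end, m.group(3)))
    return tickets


def diagnose(text, now, wanted="afs"):
    """Classify the cache for the service whose first name component is `wanted`."""
    tickets = parse_klist(text)
    if not tickets:
        return "NO_TICKETS"
    valid = [p for (start, end, p) in tickets if start <= now < end]
    if not valid:
        return "NOT_VALID_NOW"   # expired or not yet valid: check clock and time zone
    services = [p for p in valid if not p.startswith("krbtgt/")]
    if not services:
        return "TGT_ONLY"        # the state described in the quoted reply
    names = {p.split("@")[0].split("/")[0] for p in services}
    return "OK" if wanted in names else "SERVICE_MISSING"
```
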
