[OpenAFS] openafs pioctl issue on windows
David Bear
David.Bear@asu.edu
Thu, 30 Oct 2008 11:43:15 -0700
------=_Part_16910_15078553.1225392195300
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
This is getting stranger and stranger -- Jeff, I finally got the name of
another service to test.. below is a screen shot of what happened.
On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:
> David Bear wrote:
> > KFW is version 3.2.2 -- resintalled today.
> > Windows is XP Pro with SP2
> > credential cache is API: -- we do make use of windows logon credentials.
> > I've stopped using kinit and only use NIM to get and destroy tickets. I
> > do succesfully get tickets in asu.edu <http://asu.edu>, as the output
> > of klist shows:
> > Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU> <mailto:
> API%3Abvossoug@ASU.EDU <API%253Abvossoug@ASU.EDU>>
> > Default principal: bvossoug@ASU.EDU <mailto:bvossoug@ASU.EDU>
> >
> > Valid starting Expires Service principal
> > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/ASU.EDU
> > <http://ASU.EDU>@ASU.EDU <http://ASU.EDU>
> > renew until 10/30/08 15:30:56
> >
> > but I'm not getting the afs@asu.edu <mailto:afs@asu.edu> credential.. ??
> > why?
> > So, does this indicate the problem is with KfW instead of openafs?
>
> You have not received any service tickets. All you have is a TGT.
>
> Can you obtain service tickets for any service?
>
> kvno.exe <service-ticket-name>
>
> You could also turn on logging in NIM and examine the log.
>
> My guess is that assuming you have the AFS credential acquisition
> properly configured for NIM that the clock on the machine is not
> set correctly. Wrong time or wrong time zone.
>
> I check the date/time.. It syncing with the domain controls which sync the
the kerb servers. It all works.
I did the following in a cmd shell:
C:\Documents and Settings\bvossoug>klist
Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU>
Default principal: bvossoug@ASU.EDU
Valid starting Expires Service principal
10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/ASU.EDU@ASU.EDU
renew until 11/06/08 08:44:55
C:\Documents and Settings\bvossoug>aklog
pioctl temp != 0: 0x66543218
NOTE how AKLOG fails.
Then, testing with kvno to get another service, works okay.
C:\Documents and Settings\bvossoug>kvno host/ppp1.asu.edu@ASU.EDU
host/ppp1.asu.edu@ASU.EDU: kvno = 4
NOW the thing thats weird is that AFTER i did the kvno, NIM suddenly updated
itself and suddenly I had afs@ASU.EDU service tickets. So I check using the
tokens command
C:\Documents and Settings\bvossoug>tokens
Tokens held by the Cache Manager:
User bvossoug@ASU.EDU's tokens for afs@asu.edu [Expires Oct 30 18:45]
pioctl temp != 0: 0x66543218
--End of list ----
So, tokens finally says that the user as an AFS token, but still returns the
pioctrol error.
This is getting curiouser and curiouser...
--
David Bear
College of Public Programs at ASU
602-464-0424
------=_Part_16910_15078553.1225392195300
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
<p>This is getting stranger and stranger -- Jeff, I finally got the name of another service to test.. below is a screen shot of what happened.<br></p><p></p><div class="gmail_quote">On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <span dir="ltr"><<a href="mailto:jaltman@secure-endpoints.com">jaltman@secure-endpoints.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="Ih2E3d">David Bear wrote:<br>
> KFW is version 3.2.2 -- resintalled today.<br>
> Windows is XP Pro with SP2<br>
> credential cache is API: -- we do make use of windows logon credentials.<br>
> I've stopped using kinit and only use NIM to get and destroy tickets. I<br>
</div>> do succesfully get tickets in <a href="http://asu.edu" target="_blank">asu.edu</a> <<a href="http://asu.edu" target="_blank">http://asu.edu</a>>, as the output<br>
> of klist shows:<br>
> Ticket cache: <a href="mailto:API%3Abvossoug@ASU.EDU">API:bvossoug@ASU.EDU</a> <mailto:<a href="mailto:API%253Abvossoug@ASU.EDU">API%3Abvossoug@ASU.EDU</a>><br>
> Default principal: <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a> <mailto:<a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a>><br>
<div class="Ih2E3d">><br>
> Valid starting Expires Service principal<br>
> 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/<a href="http://ASU.EDU" target="_blank">ASU.EDU</a><br>
</div>> <<a href="http://ASU.EDU" target="_blank">http://ASU.EDU</a>>@<a href="http://ASU.EDU" target="_blank">ASU.EDU</a> <<a href="http://ASU.EDU" target="_blank">http://ASU.EDU</a>><br>
<div class="Ih2E3d">> renew until 10/30/08 15:30:56<br>
><br>
</div>> but I'm not getting the <a href="mailto:afs@asu.edu">afs@asu.edu</a> <mailto:<a href="mailto:afs@asu.edu">afs@asu.edu</a>> credential.. ??<br>
<div class="Ih2E3d">> why?<br>
> So, does this indicate the problem is with KfW instead of openafs?<br>
<br>
</div>You have not received any service tickets. All you have is a TGT.<br>
<br>
Can you obtain service tickets for any service?<br>
<br>
kvno.exe <service-ticket-name><br>
<br>
You could also turn on logging in NIM and examine the log.<br>
<br>
My guess is that assuming you have the AFS credential acquisition<br>
properly configured for NIM that the clock on the machine is not<br>
set correctly. Wrong time or wrong time zone.<br>
<font color="#888888"><br>
</font></blockquote></div><p>I check the date/time.. It syncing with the domain controls which sync the the kerb servers. It all works. </p><p>I did the following in a cmd shell:</p><p><br>C:\Documents and Settings\bvossoug>klist<br>
<br>Ticket cache: <a href="mailto:API%3Abvossoug@ASU.EDU">API:bvossoug@ASU.EDU</a><br>Default principal: <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a><br> Valid starting Expires Service principal<br>
<br>10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/<a href="http://ASU.EDU">ASU.EDU</a>@<a href="http://ASU.EDU">ASU.EDU</a><br><br> renew until 11/06/08 08:44:55<br><br>C:\Documents and Settings\bvossoug>aklog<br>
pioctl temp != 0: 0x66543218<br><br></p><p>NOTE how AKLOG fails.</p><p>Then, testing with kvno to get another service, works okay.</p><p>C:\Documents and Settings\bvossoug>kvno host/<a href="http://ppp1.asu.edu">ppp1.asu.edu</a>@<a href="http://ASU.EDU">ASU.EDU</a><br>
host/<a href="http://ppp1.asu.edu">ppp1.asu.edu</a>@<a href="http://ASU.EDU">ASU.EDU</a>: kvno = 4<br><br>NOW the thing thats weird is that AFTER i did the kvno, NIM suddenly updated itself and suddenly I had <a href="mailto:afs@ASU.EDU">afs@ASU.EDU</a> service tickets. So I check using the tokens command <br>
<br>C:\Documents and Settings\bvossoug>tokens<br>Tokens held by the Cache Manager:<br><br>User <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a>'s tokens for <a href="mailto:afs@asu.edu">afs@asu.edu</a> [Expires Oct 30 18:45]<br>
<br>pioctl temp != 0: 0x66543218<br><br> --End of list ---- <br></p><p>So, tokens finally says that the user as an AFS token, but still returns the pioctrol error.</p><p>This is getting curiouser and curiouser...<br></p>
<p>--<br>David Bear<br></p>College of Public Programs at ASU<br>602-464-0424<br>
------=_Part_16910_15078553.1225392195300--