[OpenAFS] openafs pioctl issue on windows

David Bear David.Bear@asu.edu
Thu, 30 Oct 2008 14:18:54 -0700



On Thu, Oct 30, 2008 at 1:25 PM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:

> The pioctl error is not strange.  Previously in this thread I indicated
> that it means 'end of list'.  Aklog reads the list of existing tokens.
>  There were none.  Tokens reads the list of tokens.  There was one.
>
What seems strange to me is that on 'normally functioning systems' (those
with openafs and kfw that works as expected) I don't see the pioctl error.
The other strange thing is why did I suddenly get an afs@asu.edu service
ticket after performing the kvno on the other host principal?


> Jeffrey Altman
>
> -original message-
> Subject: Re: [OpenAFS] openafs pioctl issue on windows
> From: "David Bear" <David.Bear@asu.edu>
> Date: 2008-10-30 11:43
>
> This is getting stranger and stranger -- Jeff, I finally got the name of
> another service to test.. below is a screen shot of what happened.
>
> On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <
> jaltman@secure-endpoints.com> wrote:
>
> > David Bear wrote:
> > > KFW is version 3.2.2 -- reinstalled today.
> > > Windows is XP Pro with SP2
> > > credential cache is API: -- we do make use of windows logon credentials.
> > > I've stopped using kinit and only use NIM to get and destroy tickets. I
> > > do successfully get tickets in asu.edu, as the output
> > > of klist shows:
> > > Ticket cache: API:bvossoug@ASU.EDU
> > > Default principal: bvossoug@ASU.EDU
> > >
> > > Valid starting Expires Service principal
> > > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/ASU.EDU@ASU.EDU
> > >  renew until 10/30/08 15:30:56
> > >
> > > but I'm not getting the afs@asu.edu credential.. ??
> > > why?
> > > So, does this indicate the problem is with KfW instead of openafs?
> >
> > You have not received any service tickets.  All you have is a TGT.
> >
> > Can you obtain service tickets for any service?
> >
> >  kvno.exe <service-ticket-name>
> >
> > You could also turn on logging in NIM and examine the log.
> >
> > My guess is that assuming you have the AFS credential acquisition
> > properly configured for NIM that the clock on the machine is not
> > set correctly.  Wrong time or wrong time zone.
> >
> I check the date/time.. It's syncing with the domain controls which sync the
> kerb servers. It all works.
>
> I did the following in a cmd shell:
>
>
> C:\Documents and Settings\bvossoug>klist
>
> Ticket cache: API:bvossoug@ASU.EDU
> Default principal: bvossoug@ASU.EDU
>  Valid starting Expires Service principal
>
> 10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/ASU.EDU@ASU.EDU
>
>  renew until 11/06/08 08:44:55
>
> C:\Documents and Settings\bvossoug>aklog
> pioctl temp != 0: 0x66543218
>
> NOTE how AKLOG fails.
>
> Then, testing with kvno to get another service, works okay.
>
> C:\Documents and Settings\bvossoug>kvno host/ppp1.asu.edu@ASU.EDU
> host/ppp1.asu.edu@ASU.EDU: kvno = 4
>
> NOW the thing that's weird is that AFTER I did the kvno, NIM suddenly updated
> itself and suddenly I had afs@ASU.EDU service tickets. So I check using the
> tokens command
>
> C:\Documents and Settings\bvossoug>tokens
> Tokens held by the Cache Manager:
>
> User bvossoug@ASU.EDU's tokens for afs@asu.edu [Expires Oct 30 18:45]
>
> pioctl temp != 0: 0x66543218
>
>  --End of list ----
>
> So, tokens finally says that the user has an AFS token, but still returns the
> pioctl error.
>
> This is getting curiouser and curiouser...
>
> --
> David Bear
> College of Public Programs at ASU
> 602-464-0424
>
>
>


-- 
David Bear
College of Public Programs at ASU
602-464-0424
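
Added example (not part of the original messages): a Python sketch of the check described in the quoted reply, telling a credential cache that holds only a TGT from one that also holds service tickets such as afs@ASU.EDU. The first listing is the klist output from the thread; the second listing's timestamps and all function names are constructed for illustration.

```python
import re

# Constructed sample: the klist listing from the thread (TGT only), and a
# second listing with the service tickets the thread says appeared later
# (their timestamps are constructed).
TGT_ONLY = """\
Ticket cache: API:bvossoug@ASU.EDU
Default principal: bvossoug@ASU.EDU

Valid starting Expires Service principal
10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/ASU.EDU@ASU.EDU
 renew until 11/06/08 08:44:55
"""

WITH_SERVICES = TGT_ONLY + """\
10/30/08 08:50:00 10/30/08 18:45:10 host/ppp1.asu.edu@ASU.EDU
10/30/08 08:50:05 10/30/08 18:45:10 afs@ASU.EDU
"""

# One ticket row: start date+time, expiry date+time, service principal.
ROW = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)

def parse_klist(text):
    """Return the default principal and the list of service principals."""
    principal, services = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line)  # header and "renew until" lines do not match
        if m:
            services.append(m.group(3))
    return principal, services

def classify(text, wanted="afs"):
    """Split the cache into TGTs and service tickets; report whether a
    ticket whose first name component is `wanted` is present."""
    principal, services = parse_klist(text)
    tgts = [s for s in services if s.startswith("krbtgt/")]
    others = [s for s in services if not s.startswith("krbtgt/")]
    # afs@REALM and afs/cell@REALM are both AFS service principal forms.
    has_wanted = any(re.split(r"[/@]", s, maxsplit=1)[0] == wanted for s in others)
    return {"principal": principal, "tgts": tgts,
            "service_tickets": others, "has_wanted": has_wanted}
```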
