[OpenAFS] openafs pioctl issue on windows
David Bear
David.Bear@asu.edu
Thu, 30 Oct 2008 14:18:54 -0700
------=_Part_19906_21928354.1225401534471
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
On Thu, Oct 30, 2008 at 1:25 PM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:
> The pioctl error is not strange. Previously in this thread I indicated
> that it means 'end of list'. Aklog reads the list of existing tokens.
> There were none. Tokens reads the list of tokens. There was one.
>
> What seems strange to me is that on 'normally functioning systems' (those
with openafs and kfw that works as expected) I don't see the pioctl error.
The other strange thing is why did I suddenly get a afs@asu.edu service
ticket after performing the kvno on the other host principal?
> Jeffrey Altman
>
> -original message-
> Subject: Re: [OpenAFS] openafs pioctl issue on windows
> From: "David Bear" <David.Bear@asu.edu>
> Date: 2008-10-30 11:43
>
> This is getting stranger and stranger -- Jeff, I finally got the name of
> another service to test.. below is a screen shot of what happened.
>
> On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <
> jaltman@secure-endpoints.com> wrote:
>
> > David Bear wrote:
> > > KFW is version 3.2.2 -- resintalled today.
> > > Windows is XP Pro with SP2
> > > credential cache is API: -- we do make use of windows logon
> credentials.
> > > I've stopped using kinit and only use NIM to get and destroy tickets. I
> > > do succesfully get tickets in asu.edu <http://asu.edu>, as the output
> > > of klist shows:
> > > Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU> <
> API%3Abvossoug@ASU.EDU <API%253Abvossoug@ASU.EDU>> <mailto:
> > API%3Abvossoug@ASU.EDU <API%253Abvossoug@ASU.EDU> <
> API%253Abvossoug@ASU.EDU <API%25253Abvossoug@ASU.EDU>>>
> > > Default principal: bvossoug@ASU.EDU <mailto:bvossoug@ASU.EDU>
> > >
> > > Valid starting Expires Service principal
> > > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/ASU.EDU
> > > <http://ASU.EDU>@ASU.EDU <http://ASU.EDU>
> > > renew until 10/30/08 15:30:56
> > >
> > > but I'm not getting the afs@asu.edu <mailto:afs@asu.edu> credential..
> ??
> > > why?
> > > So, does this indicate the problem is with KfW instead of openafs?
> >
> > You have not received any service tickets. All you have is a TGT.
> >
> > Can you obtain service tickets for any service?
> >
> > kvno.exe <service-ticket-name>
> >
> > You could also turn on logging in NIM and examine the log.
> >
> > My guess is that assuming you have the AFS credential acquisition
> > properly configured for NIM that the clock on the machine is not
> > set correctly. Wrong time or wrong time zone.
> >
> > I check the date/time.. It syncing with the domain controls which sync
> the
> the kerb servers. It all works.
>
> I did the following in a cmd shell:
>
>
> C:\Documents and Settings\bvossoug>klist
>
> Ticket cache: API:bvossoug@ASU.EDU <API%3Abvossoug@ASU.EDU> <
> API%3Abvossoug@ASU.EDU <API%253Abvossoug@ASU.EDU>>
> Default principal: bvossoug@ASU.EDU
> Valid starting Expires Service principal
>
> 10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/ASU.EDU@ASU.EDU
>
> renew until 11/06/08 08:44:55
>
> C:\Documents and Settings\bvossoug>aklog
> pioctl temp != 0: 0x66543218
>
> NOTE how AKLOG fails.
>
> Then, testing with kvno to get another service, works okay.
>
> C:\Documents and Settings\bvossoug>kvno host/ppp1.asu.edu@ASU.EDU
> host/ppp1.asu.edu@ASU.EDU: kvno = 4
>
> NOW the thing thats weird is that AFTER i did the kvno, NIM suddenly
> updated
> itself and suddenly I had afs@ASU.EDU service tickets. So I check using
> the
> tokens command
>
> C:\Documents and Settings\bvossoug>tokens
> Tokens held by the Cache Manager:
>
> User bvossoug@ASU.EDU's tokens for afs@asu.edu [Expires Oct 30 18:45]
>
> pioctl temp != 0: 0x66543218
>
> --End of list ----
>
> So, tokens finally says that the user as an AFS token, but still returns
> the
> pioctrol error.
>
> This is getting curiouser and curiouser...
>
> --
> David Bear
> College of Public Programs at ASU
> 602-464-0424
>
>
>
--
David Bear
College of Public Programs at ASU
602-464-0424
------=_Part_19906_21928354.1225401534471
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
<br><br><div class="gmail_quote">On Thu, Oct 30, 2008 at 1:25 PM, Jeffrey Altman <span dir="ltr"><<a href="mailto:jaltman@secure-endpoints.com">jaltman@secure-endpoints.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The pioctl error is not strange. Previously in this thread I indicated that it means 'end of list'. Aklog reads the list of existing tokens. There were none. Tokens reads the list of tokens. There was one.<br>
<br></blockquote><div></div><div>What seems strange to me is that on 'normally functioning systems' (those with openafs and kfw that works as expected) I don't see the pioctl error. </div><div></div><div>The other strange thing is why did I suddenly get a <a href="mailto:afs@asu.edu">afs@asu.edu</a> service ticket after performing the kvno on the other host principal?</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Jeffrey Altman<br>
<div class="Ih2E3d"><br>
-original message-<br>
Subject: Re: [OpenAFS] openafs pioctl issue on windows<br>
From: "David Bear" <<a href="mailto:David.Bear@asu.edu">David.Bear@asu.edu</a>><br>
Date: 2008-10-30 11:43<br>
<br>
This is getting stranger and stranger -- Jeff, I finally got the name of<br>
another service to test.. below is a screen shot of what happened.<br>
<br>
On Thu, Oct 23, 2008 at 7:11 PM, Jeffrey Altman <<br>
<a href="mailto:jaltman@secure-endpoints.com">jaltman@secure-endpoints.com</a>> wrote:<br>
<br>
> David Bear wrote:<br>
> > KFW is version 3.2.2 -- resintalled today.<br>
> > Windows is XP Pro with SP2<br>
> > credential cache is API: -- we do make use of windows logon credentials.<br>
> > I've stopped using kinit and only use NIM to get and destroy tickets. I<br>
> > do succesfully get tickets in <a href="http://asu.edu" target="_blank">asu.edu</a> <<a href="http://asu.edu" target="_blank">http://asu.edu</a>>, as the output<br>
> > of klist shows:<br>
</div>> > Ticket cache: <a href="mailto:API%3Abvossoug@ASU.EDU">API:bvossoug@ASU.EDU</a> <<a href="mailto:API%253Abvossoug@ASU.EDU">API%3Abvossoug@ASU.EDU</a>> <mailto:<br>
> <a href="mailto:API%253Abvossoug@ASU.EDU">API%3Abvossoug@ASU.EDU</a> <<a href="mailto:API%25253Abvossoug@ASU.EDU">API%253Abvossoug@ASU.EDU</a>>><br>
<div class="Ih2E3d">> > Default principal: <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a> <mailto:<a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a>><br>
> ><br>
> > Valid starting Expires Service principal<br>
> > 10/23/08 15:34:38 10/24/08 01:34:39 krbtgt/<a href="http://ASU.EDU" target="_blank">ASU.EDU</a><br>
> > <<a href="http://ASU.EDU" target="_blank">http://ASU.EDU</a>>@<a href="http://ASU.EDU" target="_blank">ASU.EDU</a> <<a href="http://ASU.EDU" target="_blank">http://ASU.EDU</a>><br>
> > renew until 10/30/08 15:30:56<br>
> ><br>
> > but I'm not getting the <a href="mailto:afs@asu.edu">afs@asu.edu</a> <mailto:<a href="mailto:afs@asu.edu">afs@asu.edu</a>> credential.. ??<br>
> > why?<br>
> > So, does this indicate the problem is with KfW instead of openafs?<br>
><br>
> You have not received any service tickets. All you have is a TGT.<br>
><br>
> Can you obtain service tickets for any service?<br>
><br>
> kvno.exe <service-ticket-name><br>
><br>
> You could also turn on logging in NIM and examine the log.<br>
><br>
> My guess is that assuming you have the AFS credential acquisition<br>
> properly configured for NIM that the clock on the machine is not<br>
> set correctly. Wrong time or wrong time zone.<br>
><br>
> I check the date/time.. It syncing with the domain controls which sync the<br>
the kerb servers. It all works.<br>
<br>
I did the following in a cmd shell:<br>
<br>
<br>
C:\Documents and Settings\bvossoug>klist<br>
<br>
</div>Ticket cache: <a href="mailto:API%3Abvossoug@ASU.EDU">API:bvossoug@ASU.EDU</a> <<a href="mailto:API%253Abvossoug@ASU.EDU">API%3Abvossoug@ASU.EDU</a>><br>
<div class="Ih2E3d">Default principal: <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a><br>
</div><div><div class="Wj3C7c"> Valid starting Expires Service principal<br>
<br>
10/30/08 08:45:08 10/30/08 18:45:10 krbtgt/<a href="http://ASU.EDU" target="_blank">ASU.EDU</a>@<a href="http://ASU.EDU" target="_blank">ASU.EDU</a><br>
<br>
renew until 11/06/08 08:44:55<br>
<br>
C:\Documents and Settings\bvossoug>aklog<br>
pioctl temp != 0: 0x66543218<br>
<br>
NOTE how AKLOG fails.<br>
<br>
Then, testing with kvno to get another service, works okay.<br>
<br>
C:\Documents and Settings\bvossoug>kvno host/<a href="http://ppp1.asu.edu" target="_blank">ppp1.asu.edu</a>@<a href="http://ASU.EDU" target="_blank">ASU.EDU</a><br>
host/<a href="http://ppp1.asu.edu" target="_blank">ppp1.asu.edu</a>@<a href="http://ASU.EDU" target="_blank">ASU.EDU</a>: kvno = 4<br>
<br>
NOW the thing thats weird is that AFTER i did the kvno, NIM suddenly updated<br>
itself and suddenly I had <a href="mailto:afs@ASU.EDU">afs@ASU.EDU</a> service tickets. So I check using the<br>
tokens command<br>
<br>
C:\Documents and Settings\bvossoug>tokens<br>
Tokens held by the Cache Manager:<br>
<br>
User <a href="mailto:bvossoug@ASU.EDU">bvossoug@ASU.EDU</a>'s tokens for <a href="mailto:afs@asu.edu">afs@asu.edu</a> [Expires Oct 30 18:45]<br>
<br>
pioctl temp != 0: 0x66543218<br>
<br>
--End of list ----<br>
<br>
So, tokens finally says that the user as an AFS token, but still returns the<br>
pioctrol error.<br>
<br>
This is getting curiouser and curiouser...<br>
<br>
--<br>
David Bear<br>
College of Public Programs at ASU<br>
602-464-0424<br>
<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>David Bear<br>College of Public Programs at ASU<br>602-464-0424<br>
------=_Part_19906_21928354.1225401534471--