[OpenAFS] Cannot browse AFS as a non-privileged user

Jeffrey Altman jaltman@your-file-system.com
Tue, 10 Sep 2013 09:24:53 -0400


This is a cryptographically signed message in MIME format.

--------------ms030300020109010403090709
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I have created

  https://rt.central.org/rt/Ticket/Display.html?id=3D131726

to track this issue.  There are no obvious changes between 1.7.23 and
1.7.24 which would impact admin vs non-admin access to a file system.
It sounds like a pioctl is failing but not all pioctls are failing which
is very odd.  Attaching a kernel debugger to the system and adding break
points in the pioctl processing pathway will likely be necessary to
identify the issue.

I will attempt to reproduce and address the issue before the 1.7.27 relea=
se.

Jeffrey Altman


On 9/10/2013 8:36 AM, Kostas Liakakis wrote:
> Hello again,
>=20
> Following up myself, I started trying earlier versions to see if there
> is any change. Mind you, this is the 32bit version installer.
>=20
> 1.7.25 Same problem as the latest version
>=20
> 1.7.24 Same problem as the latest version
>=20
> 1.7.23 Works like a charm
>=20
> 1.7.22 BSOD right after logging in. I had the time to briefly see the
> padlock icon with what looked like a black dot at the lower left corner=
=2E
> The BSOD message was:
> NO_MORE_IRP_STACK_LOCATIONS
> STOP 0x35 (0x85952130, 0, 0, 0)
>=20
> 1.7.21 Works like a charm
>=20
> 1.7.20 Works like a charm
>=20
> Now I am off to the changelogs to see if I can nail something useful.
>=20
> -Kostas
>=20
>=20
> On 09/09/2013 10:35 PM, Kostas Liakakis wrote:
>>
>> Hello,
>>
>> It has been many years now since we first installed OpenAFS + KfW on o=
ur
>> Windows XP clients and have been using it without any trouble. Stickin=
g
>> to the "if it ain't broken, don't fix it" principal we sticked with so=
me
>> 1.3.7x version of the OpenAFS client.
>>
>> Today, as part of a general update, I decided it was time to move on,
>> thinking the IFS redirector had more than enough time to mature. I wen=
t
>> on installing Heimdal 1.5.1 binaries, along with NetIDMgr 2.0 and
>> OpenAFS 1.7.26 (in that order) on an otherwise freshly installed WinXP=

>> computer which basically only had SP3 and whatever dependencies the
>> CM2012 client brought along (Silverlight etc). Some domain-wide group
>> policy has also been applied, but as this machine belongs to a TEST OU=

>> for the time being, they should be mostly harmless stuff.
>>
>> I quickly found about the missing 5-to-4 .DLLs NetIDMgr would require
>> that was not present in Heimdal, complemented them from KfW3.2.2 and
>> soon I was able to get tokens for my realm and browse the AFS
>> filesystem....
>>
>> ... with an administrator account. As soon as I logged on as a simple
>> user, I could not get tokens anymore and the AFS padlock icon would
>> appear broken. While hovering over, a tooltip saying "OpenAFS service
>> cannot be reached" would come up.
>>
>> aklog from command prompt after grabbing tickets from my KDC would say=
:
>>
>> C:\Documents and Settings\kostas>aklog -d
>> Authenticating to cell physics.auth.gr.
>> Getting v5 tickets: afs/physics.auth.gr@PHYSICS.AUTH.GR
>> Getting v5 tickets: afs@PHYSICS.AUTH.GR
>> pioctl Redirector is ready
>> pioctl NetbiosName =3D "AFS"
>> pioctl filename =3D "\\AFS\all\_._AFS_IOCTL_._"
>> About to resolve name kostas@PHYSICS.AUTH.GR to id
>> Id 10002
>> Set username to kostas@PHYSICS.AUTH.GR
>> Setting tokens.
>> pioctl Redirector is ready
>> pioctl NetbiosName =3D "AFS"
>> pioctl filename =3D "\\AFS\all\_._AFS_IOCTL_._"
>> aklog: Cache Manager is not initialized / afsd is not running while
>> setting token for cell physics.auth.gr
>>
>> However, the afsd_service.exe process was running fine.
>>
>> Without logging off, I opened a new CMD window with administrator
>> privileges and was able to get tokens alright and browse the filesyste=
m
>> from the privileged process, so the AFS is working alright.
>>
>> But at the same time, as the non-privileged user, I can't browse
>> \\AFS\all, nor \\AFS\physics.auth.gr which is available even to
>> non-logged users. When I try to do so, Windows responds with:
>>
>> "\\afs\all is not accessible. You might not have permission to use thi=
s
>> network resource. Contact your ... "
>>
>> However, I CAN browse \\afs and see the freelance generated root.cell
>>
>> It fells like this is a permission thingie, but I don't really know
>> where to look at right now. Any insight you may have is much appreciat=
ed.
>>
>> Thanks,
>>
>> -Kostas
>>
>>
>>
>>
>>
>>
>>
>=20


--------------ms030300020109010403090709
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINITCC
BkIwggUqoAMCAQICEDirAC//rpa3Vv85Wvtd5xswDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNV
BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0
aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMSBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTExMDkwMTAwMDAwMFoXDTIx
MDgzMTIzNTk1OVowgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3Jh
dGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29u
YSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwg
U3Vic2NyaWJlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxuwn
/R1j9DsdisHTHMjIgoa2uEqGkqqBXHLKMA0vnkEiVzAhJZCao/SsKsaIF4ZhchN2LuwDyyeb
jyCAN+DkitpVplAP/LlcI2mJQqG6H6/vDvmkyQrx+DeyxtmSSq5937hEH5u6P4wG/tgjT0hR
I2pghKjuJy9g35byGiqMPI8AzE/L+iCOvDX24fCatgXz/B0/xhR7DtryBeTTgwKmxWlwtKnk
VunbHVz0pjbia7UeKi3cvrvuOgSwMAitX2hsxr0GloiE5+apZC28ODC7iCbDZ2ZmtLR3+cCh
xw5y72bi5bnK4POFdzWY3tQcsP5mceI4y258T0BV65fZqBge7QIDAQABo4ICRDCCAkAwOAYI
KwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vcGtpLW9jc3AudmVyaXNpZ24uY29t
MBIGA1UdEwEB/wQIMAYBAf8CAQAwbAYDVR0gBGUwYzBhBgtghkgBhvhFAQcXATBSMCYGCCsG
AQUFBwIBFhpodHRwOi8vd3d3LnN5bWF1dGguY29tL2NwczAoBggrBgEFBQcCAjAcGhpodHRw
Oi8vd3d3LnN5bWF1dGguY29tL3JwYTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnZl
cmlzaWduLmNvbS9wY2ExLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwx
GjAYBgNVBAMTEVZlcmlTaWduTVBLSS0yLTk3MB0GA1UdDgQWBBSt+cOTci21uShh5KTXYNXE
Cl4aATCB8QYDVR0jBIHpMIHmoYHQpIHNMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVy
aVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsT
MShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBD
BgNVBAMTPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgLSBHM4IRAItbdVaEVIULAM+vOEjOsaQwDQYJKoZIhvcNAQEFBQADggEBANaP
wdqbiPKzbE0fWC+6AVFddMFG6MO4e5/WQPHv/zK6iWvADjRDn6SZ5qTwXUgzYoWFYf4jiCKM
YJsrnGVJlMSiOCRIpVylUEto6WIip5PomSJuPVu7EEIOH0x1RzRWCY/4vYw881y70pZwVHBi
Te/REL6dSCxe7IZrB4LwPeElJygs4BZ2HrP95WKW0oo9Xyuu+1zCE7dlY8s0dkOf1oeZq26t
lcEAP0Yngf813iMOQ9wUXzL5yinvwlIw9ZnduYH4OiUgjYJo8rkhhXRmBOGGORYy8i3WKqjJ
3tkAAk/jGCDFpYFWtpXe04Kt+HslvmR8LqC6cCz4+XXidE0HbYQwggbXMIIFv6ADAgECAhAl
sq27FC4B63Z8q1Jzxx+CMA0GCSqGSIb3DQEBBQUAMIGmMQswCQYDVQQGEwJVUzEdMBsGA1UE
ChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdv
cmsxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMg
Q2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNDAeFw0xMzAxMTUwMDAwMDBa
Fw0xNDAxMTYyMzU5NTlaMIHOMS4wLAYDVQQDDCVQZXJzb25hIE5vdCBWYWxpZGF0ZWQgLSAx
MzU4Mjc2MTA4NjMxMSswKQYJKoZIhvcNAQkBFhxqYWx0bWFuQHlvdXItZmlsZS1zeXN0ZW0u
Y29tMQ8wDQYDVQQLDAZTL01JTUUxHjAcBgNVBAsMFVBlcnNvbmEgTm90IFZhbGlkYXRlZDEf
MB0GA1UECwwWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEdMBsGA1UECgwUU3ltYW50ZWMgQ29y
cG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChjpVdVk6XeKFff4To
xGglVcP3FVY95LfwfBUKbQKppRYgfKBFW1RIEG+KXpc3IGOOTUX0Lg1xaukRwuoqv/pqRMNK
JabXcr1RFuCFg9xfcmP5Z+65qQ+IRxYCKdcNfu3GdS7rMOY57+VLU7aZnnMgnt0oE42awze8
gYQSJsdjZKKZS9DBnzxJYfzqhIw7txoMdV7rwPAZm5yujsqI/eWuZPZ+qZ+8GTsnHJzZNvc6
KrDGU6aVfknM+qf92hXA2VXvmtf1B17BBbGX6Hgat71Ufw5oXFly6/Vt+e5mKIozXytw8qPX
NllsG89ITVzn0OovcpcSRFBrXanzVn7JVj33AgMBAAGjggLVMIIC0TAMBgNVHRMBAf8EAjAA
MA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwHQYD
VR0OBBYEFMC1SMuRefXyNAwkZM+Lgu7iJ6nFMCcGA1UdEQQgMB6BHGphbHRtYW5AeW91ci1m
aWxlLXN5c3RlbS5jb20wHwYDVR0jBBgwFoAUrfnDk3IttbkoYeSk12DVxApeGgEwggErBggr
BgEFBQcBAQSCAR0wggEZMIIBFQYIKwYBBQUHMAKGggEHbGRhcDovL2RpcmVjdG9yeS52ZXJp
c2lnbi5jb20vQ04lMjAlM0QlMjBTeW1hbnRlYyUyMENsYXNzJTIwMSUyMEluZGl2aWR1YWwl
MjBTdWJzY3JpYmVyJTIwQ0ElMjAtJTIwRzQlMkMlMjBPVSUyMCUzRCUyMFBlcnNvbmElMjBO
b3QlMjBWYWxpZGF0ZWQlMkMlMjBPVSUyMCUzRCUyMFN5bWFudGVjJTIwVHJ1c3QlMjBOZXR3
b3JrJTJDJTIwTyUyMCUzRCUyMFN5bWFudGVjJTIwQ29ycG9yYXRpb24lMkMlMjBDJTIwJTNE
JTIwVVM/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnkwXQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL3Br
aS1jcmwuc3ltYXV0aC5jb20vY2FfNTYxYzEwMzY5MGM5N2E2OTI0N2EwZWYwNzFhYzgxYWYv
TGF0ZXN0Q1JMLmNybDBsBgNVHSAEZTBjMGEGC2CGSAGG+EUBBxcBMFIwJgYIKwYBBQUHAgEW
Gmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cu
c3ltYXV0aC5jb20vcnBhMCoGCmCGSAGG+EUBEAMEHDAaBhFghkgBhvhFARABAgIEAYazFxYF
MTA5MjIwDQYJKoZIhvcNAQEFBQADggEBAHVBsY+l21fY0twxzNnO0QbadbRT4n7k3rYfOMbP
noBDkYQx5lcrYn19f7e+ADMPdW/MY2ZjFM76aiRgiTo2IjMB7z4vyX6hfGJKTIHX9loDW0H2
z2o0jYqXDQtXx9A/gfMtVh9J+8O5IuCPsVtXgI4p6kRQHN+Er2Rzu1I4BILxE9HsDb/ruX6p
NXZSUQ2AcMP87ZVfz+reumMpJgWWAoiQWJCgp+qZ2c2AG+yV+FstiMpxIj/qB9+BrFRuam8d
IGbH0tIS2tyc7pgit8Pid2Zv7HGT2NFu69INsKIyqGImhMVuOUaCq/kNi3Z+6R5Hm3ljift8
ZF52Kiq4whe8KlcxggRSMIIETgIBATCBuzCBpjELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5
bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMR4w
HAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlN5bWFudGVjIENsYXNz
IDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzQCECWyrbsULgHrdnyrUnPHH4IwCQYF
Kw4DAhoFAKCCAmswGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTMwOTEwMTMyNDUzWjAjBgkqhkiG9w0BCQQxFgQUcRzy/VZO7aJWy33yM5rv7fwGxAMwbAYJ
KoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4G
CCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCB
zAYJKwYBBAGCNxAEMYG+MIG7MIGmMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMg
Q29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHjAcBgNVBAsT
FVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMgQ2xhc3MgMSBJbmRp
dmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNAIQJbKtuxQuAet2fKtSc8cfgjCBzgYLKoZIhvcN
AQkQAgsxgb6ggbswgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3Jh
dGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29u
YSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwg
U3Vic2NyaWJlciBDQSAtIEc0AhAlsq27FC4B63Z8q1Jzxx+CMA0GCSqGSIb3DQEBAQUABIIB
AB3Vn90r0sdSn9IeEeL7abvGaLhDT/sFt2ocid6EMg5Jj+9hlObC+XjDIaVw08Es4KK+CMuY
KfrcVsVJdOPcFaIwjEPyy/6fzKb8HHuJwztDYnxqholx+peqswbEGj5rSwyqmShX1cSRs886
+9gLHbPDdFP9WuiLYjX4KdBHZh88Y85KYGm7VgT/Ucg1lES7aZeARDNnSLs41bEOeKraKkfr
nJO/A8bI3HiDUwWC63w9aN2iwLSvSRSXepaABMf4fpqDTWXfhnwrXCbMrUZ1R419WXjPllyW
H/339Gf/0tRcpbxw5JAaztHuxZmaLnLCy7t0X+4rJZOaOlLwtLM964sAAAAAAAA=
--------------ms030300020109010403090709--