If NIM is getting and listing tokens, then KFW is working just fine. pioctl error 0x66543218 means "End of List"
The tokens command does not use KFW. It speaks to the AFS cache manager via the pioctl interface which is implemented as a file open/write/read/close sequence on a file called _._AFS_IOCTL_._ in the AFS name space. The file open is performed in the context of a particular SMB session. Each session has an authenticated identity. The tokens are stored in the AFS cache manager bound to the SMB authentication identity. If you are able to obtain/list tokens with NIM and not from tokens. It means that the two processes are running in different sessions and are authenticating over SMB using different identities. There is no way to monitor the SMB authentication identity other than by running the AFS cache manager under a debugger and intercepting the authentication requests. With oafw 1.5.54 if you use "fs memdump" it will output the list of tokens that are known as part of the output to %windir%\temp\afsd_alloc.log. However, it won't tell you what smb authentication session a command is executed under. As for your KFW error you will need to provide a lot more info. What version? What OS? What credential cache type:name? For example, if you are using the MSLSA: credential cache to make use of the Windows Logon credentials, you can't perform kinit. Jeffrey Altman David Bear wrote: > > > On Wed, Oct 22, 2008 at 12:18 PM, Jeffrey Altman > <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: > > NIM uses the same pioctl call as tokens.exe to obtain the tokens list. > > As long as they are being executed from within the same logon session > they will display the same results. > > Hint: "Run as ..." or "Run as administrator" produces a new logon > session. > > Okay -- I tried this from cmd, in a new session. > This failes. > C:\WINDOWS\system32>tokens > > Tokens held by the Cache Manager: > > --End of list -- > pioctl temp != 0: 0x66543218 > Then > C:\WINDOWS\system32>kinit iddwb > kinit(v5): Inappropriate I/O control operation while getting initial > credentials > > So, I guess kfw is not working properly here. Any pointers on what could > be wrong with KFW? > > > Jeffrey Altman > > David Bear wrote: > > I am using > > > > /usr/sbin/rxdebug -server pp-bvossoughi.dhcp.asu.edu > <http://pp-bvossoughi.dhcp.asu.edu> > > <http://pp-bvossoughi.dhcp.asu.edu> -port 7001 -vers > > > > Trying 10.218.16.141 (port 7001): > > AFS version: OpenAFS_1.5.5400 > > > > This system has had intermittent erros with accessing openafs. The > issue > > seems to be always an access/token issue. > > > > KFW 3.2.2 is install and the user is able to get tokens in the > asu.edu <http://asu.edu> > > <http://asu.edu> realm. NIM show the TGT's. > > > > However, any attempt to use 'tokens' to display the afs tokens > causes this: > > > > C:\Documents and Settings\bvossoug>tokens > > Tokens held by the Cache Manager: > > > > pioctl temp != 0: 0x66543218 > > --End of list -- > > > > I googled and found someone with a similar error here: > > > http://www.openafs.org/pipermail/openafs-info/2006-December/024568.html > > > > But I don't know if it could be related since there was no > resolution on > > the thread and it is so old. > > > > I created an fs minidump and copied that ad the afsd_init.log to > an afs > > location that should be world readable at > > > > /afs/asu.edu/pp/oss/afsDumps <http://asu.edu/pp/oss/afsDumps> > <http://asu.edu/pp/oss/afsDumps> > > > > ( the acl is set as system:anyuser so I hope the world can read this > > location ) > > > > Any pointers on where to go next? (BTW, the issue seems to be tied > to a > > specific user logon. I was able to log on to windows as myself, get > > tokens, and use afs) > > > > -- > > > > David Bear > > College of Public Programs at ASU > > 602-464-0424 > > > > > -- > David Bear > College of Public Programs at ASU > 602-464-0424 _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
