Integrated login failed: Credentials cache I/O operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)
Michael Sievers
2007-01-22 14:14:36 UTC
Hi!

We have a problem running the OpenAFS client on a Windows 2003 Terminal
Server. We use the integrated logon feature to obtain an AFS token at logon,
because the users' home directories are stored in afs. Additionally, we use
Kerberos for Windows 2.6.5.

The problem is that with OpenAFS client version 1.5.x, we are getting an
error during logon. The message is

Integrated login failed: Credentials cache I/O operation failed XXX

The result is that the user does not get his home directory, but a
temporary local profile. When he has logged in, the OpenAFS client works, so
the user can access afs. (This is probably because the leash gets the AFS
token.) Just the OpenAFS integrated logon fails. (We tested both KfW 2.6.5
and 3.1, no difference.)

If you disable the OpenAFS integrated logon feature, the error does not
occur, but the user does not get his home directory (that's clear, because
the OpenAFS client does not have a token at this time, so he cannot access
the user directory in afs).

BUT if the user logs out and then logs in again, everything works fine, no
error but the user's home directory. That's because the user gets a token
once he has logged in and this token has a specific lifetime. If the same
user logs in a second time while the afs token is still valid, the OpenAFS
client can now access the user's afs directory during login and load the
profile.

We got this error with OpenAFS 1.5.x and with OpenAFS 1.4.3. Prior versions
work, but only for a specific time, let's say, a day, or a half, and then the
same problem occurs. But if you reboot the server with version < 1.4.3
installed, it works again for a while. Very strange ...

Another phenomenon is that this error only occurs if a user tries to log in
remotely. On the console of the terminal server (if the user is sitting in
front of the server), everything works fine. No error at all. But if the
same user wants to log in via terminal service, he gets the error.

As I mentioned before, we evaluated KfW 2.6.5 through 3.1, no difference. To
eliminate the influence of Microsoft patches, we tested the configuration on
an unpatched vanilla Windows 2003 Server installation, but still the error
occurs.

If you need more information, feel free to ask.

Michael Sievers
--
Universität Paderborn
Zentrum für Informations- und Medientechnologien
Warburgerstr. 100
33098 Paderborn (Germany)
Derrick J Brashear
2007-01-22 14:17:42 UTC
Post by Michael Sievers
Hi!
We have a problem running the OpenAFS client on a Windows 2003 Terminal
Server. We use the integrated logon feature to obtain an AFS token at logon,
because the users' home directories are stored in afs. Additionally, we use
Kerberos for Windows 2.6.5.
The problem is that with OpenAFS client version 1.5.x, we are getting an
error during logon. The message is

What's "x" here? Also, you have kaserver or krb5 kdc?
Michael Sievers
2007-01-22 15:05:43 UTC
I can confirm that this error only occurs when a user is logging in via
Terminal Server. A console login works fine.

That's why we only get this error on the Terminal Server. We have a lot of
Windows XP Pro workstations using the OpenAFS client without any problems.

I will try to provide you with the integrated logon debug trace information
as soon as possible.

Is it sufficient to send the original mail to openafs-***@openafs.org as a
bug report?

Michael Sievers

----- Original Message -----
From: "Jeffrey Altman" <***@secure-endpoints.com>
To: "Michael Sievers" <***@web.de>
Cc: <openafs-***@openafs.org>
Sent: Monday, January 22, 2007 3:44 PM
Subject: Re: [OpenAFS] Integrated login failed: Credentials cache I/O
operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)
Post by Jeffrey Altman
Please confirm that the problem only occurs when the user is logging in
via Terminal Server.
Please provide integrated logon debug trace information extracted from
the Windows Application Event Log as described in the OpenAFS for
Windows Release Notes.
Jeffrey Altman
Jeffrey Altman
2007-01-22 15:11:32 UTC
as a bug report?
No. The bug report should be complete with the log data and the
confirmation.
Jeffrey Altman
2007-10-04 15:44:24 UTC
This was caused by a bug in KFW's Credential Cache API implementation.
It will be fixed in KFW 3.2.2 to be released later this month.

Jeffrey Altman

Michael Sievers
2007-01-22 14:31:34 UTC
----- Original Message -----
From: "Derrick J Brashear" <***@dementia.org>
To: "Michael Sievers" <***@web.de>
Cc: <openafs-***@openafs.org>
Sent: Monday, January 22, 2007 3:17 PM
Subject: Re: [OpenAFS] Integrated login failed: Credentials cache I/O
operation failed XXX (with 1.5.x on Windows 2003 Terminal Server)
Post by Derrick J Brashear
Post by Michael Sievers
Hi!
We have a problem running the OpenAFS client on a Windows 2003 Terminal
Server. We use the integrated logon feature to obtain an AFS token at
logon, because the users' home directories are stored in afs. Additionally,
we use Kerberos for Windows 2.6.5.
The problem is that with OpenAFS client version 1.5.x, we are getting an
error during logon. The message is
What's "x" here? Also, you have kaserver or krb5 kdc?

x means that we tried several OpenAFS versions of the 1.5 branch, but all
of them showed the same behavior, including version 1.5.13.

Sorry, I forgot to mention: we use a krb5 kdc with a cross-realm trust to an
Active Directory.

Michael Sievers
Jeffrey Altman
2007-01-22 14:44:56 UTC
Please confirm that the problem only occurs when the user is logging in
via Terminal Server.

Please provide integrated logon debug trace information extracted from
the Windows Application Event Log as described in the OpenAFS for
Windows Release Notes.

Please file a bug report with this information to openafs-***@openafs.org

Jeffrey Altman
Jeffrey Altman
2007-01-22 14:50:47 UTC
Post by Michael Sievers
Integrated login failed: Credentials cache I/O operation failed XXX
This error means that the user does not have the privileges to
communicate with the instance of the krbcc32s.exe running within the
System session.

This could be because Terminal Server logons do not occur with the
"SYSTEM" account. There may be a lower-privilege account being used.
The krbcc32s.exe running in the System session was started by "SYSTEM"
and only "SYSTEM" can communicate with it.

Assuming this is the case, MEMORY: or FILE: ccaches may need to be used
by the Terminal Server logon. I will need to think about how that
would be done.