+++ /dev/null
-[[!toc levels=3]]
-
-# End User Quick Start Guide
-
-## Introduction
-
-This guide is a (hopefully) straightforward manual for setting up [[OpenAFS]]
-for Windows <del>1.3.70</del> **1.7.4**. It was written with the not-so-
-experienced user in mind and is a step-by-step description of a sample
-configuration. Changing the settings to your specific needs should pose no
-problems.
-
-_**(The changes for 1.7.4 are incomplete; none of the pictures are up to date.
-When complete, the markup should be removed --jtb) **_
-
-### Before the Installation
-
-Before we start, let us take a moment and just skim through the installation.
-For the impatient, this section may not be what you are looking for. This is
-an introduction to the concepts of AFS'ing in Windows -- "basic" knowledge you
-should have before attempting to connect to the world.
-
-#### System Requirements
-
-First of all, check that your system and network is capable of using
-[[OpenAFS]] for Windows. You will need <del>Windows 2000 or later. Support for
-Windows NT and the Windows 9x (including ME) series has been discontinued. If
-you succeed with the installation, it is sheer luck!</del> **Windows XP SP3,
-Windows Server 2003 SP2, Windows Vista SP1, Windows Server 2008, Windows 7,
-Windows Server 2008 R2**.
-
-The disc usage of [[OpenAFS]] is pretty limited: around <del>50</del>**100**
-MB in the standard installation. You may later increase the cache size, thus
-using up more.
-
-To be able to access files, you will need the network up and running. AFS is
-not very demanding on bandwidth, but realize that every byte of a file is
-transmitted over the wire (or air) uncompressed. The use of the client cache
-helps reduce bandwidth requirements.
-
-#### Kerberos: An Analogy
-
-AFS uses an access-restriction system called Kerberos, originally developed at
-MIT. Kerberos is a three-part authenticator. You could say the Kerberos server
-(a.k.a. KDC, Kerberos Domain Controller) is somewhat like an ID-card archive.
-When Adam wants to loan a car from Eve, Eve may trust Adam. Adam is trusted to
-leave the car back as agreed. In this case, Adam needs simply state "I am
-Adam". Eve lends him the car, and everything is fine.
-
-However, if Eve has never met this Adam fellow, she might not want to just
-give him the car and hope he returns with it. This is where the three-part
-authentication comes in. Authorities are trusted by most people. So, imagine
-this scenario instead: Adam tells Eve he wants to borrow her car.
-
- * Eve: "Fine, but how do I know you are who you say you are?"
- * Adam: "Do you trust the ID Authority and that they will only give out ID cards to the right person?"
- * Eve: "Yes, sure I do, they have information on everyone. Including me."
- * Adam: "So, you would accept if I were to show you my ID card, signed by the ID Authority?"
- * Eve: "Absolutely, and apparently, you trust them too, so I could do the same for you."
-
-Both Adam and Eve go about sending in their secret password (known only to the
-respective person and the computer at ID Authority). They flash their fresh ID
-cards, and accept each others identity. Instead of the two trusting each
-other, they only have to trust one common party.
-
-#### Kerberos in practice
-
-In AFS, you (the Windows Client, actually) are Adam, and the AFS server is
-Eve. They both communicate with a KDC.
-
-However, in the digital reality, things are not quite as easy as borrowing a
-car: Originally, version four of Kerberos was used in AFS. It turned out this
-was an insecure concept; many others then moved to [[KerberosV]] (version 5).
-[[OpenAFS]] followed as soon as possible, without breaking backward
-compatibility. <del>Unfortunatly, the Windows client was not updated with
-[[KerberosV]] when the Unix client was, which led Windows developers to create
-external tools for [[KerberosV]].</del>
-
-Nowadays, [[OpenAFS]] for Windows does support [[KerberosV]] tickets ("ID
-cards") directly, <del>but the variety of utilities still exist, creating the
-problem of choosing which one to use</del> **but MIT no longer supports its
-Kerberos for Windows implementation, requiring a transition to other
-implementations. Currently OpenAFS recommends that you use ``Heimdal''
-Kerberos.**
-
-In order to use [[KerberosV]] (recommended), you will have to use Kerberos for
-Windows <del>an MIT product</del>. Of course, this requires that you use
-[[KerberosV]] servers, which still is not always the case. Small sites may
-still use [[OpenAFS]]'s own Kerberos IV server implementation, called the
-**_kaserver_** **but since this option is no longer supported, this
-introduction will no longer discuss it**.
-
-### A Word of Advice
-
-While installing and configuring AFS, you should keep in mind that the
-authentication part is the part which most often causes problems. This is
-partly due to the fact that different generations of Kerberos are kept in the
-software for backward compatiblity. It may also be that some information is
-not available to the [[OpenAFS]] developers. Please be patient about getting
-Kerberos to work.
-
-If the AFS servers you are about to connect to are already set up and in use,
-you may be able to browse public areas without being authenticated. This way,
-you can check if AFS or Kerberos is causing your headache.
-
-### The Software Installation
-
-Now that you know about the existence and uses of Kerberos, we can continue
-with the installation. This guide will first discuss the installation screens,
-then continuing with a simple sample configuration and end with some
-references. Happy installing!
-
-## Step by Step
-
-### <del>Optionally:</del> Download and Install Kerberos for Windows
-
-<del>If you know, or believe, that the AFS cell you will be connecting to uses
-[[KerberosV]], you should download [MIT Kerberos for
-Windows](http://web.mit.edu/kerberos/www/). The latest release is available on
-[this page](http://web.mit.edu/kerberos/www/dist/). The download of interest
-is the **Installer** for Windows.</del>
-
-Download and install Heimdal Kerberos for Windows from [Secure
-Endpoints](https://www.secure-endpoints.com/heimdal). You can choose the
-"Typical Install'' _Maybe there's a way to set flags during installation?_
-_(NB: should give picture here)_.
-
-After installing Kerberos, you must edit the file
-`%SystemDrive%\ProgramData\Kerberos\krb5.conf` (usually equivalent to:
-`C:\Documents and Settings\All Users\Application Data\Kerberos\krb5.conf`) in
-Notepad as Administrator. Most of the file is useless but innocuous. But the
-first lines should say:
-
->
-> [libdefaults]
-> allow_weak_crypto = true
->
-
-You will need to add the line about weak cryptography. A later planned release
-in the 1.7.X branch will avoid the need to make this configuration file
-change.
-
-Note that installing <del>MIT</del> Kerberos for Windows will not prevent you
-from using the old Kerberos 4 protocol. It will, however, set up your computer
-for [[KerberosV]] as a first choice.
-
-### Download and Install Network Identity Manager (v2)
-
-Download and install Network Identity Manager (v2) also from [Secure
-Endpoints](https://www.secure-endpoints.com/netidmgr/v2/index.html). The
-"Typical Install" is all one needs here. _(NB: shoudl give picture here>_**
-
-### Obtaining [[OpenAFS]] for Windows
-
-The main site for [[OpenAFS]] is [openafs.org](http://openafs.org). From here
-you can download the latest releases of all versions of the [[OpenAFS]]
-package. On [this page](http://openafs.org/windows.html) you will always find
-the latest releases.
-
-For 64 bit machines, there are two MSI installers you need to run:
-
- * The OpenAFS File System with 64-bit Explorer Shell and Authentication Libraries
- * 32-bit Explorer Shell and Authentication Libraries.
-
-For 32 bit machines, there is one MSI installer that you need. It contains
-
- * The OpenAFS File System with 32-bit Explorer Shell and Authentication Libraries.
-
-In the remainder of this document we assume you have a 64-bit system. (Stopped
-here with 1.7.4 changes.)
-
-### Start the Installation
-
-To begin installing, run the file you downloaded. The screens are pretty
-standard. Let us go through them one by one.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/1 welcome.png)
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/1 welcome.png)
-
-Installation begins at the welcome screen, shown to the right. Next, you will
-have to agree with the license. Those were the basic steps. From now on, you
-will need to make decisions. Some of them are "best practice," but some are
-site ("cell", in AFS lingo) specific.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/3 type.png)
-
-After the license agreement, you have the option of doing a "client only"
-installation (Typical) or a complete installation. You may also choose to
-configure [[OpenAFS]]'s components manually.
-
-In the Typical Installation, only enough to get your Windows Client working is
-installed. Some configuration is postponed until after the installation. Using
-the Complete Installation, everything will be installed, including the
-experimental AFS Server, a software development kit and (rather outdated)
-administration documentation.
-
-This choice is skipped in the [[NullSoft]] installer.
-
-#### Custom Installation
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/4 custom.png)
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/2 components.png)
-
-Choosing Custom Installation gives you more control over what is installed
-onto your computer. This is shown to the right. There are three different
-icons used when presenting the components: a grey, a white and a red cross.
-Installation using the Nullsoft Installer is similar, except a standard
-checkbox list is being used.
-
-The icon with a grey background indicates **_some_** of the subcomponents will
-be installed. The one with a white background indicates that the **_entire_**
-component will be installed. Last, the red cross shows that the component will
-not be installed. Pressing the "Disk Usage" button brings up an overview of
-your computer's storage. From there, you can find a drive with enough space
-left to install [[OpenAFS]]. Press "OK" to return to the previous screen.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/3 location.png)
-
-In the Nullsoft Installer, another dialog is used to specify the installation
-directory. The default location is a good choice.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/4 cellservdb.png)
-
-For the Nullsoft Installer executable, you also have to decide which
-[[CellServDB]] to use. This is a deprecated way of telling [[OpenAFS]] which
-servers to contact to reach files from a specific cell. New sites use DNS
-lookups instead.
-
-In the Microsoft Installer package, the [[CellServDB]] is preserved if found.
-Otherwise, the packaged file will be installed. You will not need to confirm
-this.
-
-If you already have a [[CellServDB]], you should use the existing file. If you
-are doing a fresh install, download the file from grand.central.org if
-possible. Otherwise, use the packaged file.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/6 configure.png)
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/5 cellname.png)
-
-In the next step, you will need to decide upon (from the Microsoft Installer):
-
- * **Default Cell**
-
- The cell which knows what other cells you will be able to see. It is also
- used to find out which Kerberos KDC to authenticate your identity against. See
- also "Freelance Mode" below.
-
- * **Integrated Logon**
-
- This feature allows [[OpenAFS]] to use the username and password you
- entered during Windows Login. If you have the same username and password for
- your AFS account as in Windows, you will probably want to enable this feature.
- Anyway, if your usernames and passwords do not match, AFS will ignore the
- login, thus letting you login to AFS at a later time. (Default is
- **_enabled_**.)
-
- * **AFS crypt security**
-
- Even though you are authenticated without sending your password in clear
- over the network, the files and directories AFS transfers were historically
- sent without encryption. AFS for Windows now has support for encrypting all
- network traffic. Unless you need to access old AFS servers, you should have
- this enabled. (Default is **_enabled_**.)
-
- * **Freelance mode**
-
- AFS was originally intended to be run on stationary office computers. It
- required the AFS servers to be reachable at any time. Now, the laptop has made
- that an impossibility. Users disconnect and connect their computers to
- different networks several times a day. This led the AFS community to the
- invention of "Freelance Mode". Since the user's default cell determines which
- cells will be visible to the user, a workaround was neccessary when laptops
- began moving around. If you have a laptop, or will otherwise be without a
- connection to the servers of your default cell, you should have this enabled.
- If your computer can always communicate with the servers of the default cell,
- this mode is superfluous. (Default is **_enabled_**.)
-
- * **Lookup cells in DNS**
-
- In the early days of AFS, the mapping between cell names (often coinciding
- with the domain name) and the servers of the cell was made in a file called
- [[CellServDB]]. It contains a list of cells. Each cell has a number of servers
- which can be contacted in order to use data in the cell. However, as time
- passed by, the AFS administrators realized they had to keep the file up to
- date. Not only that, they also recognized they already had a database for their
- domain; the DNS records. To simplify the job of AFS administrators, the AFS
- community decided to read server mappings from the DNS instead. In [[OpenAFS]]
- for Windows, it is still under development, which is why you have the option of
- disabling it. Normally, you will not notice if the mapping is read from
- [[CellServDB]] or DNS. (Default is **_enabled_**.)
-
-Probably the only thing you have changed is the Default cell. All features can
-be left enabled, unless you have previously detected a bug in one of them.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/7 credentials.png)
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/6 credentials.png)
-
-To be able to authenticate yourself to AFS, you will need to retrieve and
-renew Kerberos tickets. These are called "tokens" in the AFS world. Tokens
-must be renewed on regular intervals (a common setting is ten hours). In order
-to handle this, [[OpenAFS]] for Windows ships with a Credentials Manager. A
-credential is a common name for both tickets and tokens.
-
-To have the program start when you login, leave the checkbox filled. If you
-intend to authenticate with [[KerberosV]], you have two options: you either go
-with AFS Credentials Manager, or use the Leash Credentials Manager of Kerberos
-for Windows instead. In the latter case, you can disable automatic startup,
-and ignore the other checkboxes. If unsure, leave it enabled.
-
-The rest of the checkboxes are (from the Microsoft Installer):
-
- * **Auto initialize AFS Credentials**
-
- If you are not able to use the Integrated Logon feature (because the
- usernames do not match, for instance), you can use this feature instead.
- Whenever the Credentials Manager is started, or a new network address is found
- (see below), you will be asked to get new tokens. (This is equivalent to the
- "-A" parameter to afscreds.exe.)
-
- * **Renew drive maps**
-
- This option ensures all drives you have chosen to map to AFS are mapped.
- (This is equivalent to the "-M" parameter to afscreds.exe.)
-
- * **Detect IP address changes**
-
- If used together with the automatic initialization, new tokens will be
- asked for when the computer receives a new network address. This may be due to
- a modem connection, an ISP with DHCP, or just plug-and-play computing. (This is
- equivalent to the "-N" parameter to afscreds.exe.)
-
- * **Quiet mode**
-
- Normally, if the [[OpenAFS]] service is not started before the Credential
- Manager starts, the Manager will display a little guide to help you start it.
- Enabling this option makes the Credentials Manager silently ignore a stopped
- service. (This is equivalent to the "-Q" parameter to afscreds.exe.)
-
- * **Show credentials window on startup**
-
- The Credentials Manager usually resides in the system tray (lower-right
- corner). It shows a locked padlock if you have valid tokens, and a padlock with
- a red cross if not. If you enable this option, [[OpenAFS]] will automatically
- show you a screen with information about your current tokens. This can be
- achieved later by clicking on the lock icon in the system tray. (This is
- equivalent to the "-S" parameter to afscreds.exe.)
-
-Default is enabled for all options except the last. The install program only
-appends the parameters to the shortcuts of the Start Menu (under [[OpenAFS]]
-and under Autostart, if you choose to start the Manager at startup). You may
-alter these parameters at any time by right-clicking the menu item and choose
-"Properties".
-
-This is all it takes for Custom Installation. From now on, the differences
-between the three installation types are not visible.
-
-### Finishing the Installation
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/8 ready.png)
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/nis/7 installing.png)
-
-Now that you have setup your [[OpenAFS]] package, [[OpenAFS]] can be copied
-into the right directories. This will be reasonably fast, so don't go for a
-coffee yet!
-
-![](http://www.e.kth.se/~tommie/openafs/screens/install/msi/11 restart.png)
-
-The last thing you have to do is reboot your computer. Theoretically, you
-could start [[OpenAFS]] without rebooting. This is not recommended, though.
-With all of today's anti virus programs and synchronization drivers, you can
-have that well-deserved coffee break now. Soon, the final adventure will
-begin.
-
-## Configure the Rest
-
-When you logged in, you may have encountered an error message from "AFS
-Integrated Logon". This is because you enabled Integrated Logon, but did not
-have the same username and password for both Windows and the AFS servers. In a
-later section, we will see how we can make [[OpenAFS]] ignore these situations
-without bothering you about it.
-
-[[OpenAFS]] will automatically open ports as neccessary in Windows Internet
-Connection Firewall. If you have another firewall installed, you will have to
-open TCP and UDP ports 7000 through 7009.
-
-Browse to "Control Panel" of your computer. You should have a new alternative
-called "AFS Client Configuration". Double-clicking this, you should see
-(something like) the screen below.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/afsconfig/general.png)
-
-Please note that this is only a starting point. If you are looking for a
-complete configuration reference to [[OpenAFS]] for Windows, you should read
-the [[WindowsConfigurationReferenceGuide]].
-
-According to the Client Status, the service is started, as it should. If you
-used the Typical Installation mode, you will now have to change the cell name
-into something more appropriate. (No one can authenticate to openafs.org,
-really.) Change it to whatever your network administrator told you. It is
-usually simply the domain name of the organization.
-
-### Silencing the Intergrated Login
-
-![](http://www.e.kth.se/~tommie/openafs/screens/afsconfig/adv_login.png)
-
-Information is good, but not in excess. To remove the message, go to the
-"Advanced" tab. Click the "Logon..." button, and set "Fail Logins Silently" to
-"Yes". This is shown to the right.
-
-### Check If You Have Kerberos 5
-
-If everything is well, you should now be able to obtain AFS tokens for your
-default cell. Try this by opening the Credentials Manager from the Start Menu.
-Depending on your installation settings, you may be presented with a password
-prompt, an information window, or nothing.
-
-![](http://www.e.kth.se/~tommie/openafs/screens/windows/taskbar.png)
-
-If you get nothing, you have started the Credentials Manager in the system
-tray. Is the padlock locked? Then you do not need [[KerberosV]]. Otherwise, if
-there is a small red cross over it, try clicking the padlock.
-
-![Screenshot of AFSCreds.exe](http://lh3.ggpht.com/_v_0hCq1skrw/S89dFHP3_hI/AA
-AAAAAACFE/dMQfa_ERaH0/s800/afscreds-sc.png)
-
-If you get a screen like the one above, you can skip [[KerberosV]]. If it says
-"You do not have tokens within any AFS cell", you press "Obtain New
-Tokens...".
-
-Finally, if you get a password prompt, enter your AFS username and password.
-Confirm the AFS Cell name to be your default cell. Press "OK".
-
-If you get an error at this time, you (probably) need to have [[KerberosV]]
-installed. Often, the Credentials Manager complains the "Authentication Server
-was unavailable", or something similar.
-
-Optional: Kerberos for Windows To be able to use [[KerberosV]] authentication
-servers, install MIT Kerberos for Windows. A description of how to install
-this is outside the scope of this guide.
-
-## Trying It Out
-
-Start the Credentials Manager and try to obtain new tokens. This should work.
-You should be able to browse the lands of **_\\AFS\all_** like you were on a
-Unix computer. Do you have write permissions in the right directories?
-
-## Mapping Network Drives
-
-Many Windows users are more comfortable using drive letters instead of UNC
-path notation such as \\AFS\openafs.org\software\openafs\1.5.73\. Windows
-permits any UNC path to be mapped to a drive. On Windows 7 this can be done
-from the Start Menu. Right Click on "Computer" and select "Map Network Drive".
-Select a drive letter to map, enter the \\AFS UNC path to map, and select
-"Reconnect at logon". To map the AFS root volume, use the UNC path \\AFS\all.
-
-Drive mapping can also be performed using the "NET USE" command line tool.
-
-## From here to eternity
-
-The next time you install [[OpenAFS]] for Windows, you are sufficiently
-competent to go directly onto the [[WindowsAdministratorsInstallationGuide]].
-It is more hard-core, and with less fancy screen shots. The
-[[WindowsConfigurationReferenceGuide]] contains a complete description of the
-configuration options of [[OpenAFS]] for Windows.
-
-If anything goes wrong, you can hopefully look it up in
-[[WindowsTroubleshootingGuide]], a FAQ just for [[OpenAFS]] on Windows. Happy
-filing!
-