From: Joseph H Vilas Date: Thu, 29 Jul 2004 22:16:53 +0000 (+0000) Subject: none X-Git-Url: http://git.openafs.org/?p=openafs-wiki.git;a=commitdiff_plain;h=705f833dcd763462749c7d782d9a9078c20f077a none --- diff --git a/AFSLore/WindowsConfigurationReferenceGuide.mdwn b/AFSLore/WindowsConfigurationReferenceGuide.mdwn index b999045..cf7820a 100644 --- a/AFSLore/WindowsConfigurationReferenceGuide.mdwn +++ b/AFSLore/WindowsConfigurationReferenceGuide.mdwn @@ -65,7 +65,7 @@ ## Introduction -Once you have installed [[OpenAFS]] for Windows onto your computer, there are two programs you will be concerned with: The first one is the AFS Client (Credentials Manager), the second is the AFS Client Configuration program. Many of the options in [[OpenAFS]] can be set from both programs. This is a source of confusion, which this guide will try to sort out. +Once you have installed [[OpenAFS]] for Windows onto your computer, there are two programs you will be concerned with: the AFS Client (Credentials Manager), and the AFS Client Configuration program. Many of the options in [[OpenAFS]] can be set from both programs. This is a source of confusion, which this guide will try to sort out. Because this is a reference, the programs will be described in order, screen by screen. At the end, files and Windows Registry keys will be described. @@ -75,7 +75,7 @@ This program is located in `C:\Program Files\OpenAFS\Client\Program\afscreds.exe ### Command Line Options -If you intend to run `afscreds.exe` from a command line, the following options may be of interrest to you. NB: The flags are case-insensitive, and can begin with either **_-_** (� la Unix) or **_/_** (old Windows style). +If you intend to run `afscreds.exe` from a command line, the following options may be of interest to you. NB: The flags are case-insensitive, and can begin with either **_-_** (� la Unix) or **_/_** (old Windows style).
-A
@@ -110,7 +110,7 @@ The Credentials Manager can make use of MIT Kerberos for Windows, if installed. ### Drive Letters - A fundamental entity in the Microsoft Windows operating systems is the **_drive_**. A drive is identified by one letter and a colon. To mask a network file system as a drive is called to "map a drive". + A fundamental entity in the Microsoft Windows operating systems is the **_drive_**. A drive is identified by one letter and a colon. Masking a network file system as a drive is called "mapping a drive." Mapping a drive in [[OpenAFS]] requires you to know three things. You will have to know what drive you want to map, what AFS path to map from, and what to call the mapping. The first two should be obivous. If you are used to Unix, however, note that the AFS Path is written using backslash, not slash. You also have the option to automatically reconnect the drive on login. @@ -134,7 +134,7 @@ Clicking it brings the Credentials Manager up. Right-clicking opens a three-item This program is located in `C:\Program Files\OpenAFS\Common\afs_config.exe` (default location). The configuration utility can perform most operations of the Credentials Manager, and more. In fact, the Client Configuration is not able to obtain tokens, but everything else can be updated with it. -When installed, [[OpenAFS]] also installs this program as a Control Panel applet, called "AFS Client Configuration". No matter how you call it, the functionality is the same. +When installed, [[OpenAFS]] also installs this program as a Control Panel applet, called "AFS Client Configuration". No matter what you call it, the functionality is the same. ### General 
@@ -152,9 +152,9 @@ Mapping drives and creating submounts work the same way as for the Credentials M ### Preferences - Since AFS can mirror both files and volume information on several servers, there must be a way to determine which server to contact. In [[OpenAFS]] for Windows, this is specified using the Server Preferences screen. Normally, you will never need to manually change the preferences of the servers. However, if you are doing load balance testing or if you are stress testing a server, you may set the preferences here. + Since AFS can mirror both files and volume information on several servers, there must be a way to determine which server to contact. In [[OpenAFS]] for Windows, this is specified using the Server Preferences screen. Normally, you will never need to manually change the preferences of the servers. However, if you are doing load balance testing or if you are stress-testing a server, you may want to set preferences here. -You can also import the rankings from a file. The file is a text file with one line per server. Whitespaces separate the server name from the rankning number. Note that the servers are imported to the active list (File Server or Volume Location Server). +You can also import the rankings from a file. The file is a text file with one line per server. Whitespaces separate the server name from the ranking number. Note that the servers are imported to the active list (File Server or Volume Location Server). ### AFS Cells 
@@ -168,14 +168,14 @@ In the Cache Configuration section, there are four options: - **Cache Size** determines the maximum disk cache size. The disk cache is a file, and it will always have the chosen size. I.e. it will not shrink if possible. The defualt is 20 MB. If you are editing large files, you may want to increase the cache size. Note that [[OpenAFS]] for Windows does not have a **_persistent cache_**. This means the cache will be flushed each time the [[OpenAFS]] service stops. The Unix versions of [[OpenAFS]] does have a persistent cache. - **Cache Path** holds the path to the file acting as disk cache. The default is `C:\AFSCache`. -- **Chunk Size** is the smallest transfer unit. The cache works by caching chunks of files, contrary to entire files. It should be set to a size which is fast to transfer over the network, yet large enough to avoid lots and lots of transfers. The default is 32 kB. It must be an even power of two. +- **Chunk Size** is the smallest transfer unit. The cache works by caching chunks of files, not necessarily entire files. It should be set to a size which is fast to transfer over the network, yet large enough to avoid lots and lots of transfers. The default is 32 kB. It must be an even power of two. - **Status Cache** describes file meta information caching. 1000 entries is the default. #### Logon Settings -Change the behaviour of the Integrated Logon feature. The login retry interval sets how long (in seconds) [[OpenAFS]] will try to obtain initial tokens. Fail Logins Silently controls whether you will get a message box telling the reason for the failure, or not. +Change the behavior of the Integrated Logon feature. The login retry interval sets how long (in seconds) [[OpenAFS]] will try to obtain initial tokens. Fail Logins Silently controls whether you will get a message box telling the reason for the failure. -Setting "Fail Logins Silently" to "No" also affects the function of the retry interval. 
When the interval has passed, you will be given a question to start the timer over or not. If you choose to start over, another retry interval will be used to try and obtain the tokens. +Setting "Fail Logins Silently" to "No" also affects the function of the retry interval. When the interval has passed, you will be asked whether to start the timer over or not. If you choose to start over, another retry interval will be used to try and obtain the tokens. #### Diagnostic 
@@ -191,17 +191,17 @@ In a highly networked environment, it is not uncommon to read login scripts from #### Binding -Before [[OpenAFS]] for Windows began to use the [[WindowsLoopBackAdapter]], it used physical network interfaces to bind to. In certain situations, the default choice may be a bad choice. For instance, when the network interface connects directly to the Internet, this would be a bad idea. With the Loop Back Adapter, this is no longer an issue. +Before [[OpenAFS]] for Windows began to use the [[WindowsLoopBackAdapter]], it used physical network interfaces to bind to. In certain situations, the default choice may be a bad one. For instance, when the network interface connects directly to the Internet, this would be a bad idea. With the Loop Back Adapter, this is no longer an issue. #### Miscellaneous These settings are hardly ever changed. They control system specific settings. -- **Probe Interval** determines how often to check file servers. AFS is designed through the principle of callbacks. The file servers are obligued to notify each client if a subscribed file changes. This setup is not guaranteed to work if the servers loose the subscription list. Therefore, the client must probe the servers as often as possible. **_Note: Currently this setting is not permanently stored in the Windows Registry. It is only induced in a running AFS Client Service._** +- **Probe Interval** determines how often to check file servers. AFS is designed through the principle of callbacks. The file servers are obliged to notify each client if a subscribed file changes. This setup is not guaranteed to work if the servers lose the subscription list. Therefore, the client probes the servers regularly. **_Note: currently this setting is not permanently stored in the Windows Registry. It is only induced in a running AFS Client Service._** - **Background Threads** controls how many AFS network threads will be running. 
One thread is able to handle one request from an AFS server at any time. Default is four threads. - **Service Threads** controls how many SMB/CIFS threads will be running. If your computer is a single user machine, not doing any video or audio editing, a low number should suffice. It is possible that a higher number will get better performance for many parallel file accesses. Default is two threads. - **System Name** is the value of "@sys". It should never be changed. Default is currently "i386\_nt40" for Windows NT/2000/XP/2003. -- **Mount Directory** is really "Mount Root". It is used when resolving symlinks. Microsoft Windows does not know of symbolic links, why the AFS Client Service must convert them. If a symlink target begins with the **_Mount Directory_** string, it will be transformed into an absolute path of the form `\\AFS\ALL\...`. Default is `/afs`. There is generally no need to modify this value. +- **Mount Directory** is really "Mount Root". It is used when resolving symlinks. Microsoft Windows does not know about symbolic links, so the AFS Client Service must convert them. If a symlink target begins with the **_Mount Directory_** string, it will be transformed into an absolute path of the form `\\AFS\ALL\...`. Default is `/afs`. There is generally no need to modify this value. - **Root Volume** is the name of the root volume of the default cell. Default is `root.afs`, and is the recommended AFS root volume name. ## Settings Without a User Interface 
@@ -210,11 +210,11 @@ Currently, some options have not yet been given a proper user interface. These c ### Netbios Name -As the AFS service publishes its services as SMB/CIFS shares, there must be a name of this service. The `NetbiosName` (type expanding string) value of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` can change this. The default is "AFS". Change this to "%COMPUTERNAME%-AFS" to revert to the old behaviour. +As the AFS service publishes its services as SMB/CIFS shares, there must be a name of this service. The `NetbiosName` (type expanding string) value of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` can change this. The default is "AFS". Change this to "%COMPUTERNAME%-AFS" to revert to the old behavior. ### Encryption of Network Traffic -Historically, AFS did not support encrypted network traffic. This has changed in recent years. The support is off by default in order to be compatible with old servers. You enable and disable encryption through the value `SecurityLevel` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` set to 1 to enable and 0 to disable. +Historically, AFS did not support encrypted network traffic. This has changed in recent years. The support is off by default in order to be compatible with old servers. You enable and disable encryption through the value `SecurityLevel` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`. Set to 1 to enable and 0 to disable. ### Freelance Client Support 
@@ -287,11 +287,11 @@ In `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Param ### Enabling Debug Trace Events -Normally, the `TraceOption` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` is 0, meaning no traces will be output to the Application Event Log. Setting it to 1 enables trace output. +Normally, the `TraceOption` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` is 0, meaning no traces will be sent to the Application Event Log. Setting it to 1 enables trace output. ### Restricting the Number of Utilized CPUs -For most part, the [[OpenAFS]] client can use as many processors as available. It has, however, showed that Hyperthreaded Pentium 4 systems can cause the [[OpenAFS]] service to crash. If you have such a system, you should set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. The default is undefined, and means all processors may be used. +For most part, the [[OpenAFS]] client can use as many processors as available. However, using multiple processors on a Hyperthreaded Pentium 4 system can cause the [[OpenAFS]] service to crash. If you have such a system, you should set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. The default is undefined, and means all processors may be used. ### Moving the [[CellServDB]] File 
@@ -305,17 +305,17 @@ To change this location you must update the registry value `AuthentProviderPath` ### Allowing More Time For the Service To Start -When the AFS Client Service starts, it has to read files, the registry, DNS and connect to servers. All of this may take quite some time. On slow computers, the default retry policy can be too short. +When the AFS Client Service starts, it has to read files, the registry, DNS information, and connect to servers. All of this may take quite some time. On slow computers, the default retry policy can be too short. -In this case, the `LoginRetryInterval` (type DWORD) and `LoginSleepInterval` (type DWORD) values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be increased. If the [[OpenAFS]] client service has not started yet, the network provider will wait for a maximum of `LoginRetryInterval` seconds while retrying every `LoginSleepInterval` seconds to check if the service is up. This setting is domain-specific, see below. +In this case, the `LoginRetryInterval` (type DWORD) and `LoginSleepInterval` (type DWORD) values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be increased. If the [[OpenAFS]] client service has not started yet, the network provider will wait for a maximum of `LoginRetryInterval` seconds while retrying every `LoginSleepInterval` seconds to check if the service is up. This setting is domain-specific; see below. ### Running a Logon Script -You may set `LogonScript` (type string or expandable string) of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to any runnable script or program. Default is to not run any program. This setting is also domain-specific, see below. +You may set `LogonScript` (type string or expandable string) of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to any runnable script or program. 
Default is to not run any program. This setting is also domain-specific; see below. ### Integrated Logon Usage -Utilization of the Integrated Logon feature can be set on a per-domain basis. The value is called `LogonOption` (type DWORD) and can be found in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Setting this to zero disables Integrated Logon, a one enables it. Default is enabled. If you set this to 2, you enable the [[OpenAFS]] High Security mode, and setting it to 3 enables both High Security Mode and Integrated Logon. +Utilization of the Integrated Logon feature can be set on a per-domain basis. The value is called `LogonOption` (type DWORD) and can be found in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Setting this to zero disables Integrated Logon, and a one enables it. Default is enabled. If you set this to 2, you enable the [[OpenAFS]] High Security mode, and setting it to 3 enables both High Security Mode and Integrated Logon. High Security mode is a deprecated techinque to let several users logon to the same computer at once. Since [[OpenAFS]] now supports authenticated SMB connections, there is really no need for this mode. If you still want to use this mode, you should disable SMB Authentication. See "Tweaking the SMB Connections" on this matter. 
@@ -325,7 +325,7 @@ In the Client Configuration, you may choose whether the Intergrated Logon should ### Disable Automatic Use of [[KerberosV]] -If you have MIT Kerberos for Windows installed, and you do not want to let AFS Credentials Manager use it, you can disable it setting `EnableKFW` (type DWORD) in `SOFTWARE\OpenAFS\Client`. This can be done in either of `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER`. +If you have MIT Kerberos for Windows installed, and you do not want to let AFS Credentials Manager use it, you can disable it by setting `EnableKFW` (type DWORD) in `SOFTWARE\OpenAFS\Client`. This can be done in either of `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER`. ### Changing the Default Authentication Cell @@ -335,7 +335,7 @@ The value `Authentication Cell` (type string) in `HKEY_CURRENT_USER\SOFTWARE\Ope ### Changing the Parameters of AFS Credentials Manager -When the AFS Credentials Manager starts, it recreates the Start Menu and Startup shortcuts to enforce the parameters given during installation. These parameters are stored as `AfscredsShortcutParams` in `SOFTWARE\OpenAFS\Client`. It can be set for both `HKEY_LOCAL_MACHINE` and for `HKEY_CURRENT_USER`. Default is `-A -M -N -Q`. See above for an explanation on these parameters. +When the AFS Credentials Manager starts, it recreates the Start Menu and Startup shortcuts to enforce the parameters given during installation. These parameters are stored as `AfscredsShortcutParams` in `SOFTWARE\OpenAFS\Client`. It can be set for both `HKEY_LOCAL_MACHINE` and for `HKEY_CURRENT_USER`. Default is `-A -M -N -Q`. See above for an explanation of these parameters. ## Per Domain Options 
@@ -348,7 +348,7 @@ When the AFS Credentials Manager starts, it recreates the Start Menu and Startup This is a new feature of [[OpenAFS]] 1.3.6, and is not yet supported by the configuration user interface. While being a usable feature, we choose to document, so that you can still use it. A new configuration interface is hopefully on its way. -All values that can be domain-specific are located under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Domains which want to have specific settings can create the subkey Domain\\_domain_\\ and store the values there. The domain name is the logon domain, as specified in the Windows Login screen. A special domain, called `LOCALHOST`, is a placeholder for the local computer. Any other Active Directory or Kerberos realm should use it's realm name for the key. +All values that can be domain-specific are located under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Domains which want to have specific settings can create the subkey Domain\\_domain_\\ and store the values there. The domain name is the logon domain, as specified in the Windows Login screen. A special domain, called `LOCALHOST`, is a placeholder for the local computer. Any other Active Directory or Kerberos realm should use its realm name for the key. ### Resolution of Domain Specific Values 
@@ -362,16 +362,16 @@ As a consequence of this scheme, there must also be set rules for resolving whic If the specific domain key does not exist, then the `Domain` key will be ignored. All the configuration information in this case will come from the standard `NetworkProvider` key. -If the specific domain key exists, then the value will be looked up in the specific domain key, domains key and the NP key successively until the value is found. The first instance of the value found this way will be the effective for the login session. If no such instance can be found, the default will be used. To re-iterate, a value in a more specific key supercedes a value in a less specific key. +If the specific domain key exists, then the value will be looked up in the specific domain key, domains key and the NP key successively until the value is found. The first instance of the value found this way will be the effective for the login session. If no such instance can be found, the default will be used. in other words, a value in a more specific key supercedes a value in a less specific key. Back to our example. Logging in to domain `OPENAFS.ORG` clearly enables the Integrated Logon. Logging on the local computer disables it. Logging in to `MIT.EDU` will also disable Integrated Logon, because the domain key exists, but misses a value. This resolves to using the value of `Domain\LogonOption`. However, logging in to `KTH.SE` would enable Integrated Logon. It is not listed as a domain, and thus the `NetworkProvider\LogonOption` is used. In order to retain backward-compatibility, there are two exceptions to this resolution order. ### Exceptions To the Resolution Rule -Historically, the 'FailLoginsSilently' value was in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` key and not in the `NetworkProvider` key. Therefore, for backwards compatibility, the value in the `Parameters` key will supercede all instances of this value in other keys. 
In the absence of this value in the `Parameters` key, normal scope rules apply. +Historically, the 'FailLoginsSilently' value was in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` key and not in the `NetworkProvider` key. Therefore, for backward compatibility, the value in the `Parameters` key will supercede all instances of this value in other keys. In the absence of this value in the `Parameters` key, normal scope rules apply. The second exception is for the `LogonScript` value. If a `LogonScript` is not specified in the specific domain key nor in the `Domain` key, the value in the `NetworkProvider` key will only be checked if the effective `LogonOptions` specify a high security integrated login. If a logon script is specified in the specific domain key or the domains key, it will be used regardless of the high security setting. Please be aware of this when setting this value. ## Windows Registry Keys of [[OpenAFS]] -During the preparation of this release of [[OpenAFS]], a lot of changes have been made to the way configuration is stored. The work is still not finished, why the list of registry keys currently used can be found [here](http://web.mit.edu/~jaltman/Public/OpenAFS/registry.txt). +During the preparation of this release of [[OpenAFS]], a lot of changes have been made to the way configuration is stored. The work is still not finished; the list of registry keys currently used can be found [here](http://web.mit.edu/~jaltman/Public/OpenAFS/registry.txt). diff --git a/AFSLore/WindowsEndUserQuickStartGuide.mdwn b/AFSLore/WindowsEndUserQuickStartGuide.mdwn index 12cd5ea..e86f1a6 100644 --- a/AFSLore/WindowsEndUserQuickStartGuide.mdwn +++ b/AFSLore/WindowsEndUserQuickStartGuide.mdwn 
@@ -2,35 +2,35 @@ ## Introduction -This guide is a (hopefully) straight forward manual for setting up [[OpenAFS]] for Windows 1.3.70. It was written with the not-so-experienced user in mind and is a step-by-step description of a sample configuration. Changing the settings to your specific needs should pose no problems. +This guide is a (hopefully) straightforward manual for setting up [[OpenAFS]] for Windows 1.3.70. It was written with the not-so-experienced user in mind and is a step-by-step description of a sample configuration. Changing the settings to your specific needs should pose no problems. ### Before the Installation -Before we start, let us take a moment and just skim through the installation. For the impatient, this section may not be what you are looking for. This is an introduction to the concepts of AFS'ing in Windows. The "basic" knowledge you should have before attempting to connect to the world. +Before we start, let us take a moment and just skim through the installation. For the impatient, this section may not be what you are looking for. This is an introduction to the concepts of AFS'ing in Windows -- "basic" knowledge you should have before attempting to connect to the world. #### System Requirements First of all, check that your system and network is capable of using [[OpenAFS]] for Windows. You will need Windows 2000 or later. Support for Windows NT and the Windows 9x (including ME) series has been discontinued. If you succeed with the installation, it is sheer luck! -The disc usage of [[OpenAFS]] is pretty limited, around 50 MB in the standard installation. You may later increase the cache size, thus using up more. +The disc usage of [[OpenAFS]] is pretty limited: around 50 MB in the standard installation. You may later increase the cache size, thus using up more. -To be able to access files, you will need the network up and running. 
AFS is not very demanding on bandwidth, but realize that every byte of a file is transmitted over the wire (or air) uncompressed. The use of the client cache helps reducing the bandwidth requirements. +To be able to access files, you will need the network up and running. AFS is not very demanding on bandwidth, but realize that every byte of a file is transmitted over the wire (or air) uncompressed. The use of the client cache helps reduce bandwidth requirements. -#### Kerberos, an analogy +#### Kerberos: An Analogy AFS uses an access-restriction system called Kerberos, originally developed at MIT. Kerberos is a three-part authenticator. You could say the Kerberos server (a.k.a. KDC, Kerberos Domain Controller) is somewhat like an ID-card archive. When Adam wants to loan a car from Eve, Eve may trust Adam. Adam is trusted to leave the car back as agreed. In this case, Adam needs simply state "I am Adam". Eve lends him the car, and everything is fine. -However, if Eve has never met this Adam fellow, she might not want to just give him the car and hope he is returning with it. This is where the three-part authentication comes in. Authorities are trusted by most people. So, imagine this scenario instead: Adam tells Eve he wants to borrow her car. +However, if Eve has never met this Adam fellow, she might not want to just give him the car and hope he returns with it. This is where the three-part authentication comes in. Authorities are trusted by most people. So, imagine this scenario instead: Adam tells Eve he wants to borrow her car. -- Fine, but how do I know you are who you say you are? She says. +- Eve: "Fine, but how do I know you are who you say you are?" -- Do you trust the ID Authority and that they will only give out ID cards to the right person? He continues. +- Adam: "Do you trust the ID Authority and that they will only give out ID cards to the right person?" -- Yes, sure I do, they have information on everyone. Including me. 
+- Eve: "Yes, sure I do, they have information on everyone. Including me." -- So, you would accept if I were to show you an ID card of me that has been signed by the ID Authority? Adam persists. +- Adam: "So, you would accept if I were to show you an my ID card, signed by the ID Authority?" -- Absolutely, and apparently, you trust them too, so I could do the same to you, she says. +- Eve: "Absolutely, and apparently, you trust them too, so I could do the same for you." Both Adam and Eve go about sending in their secret password (known only to the respective person and the computer at ID Authority). They flash their fresh ID cards, and accept each others identity. Instead of the two trusting each other, they only have to trust one common party. 
@@ -38,17 +38,17 @@ Both Adam and Eve go about sending in their secret password (known only to the r In AFS, you (the Windows Client, actually) are Adam, and the AFS server is Eve. They both communicate with a KDC. -However, in the digital reality, things are not quite as easy as borrowing a car: Originally, the version four of Kerberos was used in AFS. It turned out this was an insecure concept, why the rest of the world moved to [[KerberosV]] (version 5). [[OpenAFS]] followed as soon as possible, without breaking backward compatibility. Unfortunatly, the Windows client was not updated with [[KerberosV]] when the Unix client was, which led the Windows people to create external tools for [[KerberosV]]. +However, in the digital reality, things are not quite as easy as borrowing a car: Originally, version four of Kerberos was used in AFS. It turned out this was an insecure concept; many others then moved to [[KerberosV]] (version 5). [[OpenAFS]] followed as soon as possible, without breaking backward compatibility. Unfortunatly, the Windows client was not updated with [[KerberosV]] when the Unix client was, which led Windows developers to create external tools for [[KerberosV]]. -Nowadays, [[OpenAFS]] for Windows does support [[KerberosV]] tickets ("ID cards") directly, but the variety of utilities still exist and create the problem of choosing which one to use. +Nowadays, [[OpenAFS]] for Windows does support [[KerberosV]] tickets ("ID cards") directly, but the variety of utilities still exist, creating the problem of choosing which one to use. -In order to use [[KerberosV]] (recommended), you will have to use Kerberos for Windows, an MIT product. Of course, this requires that you use [[KerberosV]] servers, which still is not always the case. Small sites may still use [[OpenAFS]]' own Kerberos server implementation, called the **_kaserver_**. +In order to use [[KerberosV]] (recommended), you will have to use Kerberos for Windows, an MIT product. 
Of course, this requires that you use [[KerberosV]] servers, which still is not always the case. Small sites may still use [[OpenAFS]]'s own Kerberos server implementation, called the **_kaserver_**. ### A Word of Warning -While installing and configuring AFS, you should keep in mind that the authentication part is the part which most often causes problems. This is partly due to the fact that different generations of Kerberos is kept in the software to be backwards-compatible. It may also be that some information is not available to the [[OpenAFS]] developers. Please be patient about getting Kerberos to work. +While installing and configuring AFS, you should keep in mind that the authentication part is the part which most often causes problems. This is partly due to the fact that different generations of Kerberos are kept in the software for backward compatiblity. It may also be that some information is not available to the [[OpenAFS]] developers. Please be patient about getting Kerberos to work. -If the AFS servers you are about to connect to already is in use, you can probably browse around in the public folders without being authenticated. This way, you can check if it is AFS in itself, or Kerberos that is causing your headache. +If the AFS servers you are about to connect to are already set up and in use, you may be able to browse public areas without being authenticated. This way, you can check if AFS or Kerberos is causing your headache. ### The Software Installation 
@@ -58,7 +58,7 @@ Now that you know about the existence and uses of Kerberos, we can continue with ### Obtaining [[OpenAFS]] for Windows -The main site for [[OpenAFS]] is [openafs.org](http://openafs.org). From here you can download the latest releases of both all versions of the [[OpenAFS]] package. On [this page](http://openafs.org/release/latest.html) you will always find the latest releases. The ready-to-install Windows package is usually located at the bottom of the page. +The main site for [[OpenAFS]] is [openafs.org](http://openafs.org). From here you can download the latest releases of all versions of the [[OpenAFS]] package. On [this page](http://openafs.org/release/latest.html) you will always find the latest releases. The ready-to-install Windows package is usually located at the bottom of the page. The file you download is either an executable file, or a Microsoft Installer file. Both do the same. The Microsoft Installer file requires the Microsoft Installer (how surprising), but that ships with Windows 2000 and later. 
@@ -72,45 +72,45 @@ Note that installing MIT Kerberos for Windows will not prevent you from using th To begin installing, run the file you downloaded. The screens are pretty standard. Let us go through them one by one. - Installation begins at the welcome screen, shown to the right. Next, you will have to agree with the license. Those were the basic steps. From now on, you will need to make decisions. Some of them are "best practice", but some are site ("cell", in AFS lingo) specific. + Installation begins at the welcome screen, shown to the right. Next, you will have to agree with the license. Those were the basic steps. From now on, you will need to make decisions. Some of them are "best practice," but some are site ("cell", in AFS lingo) specific. - After the license agreement, you have the option of doing a "client only" installation (Typical) or a complete installation. You may also choose to configure [[OpenAFS]]' components manually. + After the license agreement, you have the option of doing a "client only" installation (Typical) or a complete installation. You may also choose to configure [[OpenAFS]]'s components manually. In the Typical Installation, only enough to get your Windows Client working is installed. Some configuration is postponed until after the installation. Using the Complete Installation, everything will be installed, including the experimental AFS Server, a software development kit and (rather outdated) administration documentation. #### Custom Installation - Choosing Custom Installation gives you more control over what is installed onto your computer. This is shown to the right. There are three different icons used when presenting the components; a grey, a white and a red cross. + Choosing Custom Installation gives you more control over what is installed onto your computer. This is shown to the right. There are three different icons used when presenting the components: a grey, a white and a red cross. 
-The icon with a grey background indicates **_some_** of the components subcomponents are installed. The one with a white background indicates that the **_entire_** component will be installed. Last, the red/white cross shows that the component will not be installed. Pressing the "Disk Usage" button brings up an overview of your computers storage. From there, you can find a drive with enough space left to install [[OpenAFS]]. Press "OK" to return to the previous screen. +The icon with a grey background indicates **_some_** of the subcomponents will be installed. The one with a white background indicates that the **_entire_** component will be installed. Last, the red cross shows that the component will not be installed. Pressing the "Disk Usage" button brings up an overview of your computer's storage. From there, you can find a drive with enough space left to install [[OpenAFS]]. Press "OK" to return to the previous screen. In the next step, you will need to decide upon: -- **Default Cell** The cell which knows what other cells you will be able to see. It is also used to find out which Kerberos KDC to authenticate your identity against. See also "Freelance mode" below. +- **Default Cell** The cell which knows what other cells you will be able to see. It is also used to find out which Kerberos KDC to authenticate your identity against. See also "Freelance Mode" below. -- **Integrated Logon** This feature allows [[OpenAFS]] to use the username and password you entered during Windows Login. If you have the same username and password for your AFS account as in Windows, you will probably want to enable this feature. Anyway, if your usernames and passwords do not match, AFS will ignore the login. Thus letting you login to AFS at a later time. (Default is **_enabled_**.) +- **Integrated Logon** This feature allows [[OpenAFS]] to use the username and password you entered during Windows Login. 
If you have the same username and password for your AFS account as in Windows, you will probably want to enable this feature. Anyway, if your usernames and passwords do not match, AFS will ignore the login, thus letting you login to AFS at a later time. (Default is **_enabled_**.) -- **AFS crypt security** Even though you are authenticated without sending your password in clear over the network, the files and directories AFS transfers were historically sent without encryption. AFS for Windows now have support for encrypting all network traffic. Unless you need to access old AFS servers, you should have this enabled. (Default is **_enabled_**.) +- **AFS crypt security** Even though you are authenticated without sending your password in clear over the network, the files and directories AFS transfers were historically sent without encryption. AFS for Windows now has support for encrypting all network traffic. Unless you need to access old AFS servers, you should have this enabled. (Default is **_enabled_**.) -- **Freelance mode** AFS was originally intended to be run on stationary office computers. It required the AFS servers to be reachable at any time. Now, the laptop has made that an impossibility. Users disconnect and connect their computers to different networks several times a day. This led the AFS community to the invention of "Freelance mode". Since the users Default cell determines which cells will be visible to the user, a workaround was neccessary when laptops began moving around. If you have a laptop, or will otherwise be without a connection to the servers of your default cell, you should have this enabled. If your computer can always communicate with the servers of the default cell, this mode is superflous. (Default is **_enabled_**.) +- **Freelance mode** AFS was originally intended to be run on stationary office computers. It required the AFS servers to be reachable at any time. Now, the laptop has made that an impossibility. 
Users disconnect and connect their computers to different networks several times a day. This led the AFS community to the invention of "Freelance Mode". Since the user's default cell determines which cells will be visible to the user, a workaround was neccessary when laptops began moving around. If you have a laptop, or will otherwise be without a connection to the servers of your default cell, you should have this enabled. If your computer can always communicate with the servers of the default cell, this mode is superfluous. (Default is **_enabled_**.) -- **Lookup cells in DNS** In the young days of AFS, the mapping between cell names (often coinciding with the domain name) and the servers of the cell was made in a file called [[CellServDB]]. It contains a list of cells. Each cell has a number of servers which can be connected in order to manipulate files of the cell. However, as time passed by, the AFS administrators realized they had to keep the file up to date. Not only that, they also recognized they already had a database for their domain; the DNS records. To simplify the job of AFS administrators, the AFS community decided to read server mappings from the DNS instead. In [[OpenAFS]] for Windows, it is still under development, why you have the option of disabling it. Normally, you will not notice if the mapping is read from [[CellServDB]] or DNS. (Default is **_enabled_**.) +- **Lookup cells in DNS** In the early days of AFS, the mapping between cell names (often coinciding with the domain name) and the servers of the cell was made in a file called [[CellServDB]]. It contains a list of cells. Each cell has a number of servers which can be contacted in order to use data in the cell. However, as time passed by, the AFS administrators realized they had to keep the file up to date. Not only that, they also recognized they already had a database for their domain; the DNS records. 
To simplify the job of AFS administrators, the AFS community decided to read server mappings from the DNS instead. In [[OpenAFS]] for Windows, it is still under development, which is why you have the option of disabling it. Normally, you will not notice if the mapping is read from [[CellServDB]] or DNS. (Default is **_enabled_**.) Probably the only thing you have changed is the Default cell. All features can be left enabled, unless you have previously detected a bug in one of them. To be able to authenticate yourself to AFS, you will need to retrieve and renew Kerberos tickets. These are called "tokens" in the AFS world. Tokens must be renewed on regular intervals (a common setting is ten hours). In order to handle this, [[OpenAFS]] for Windows ships with a Credentials Manager. A credential is a common name for both tickets and tokens. -To have the program start when you login, leave the checkbox filled. If you intend to authenticate with [[KerberosV]], you have to options. Either you go with AFS Credentials Manager, or you use the Leash Credentials Manager of Kerberos for Windows instead. In the latter case, you can disable automatic startup, and ignore the other checkboxes. If unsure, leave it enabled. +To have the program start when you login, leave the checkbox filled. If you intend to authenticate with [[KerberosV]], you have two options: you either go with AFS Credentials Manager, or use the Leash Credentials Manager of Kerberos for Windows instead. In the latter case, you can disable automatic startup, and ignore the other checkboxes. If unsure, leave it enabled. The rest of the checkboxes are: - **Auto initialize AFS Credentials** If you are not able to use the Integrated Logon feature (because the usernames do not match, for instance), you can use this feature instead. Whenever the Credentials Manager is started, or a new network address is found (see below), you will be asked to get new tokens. (This is equivalent to the "-A" parameter to `afscreds.exe`.) 
-- **Renew drive maps** This option ensures all drives you have choosen to map to AFS are mapped. (This is equivalent to the "-M" parameter to `afscreds.exe`.) +- **Renew drive maps** This option ensures all drives you have chosen to map to AFS are mapped. (This is equivalent to the "-M" parameter to `afscreds.exe`.) -- **Detect IP address changes** If used together with the automatic initialisation, new tokens will be asked for when the computer receives a new network address. This may be due to a modem connection, an ISP with DHCP, or just plug-and-play computing. (This is equivalent to the "-N" parameter to `afscreds.exe`.) +- **Detect IP address changes** If used together with the automatic initialization, new tokens will be asked for when the computer receives a new network address. This may be due to a modem connection, an ISP with DHCP, or just plug-and-play computing. (This is equivalent to the "-N" parameter to `afscreds.exe`.) -- **Quiet mode** Normally, if the [[OpenAFS]] service is not started before the Credential Manager starts, the Manager will display a litte guide to help you start it. Enabling this option makes the Credentials Manager silently ignore a stopped service. (This is equivalent to the "-Q" parameter to `afscreds.exe`.) +- **Quiet mode** Normally, if the [[OpenAFS]] service is not started before the Credential Manager starts, the Manager will display a little guide to help you start it. Enabling this option makes the Credentials Manager silently ignore a stopped service. (This is equivalent to the "-Q" parameter to `afscreds.exe`.) - **Show credentials window on startup** The Credentials Manager usually resides in the system tray (lower-right corner). It shows a locked padlock if you have valid tokens, and a padlock with a red cross if not. If you enable this option, [[OpenAFS]] will automatically show you a screen with information about your current tokens. This can be achieved later by clicking on the lock icon in the system tray. 
(This is equivalent to the "-S" parameter to `afscreds.exe`.) @@ -122,7 +122,7 @@ This is all it takes for Custom Installation. From now on, the differences betwe Now that you have setup your [[OpenAFS]] package, [[OpenAFS]] can be copied into the right directories. This will be reasonably fast, so don't go for a coffee yet! - The last thing you have to do is reboot your computer. Theoretically, you could start [[OpenAFS]] without rebooting. This is not recommended, though. With all of todays anti virus programs and synchronization drivers, you can have that well-deserved coffee break now. Soon, the final adventure will begin. + The last thing you have to do is reboot your computer. Theoretically, you could start [[OpenAFS]] without rebooting. This is not recommended, though. With all of today's anti virus programs and synchronization drivers, you can have that well-deserved coffee break now. Soon, the final adventure will begin. ## Configure the Rest 
@@ -134,7 +134,7 @@ Browse to "Control Panel" of your computer. You should have a new alternative ca Please note that this is only a starting point. If you are looking for a complete configuration reference to [[OpenAFS]] for Windows, you should read the [[WindowsConfigurationReferenceGuide]]. -According to the Client Status, the service is started, as it should. If you used the Typical Installation mode, you will now have to change the cell name into something more appropriate. (Few people can authenticate to openafs.org, really.) Change it to whatever your network administrator told you. It is usually simply the domain name of the organisation. +According to the Client Status, the service is started, as it should. If you used the Typical Installation mode, you will now have to change the cell name into something more appropriate. (Few people can authenticate to openafs.org, really.) Change it to whatever your network administrator told you. It is usually simply the domain name of the organization. ### Silencing the Intergrated Login @@ -154,7 +154,7 @@ If you get an error at this time, you (probably) need to have [[KerberosV]] inst ### Optional: Kerberos for Windows -Install MIT Kerberos for Windows, to be able to use [[KerberosV]] authentication servers. A description of how to install this is outside the scope of this guide. +To be able to use [[KerberosV]] authentication servers, install MIT Kerberos for Windows. A description of how to install this is outside the scope of this guide. ## Trying It Out 
@@ -162,7 +162,7 @@ Start the Credentials Manager and try to obtain new tokens. This should work. Yo ## Mapping Drives -One last thing is missing, to be able to use [[OpenAFS]] for Windows fully. You should make AFS space available as a drive. Open the information window of Credentials Manager. Go to the Drive Letters tab, and press "Add...". +To be able to use [[OpenAFS]] for Windows fully, one last thing is missing: you should make AFS space available as a drive. Open the information window of Credentials Manager. Go to the Drive Letters tab, and press "Add...". On your screen should be a window like this one. Choose drive "X:", leave AFS Path as "\\afs", and leave Description empty. If you would like this mapping to be re-established with each login (of the current user), check "Restore this mapping whenever I logon". As soon as you press "OK", the new X: drive should pop up in Windows.
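Review bot: the @@ -38,17 hunk leaves two spelling problems in the rewritten lines and introduces a third. The first changed paragraph still reads "Unfortunatly, the Windows client was not updated" (should be "Unfortunately"), the second changed paragraph now says "the variety of utilities still exist, creating the problem" where the singular subject "variety" wants "still exists", and the "A Word of Warning" paragraph replaces the original "backwards-compatible" with "for backward compatiblity", a new typo for "compatibility". Since the commit is a copy-editing pass, suggest fixing all three here rather than in a follow-up.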
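Review bot: the @@ -72,45 hunk is inconsistent about the name "Freelance mode". The Default Cell bullet is changed to point at "Freelance Mode" and the freelance paragraph now says the community invented "Freelance Mode", but the bullet label itself stays "**Freelance mode**", so the cross-reference no longer matches the heading it points to; pick one capitalization. In the same hunk, the rewritten Integrated Logon line keeps "Anyway, if your usernames and passwords do not match", where "Otherwise" is the intended sense, the Freelance paragraph still carries "neccessary", and the grey-icon sentence now reads "indicates some of the subcomponents will be installed", dropping which component's subcomponents are meant; suggest "some of the component's subcomponents will be installed".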
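Review bot: the @@ -122,7 hunk fixes "todays" to "today's" but leaves "anti virus programs" on the same line; suggest "antivirus programs" for consistency with the rest of the copy-editing in this commit.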
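Review bot: the unchanged context line "### Silencing the Intergrated Login" directly below the @@ -134,7 hunk has the typo "Intergrated", and the same commit elsewhere spells the feature "Integrated Logon". Worth folding the heading fix into this change, since it sits within the hunk's context and touches the same wording the rewritten Default Cell and Integrated Logon bullets use.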