Windows: afslogon major refactoring NPLogonNotify()

This is a major refactoring of NPLogonNotify() that is meant to reduce redundancy and add functionality. Key highlights include:

* New Domain\user hierarchy that permits configuration settings to be applied on a per user basis instead of a domain basis. As part of the extension the username itself can be mapped.
* Attempt to import the MSLSA credentials prior to performing KFW_AFS_get_cred().
* Do not perform redundant KFW_AFS_get_cred() calls.
* Add a flag to indicate if the authentication name is the LSA principal name.
* Add more debugging messages.

Change-Id: Iacd6c6b4d3fe25f07a9c6982d0859eee22d09fe8
Reviewed-on: http://gerrit.openafs.org/7635
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
Windows: Remove High Security Integrated Logon

High security mode for integrated logon never was high security. Its use was deprecated in the 1.5 series and it has no use at all in the afs redirector world. Remove it.

FIXES: 21702

Change-Id: I019b4fecc430517d29195e79e39529a782c88073
Reviewed-on: http://gerrit.openafs.org/7285
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Windows: Redirector interface for afsd_service.exe

Over the last three years the afsd_service sources have been gradually separated into distinct layers for the SMB server and the AFS cache. The eventual goal of this work was to permit the addition of alternative interfaces to the cache manager in parallel. This patchset implements the first alternative interface, a reverse ioctl model that communicates with a native IFS redirector driver. The driver will be submitted in a subsequent patchset.

Although it is possible to run afsd_service with both the SMB and RDR interfaces active at the same time, in practice it is somewhat impractical because it destroys the uniformity of the \\AFS name space. The RDR loads at boot time and claims all of \\AFS. The SMB interface, if active at the same time, must use the old \\%HOSTNAME%-AFS. As implemented, if the RDR interface is functional the SMB interface is not started. Only if the RDR interface fails will the SMB interface be activated.

The afsd_service.exe maintains all of its primary responsibilities for communicating with the AFS servers, processing callbacks, enforcing permissions, handling afs path ioctls, Windows RPC service simulation, and object management.

The biggest change is in the cm_buf_t management. Data is exchanged with the RDR by passing control over cm_buf_t->data buffers in the form of Windows File Extents. This avoids data copies across a communication channel, which significantly improves performance at a substantial complexity cost.

Credential management is switched from a Windows username binding to a GUID binding where the GUIDs represent authentication groups that are managed by the RDR.

This patchset includes additional changes to support integrated logon in conjunction with the RDR. In particular, adding support for authentication groups.

Change-Id: I7135489421c67a429ec3b2acd4c8ae08b8329f6d
Reviewed-on: http://gerrit.openafs.org/5432
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Tested-by: Rod Widdowson <rdw@steadingsoftware.com>
Reviewed-by: Jeffrey Altman <jaltman@openafs.org>
Tested-by: Jeffrey Altman <jaltman@openafs.org>
Windows: afslogon network provider debug registry value

Create a new TransarcAFSDaemon\NetworkProvider "Debug" value to be used for activating the network provider debugging. The overlapping use of TransarcAFSDaemon\Parameters "TraceOption" is just too confusing. Permit both methods to be used.

Change-Id: I4ba233b38bda547af35aa4b363edc819bcc3792c
Reviewed-on: http://gerrit.openafs.org/5316
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>
windows-afslogon-20070406

Fix eventlog reporting. Do not attempt to log an event if the event source registration fails. Use DebugEvent0 instead of DebugEvent when there are no parameters.

Modify the LOOKUPKEYCHAIN macro to recognize ERROR_MORE_DATA errors.

Fix the reading of Domain-specific configuration for LogonScript and TheseCells. Previously the dwSize value was being overwritten so that the subsequent RegQueryValueEx call would fail.

Fix a memory leak in the TheseCells reading code.

Add support for Domain-specific "Realm" specification. The realm is the realm to be appended to the username. When logging in as a domain or to the local machine, the specified "Domain" name is not going to be a valid realm name. Construct a proper principal name based upon the domain-specified realm for use in obtaining tokens with KFW.

If the domain-specified "TheseCells" list includes the default cell, do not obtain tokens twice.
windows-vista-sdk-ntsecapi-compat-20070403 There is no way to replace FOO with the value of BAR in cpp.
windows-afslogon-20070328

There are two serious problems with integrated logon:

(1) openafs afslogon.dll obtains Kerberos v5 tickets and then forwards them into the logon session. This was done because MIT KFW did not have such functionality. As of KFW 3.1, KFW does, so we are removing it. The functionality worked by copying the credentials to a FILE ccache and then using the Logon Event Handler to move the credentials into an API ccache and delete the temporary file. For non-interactive logons the Logon Event handlers do not get triggered. Neither do LogonScripts get executed. As a side effect, for each logon a credential cache file was left behind.

(2) When combined with non-interactive logons, there are some very bad side effects if a network provider performs Kerberos v5 operations. Each logon occurs in a new logon session and will spawn a private copy of krbcc32s.exe.

As a result, integrated logon is being disabled for non-interactive logons.
windows-vista-sdk-ntsecapi-compat-20070324

When loading the Vista SDK ntsecapi.h we must set _WIN32_WINNT to 0x0501 or greater.
windows-vs2005b2-20050706

Visual Studio 2005 Beta 2 has been released. As part of this release Microsoft has tightened the rules for their C++ compliance.

* no longer can a variable declared in a for() statement be used outside of the associated command block
* no longer can a function or variable be declared implicitly as 'int'
* several types such as size_t have become 64-bit values on all platforms
* due to type changes the C++ function names in libraries have changed. This requires the use of different .DEF file export lists
windows-logon-20050630

Add a method to disable the deletion of tokens at logoff

====================
This delta was composed from multiple commits as part of the CVS->Git migration. The checkin message with each commit was inconsistent. The following are the additional commit messages.
====================

add a registry entry to prevent token destruction at logoff
windows-pcache-20050310

This patch applies all of the work done to add persistent cache support, cache manager debugging, and a variety of bug fixes. A full description will be committed within doc/txt/winnotes as part of a later commit.
windows-misc-20050102

* The AFS Service needs to respond to SERVICE_ACCEPT_SHUTDOWN messages in addition to SERVICE_ACCEPT_STOP.
* Move RPC shutdown until after the SMB and RX shutdown procedures complete. Block until RPC shutdown is complete.
* Modify afslogon.dll (integrated logon) to wait for service if its state is START_PENDING. If the timeout period occurs, reset to the retry interval and not the sleep interval.
* When renewing the server list for a cell obtained via DNS AFSDB records, the cm_cell_t entry must be removed from the list of all cells. Otherwise, the list of cells will be corrupted.
* In the dcache and scache modules, use the cm_scache_t dataVersion instead of the cm_fakeDirVersion.
* Synchronize fs.c with the unix version.

====================
This delta was composed from multiple commits as part of the CVS->Git migration. The checkin message with each commit was inconsistent. The following are the additional commit messages.
====================

Include ptuser.h for prototypes.

====================

link to afsutil.lib for hostutil functions
ticket-6077-20040804

FIXES 6077

Patch from Joe Buehler modified by Asanka
afslogon-20040722

The procedure used to obtain the profile directory failed in Domains which were not Forests. If ADS_NAME_INITTYPE_GC fails, we must try ADS_NAME_INITTYPE_DOMAIN, which requires the Domain. Added a Domain parameter to QueryAdHomePathFromSid. This was easy to obtain in the NPLogonNotify since the logon domain is provided as a parameter. Unfortunately, the domain provided to the winlogon event notification routine is the user authentication domain, not the logon domain for the local machine. Needed to create a GetLocalShortDomain function which uses the IADsADSystemInfo COM interface to obtain the local short domain. With this in place, we can now properly detect the profile directory in all cases.

Document MaxLogSize in registry.txt
misc-cleanups-20040721

* Cleanup debug logging. In particular, allow the TraceOptions registry value to be used as a bit flag as it was intended. Give each type of debugging its own value instead of having each module test for the zero bit.
* Modify the handling of the afsd_init.log file. This file originally was replaced on each start. However, with auto-restart this causes any error information from the previous halt to be lost. So it was changed quite a while back to append forever. The problem with this is that the file gets unreasonably large. Solution: add a new registry value, MaxLogSize, which determines how large the file should be allowed to become before truncation. The default is 100K. The magic value 0 means grow indefinitely.
* Update afslogon.dll. Cleanup logging. Fix some errors. Remove unused variables. AND do not Forget Tokens on Logoff if the profile is located in AFS space.
* Fix a bug introduced yesterday in cellconfig.c which caused problems accessing the CellServDB file.
* Update the NSIS installer to replace the CRTL DLLs instead of overwrite them.
* Add new Startup Winlogon handler to initialize the TraceOption.
strsafe-20040715

String Safety fixes
afslogon-wix-cleanup-20040715

- Fix NTMakefiles in many directories to define WIN32_LEAN_AND_MEAN NOGDI to avoid macro redefinitions
- update text files
- add "authentication cell" registry value for afscreds.exe

From asanka@mit.edu:

Network provider :
- If the user is logging into an AD domain, then look up the user's profile path, find out which cell it's in and then authenticate to that cell instead of the default cell.
- Domain specific registry keys
- A few fixes for handling UNICODE_STRINGs

smb3.c :
- Delete partial security context during negotiation

client_cpa :
- As per the SDK which says we must handle CPL_INQUIRE message, we do. Also fixes a small bug where the icon isn't properly set when viewing the Control Panel folder.

loopbackutils.cpp
- Don't bother setting the app data template, because we are setting it in the MSI anyway.

install/wix/NTMakefile
- Add a configurable symbol AFSDEV_AUXWIXDEFINES which can be used to customize a build of the msi.

install/wix
- Move afslogon.dll to SYSTEM32 directory
- Add registry keys to support WinLogon notifications.
- Rename afsdcell.ini to CellServDB and move it to the client directory.
- If there's already an afsdcell.ini in the Windows directory, copy that over to the client directory instead.
- Add descriptions to AFS client and server services