Registry keys and Environment Variables used in the Windows AFS Client
----------------------------------------------------------------------

The service parameters primarily affect the behavior of the AFS client
service (afsd_service.exe).

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

LAN adapter number to use. This is the lana number of the LAN
adapter that the SMB server should bind to. If unspecified or set
to -1, a LAN adapter named 'AFS' or a loopback adapter will be
selected. If neither is present, then all available adapters will
be bound to. When binding to a non-loopback adapter, the NetBIOS
name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS
name of the host truncated to 11 characters). Otherwise, the NetBIOS

Default : 98304 (CM_CONFIGDEFAULT_CACHESIZE)
Variable: cm_initParams.cacheSize

Size of the AFS cache in 1k blocks.

Default : 17 (CM_CONFIGDEFAULT_CHUNKSIZE)
Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize)

Size of chunk for reading and writing. Actual chunk size is 2^cm_logChunkSize.

Default : 2 (CM_CONFIGDEFAULT_DAEMONS)

Number of background daemons (number of threads of
cm_BkgDaemon). (see cm_BkgDaemon in cm_daemon.c)

Default : 25 (CM_CONFIGDEFAULT_SVTHREADS)
Variable: numSvThreads

Number of SMB server threads (number of threads of smb_Server). (see

Default : 10000 (CM_CONFIGDEFAULT_STATS)
Variable: cm_initParams.nStatCaches

Value : LogoffTokenTransfer
Variable: smb_LogoffTokenTransfer

If enabled (set to 1), activates functionality where the user's
tokens are kept intact until smb_LogoffTokenTransferTimeout seconds
elapse after the user logs off. If roaming profiles are used and the
roaming profile takes a long time to be written back, this ensures
that the tokens remain valid until the profile save is complete.

Value : LogoffTokenTransferTimeout
Variable: smb_LogoffTokenTransferTimeout

See LogoffTokenTransfer above.

Variable: cm_rootVolumeName

Variable: cm_mountRoot

Name of root mount point. In symlinks, if a path starts with
cm_mountRoot, it is assumed that the path is absolute (as opposed to
relative) and is adjusted accordingly. E.g.: if a path is specified as
/afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the
path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a
path does not start with cm_mountRoot, the path is assumed to
be relative and suffixed to the reference directory (i.e. directory
where the symlink exists).

Type : REG_SZ or REG_EXPAND_SZ
Default : "%TEMP%\AFSCache"
Variable: cm_CachePath

Location of on-disk cache file. The default is the SYSTEM account's
TEMP directory. The attributes assigned to the file are HIDDEN and

Value : NonPersistentCaching
Variable: buf_CacheType

When this registry value is set to a non-zero value, the CachePath
value is ignored and the cache data is stored in the Windows paging
file. This prevents the use of persistent caching (when available)
as well as the ability to alter the size of the cache at runtime
using the "fs setcachesize" command.

Value : ValidateCache
Variable: buf_CacheType

This value determines if and when persistent cache validation is

0 - Validation is disabled
1 - Validation is performed at startup
2 - Validation is performed at shutdown

Variable: traceOnPanic

Issues a breakpoint in the event of a panic. (breakpoint: _asm int 3).

Variable: cm_NetbiosName

Specifies the NetBIOS name to be used when binding to a Loopback
adapter. To provide the old behavior specify a value of

Select whether or not this AFS client should act as a gateway. If
set and the NetBIOS name hostname-AFS is bound to a physical NIC,
other machines in the subnet can access AFS via SMB connections to

When IsGateway is non-zero, the LAN adapter detection code will
avoid binding to a loopback adapter. This will ensure that the
NetBIOS name will be of the form hostname-AFS instead of the value
set by the "NetbiosName" registry value.

Value : ReportSessionStartups
Variable: reportSessionStartups

If enabled, all SMB sessions created are recorded in the Application
event log. This also enables other events such as drive mappings
or various error types to be logged.

Value : TraceBufferSize
Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
Variable: traceBufSize

Number of entries to keep in trace log.

Default : "i386_nt40"

Provides an initial value for "fs sysname". The string can contain
one or more replacement values for @sys in order of preference separated

Value : SecurityLevel

Enables encryption on RX calls.

Variable: cm_dnsEnabled

Enables resolving volservers using AFSDB DNS queries. (see
afsdb-freelance-notes).

As of 1.3.60, this value is ignored as the DNS query support
utilizes the Win32 DNSQuery API which is available on Win2000

Value : FreelanceClient
Variable: cm_freelanceEnabled

Enables freelance client. (see afsdb-freelance-notes)

Variable: smb_hideDotFiles

Enables marking dotfiles with the hidden attribute. Dot files are
files whose name starts with a period (excluding "." and "..").

Value : MaxMpxRequests
Variable: smb_maxMpxRequests

Maximum number of multiplexed SMB requests that can be made.

Value : MaxVCPerServer
Variable: smb_maxVCPerServer

Maximum number of SMB virtual circuits.

Variable: rootCellName

Name of root cell (the cell from which root.afs should be mounted in

If enabled, does not send or indicate that we are able to send or
receive RX jumbograms.

If set to anything other than -1, uses that value as the maximum MTU
supported by the RX interface.

In order to enable OpenAFS to operate across the Cisco IPSec VPN
client, this value must be set to 1264 or smaller.

Value : ConnDeadTimeout
Default : 60 (seconds)
Variable: ConnDeadtimeout

The Connection Dead Time is enforced to be at a minimum 15 seconds
longer than the minimum SMB timeout as specified by

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

If the minimum SMB timeout is not specified the value is 45 seconds.
See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp

Value : HardDeadTimeout
Default : 120 (seconds)
Variable: HardDeadtimeout

The Hard Dead Time is enforced to be at least double the ConnDeadTimeout.
This provides an opportunity for at least one retry.

Type : DWORD {0, 1, 2, 3}

Enables logging of debug output to the Windows Event Log.
Bit 0 enables logging of "Logon Events" processed by the Network Provider
and Winlogon Event Notification Handler.
Bit 1 enables logging of events captured by the AFS Client Service.

Variable: allSubmount (smb.c)

By setting this value to 0, the "\\NetbiosName\all" mount point
will not be created. This allows the read-write versions of
root.afs to be hidden.

Value : NoFindLanaByName

Disables the attempt to identify the network adapter to use by
looking for an adapter with a display name of "AFS".

Type : DWORD {1..32} or {1..64} depending on the architecture
Default : <no default>

If this value is specified, afsd_service.exe will restrict itself
to executing on the specified number of CPUs if there are a greater
number installed in the machine.

NOTE: Setting this entry to "1" may be required on hyperthreaded
systems to avoid crashes in the RX library.

If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication.

Type : DWORD {0 .. MAXDWORD}

This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log
file. If the file is larger than this value when afsd_service.exe starts
the file will be reset to 0 bytes. If this value is 0, it means the file
should be allowed to grow indefinitely.

Value : FlushOnHibernate

If set, flushes all volumes before the machine goes on hibernate or

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]

Value : <Drive Letter:> for example "G:"

Specifies the submount name to be mapped by afsd_service.exe at startup
to the provided drive letter.

[HKLM\SOFTWARE\OpenAFS\Client]

Value : CellServDBDir
Default : <not defined>

Specifies the directory containing the CellServDB file.
When this value is not specified, the AFS Client install

Value : VerifyServiceSignature

This value can be used to disable the runtime verification of
the digital signatures applied to afsd_service.exe and the
OpenAFS DLLs it loads. This test is performed to verify that
the DLLs which are loaded by afsd_service.exe are from the
same distribution as afsd_service.exe. This is to prevent
random errors caused when DLLs from one distribution of AFS
are loaded by another one. This is not a security test. The
reason for disabling this test is to free up additional memory
which can be used for a large cache size.

This value can be used to debug the cause of pioctl() failures.
Set a non-zero value and the pioctl() library will output status
information to stdout. Executing command line tools such as
tokens.exe, fs.exe, etc can then be used to determine why the
pioctl() call is failing.

Value : StoreAnsiFilenames

This value can be used to force the AFS Client Service to
store filenames using the Windows system's ANSI character set
instead of the OEM Code Page character set which has traditionally
been used by SMB file systems.

Note: The use of ANSI characters will render files
with 8-bit OEM file names inaccessible from Windows. This option
is of use primarily when you wish to allow file names produced
on Windows to be accessible from Latin-1 Unix systems and vice

[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]

Value : "smb/cifs share name"

This key is used to map SMB/CIFS shares to Client Side Caching
(off-line access) policies. For each share one of the following
policies may be used: "manual", "programs", "documents", "disable".

These values used to be stored in afsdsbmt.ini.

[HKLM\SOFTWARE\OpenAFS\Client\Freelance]

Value : "numeric value"

This key is used to store dot terminated mount point strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.

"athena.mit.edu#athena.mit.edu:root.cell."
".athena.mit.edu%athena.mit.edu:root.cell."

These values used to be stored in afs_freelance.ini.

[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]

Value : "numeric value"

This key is used to store dot terminated symlink strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.

"linkname:destination-path."
"athena:athena.mit.edu."
"home:athena.mit.edu\user\j\a\jaltman."
"filename:path\file."

[HKLM\SOFTWARE\OpenAFS\Client\Submounts]

Value : "submount name"

This key is used to store mappings of Unix style AFS paths
to submount names which can be referenced as UNC paths.
For example the submount string "/athena.mit.edu/user/j/a/jaltman"
can be associated with the submount name "jaltman.home".
This can then be referenced as the UNC path \\AFS\jaltman.home.

These values used to be stored in afsdsbmt.ini.

NOTE: Submounts should no longer be used with OpenAFS.
Use the Windows Explorer to create drive mappings to AFS UNC
paths instead of using the AFS Submount mechanism.

[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]

Value : "hostname or ip address"

This key is used to specify a default set of VLDB server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.

[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]

Value : "hostname or ip address"

This key is used to specify a default set of File server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.

2. Network provider parameters
------------------------------
Affects the network provider (afslogon.dll).

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value : FailLoginsSilently

Do not display message boxes if the login fails.

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

Disables visible warnings during logon.

Value : AuthentProviderPath
NSIS : %WINDIR%\SYSTEM32\afslogon.dll

Specifies the install location of the authentication provider dll.

Specifies the class of network provider

Value : DependOnGroup

Specifies the service groups upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the services within these groups have successfully

Value : DependOnService
NSIS : Tcpip NETBIOS RpcSs

Specifies a list of services upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the specified services have successfully started.

NSIS : "OpenAFSDaemon"

Specifies the display name of the AFS Client Service

NSIS : %WINDIR%\SYSTEM32\afslogon.dll

Specifies the DLL to use for the network provider

2.1 Domain specific configuration keys for the Network Provider
---------------------------------------------------------------

The network provider can be configured to have different behavior
depending on the domain that the user logs into. These settings are
only relevant when using integrated login. A domain refers to an
Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
local machine (i.e. local account logins). The domain name that is
used for selecting the domain would be the domain that is passed into
the NPLogonNotify function of the network provider.

Domain specific registry keys are:

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
(Specific domain key. One per domain.)

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider

Each of the domain specific keys can have the set of values described
in 2.1.1. The effective values are chosen as described in 2.1.2.

2.1.1 Domain specific configuration values
-------------------------------------------
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

NSIS/WiX: depends on user configuration

0x00 - Integrated Logon is not used
0x01 - Integrated Logon is used
0x02 - High Security Mode is used
0x03 - Integrated Logon with High Security Mode is used

High Security Mode generates random SMB names for the creation of
Drive Mappings. This mode should not be used without Integrated Logon.

As of 1.3.65 the SMB server supports SMB authentication. The High
Security Mode should not be used when using SMB authentication
(SMBAuthType setting is non zero).

Value : FailLoginsSilently

If true, does not display any visible warnings in the event of an
error during the integrated login process.

Type : REG_SZ or REG_EXPAND_SZ
NSIS/WiX: (only value under NP key) <install path>\afscreds.exe -:%s -x -a -m -n -q

A logon script that will be scheduled to be run after the profile
load is complete. If using the REG_EXPAND_SZ type, you can use
any system environment variable as "%varname%" which would be
expanded at the time the network provider is run. Optionally
using a "%s" in the value would result in it being expanded into
the AFS SMB username for the session.

Value : LoginRetryInterval

If the OpenAFS client service has not started yet, the network
provider will wait for a maximum of "LoginRetryInterval" seconds
while retrying every "LoginSleepInterval" seconds to check if the

Value : LoginSleepInterval

See description of LoginRetryInterval.

When Kerberos 5 is being used, TheseCells provides a list of additional
cells for which tokens should be obtained with the default Kerberos 5

2.1.2 Selection of effective values for domain specific configuration
----------------------------------------------------------------------

During login to domain X, where X is the domain passed into
NPLogonNotify as lpAuthentInfo->LogonDomainName or the string
'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the
computer, the following keys will be looked up.

1. NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")
2. Domains key. (NP key\"Domain")
3. Specific domain key. (Domains key\X)

If the specific domain key does not exist, then the domains key will
be ignored. All the configuration information in this case will
come from the NP key.

If the specific domain key exists, then for each of the values
mentioned in (2), they will be looked up in the specific domain key,
domains key and the NP key successively until the value is found.
The first instance of the value found this way will be the effective
value for the login session. If no such instance can be found, the
default will be used. To reiterate, a value in a more specific key
supersedes a value in a less specific key. The exceptions to this
rule are stated below.

2.1.3 Exceptions to 2.1.2
--------------------------

To retain backwards compatibility, the following exceptions are made

2.1.3.1 'FailLoginsSilently'

Historically, the 'FailLoginsSilently' value was in
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
key and not in the NP key. Therefore, for backwards compatibility,
the value in the Parameters key will supersede all instances of this
value in other keys. In the absence of this value in the Parameters
key, normal scope rules apply.

2.1.3.2 'LogonScript'

If a 'LogonScript' is not specified in the specific domain key nor
in the domains key, the value in the NP key will only be checked if
the effective 'LogonOptions' specify a high security integrated
login. If a logon script is specified in the specific domain key or
the domains key, it will be used regardless of the high security
setting. Please be aware of this when setting this value.
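
The lookup order of 2.1.2 and the two exceptions of 2.1.3, as an added example in Python (not code from afslogon.dll or the OpenAFS project). It runs over an in-memory snapshot whose dict layout, domain names, script paths and data are constructed; defaults are passed in by the caller, and "high security integrated login" is read here as LogonOptions 0x03.

```python
# Added example: models the lookup rules of 2.1.2 and 2.1.3 over a registry
# snapshot held in a dict. It is not the network provider's own code.
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon"
PARAMS_KEY = SVC + r"\Parameters"
NP_KEY = SVC + r"\NetworkProvider"
DOMAINS_KEY = NP_KEY + r"\Domain"
# Assumption: "high security integrated login" means LogonOptions == 0x03.
HIGH_SECURITY_INTEGRATED = 0x03


def specific_key(logon_domain, computer_name):
    """Specific domain key for a login; local-account logins use LOCALHOST."""
    local = logon_domain.lower() == computer_name.lower()
    return DOMAINS_KEY + "\\" + ("LOCALHOST" if local else logon_domain)


def effective(registry, name, logon_domain, computer_name, defaults=None):
    """Return (data, source_key); source_key is None if the default applies.

    registry: {key path: {value name: data}}, a hypothetical snapshot layout
    with key paths spelled exactly as the constants above.
    defaults: {value name: default data}, supplied by the caller.
    """
    defaults = defaults or {}
    specific = specific_key(logon_domain, computer_name)
    # 2.1.2: without a specific domain key, the domains key is ignored too.
    if specific in registry:
        chain = [specific, DOMAINS_KEY, NP_KEY]
    else:
        chain = [NP_KEY]

    if name == "FailLoginsSilently":
        # 2.1.3.1: the legacy Parameters key supersedes every other key.
        chain.insert(0, PARAMS_KEY)
    elif name == "LogonScript":
        # 2.1.3.2: the NP key is consulted only when the effective
        # LogonOptions select high security integrated login.
        options, _ = effective(registry, "LogonOptions", logon_domain,
                               computer_name, defaults)
        if options != HIGH_SECURITY_INTEGRATED:
            chain.remove(NP_KEY)

    for key in chain:
        values = registry.get(key, {})
        if name in values:
            return values[name], key
    return defaults.get(name), None


# Constructed sample snapshot: domains, script paths and data are made up.
SAMPLE = {
    PARAMS_KEY: {"FailLoginsSilently": 0},
    NP_KEY: {"LogonOptions": 0x01, "FailLoginsSilently": 1,
             "LogonScript": r"C:\example\np-script.cmd",
             "LoginRetryInterval": 30},
    DOMAINS_KEY: {"LoginRetryInterval": 60},
    DOMAINS_KEY + r"\EXAMPLE.ORG": {"LogonOptions": 0x03},
    DOMAINS_KEY + r"\LOCALHOST": {"LogonOptions": 0x00,
                                  "LogonScript": r"C:\example\local.cmd"},
}

if __name__ == "__main__":
    for domain in ("EXAMPLE.ORG", "OTHER.EXAMPLE", "WS01"):
        for name in ("LogonOptions", "LogonScript", "LoginRetryInterval",
                     "FailLoginsSilently"):
            print(domain, name, effective(SAMPLE, name, domain, "ws01"))
```

The second element of each result names the key that supplied the value, which is the key to inspect when a per-domain LogonScript or LogonOptions setting differs from what the NP key suggests.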

3. AFS Credentials System Tray Tool parameters
----------------------------------------------
Affects the behavior of afscreds.exe

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Function: GetGatewayName()

If the AFS client is utilizing a gateway to obtain AFS access,
the name of the gateway is specified by this value.

Variable: IsServiceConfigured()

The value Cell is used to determine if the AFS Client Service has
been properly configured or not.

[HKLM\SOFTWARE\OpenAFS\Client]
[HKCU\SOFTWARE\OpenAFS\Client]

Function: InitApp(), Main_OnCheckTerminate()

This value is used to determine whether or not a shortcut should be
maintained in the user's Start Menu->Programs->Startup folder.

This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

The current user value is checked first; if it does not exist the local
machine value is checked.

Function: KFW_is_available()

When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 0, the internal
Kerberos 4 implementation will be used instead. The current user value
is checked first; if it does not exist the local machine value is checked.

Function: KFW_use_krb524()

When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 1, the Kerberos 5
tickets will be converted to Kerberos 4 tokens via a call to the krb524
daemon. The current user value is checked first; if it does not exist
the local machine value is checked.

Value : AfscredsShortcutParams
Default : "-A -M -N -Q"
Function: Shortcut_FixStartup

This value specifies the command line options which should be set
as part of the shortcut to afscreds.exe. afscreds.exe rewrites the
shortcut each time it exits so as to ensure that the shortcut points
to the latest version of the program. This value is used to determine
which values should be used for command line parameters. The current
user value is checked first; if it does not exist the local machine

[HKCU\SOFTWARE\OpenAFS\Client]

Value : Authentication Cell
Function: Afscreds.exe GetDefaultCell()

This value allows the user to configure a different cell name to
be used as the default cell when acquiring tokens in afscreds.exe

[HKCU\SOFTWARE\OpenAFS\Client\Reminders]

Value : "afs cell name"
Function: LoadRemind(), SaveRemind()

These values are used to save and restore the state of the reminder
flag for each cell for which the user has obtained tokens.

This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]

Value : "upper case drive letter"

These values are used to store the persistence state of the AFS
drive mappings as listed in the [...\Client\Mappings] key

These values used to be stored in the afsdsbmt.ini file.

[HKCU\SOFTWARE\OpenAFS\Client\Mappings]

Value : "upper case drive letter"

These values are used to store the AFS path in Unix notation
to which the drive letter is to be mapped.

These values used to be stored in the afsdsbmt.ini file.

ENVIRONMENT VARIABLES:

Variable: AFS_RPC_ENCRYPT
Values:   "OFF" disables the use of RPC encryption
          any other value allows RPC encryption to be used
Default:  RPC encryption is on

Variable: AFS_RPC_PROTSEQ
Values:   "ncalrpc" - local RPC
          "ncacn_np" - named pipes
          "ncacn_ip_tcp" - tcp/ip