+Since 1.3.65:
+ * Added a new registry value [HKCU\SOFTWARE\OpenAFS\Client]
+ "Authentication Cell" which may be used to specify a default
+ authentication cell for afscreds.exe which is different from
+ the default cell for the AFS Client Service daemon.
+
+ * Added a Logoff WinLogon Event Notification function to afslogon.dll.
+ afslogon.dll moved to %WINDIR%\System32\.
+ New registry entries added to register the dll for Winlogon events.
+
+ The logoff event will now force a call to ktc_ForgetAllTokens()
+ using the context of the user being logged off.
+
+ Need to double check that this code does not prevent profile data
+ from being written back to an afs volume
+
+ * Windows XP SP2 Internet Connection Firewall interoperability
+ has been added.
+
+ * The %WINDIR%\afsdsbmt.ini contains four sections:
+ Submounts, Drive Mappings, Active Maps and CSC Policies.
+ The Submounts and CSC policies are now stored in the registry under
+ [HKLM\SOFTWARE\OpenAFS\Client\Submounts]
+ [HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
+ The Drive Mappings and Active Maps are stored in the registry under
+ [HKCU\SOFTWARE\OpenAFS\Client\Mappings]
+ [HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
+
+ There is no automatic migration of this data as it would be impossible
+ to consistently migrate data to user profiles which may not be active
+ when the machine is updated.
+
+ * The %WINDIR%\afs_freelance.ini contains lists of mountpoints for the
+ fake root.afs volume. For the same reasons as for the cellservdb file,
+ this information should not be in %WINDIR%. This information is now
+ kept under the registry key
+ [HKLM\SOFTWARE\OpenAFS\Client\Freelance]
+
+ The data from the afs_freelance.ini file will be automatically
+ migrated to the registry on first execution of afsd_service.exe
+
+ * Keeping the CellServDB file in the location %WINDIR%\afsdcell.ini is
+ troublesome for several reasons. One, it is confusing for those who
+ expect the file to be named "CellServDB" instead of "afsdcell.ini".
+ Two, this file is not a Windows Profile formatted file. Three,
+ applications should not be reading or writing to %WINDIR%. It causes
+ problems for Windows Terminal Server.
+
+ The new location of CellServDB will be the OpenAFS Client install
+ directory which is by default C:\Program Files\OpenAFS\Client and can
+ be determined by querying the registry for
+ [HKLM\SOFTWARE\TransarcCorporation\AFS Client\CurrentVersion]PathName
+
+ The existing afsdcell.ini will be migrated by the NSIS installer.
+ The Wix installer must still be updated to do the same.
+
+ * Change NSIS installer to use DNS by default; to remove Integrated Logon
+ High Security mode; and to add Terminal Services compatibility registry
+ entries to allow the OpenAFS tools to find the afsdcell.ini and other
+ configuration files in %WINDIR%.
+
+ * Add support for authenticated SMB connections. This will remove
+ the need for high security mode in most situations. Both NTLM
+ and Extended Security (GSS SPNEGO) modes are supported. Effectively,
+ only NTLM can be used even though Kerberos is now supported. The
+ reason is that it is not possible to construct a service principal
+ which is unique to each individual machine.
+
+ SMB Extended Auth does not work on XP SP2 unless one of two registry
+ modifications are made:
+
+ (1) To disable the check for matching host names on loopback connections
+ set this key. This does not require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "DisableLoopbackCheck"=dword:00000001
+
+ (2) To add the AFS SMB/CIFS service name to an approved list. This
+ does require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "BackConnectionHostNames"=multi-sz "AFS" "MACHINE-AFS"
+
+ afsd_service.exe will automatically add the current Netbios Name
+ to the BackConnectionHostNames list and then temporarily disable
+ the loopback check for one cycle of startup/shutdown of the service.
+ We assume most folks do not start/stop without a reboot so this
+ will be adequate in most cases.
+
+ * Fix security hole in afslogon.dll which allowed passwords to be
+ sent in clear text to the KDC in a misformed principal name.
+
+ * Fix cm_GetCell() to properly handle expired dns entries
+ without crashing
+
+ * If Freelance mode is active and the afs_freelance.ini
+ file does not exist, do not create an empty file.
+ Instead create a file containing ro and rw mountpoints
+ to the default cell using the standard conventions.
+
+ * Modify the Freelance support to handle the ability
+ to create rw mount points in the fake root.afs volume.
+
+ * Changed the RPC mechanism used for token setting from
+ named pipes to local. Use of named pipes can be restored
+ by setting the environment variable AFS_RPC_PROTSEQ to
+ "ncacn_np".
+
+ Named pipes were required when a Windows 9x system was
+ using a NT system in gateway mode which is incompatible
+ with our use of local loopback adapters.
+
+ * In afscreds.exe, if a username of the form user@REALM is
+ specified and no password is specified, do not perform a
+ kinit operation. Only perform the aklog functionality.
+
+ * Add a new registry value which allows the number of processors
+ on which afsd_service.exe executes to be restricted. Valid
+ values are 1..numOfProcessors
+
+ HKLM\SYSTEM\CurrentControlSet\Services\TransarcAfsDaemon\Parameters
+ (DWORD) MaxCPUs
+
+Since 1.3.64:
+ * A second MSI based installer option is now available.
+
+ * Fixed Kerberos 5 kinit functionality in afscreds.exe to properly
+ request tickets for user/instance@REALM instead of just user@REALM
+
+ * Modify the Power Management Notify routine to wait for the Hard Dead
+ timeout period instead of a fixed 19 seconds. With the longer timeout
+ periods Hibernation and Standby could never succeed when network
+ connectivity is not available.
+
+ * The following fs.exe commands are now restricted to Administrator:
+ - checkservers with a non-zero timer value
+ - setcachesize
+ - newcell
+ - sysname with a new sysname list
+ - exportafs
+ - setcell
+ - setserverprefs
+ - storebehind
+ - setcrypt
+ - cscpolicy
+ - trace
+
+ setting the default sysname for a machine should be done via the
+ registry and not via "fs sysname".
+
+ * NSIS installer adds options to install Debugging Symbols
+ and the Microsoft Loopback Adapter; the user is now also
+ given the ability to select the afscreds.exe startup options.
+
+ * Build system modified to generate symbols for FREE (aka RELEASE)
+ builds as well as CHECKED (aka DEBUG) builds
+
+ * Sites which have a volume ID of 0x20000001 assigned to their
+ root.afs volumes have been experiencing problems with accessing
+ the root.afs volume of their cell when Freelance mode has been
+ active. This was because 0x20000001 was assigned to the fake
+ root.afs volume created by freelance. The fake volume id is
+ now set to 0x00000001 to prevent conflicts.
+
+ * The timeout logic in the AFS Client Service has been wrong
+ for sometime. It is based on two different assumptions.
+ First, the SMB client timeout is a fix value as was the case
+ with OS/2 Lan Manager. This assumption is incorrect. The
+ SMB timeout in Windows is a dynamic value computed based upon
+ a fixed minimum timeout to which is added time based upon the
+ size of the request and the performance characteristics of
+ the connection. Second, it is the responsibility of the
+ SMB Server to enforce the timeout requirements of the client.
+ This is untrue. The SMB Server cannot be expected to know
+ the requirements of the client. More importantly, if the
+ SMB server uses the SMB client timeout as a value to restrict
+ its behavior as an RX client, the performance characteristics
+ of the local SMB session would be used to prematurely terminate
+ WAN connections with significantly different performance
+ characteristics.
+
+ The timeout logic has therefore been modified in the following
+ manner:
+ . the Lan Manager Workstation (SMB) Session Timeout is used only
+ as a basis for configuring the Connection Dead Timeout
+ and Hard Dead Timeout values. The Connection Dead Timeout
+ must be at least 15 seconds longer than the SMB Timeout
+ and the Hard Dead Timeout must be at least double the
+ Connection Dead Timeout.
+ . New registry entries have been added to allow the Connection
+ Dead Timeout and Hard Dead Timeout values independent of the
+ Lan Manager Workstation Session Timeout
+ . The test to enforce the SMB Client Timeout has been removed.
+
+ One of the side-effects of removing the enforcement of the SMB
+ Client Timeout is that regardless of whether or not the SMB client
+ is available to receive the response (and how would the SMB server
+ know) the RX protocol response can be used to update the AFS
+ Client Service state for ready access by future SMB client
+ requests.
+
+ This should be the end of the "Server paused or restarting messages"
+
+ * Fix "fs mkmount" command to work with UNC paths and when
+ started from non-AFS drives
+
+ * Add support for arbitrary UNC paths to the pioctl() support.
+ This enables the fs commands as well as the AFS Shell Extension
+ to work correctly when UNC paths are being used.
+
+ * Fix afscreds.exe (by updating afskfw.lib) to search for cells via
+ DNS if the cell configuration cannot be determined via CellServDB
+
+ * Add debug info to test whether CM_BUF_WAITING or CM_SCACHE_WAITING
+ are ever set more than once at a time
+
+ * Fix the management of lists of cm_cell_t structures when using
+ DNS to lookup cell information. The previous code would fail to
+ reuse the same cellID for a cell if DNS was used more than once
+ for a given cell name. When the ttl expired, a single cm_cell_t
+ could be inserted into the cm_allCellsp list more than once
+ producing a loop. In addition, the vlServerp list belonging to
+ the cell was not freed resulting in improper refCounting of the
+ servers.
+
+ * Add DNS support to cm_IoctlNewCell() which previous only examined
+ the CellServDB file
+
+ * Add cm_FreeServer() function and call it from cm_FreeServerList()
+ to properly garbage collect cm_server_t objects
+
+ * Add numVCs variable to smb.c to track the number of smb_vc_t
+ objects created and use it to initialize the vcID field which
+ previously was set to 0 in all objects resulting in FindByID
+ collisions.
+
+ * Fixed DNS lookups to work consistently throughout the OpenAFS
+ product instead of just from within the afsd_service.exe
+
+ * Added a runtime check to ensure that AFS Client Service SMB
+ Server is accepting connections before attempting to mount
+ global drives.
+
+ * Read IP addresses for volume servers out of the CellServDB
+ file if gethostbyname() on the hostname fails.
+
+ * Fix getcellconfig() to populate both the Hostnames as well
+ as IP addresses when loading cell data via DNS
+
+ * Increase the Connection Dead Time to 50 from 20 seconds
+ Increase the Hard Dead Time to 120 from 40 seconds
+ (matches the Unix values)
+
+ * Fixed an assertion validating the number of allocated NCBs
+
+ * Fixed the build environment to consistently build for
+ Windows 2000 and above. (APPVER = 5.0)
+
+ * Fixed rx_debug to properly validate the receipt in incoming
+ data with select() and recvfrom(). Do not copy data out of
+ the socket buffer unless success is indicated.
+
+Since 1.3.63:
+ * afsd_service.exe will now display a message box to the
+ desktop when it terminates due to an IP Address Change.
+
+ * installer no longer deletes AFS Server configuration data
+ on uninstall
+
+ * installer generates a warning dialog if the RPC service
+ is not properly configured
+
+ * installer compressed with lzma instead of bzip2
+
+ * afsd_service.exe shutdown crash solved once and for all
+
+ * reference counting of smb_vc_t data structures improved
+
+ * name space collision of smb_fid_t event objects corrected
+
+ * the output of "fs memdump" is now written to
+ %WINDIR%\TEMP\afsd_alloc.log
+
+ * the file TaAfsApp_1033.dll is now properly installed allowing
+ the User Manager to start
+
+ * a new algorithm is used for computing filename pattern matches
+
+ * afscreds.exe now accepts user names containing instance
+ fields.
+
+ * Fix the Directory Name Lookup Cache to be case-sensitive.
+ This is crucial in environments in which a Windows client
+ is accessing a directory with more than one filename that
+ differs only by case. If the directory contains "FOO"
+ and "Foo". You want "DEL Foo" to delete the correct one.
+ We still have a problem in that "DEL foo" will delete a
+ random filename. This will be addressed in a future release.
+
+ * Fix afscreds.exe -M option (renewMaps) to work when High
+ Security mode is off. Also, remember to disable the ActiveMap
+ flag in afsdsbmt.ini when a drive mapping is removed.
+
+ * Updates to NSIS installer script. AFS Server configuration
+ data will not be destroyed on un-install or re-install.
+ Use a better compression algorithm.
+
+ * afslogon.dll now uses KFW to obtain tokens when available
+
+ * afslogon.dll when given an all uppercase username will
+ attempt to authenticate with both the uppercase name
+ and an all lowercase variation
+
+ * DST modification removed. The fix appears to make things
+ worse after a reboot of the machine.
+
+ * fs.exe: added "cscpolicy" which is used to
+ change client side caching policy for AFS shares
+
+ Usage: fs cscpolicy [-share <AFS share>] [-manual] [-programs]
+ [-documents] [-disable] [-help]
+
+ * Several uninitialized variables have been initialized
+
+ * It is now possible to obtain tokens using cross realm
+ Kerberos within afscreds.exe:
+ cell: dementia.org
+ user: jaltman@ATHENA.MIT.EDU
+ password: xxxxxxxx
+ Will obtain a cross realm ticket for jaltman/DEMENTIA.ORG@ATHENA.MIT.EDU
+ will will in turn be used to obtain afs@DEMENTIA.ORG.
+ The resulting token will be stored with the display name
+ jaltman@ATHENA.MIT.EDU@dementia.org
+
+ * aklog.exe has been added to the client
+
+ Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
+ [[-p | -path] pathname]
+ [-noprdb] [-force]
+ [-5 | -4]
+
+ -d gives debugging information.
+ krb_realm is the kerberos realm of a cell.
+ pathname is the name of a directory to which you wish to authenticate.
+ -noprdb means don't try to determine AFS ID.
+ -5 or -4 selects whether to use Kerberos V or Kerberos IV.
+ (default is Kerberos V)
+ No commandline arguments means authenticate to the local cell.
+
Since 1.3.62:
* All of the resource files have been restructured to adhere to
a set of rules IBM implemented for loading string resources.
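Review bot: In the authenticated SMB entry, the paragraph beginning "afsd_service.exe will automatically add the current Netbios Name" says the service will "temporarily disable the loopback check for one cycle of startup/shutdown of the service" but does not say at what point DisableLoopbackCheck is set back, or what state the value is left in if the service exits without a clean shutdown. This is a machine-wide value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, so please state the restore behaviour explicitly and say whether the administrator is expected to do anything once BackConnectionHostNames has been populated. Smaller points in the same hunk: the line "Need to double check that this code does not prevent profile data from being written back to an afs volume" under the Logoff notification entry reads as an open TODO and should be resolved or reworded as a known issue before release; the NSIS entry still talks about finding afsdcell.ini in %WINDIR% although the preceding entry moves CellServDB to the install directory, so the two should be reconciled; the afs_freelance.ini entry says "For the same reasons as for the cellservdb file" before those reasons have been given, so either reorder the entries or restate the reasons; the afslogon.dll security fix entry does not say which releases were affected; and there are typos at "misformed principal name", "will will in turn", "previous only examined" and "a fix value".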