Update Windows note files with the latest changes.
+Since 1.3.65:
+ * Added a new registry value [HKCU\SOFTWARE\OpenAFS\Client]
+ "Authentication Cell" which may be used to specify a default
+ authentication cell for afscreds.exe which is different from
+ the default cell for the AFS Client Service daemon.
+
+ * Added a Logoff WinLogon Event Notification function to afslogon.dll.
+ afslogon.dll moved to %WINDIR%\System32\.
+ New registry entries added to register the dll for Winlogon events.
+
+ The logoff event will now force a call to ktc_ForgetAllTokens()
+ using the context of the user being logged off.
+
+ Need to double check that this code does not prevent profile data
+ from being written back to an afs volume
+
+ * Windows XP SP2 Internet Connection Firewall interoperability
+ has been added.
+
+ * The %WINDIR%\afsdsbmt.ini contains four sections:
+ Submounts, Drive Mappings, Active Maps and CSC Policies.
+ The Submounts and CSC policies are now stored in the registry under
+ [HKLM\SOFTWARE\OpenAFS\Client\Submounts]
+ [HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
+ The Drive Mappings and Active Maps are stored in the registry under
+ [HKCU\SOFTWARE\OpenAFS\Client\Mappings]
+ [HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
+
+ There is no automatic migration of this data as it would be impossible
+ to consistently migrate data to user profiles which may not be active
+ when the machine is updated.
+
+ * The %WINDIR%\afs_freelance.ini contains lists of mountpoints for the
+ fake root.afs volume. For the same reasons as for the cellservdb file,
+ this information should not be in %WINDIR%. This information is now
+ kept under the registry key
+ [HKLM\SOFTWARE\OpenAFS\Client\Freelance]
+
+ The data from the afs_freelance.ini file will be automatically
+ migrated to the registry on first execution of afsd_service.exe
+
+ * Keeping the CellServDB file in the location %WINDIR%\afsdcell.ini is
+ troublesome for several reasons. One, it is confusing for those who
+ expect the file to be named "CellServDB" instead of "afsdcell.ini".
+ Two, this file is not a Windows Profile formatted file. Three,
+ applications should not be reading or writing to %WINDIR%. It causes
+ problems for Windows Terminal Server.
+
+ The new location of CellServDB will be the OpenAFS Client install
+ directory which is by default C:\Program Files\OpenAFS\Client and can
+ be determined by querying the registry for
+ [HKLM\SOFTWARE\TransarcCorporation\AFS Client\CurrentVersion]PathName
+
+ The existing afsdcell.ini will be migrated by the NSIS installer.
+ The Wix installer must still be updated to do the same.
+
+ * Change NSIS installer to use DNS by default; to remove Integrated Logon
+ High Security mode; and to add Terminal Services compatibility registry
+ entries to allow the OpenAFS tools to find the afsdcell.ini and other
+ configuration files in %WINDIR%.
+
+ * Add support for authenticated SMB connections. This will remove
+ the need for high security mode in most situations. Both NTLM
+ and Extended Security (GSS SPNEGO) modes are supported. Effectively,
+ only NTLM can be used even though Kerberos is now supported. The
+ reason is that it is not possible to construct a service principal
+ which is unique to each individual machine.
+
+ SMB Extended Auth does not work on XP SP2 unless one of two registry
+ modifications are made:
+
+ (1) To disable the check for matching host names on loopback connections
+ set this key. This does not require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "DisableLoopbackCheck"=dword:00000001
+
+ (2) To add the AFS SMB/CIFS service name to an approved list. This
+ does require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "BackConnectionHostNames"=multi-sz "AFS" "MACHINE-AFS"
+
+ afsd_service.exe will automatically add the current Netbios Name
+ to the BackConnectionHostNames list and then temporarily disable
+ the loopback check for one cycle of startup/shutdown of the service.
+ We assume most folks do not start/stop without a reboot so this
+ will be adequate in most cases.
+
+ * Fix security hole in afslogon.dll which allowed passwords to be
+ sent in clear text to the KDC in a misformed principal name.
+
+ * Fix cm_GetCell() to properly handle expired dns entries
+ without crashing
+
+ * If Freelance mode is active and the afs_freelance.ini
+ file does not exist, do not create an empty file.
+ Instead create a file containing ro and rw mountpoints
+ to the default cell using the standard conventions.
+
+ * Modify the Freelance support to handle the ability
+ to create rw mount points in the fake root.afs volume.
+
+ * Changed the RPC mechanism used for token setting from
+ named pipes to local. Use of named pipes can be restored
+ by setting the environment variable AFS_RPC_PROTSEQ to
+ "ncacn_np".
+
+ Named pipes were required when a Windows 9x system was
+ using a NT system in gateway mode which is incompatible
+ with our use of local loopback adapters.
+
+ * In afscreds.exe, if a username of the form user@REALM is
+ specified and no password is specified, do not perform a
+ kinit operation. Only perform the aklog functionality.
+
+ * Add a new registry value which allows the number of processors
+ on which afsd_service.exe executes to be restricted. Valid
+ values are 1..numOfProcessors
+
+ HKLM\SYSTEM\CurrentControlSet\Services\TransarcAfsDaemon\Parameters
+ (DWORD) MaxCPUs
+
Since 1.3.64:
* A second MSI based installer option is now available.
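Review bot: The SMB Extended Auth entry says afsd_service.exe will "temporarily disable the loopback check for one cycle of startup/shutdown of the service", but it does not say when DisableLoopbackCheck is restored or what state it is left in if the service exits abnormally. The value sits under the machine-wide Lsa key, so the note should state the restore point and name the BackConnectionHostNames entry as the permanent configuration. Two smaller points in the same hunk: the "Need to double check ..." sentence under the Logoff notification is an open question shipped as release text and should be resolved or moved to the issues list, and the NSIS entry still speaks of finding "the afsdcell.ini and other configuration files in %WINDIR%" while the entries above it move those files out of %WINDIR%.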
-OpenAFS for Windows 1.3.65 Installation Notes
+OpenAFS for Windows 1.3.66 Installation Notes
---------------------------------------------
The OpenAFS for Windows product was very poorly maintained throughout the
add these service principals to the list of principals to be maintained
for each host.
+19. As of 1.3.66, the use of INI files for the storage of AFS configuration
+data is no more. No longer are there any AFS related files stored in the
+%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini"
+and it is stored in the OpenAFS\Client directory. The afs_freelance.ini
+and afsdsbmt.ini file data has been moved to the registry.
+
+IMPORTANT: while the CellServDB file location and freelance mountpoint
+data will be automatically migrated; there is no mechanism for automatic
+migration of Submounts, Drive Mappings, Active Maps, and CSCPolicy data.
+
+20. As of 1.3.66, the OpenAFS Client is compatible with Windows XP SP2.
+The Internet Connection Firewall will be automatically adjusted to allow
+the receipt of incoming callback messages from the AFS file server. In
+addition, the appropriate Back Connection entries are added to the registry
+to allow SMB authentication to be performed across the loopback connection.
+
+21.
------------------------------------------------------------------------
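Review bot: Item 19 above names the wrong file. It says the CellServDB file is no longer called "afsdsbmt.ini", but the change notes in this same commit give the old CellServDB location as %WINDIR%\afsdcell.ini and use afsdsbmt.ini for Submounts, Drive Mappings, Active Maps and CSC Policies. Change the first mention to "afsdcell.ini". Item 21 is added as a bare number with no text; fill it in or drop it.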
(1) File/Directory access is not integrated with windows security
-(2) tokens are assigned to the service on a system global basis. Therefore,
-all users and processes on the machine are able to access files with the
-list of available tokens. This is dangerous if anonymous logins are enabled;
-or if multiple users are on the machine (ie, Terminal Server or XP user
-switching)
-
(3) SMB LANA list is static.
(3a) IP address changes cause the service to terminate due to an assertion
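Review bot: Removing issue (2) needs a matching statement of what fixed it. The change notes in this commit add authenticated SMB connections, which remove the need for high security mode "in most situations", and a logoff call to ktc_ForgetAllTokens(), but neither entry says that tokens are no longer shared by all users and processes on the machine. If the Terminal Server or XP user switching cases remain exposed, keep the item with narrowed wording; otherwise say so in the change notes. The list also now runs (1), (3).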
and per-machine settings. All of the new registry items need to
be added to the UI
-(29) Windows XP SP2 and Windows 2003 SP1 are going to lockdown the
- machine. We need to add code to programatically open the
- Internet Connection Firewall to the ports needed by the various
- AFS services.
-
(30) There appears to be a thread safety issue in the Rx library when
running on Intel processors which support hyper-threading
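Review bot: Item (29) covered both Windows XP SP2 and Windows 2003 SP1, while the notes added in this commit only claim Windows XP SP2 Internet Connection Firewall interoperability. Either keep a trimmed item for Windows 2003 SP1 or state in the change notes that it is covered.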
-------------------------------------------------------------------------
List sent to SLAC:
- 1. Convert from use of .INI files to appropriate places in the registry
- 2. No longer use AFS Client Service "cell" as the default cell for individual users
- 3. Re-write afsd_service.exe to perform synchronized thread startup and shutdown. Currently there is no synchronization of thread creation which results in timing conflicts; and there is no attempt to cleanly shutdown the service which causes problems when restarting and prevents the implementation of a persistent cache
- 4. Implement a persistent cache
- 5. Prevent panic situation when the root.afs volume is not reachable
- 6. Prevent panic situation when the IP address to which the SMB server is bound is removed from the local machine's network configuration
- 7. Only use Local RPC mechanism unless Gateway mode is on
- 8. Identify and fix the problems with running the RX library on Hyperthreaded systems
- 9. Add support for Named Pipes within the afs filesystem
- 10. Add support for Windows XP2 - dynamically open/close ports in the firewall
- 11. Add support for r/w mounts in the Freelance fake root.afs volume.
- 12. Re-write afscreds.exe to support:
+ 1. No longer use AFS Client Service "cell" as the default cell for individual users
+ 2. Re-write afsd_service.exe to perform synchronized thread startup and shutdown.
+ Currently there is no synchronization of thread creation which results in timing
+ conflicts; and there is no attempt to cleanly shutdown the service which causes
+ problems when restarting and prevents the implementation of a persistent cache
+ 3. Implement a persistent cache
+ 4. Prevent panic situation when the root.afs volume is not reachable
+ 5. Prevent panic situation when the IP address to which the SMB server is bound is removed
+ from the local machine's network configuration
+ 6. Identify and fix the problems with running the RX library on Hyperthreaded systems
+ 7. Add support for Named Pipes within the afs filesystem
+ (This is not currently a supported feature of AFS; it will require
+ changes to the servers as well as the clients.)
+ 8. Re-write afscreds.exe to support:
1. choosing between Kerberos 5 and Kerberos 4 on a per principal basis
2. providing users with the ability to map multiple cells to a single principal
3. providing change password functionality on a per principal basis
4. no longer include drive mapping
5. configuration of afscreds startup options in shortcut
- 13. Re-write afs_config.exe to be only "per user" functionality which does not require admin privileges
+ 9. Re-write afs_config.exe to be only "per user" functionality which does not require admin
+ privileges
1. default cell and principal for the user
2. drive mappings
3. visibility of afs creds and setting of afs creds startup options
- 14. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS) which contains
+ 10. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS)
+ which contains
1. afs client service cell name
2. integrated logon configuration
3. Gateway configuration
11. network configuration
12. miscellaneous
13. need to add support for all of the new registry values since 1.2.8
- 15. Identify why 16-bit DOS applications executed out of AFS fail
- 16. Create new Windows Security Group to which users can be added for them to become AFS Client Administrators
- 17. Add support for configurable Icon file representing AFS folders within the Explorer Shell
- 18. Documentation Documentation Documentation
- 19. Large File support (> 2GB)
- 20. Integrate KFW installation into the NSIS installer
- 21. Fix High Security mode (prevents SMB shares from being shared by more than one session)
+ 11. Identify why 16-bit DOS applications executed out of AFS fail
+ 12. Create new Windows Security Group to which users can be added for them to become AFS
+ Client Administrators
+ 13. Add support for configurable Icon file representing AFS folders within the Explorer Shell
+ 14. Documentation Documentation Documentation
+ 15. Large File support (> 2GB)
+ 16. Integrate KFW installation into the NSIS installer
+ 17. Add support for record locking to AFS (requires changes to the servers)
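Review bot: After the renumbering, top-level items 11 to 13 reuse the numbers of the sub-items 11, 12 and 13 left unchanged under the afs_admin.exe entry (item 10), so a reference to "item 12" is now ambiguous. Renumber or letter those sub-items in the same change. Former item 21, "Fix High Security mode", is dropped rather than renumbered; a line saying it is retired along with the installer option would make that explicit.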
Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client]
+
+Value : Authentication Cell
+Type : REG_SZ
+Default : <none>
+Function: Afscreds.exe GetDefaultCell()
+
+ This value allows the user to configure a different cell name to
+ be used as the default cell when acquiring tokens in afscreds.exe
+
+
+Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Reminders]
Value : "afs cell name"
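Review bot: The "Authentication Cell" entry gives Default as <none> but does not say what GetDefaultCell() returns when the value is absent. State the fallback (the change notes suggest it is the AFS Client Service cell) so that administrators know which cell a user with no per-user value will authenticate to.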
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].
+Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
+
+Value : "upper case drive letter"
+Type : DWORD {0, 1}
+Default : <none>
+
+ These values are used to store the persistence state of the AFS
+ drive mappings as listed in the [...\Client\Mappings] key
+
+ These values used to be stored in the afsdsbmt.ini file
+
+Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client\Mappings]
+
+Value : "upper case drive letter"
+Type : REG_SZ
+Default : <none>
+
+ These values are used to store the AFS path in Unix notation
+ to which the drive letter is to be mapped.
+
+ These values used to be stored in the afsdsbmt.ini file.
+
+
+Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
+
+Value : "smb/cifs share name"
+Type : REG_SZ
+Default : <none>
+
+ This key is used to map SMB/CIFS shares to Client Side Caching
+ (off-line access) policies. For each share one of the following
+ policies may be used: "manual", "programs", "documents", "disable"
+
+ These values used to be stored in afsdsbmt.ini
+
+Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Freelance]
+
+Value : "numeric value"
+Type : REG_SZ
+Default : <none>
+
+ This key is used to store newline terminated mount point strings
+ for use in constructing the fake root.afs volume when Freelance
+ (dynamic roots) mode is activated.
+
+ "athena.mit.edu#athena.mit.edu:root.cell.\n"
+ ".athena.mit.edu%athena.mit.edu:root.cell.\n"
+
+ These values used to be stored in afs_freelance.ini
+
+
+Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Submounts]
+
+Value : "submount name"
+Type : REG_SZ
+Default : <none>
+
+ This key is used to store mappings of unix style AFS paths
+ to submount names which can be referenced as UNC paths.
+ For example the submount string "/athena.mit.edu/user/j/a/jaltman"
+ can be associated with the submount name "jaltman.home".
+ This can then be referenced as the UNC path \\AFS\jaltman.home.
+
+ These values used to be stored in afsdsbmt.ini
+
+
ENVIRONMENT VARIABLES:
Variable: AFS_RPC_ENCRYPT
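Review bot: The Freelance entry describes its value name only as "numeric value" and does not explain the two example strings. Say how the numbers are assigned and whether order or gaps matter, and say what distinguishes the "#" form from the leading-dot "%" form (the change notes mention ro and rw mountpoints), since anyone editing this key by hand has nothing else to go on. The Active Maps entry has the same gap: Type is DWORD {0, 1} without saying which value marks a mapping as persistent.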