From: Jeffrey Altman Date: Mon, 30 Jul 2012 19:19:57 +0000 (-0400) Subject: doc: Windows Release Notes Integrated Logon X-Git-Tag: openafs-stable-1_8_0pre1~2130 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=070e90a92175eb91b3709598859fabb0c843d0a9 doc: Windows Release Notes Integrated Logon Expand on support for integrated logon details. Explain the new capabilities for per-user configuration and name mapping. Change-Id: I6aef3f99cb54aa964f9a6dbc3992031d6199e97d Reviewed-on: http://gerrit.openafs.org/7905 Tested-by: BuildBot Reviewed-by: Jeffrey Altman Tested-by: Jeffrey Altman --- diff --git a/doc/xml/ReleaseNotesWindows/relnotes.xml b/doc/xml/ReleaseNotesWindows/relnotes.xml index 04aa503..894d4c5 100644 --- a/doc/xml/ReleaseNotesWindows/relnotes.xml +++ b/doc/xml/ReleaseNotesWindows/relnotes.xml @@ -96,6 +96,16 @@ Microsoft Windows 2008 Server R2 (64-bit Intel) + + Microsoft Windows 8 Release Preview (32-bit and 64-bit Intel) + (not guaranteed to work with the final + release) + + + Microsoft Windows Server 2012 Release Preview (64-bit Intel) + (not guaranteed to work with the final + release) + @@ -142,9 +152,11 @@ disk space required - - Up to 60mb required for the OpenAFS binaries plus 100MB for the default AFSCache file. The size of the AFSCache file may be adjusted via the Registry after installation. The maximum cache size for 32-bit Windows is approximately 1.2GB. On 64-bit Windows there is no practical limit on the cache size. - + Up to 60mb required for the OpenAFS binaries plus 100MB for the default + AFSCache file. The size of the AFSCache file may be adjusted via the Registry after + installation. The maximum cache size for 32-bit Windows is approximately 1.2GB. On 64-bit + Windows there is no enforced limit on the cache size.
2.3 Additional Software Packages @@ -473,9 +485,9 @@ The OpenAFS for Windows client will use DNS SRV records and DNS AFSDB records to discover the location of AFS Volume Database servers when entries for the cell are not present in either the client's CellServDB registry store or file - (\%PROGRAMFILES%\OpenAFS\Client\CellServDB). Also see Registry Configuration for AFS Volume Database - Servers. + (\%ALLUSERSPROFILE%\OpenAFS\Client\CellServDB or \%PROGRAMFILES%\OpenAFS\Client\CellServDB). + Also see Registry Configuration for AFS Volume + Database Servers.
3.6. Obtaining AFS Tokens as a Integrated Part of Windows Logon @@ -500,12 +512,12 @@ tokens - OpenAFS for Windows installs a WinLogon Network Provider to provide Single Sign-On - functionality (aka Integrated Logon.) Integrated Logon can be used to obtain AFS tokens when - the Windows username and password match the username and password associated with the - default cell's Kerberos realm. For example, if the Windows username is "jaltman" and the - default cell is "your-file-system.com", then Integrated Logon can be successfully used if - the windows password matches the password assigned to the Kerberos principal + OpenAFS for Windows installs a WinLogon Authentication Provider to provide Single + Sign-On functionality (aka Integrated Logon.) Integrated Logon can be used to obtain AFS + tokens when the Windows username and password match the username and password associated + with the default cell's Kerberos realm. For example, if the Windows username is "jaltman" + and the default cell is "your-file-system.com", then Integrated Logon can be successfully + used if the windows password matches the password assigned to the Kerberos principal "jaltman@YOUR-FILE-SYSTEM.COM". The realm "YOUR-FILE-SYSTEM.COM" is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers. 
@@ -513,14 +525,146 @@ system. OpenAFS does not provide tools for synchronizing the Windows and Kerberos user accounts and passwords. Integrated Logon can be enabled or disabled via the LogonOptions registry value. - When KFW is configured, Integrated Logon will use it to obtain tokens. Use of KFW for Integrated Logon can be disabled via the - EnableKFW registry value. - + When Heimdal or KFW is installed, Integrated Logon will use it to obtain tokens using + Kerberos v5. If you must use the deprecated kaserver for + authentication instead of Kerberos v5, the use of KFW can be disabled via the EnableKFW registry value. Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7. - Integrated Logon does not have the ability to cache the user's username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time. - Integrated Logon supports the ability to obtain tokens for multiple cells. For further information on how to configure this feature, read about the - TheseCells value. + Integrated Logon does not have the ability to cache the username and password for the + purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time. + Integrated Logon supports the ability to obtain tokens for multiple cells. For further + information on how to configure this feature, read about the TheseCells registry value. 
+ Depending on the configuration of the local machine, it is possible for logon + authentication to complete with one of the following user account types: + + + + Local Machine Account (LOCALHOST domain) + + + Domain or Forest Account + + + Domain or Forest Account NETBIOS-compatible name + + + Kerberos Principal mapped to a local or domain or forest account + + + + For each "domain" context, the following properties are configurable: + + + Obtain AFS Tokens at Logon + + + Yes + + + No + + + + + Alternate Kerberos Realm Name - combined with the username to construct a Kerberos + principal + + + TheseCells - A list of cell names other than the workstation cell for which tokens + should be obtained + + + Fail Logons Silently + + + Yes + + + No + + + + + + Logon Script to Execute + + + Logon Retry Interval + + + Logon Sleep between Failure Interval + + + Within a "domain" context it is often desireable to apply alternate rules for a + particular user. The rules can include a username substitution. + + + + Obtain AFS Tokens at Logon + + + Yes + + + No + + + + + Alternate User Name + + + Alternate Kerberos Realm Name - combined with the username to construct a Kerberos + principal + + + TheseCells - A list of cell names other than the workstation cell for which tokens + should be obtained + + + Fail Logons Silently + + + Yes + + + No + + + + + Logon Script to Execute + + + Logon Retry Interval + + + Logon Sleep between Failure Interval + + + The configuration hierarchy is specified in the registry under the + HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain key. For + example: + + + + ...\NetworkProvider\Domain\LOCALHOST\ + + + ...\NetworkProvider\Domain\LOCALHOST\Administrator\ + + + ...\NetworkProvider\Domain\AD\ + + + ...\NetworkProvider\Domain\AD.EXAMPLE.ORG\ + + + + From the perspective of configuration, the Full domain name and the + NETBIOS-compatibility name are separate entities.
3.7. AFS Authentication Tool Command Line Options @@ -1068,7 +1212,6 @@ - The pre-1.5.50 OpenAFS Client provided an optional registry value, StoreAnsiFilenames, that could be set to instruct OpenAFS to store filenames using the ANSI Code Page instead of the OEM Code Page. The ANSI Code Page is a compatible superset of Latin-1. This setting is not the default setting because making this change would prevent OpenAFS for Windows from being able to access filenames containing the above characters which were created without this setting. @@ -2947,7 +3090,6 @@ - The example adds domain specific keys for 'ATHENA.MIT.EDU' (enable integrated logon) and 'LOCALHOST' (disable integrated logon and fail logins silently).
@@ -4636,9 +4778,13 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider | +- Domain - +-AD1.EXAMPLE.COM - +-AD2.EXAMPLE.NET - +-LOCALHOST + +-AD1.EXAMPLE.COM + +-AD1 + +-AD2.EXAMPLE.NET + +-AD2 + +-LOCALHOST + +-Administrator + +-Other User Each of the domain specific keys can have the set of values described in 2.1.1. The effective values are chosen as described in 2.1.2.
@@ -4651,7 +4797,11 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"] - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain + name"]["user name"] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\"user name"] +
Value: LogonOptions @@ -4661,7 +4811,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll >[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: DWORD Default: 0x01 NSIS/WiX: depends on user configuration @@ -4681,7 +4834,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: DWORD (1|0) Default: 0 NSIS/WiX: (not set) @@ -4696,7 +4852,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: REG_SZ or REG_EXPAND_SZ Default: (null) NSIS/WiX: (only value under NP key) <install path>\afscreds.exe -:%s -x 
@@ -4716,7 +4875,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: DWORD Default: 30 NSIS/WiX: (not set) @@ -4733,7 +4895,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: DWORD Default: 5 NSIS/WiX: (not set) @@ -4748,7 +4913,10 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll >[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: REG_SZ NSIS: <not set> When Kerberos v5 is being used, Realm specifies the Kerberos v5 realm that 
@@ -4764,12 +4932,29 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll >[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] Type: REG_MULTI_SZ NSIS: <not set> When Kerberos v5 is being used, TheseCells provides a list of additional cells for which tokens should be obtained with the default Kerberos v5 principal.
+
+ Value: Username + + Username + + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\<domain + name>\<user name>] + [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST\<user name>] + Type: REG_SZ + NSIS: <not set> + Username specifies an alternate username to be combined with the Realm when constructing + the Kerberos v5 principal for which AFS tokens should be obtained. +
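Review bot: In hunk @@ -142,9 +152,11 the unit casing is inconsistent: "Up to 60mb" should read "Up to 60MB" to match "100MB" and "1.2GB" in the same paragraph. The change from "no practical limit" to "no enforced limit" is a good clarification; consider adding the one phrase that makes it concrete for an administrator, namely that the cache size on 64-bit Windows is bounded only by available disk space, if that is what "no enforced limit" is meant to convey.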
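Review bot: In hunk @@ -473,9 +485,9 the new text lists two CellServDB file locations (%ALLUSERSPROFILE%\OpenAFS\Client\CellServDB and %PROGRAMFILES%\OpenAFS\Client\CellServDB) but does not say which one is consulted first or whether both are merged; an administrator maintaining a cell list needs that precedence spelled out, since a stale copy in the other location could otherwise silently direct clients to the wrong Volume Database servers. Also, the leading backslash in "(\%ALLUSERSPROFILE%\..." and "\%PROGRAMFILES%\..." makes the path literally begin with "\", which is not how the environment variable expands; drop it unless it is an intentional escape for the DocBook toolchain.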
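Review bot: In hunk @@ -500,12 +512,12 the term "WinLogon Network Provider" is changed to "WinLogon Authentication Provider", but every registry path documented later in this same patch lives under ...\TransarcAFSDaemon\NetworkProvider and the DLL is registered as %WINDIR%\SYSTEM32\afslogon.dll; using a different name in the prose than in the registry key will confuse readers who search the document for the key. Either keep "Network Provider" or add a clause explaining the relationship. Minor: "the windows password" in the added line should be "the Windows password", and the section heading in the context line reads "as a Integrated Part"; since this section is being reworked, "an Integrated Part" could be fixed in the same change.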
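Review bot: In hunk @@ -513,14 +525,146 the new per-domain and per-user property lists never say which value wins when the same property is set at both the domain level and the user level (for example "Fail Logons Silently" = No under ...\Domain\AD\ and = Yes under ...\Domain\AD\Administrator\); add a sentence on precedence, or cross-reference the later "effective values are chosen as described in 2.1.2" text, because the security outcome (whether a failed token acquisition is reported to the user) depends on it. The closing sentence "the Full domain name and the NETBIOS-compatibility name are separate entities" should state the practical consequence: settings under ...\Domain\AD.EXAMPLE.ORG\ are not applied to a logon that resolves to ...\Domain\AD\ and vice versa, so an administrator must configure both keys. Wording: "desireable" should be "desirable", and "Logon Sleep between Failure Interval" would be clearer as "Sleep Interval between Failed Logon Attempts".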
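Review bot: In hunk @@ -4636,9 +4778,13 the tree now shows user-level keys (Administrator, Other User) beneath LOCALHOST, but the sentence under it still says only "Each of the domain specific keys can have the set of values described in 2.1.1"; update it to cover the user-specific keys as well, and state that a user key is named exactly as the account name (the example "Other User" includes a space). It would also help to say whether the unqualified names AD1 and AD2 shown beside AD1.EXAMPLE.COM and AD2.EXAMPLE.NET are the NETBIOS-compatible names referred to in the 3.6 text, so the two parts of the document use the same vocabulary.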
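Review bot: In hunk @@ -4651,7 +4797,11 the closing bracket is misplaced in the added path `[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]["user name"]`; as written it reads as two separate bracketed keys. It should be `...\NetworkProvider\Domain\"domain name"\"user name"]`, matching the `<domain name>\<user name>` form used in every later hunk and the LOCALHOST\"user name" entry two lines below.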
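Review bot: In hunk @@ -4764,12 +4932,29 the new registry value is documented as "Username", while the feature list added in hunk @@ -513 calls the same setting "Alternate User Name"; use one name in both places so readers can find the value. The key list for Username shows only user-level keys (...\Domain\<domain name>\<user name> and ...\Domain\LOCALHOST\<user name>), unlike Realm and TheseCells which also list the domain-level keys; if that restriction is intentional, say so explicitly ("Username is only honoured under a per-user key"), because a Username substitution at domain level would otherwise change the Kerberos principal for every account in that domain. The description should also make clear that the substituted name is combined with the Windows logon password when requesting the ticket, so administrators understand which credential must match the substituted principal.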