From: Jeffrey Altman Date: Thu, 15 Jul 2004 17:26:35 +0000 (+0000) Subject: winnotes-20040715 X-Git-Tag: openafs-devel-1_3_66~41 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=8063c68dc8a57447cac39444197511d21257ea88 winnotes-20040715 Update Windows note files with the latest changes. --- diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index 289a6d2..c6496f8 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt 
@@ -1,3 +1,126 @@ +Since 1.3.65: + * Added a new registry value [HKCU\SOFTWARE\OpenAFS\Client] + "Authentication Cell" which may be used to specify a default + authentication cell for afscreds.exe which is different from + the default cell for the AFS Client Service daemon. + + * Added a Logoff WinLogon Event Notification function to afslogon.dll. + afslogon.dll moved to %WINDIR%\System32\. + New registry entries added to register the dll for Winlogon events. + + The logoff event will now force a call to ktc_ForgetAllTokens() + using the context of the user being logged off. + + Need to double check that this code does not prevent profile data + from being written back to an afs volume + + * Windows XP SP2 Internet Connection Firewall interoperability + has been added. + + * The %WINDIR%\afsdsbmt.ini contains four sections: + Submounts, Drive Mappings, Active Maps and CSC Policies. + The Submounts and CSC policies are now stored in the registry under + [HKLM\SOFTWARE\OpenAFS\Client\Submounts] + [HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy] + The Drive Mappings and Active Maps are stored in the registry under + [HKCU\SOFTWARE\OpenAFS\Client\Mappings] + [HKCU\SOFTWARE\OpenAFS\Client\Active Maps] + + There is no automatic migration of this data as it would be impossible + to consistently migrate data to user profiles which may not be active + when the machine is updated. + + * The %WINDIR%\afs_freelance.ini contains lists of mountpoints for the + fake root.afs volume. For the same reasons as for the cellservdb file, + this information should not be in %WINDIR%. This information is now + kept under the registry key + [HKLM\SOFTWARE\OpenAFS\Client\Freelance] + + The data from the afs_freelance.ini file will be automatically + migrated to the registry on first execution of afsd_service.exe + + * Keeping the CellServDB file in the location %WINDIR%\afsdcell.ini is + troublesome for several reasons. 
One, it is confusing for those who + expect the file to be named "CellServDB" instead of "afsdcell.ini". + Two, this file is not a Windows Profile formatted file. Three, + applications should not be reading or writing to %WINDIR%. It causes + problems for Windows Terminal Server. + + The new location of CellServDB will be the OpenAFS Client install + directory which is by default C:\Program Files\OpenAFS\Client and can + be determined by querying the registry for + [HKLM\SOFTWARE\TransarcCorporation\AFS Client\CurrentVersion]PathName + + The existing afsdcell.ini will be migrated by the NSIS installer. + The Wix installer must still be updated to do the same. + + * Change NSIS installer to use DNS by default; to remove Integrated Logon + High Security mode; and to add Terminal Services compatibility registry + entries to allow the OpenAFS tools to find the afsdcell.ini and other + configuration files in %WINDIR%. + + * Add support for authenticated SMB connections. This will remove + the need for high security mode in most situations. Both NTLM + and Extended Security (GSS SPNEGO) modes are supported. Effectively, + only NTLM can be used even though Kerberos is now supported. The + reason is that it is not possible to construct a service principal + which is unique to each individual machine. + + SMB Extended Auth does not work on XP SP2 unless one of two registry + modifications are made: + + (1) To disable the check for matching host names on loopback connections + set this key. This does not require a reboot: + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] + "DisableLoopbackCheck"=dword:00000001 + + (2) To add the AFS SMB/CIFS service name to an approved list. 
This + does require a reboot: + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] + "BackConnectionHostNames"=multi-sz "AFS" "MACHINE-AFS" + + afsd_service.exe will automatically add the current Netbios Name + to the BackConnectionHostNames list and then temporarily disable + the loopback check for one cycle of startup/shutdown of the service. + We assume most folks do not start/stop without a reboot so this + will be adequate in most cases. + + * Fix security hole in afslogon.dll which allowed passwords to be + sent in clear text to the KDC in a misformed principal name. + + * Fix cm_GetCell() to properly handle expired dns entries + without crashing + + * If Freelance mode is active and the afs_freelance.ini + file does not exist, do not create an empty file. + Instead create a file containing ro and rw mountpoints + to the default cell using the standard conventions. + + * Modify the Freelance support to handle the ability + to create rw mount points in the fake root.afs volume. + + * Changed the RPC mechanism used for token setting from + named pipes to local. Use of named pipes can be restored + by setting the environment variable AFS_RPC_PROTSEQ to + "ncacn_np". + + Named pipes were required when a Windows 9x system was + using a NT system in gateway mode which is incompatible + with our use of local loopback adapters. + + * In afscreds.exe, if a username of the form user@REALM is + specified and no password is specified, do not perform a + kinit operation. Only perform the aklog functionality. + + * Add a new registry value which allows the number of processors + on which afsd_service.exe executes to be restricted. Valid + values are 1..numOfProcessors + + HKLM\SYSTEM\CurrentControlSet\Services\TransarcAfsDaemon\Parameters + (DWORD) MaxCPUs + Since 1.3.64: * A second MSI based installer option is now available. diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 4fdf39a..c365af4 100644 
--- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt @@ -1,4 +1,4 @@ -OpenAFS for Windows 1.3.65 Installation Notes +OpenAFS for Windows 1.3.66 Installation Notes --------------------------------------------- The OpenAFS for Windows product was very poorly maintained throughout the @@ -220,6 +220,23 @@ a non-MS KDC for authentication, then your KDC administrator will have to add these service principals to the list of principals to be maintained for each host. +19. As of 1.3.66, the use of INI files for the storage of AFS configuration +data is no more. No longer are there any AFS related files stored in the +%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini" +and it is stored in the OpenAFS\Client directory. The afs_freelance.ini +and afsdsbmt.ini file data has been moved to the registry. + +IMPORTANT: while the CellServDB file location and freelance mountpoint +data will be automatically migrated; there is no mechanism for automatic +migration of Submounts, Drive Mappings, Active Maps, and CSCPolicy data. + +20. As of 1.3.66, the OpenAFS Client is compatible with Windows XP SP2. +The Internet Connection Firewall will be automatically adjusted to allow +the receipt of incoming callback messages from the AFS file server. In +addition, the appropriate Back Connection entries are added to the registry +to allow SMB authentication to be performed across the loopback connection. + +21. ------------------------------------------------------------------------ diff --git a/doc/txt/winnotes/afs-issues.txt b/doc/txt/winnotes/afs-issues.txt index e2eda93..a69170e 100644 --- a/doc/txt/winnotes/afs-issues.txt +++ b/doc/txt/winnotes/afs-issues.txt 
@@ -5,12 +5,6 @@ which can be found in the RT database or on the mailing list. (1) File/Directory access is not integrated with windows security -(2) tokens are assigned to the service on a system global basis. Therefore, -all users and processes on the machine are able to access files with the -list of available tokens. This is dangerous if anonymous logins are enabled; -or if multiple users are on the machine (ie, Terminal Server or XP user -switching) - (3) SMB LANA list is static. (3a) IP address changes cause the service to terminate due to an assertion @@ -110,11 +104,6 @@ directories. and per-machine settings. All of the new registry items need to be added to the UI -(29) Windows XP SP2 and Windows 2003 SP1 are going to lockdown the - machine. We need to add code to programatically open the - Internet Connection Firewall to the ports needed by the various - AFS services. - (30) There appears to be a thread safety issue in the Rx library when running on Intel processors which support hyper-threading 
@@ -132,28 +121,32 @@ directories. ------------------------------------------------------------------------- List sent to SLAC: - 1. Convert from use of .INI files to appropriate places in the registry - 2. No longer use AFS Client Service "cell" as the default cell for individual users - 3. Re-write afsd_service.exe to perform synchronized thread startup and shutdown. Currently there is no synchronization of thread creation which results in timing conflicts; and there is no attempt to cleanly shutdown the service which causes problems when restarting and prevents the implementation of a persistent cache - 4. Implement a persistent cache - 5. Prevent panic situation when the root.afs volume is not reachable - 6. Prevent panic situation when the IP address to which the SMB server is bound is removed from the local machine's network configuration - 7. Only use Local RPC mechanism unless Gateway mode is on - 8. Identify and fix the problems with running the RX library on Hyperthreaded systems - 9. Add support for Named Pipes within the afs filesystem - 10. Add support for Windows XP2 - dynamically open/close ports in the firewall - 11. Add support for r/w mounts in the Freelance fake root.afs volume. - 12. Re-write afscreds.exe to support: + 1. No longer use AFS Client Service "cell" as the default cell for individual users + 2. Re-write afsd_service.exe to perform synchronized thread startup and shutdown. + Currently there is no synchronization of thread creation which results in timing + conflicts; and there is no attempt to cleanly shutdown the service which causes + problems when restarting and prevents the implementation of a persistent cache + 3. Implement a persistent cache + 4. Prevent panic situation when the root.afs volume is not reachable + 5. Prevent panic situation when the IP address to which the SMB server is bound is removed + from the local machine's network configuration + 6. 
Identify and fix the problems with running the RX library on Hyperthreaded systems + 7. Add support for Named Pipes within the afs filesystem + (This is not currently a supported feature of AFS; it will require + changes to the servers as well as the clients.) + 8. Re-write afscreds.exe to support: 1. choosing between Kerberos 5 and Kerberos 4 on a per principal basis 2. providing users with the ability to map multiple cells to a single principal 3. providing change password functionality on a per principal basis 4. no longer include drive mapping 5. configuration of afscreds startup options in shortcut - 13. Re-write afs_config.exe to be only "per user" functionality which does not require admin privileges + 9. Re-write afs_config.exe to be only "per user" functionality which does not require admin + privileges 1. default cell and principal for the user 2. drive mappings 3. visibility of afs creds and setting of afs creds startup options - 14. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS) which contains + 10. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS) + which contains 1. afs client service cell name 2. integrated logon configuration 3. Gateway configuration 
@@ -167,11 +160,12 @@ List sent to SLAC: 11. network configuration 12. miscellaneous 13. need to add support for all of the new registry values since 1.2.8 - 15. Identify why 16-bit DOS applications executed out of AFS fail - 16. Create new Windows Security Group to which users can be added for them to become AFS Client Administrators - 17. Add support for configurable Icon file representing AFS folders within the Explorer Shell - 18. Documentation Documentation Documentation - 19. Large File support (> 2GB) - 20. Integrate KFW installation into the NSIS installer - 21. Fix High Security mode (prevents SMB shares from being shared by more than one session) + 11. Identify why 16-bit DOS applications executed out of AFS fail + 12. Create new Windows Security Group to which users can be added for them to become AFS + Client Administrators + 13. Add support for configurable Icon file representing AFS folders within the Explorer Shell + 14. Documentation Documentation Documentation + 15. Large File support (> 2GB) + 16. Integrate KFW installation into the NSIS installer + 17. Add support for record locking to AFS (requires changes to the servers) diff --git a/doc/txt/winnotes/registry.txt b/doc/txt/winnotes/registry.txt index 124094a..0a8a50f 100644 --- a/doc/txt/winnotes/registry.txt +++ b/doc/txt/winnotes/registry.txt @@ -470,6 +470,18 @@ Function: Shortcut_FixStartup Regkey: +[HKCU\SOFTWARE\OpenAFS\Client] + +Value : Authentication Cell +Type : REG_SZ +Default : +Function: Afscreds.exe GetDefaultCell() + + This value allows the user to configure a different cell name to + be used as the default cell when acquiring tokens in afscreds.exe + + +Regkey: [HKCU\SOFTWARE\OpenAFS\Client\Reminders] Value : "afs cell name" 
@@ -484,6 +496,77 @@ Function: LoadRemind(), SaveRemind() [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds]. +Regkey: +[HKCU\SOFTWARE\OpenAFS\Client\Active Maps] + +Value : "upper case drive letter" +Type : DWORD {0, 1} +Default : + + These values are used to store the persistence state of the AFS + drive mappings as listed in the [...\Client\Mappings] key + + These values used to be stored in the afsdsbmt.ini file + +Regkey: +[HKCU\SOFTWARE\OpenAFS\Client\Mappings] + +Value : "upper case drive letter" +Type : REG_SZ +Default : + + These values are used to store the AFS path in Unix notation + to which the drive letter is to be mapped. + + These values used to be stored in the afsdsbmt.ini file. + + +Regkey: +[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy] + +Value : "smb/cifs share name" +Type : REG_SZ +Default : + + This key is used to map SMB/CIFS shares to Client Side Caching + (off-line access) policies. For each share one of the following + policies may be used: "manual", "programs", "documents", "disable" + + These values used to be stored in afsdsbmt.ini + +Regkey: +[HKLM\SOFTWARE\OpenAFS\Client\Freelance] + +Value : "numeric value" +Type : REG_SZ +Default : + + This key is used to store newline terminated mount point strings + for use in constructing the fake root.afs volume when Freelance + (dynamic roots) mode is activated. + + "athena.mit.edu#athena.mit.edu:root.cell.\n" + ".athena.mit.edu%athena.mit.edu:root.cell.\n" + + These values used to be stored in afs_freelance.ini + + +Regkey: +[HKLM\SOFTWARE\OpenAFS\Client\Submounts] + +Value : "submount name" +Type : REG_SZ +Default : + + This key is used to store mappings of unix style AFS paths + to submount names which can be referenced as UNC paths. + For example the submount string "/athena.mit.edu/user/j/a/jaltman" + can be associated with the submount name "jaltman.home". + This can then be referenced as the UNC path \\AFS\jaltman.home. 
+ + These values used to be stored in afsdsbmt.ini + + ENVIRONMENT VARIABLES: Variable: AFS_RPC_ENCRYPT
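Review bot: In the afs-changes-since-1.2.txt hunk, the paragraph saying afsd_service.exe will "temporarily disable the loopback check for one cycle of startup/shutdown of the service" should state how DisableLoopbackCheck is put back if the service exits abnormally, because that value relaxes an LSA check for every service on the host, not only for AFS; the text already presents option (2), BackConnectionHostNames, as the narrower setting, so it should say plainly that (1) is the fallback only until the next reboot. In the same hunk, "Need to double check that this code does not prevent profile data from being written back to an afs volume" is an open question rather than a release note and belongs in afs-issues.txt, and "misformed" in the afslogon.dll security fix should read "malformed", with the affected versions named so administrators can tell whether they must upgrade.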
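Review bot: In the afs-install-notes.txt hunk, item 19's sentence 'The CellServDB file is no longer called "afsdsbmt.ini"' contradicts the changes file in this same commit, where CellServDB was afsdcell.ini and afsdsbmt.ini held Submounts, Drive Mappings, Active Maps and CSC Policies; it should read "afsdcell.ini". Item 21 is an empty numbered entry and should be completed or dropped before the notes ship. The IMPORTANT paragraph would also be more useful if it named the registry keys administrators must repopulate by hand, e.g. [HKLM\SOFTWARE\OpenAFS\Client\Submounts] and [HKCU\SOFTWARE\OpenAFS\Client\Mappings], and the semicolon after "migrated" should be a comma.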
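Review bot: In the afs-issues.txt hunk at @@ -5,12 +5,6 @@, deleting issue (2) leaves the list numbered (1), (3), (3a) with no renumbering, and the issue it described (tokens held by the service on a system-global basis and usable by every user and process on the machine) is only closed if the new authenticated SMB support actually ties tokens to the SMB session; the changes file in this commit says that support effectively works only with NTLM because no per-machine service principal can be constructed. Either keep (2) with a note on what remains for Terminal Server and fast user switching, or add a line saying why it is considered resolved.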
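Review bot: In the afs-issues.txt hunk at @@ -132,28 +121,32 @@, "MMS" in new item 10 ("or use MMS") is almost certainly meant to be MMC, the Microsoft Management Console; the abbreviation was carried over from the removed item 14, so it is worth fixing while the list is being renumbered. The parenthetical added under item 7 ("requires changes to the servers as well as the clients") uses the same qualifier as new item 17 in the following hunk ("requires changes to the servers"); phrasing both the same way would keep the list consistent.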
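Review bot: In the registry.txt hunk at @@ -470,6 +470,18 @@, the new "Authentication Cell" entry has an empty "Default :" line; the entry should say what afscreds.exe uses when the value is absent (per the changes file, the AFS Client Service default cell) and what happens when the value names a cell that is not in CellServDB, since the key is under HKCU and can therefore be set by the user without administrator rights.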
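Review bot: In the registry.txt hunk at @@ -484,6 +496,77 @@, the Freelance entry gives 'Value : "numeric value"' with 'Type : REG_SZ' and then describes newline-terminated mount point strings; say explicitly that the value names are sequential numbers and the data is the string, and whether the trailing "\n" shown in the two athena.mit.edu examples is required or merely tolerated, since a missing or doubled terminator in a hand-edited entry is the obvious way this breaks. None of the five new entries carries the "Function:" line the existing entries have (compare "Function: LoadRemind(), SaveRemind()" in the context), so add the reading functions for each. Finally, Submounts and CSCPolicy live under HKLM while Mappings and Active Maps live under HKCU; a sentence noting that creating a submount, which becomes reachable as a UNC path such as \\AFS\jaltman.home, now requires write access to the HKLM key would tell administrators how this differs from the old afsdsbmt.ini behaviour.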