From 0949ca36faf493b235a4fde03b3b9a3eb3745d9c Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 15 Mar 2005 00:55:56 +0000 Subject: [PATCH] windows-notes-20050314 Update notes to describe fix for cross realm trusts to Windows multi-domain forests --- doc/txt/winnotes/afs-changes-since-1.2.txt | 23 +++++++++++++++++++++++ doc/txt/winnotes/afs-install-notes.txt | 5 ++++- 2 files changed, 27 insertions(+), 1 deletions(-) diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index f61977e..ed24827 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt 
@@ -1,4 +1,27 @@ Since 1.3.77: + * OpenAFS for Windows has failed to work at sites which are + utilizing a cross-realm trust between an MIT/Heimdal realm + and a multi-domain Windows forest when the workstation being + accessed is not located in the root domain. This is caused + by a bug in the workstation which was triggered after the + introduction of Windows 2003 Server. When the bug is triggered, + the workstation attempts to authenticate users to afsd_service.exe + by contacting the Domain Controller instead of using the + LSA loopback authentication mechanism. + + One of the reasons this bug occurs is because the workstation + does not have a reliable way of knowing that the service whose + netbios name is "AFS" is located on the workstation. This will + be fixed starting in Longhorn Beta 1 by Microsoft. The + "BackConnectionHostNames" registry value will be used to + indicate that the authentications to that service name should + be performed using the loopback authentication mechanism. + + In the meantime, when Logon Caching is enabled, we can force + afsd_service.exe to authenticate using the logon cache before + contacting the Domain Controller. This will work with both + password and smart card based logons. + * The allDown logic in cm_ConnByMServers() was wrong. The allDown flag should not be cleared if a volume's server reference is marked as "offline". In the case where all of the volume's diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 8349d31..c16187c 100644 --- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt 
@@ -543,7 +543,10 @@ Where: -long print all info -addrs print only host interfaces -cache print only cache configuration - +37. If you are a site which utilizes MIT/Heimdal Kerberos principals +to logon to Windows via a cross-realm relationship with a multi-domain +Windows forest, you must enable Windows logon caching unless the +workstation is Longhorn Beta 1 or later. ------------------------------------------------------------------------ -- 1.7.1
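Review bot: In the afs-changes-since-1.2.txt hunk, the last added paragraph ("In the meantime, when Logon Caching is enabled, we can force afsd_service.exe to authenticate using the logon cache") does not say which Windows setting controls Logon Caching or how an administrator can confirm it is on, so a reader at an affected site cannot act on the entry alone. Please name the setting or point to item 37 of afs-install-notes.txt. It would also help to state that sites which disable cached logons by policy remain affected until the "BackConnectionHostNames" support mentioned in the second paragraph is available, since the workaround depends on credentials being cached on the workstation. Minor wording: "One of the reasons this bug occurs is because" reads better as "One reason this bug occurs is that".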
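Review bot: In the afs-install-notes.txt hunk, new item 37 says "you must enable Windows logon caching" without saying how to enable it or what failure a site will see if it is not enabled; the changes file describes the symptom (the workstation contacts the Domain Controller instead of using LSA loopback authentication for afsd_service.exe), and a one-line summary or cross-reference here would make the requirement verifiable. The hunk also appears to replace the blank line after the "-cache print only cache configuration" option line with the new item, so item 37 runs directly against the option list above and the dashed rule below; keep a blank line on both sides. Wording: "to logon to Windows" should be "to log on to Windows".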