From: TommieGannert <TommieGannert>
Date: Tue, 27 Jul 2004 10:08:00 +0000 (+0000)
Subject: none
X-Git-Url: https://git.openafs.org/?p=openafs-wiki.git;a=commitdiff_plain;h=cec8acb77ed916d8896d5f373b436ef2c000ac83

none
---

diff --git a/AFSLore/NewWindowsDocumentation.mdwn b/AFSLore/NewWindowsDocumentation.mdwn
index 9d9d0f4..39ce1cb 100644
--- a/AFSLore/NewWindowsDocumentation.mdwn
+++ b/AFSLore/NewWindowsDocumentation.mdwn
@@ -14,3 +14,17 @@
 - The [afs-install-notes.txt](http://web.mit.edu/~jaltman/Public/OpenAFS/afs-install-notes.txt) file.
 - The [registry.txt](http://web.mit.edu/~jaltman/Public/OpenAFS/registry.txt) file.
 - The [[WindowsLoopBackAdapter]] page.
+
+### <a name="Things That Are Not Implemented"></a><a name="Things That Are Not Implemented "></a> Things That Are Not Implemented Yet
+
+Registry:
+
+- [[LogoffTokenTransfer]]
+- [[LogoffTokenTransferTimeout]]
+- [[NoWarnings]]
+- Class
+- [[DependOnGroup]]
+- [[DependOnService]]
+- Name
+- [[ProviderPath]]
+- [[LogonOptions]] (it is available in UI and HS mode should not be used)
diff --git a/AFSLore/WindowsConfigurationReferenceGuide.mdwn b/AFSLore/WindowsConfigurationReferenceGuide.mdwn
index 1740c18..af12a8a 100644
--- a/AFSLore/WindowsConfigurationReferenceGuide.mdwn
+++ b/AFSLore/WindowsConfigurationReferenceGuide.mdwn
@@ -38,6 +38,17 @@
             <li><a href="#Tweaking RPC Traffic"> Tweaking RPC Traffic</a></li>
             <li><a href="#Enabling Debug Trace Events"> Enabling Debug Trace Events</a></li>
             <li><a href="#Restricting the Number of Utiliz"> Restricting the Number of Utilized CPUs</a></li>
+            <li><a href="#Moving the _CellServDB File"> Moving the CellServDB File</a></li>
+            <li><a href="#Moving the Integrated Logon Supp"> Moving the Integrated Logon Support File</a></li>
+            <li><a href="#Allowing More Time For the Servi"> Allowing More Time For the Service To Start</a></li>
+            <li><a href="#Running a Logon Script"> Running a Logon Script</a></li>
+            <li><a href="#Integrated Logon Usage"> Integrated Logon Usage</a></li>
+            <li><a href="#Integrated Logon Silence"> Integrated Logon Silence</a></li>
+          </ul>
+        </li>
+        <li><a href="#Per Domain Options"> Per Domain Options</a><ul>
+            <li><a href="#Resolution of Domain Specific Va"> Resolution of Domain Specific Values</a></li>
+            <li><a href="#Exceptions To the Resolution Rul"> Exceptions To the Resolution Rule</a></li>
           </ul>
         </li>
         <li><a href="#Windows Registry Keys of _OpenAF"> Windows Registry Keys of OpenAFS</a></li>
@@ -243,6 +254,71 @@ Normally, the `TraceOption` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentCo
 
 For most part, the [[OpenAFS]] client can use as many processors as available. It has, however, showed that Hyperthreaded Pentium 4 systems can cause the [[OpenAFS]] service to crash. If you have such a system, you should set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. The default is undefined, and means all processors may be used.
 
+### <a name="Moving the _CellServDB File"></a> Moving the [[CellServDB]] File
+
+The registry setting `CellServDBDir` (type string) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` specifies the base directory of the [[CellServDB]] file. Note that the filename `CellServDB` is appended to this path. The default is `C:\Program Files\OpenAFS\Client`.
+
+### <a name="Moving the Integrated Logon Supp"></a> Moving the Integrated Logon Support File
+
+[[OpenAFS]] installs very few files outside its directory in `Program Files`. The Integrated Logon DLL, `afslogon.dll`, is an exception. It is installed in `%WINDIR%\SYSTEM32` by default.
+
+To change this location you must update the registry value `AuthentProviderPath` (type string) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to point to the new location.
+
+### <a name="Allowing More Time For the Servi"></a> Allowing More Time For the Service To Start
+
+When the AFS Client Service starts, it has to read files, the registry, DNS and connect to servers. All of this may take quite some time. On slow computers, the default retry policy can be too short.
+
+In this case, the `LoginRetryInterval` (type DWORD) and `LoginSleepInterval` (type DWORD) values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be increased. If the [[OpenAFS]] client service has not started yet, the network provider will wait for a maximum of `LoginRetryInterval` seconds while retrying every `LoginSleepInterval` seconds to check if the service is up. This setting is domain-specific, see below.
+
+### <a name="Running a Logon Script"></a> Running a Logon Script
+
+You may set `LogonScript` (type string or expandable string) of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` to any runnable script or program. Default is to not run any program. This setting is also domain-specific, see below.
+
+### <a name="Integrated Logon Usage"></a> Integrated Logon Usage
+
+Utilization of the Integrated Logon feature can be set on a per-domain basis. The value is called `LogonOption` (type DWORD) and can be found in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Setting this to zero disables Integrated Logon, a one enables it. Default is enabled. If you set this to 2, you enable the [[OpenAFS]] High Security mode, and setting it to 3 enables both High Security Mode and Integrated Logon.
+
+High Security mode is a deprecated techinque to let several users logon to the same computer at once. Since [[OpenAFS]] now supports authenticated SMB connections, there is really no need for this mode. If you still want to use this mode, you should disable SMB Authentication. See "Tweaking the SMB Connections" on this matter.
+
+### <a name="Integrated Logon Silence"></a> Integrated Logon Silence
+
+In the Client Configuration, you may choose whether the Intergrated Logon should warn when you cannot logon, or if it should not. Since this setting is domain-specific, here is the background. The `FailLoginsSilently` (type DWORD) in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider` can be set to 1 to ignore any failures. Default is to warn (i.e. a value of zero).
+
+## <a name="Per Domain Options"></a> Per Domain Options
+
+[[OpenAFS]] for Windows is now able to support domain-specific settings. Four of the settings in the previous section can be adjusted on a domain basis:
+
+- Allowing More Time For the Service To Start
+- Running a Logon Script
+- Integrated Logon Usage
+- Integrated Logon Silence
+
+This is a new feature of [[OpenAFS]] 1.3.6, and is not yet supported by the configuration user interface. While being a usable feature, we choose to document, so that you can still use it. A new configuration interface is hopefully on its way.
+
+All values that can be domain-specific are located under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider`. Domains which want to have specific settings can create the subkey <tt>Domain\\_domain_\\</tt> and store the values there. The domain name is the logon domain, as specified in the Windows Login screen. A special domain, called `LOCALHOST`, is a placeholder for the local computer. Any other Active Directory or Kerberos realm should use it's realm name for the key.
+
+### <a name="Resolution of Domain Specific Va"></a> Resolution of Domain Specific Values
+
+As a consequence of this scheme, there must also be set rules for resolving which value to use. Let us use the following example in the discussion:
+
+    ...\NetworkProvider\  LogonOption = 1
+    	Domain\				LogonOption = 0
+    		OPENAFS.ORG\	 LogonOption = 1
+    		MIT.EDU\
+    		LOCALHOST\		LogonOption = 0
+
+If the specific domain key does not exist, then the `Domain` key will be ignored. All the configuration information in this case will come from the standard `NetworkProvider` key.
+
+If the specific domain key exists, then the value will be looked up in the specific domain key, domains key and the NP key successively until the value is found. The first instance of the value found this way will be the effective for the login session. If no such instance can be found, the default will be used. To re-iterate, a value in a more specific key supercedes a value in a less specific key.
+
+Back to our example. Logging in to domain `OPENAFS.ORG` clearly enables the Integrated Logon. Logging on the local computer disables it. Logging in to `MIT.EDU` will also disable Integrated Logon, because the domain key exists, but misses a value. This resolves to using the value of `Domain\LogonOption`. However, logging in to `KTH.SE` would enable Integrated Logon. It is not listed as a domain, and thus the `NetworkProvider\LogonOption` is used. In order to retain backward-compatibility, there are two exceptions to this resolution order.
+
+### <a name="Exceptions To the Resolution Rul"></a> Exceptions To the Resolution Rule
+
+Historically, the 'FailLoginsSilently' value was in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters` key and not in the `NetworkProvider` key. Therefore, for backwards compatibility, the value in the `Parameters` key will supercede all instances of this value in other keys. In the absence of this value in the `Parameters` key, normal scope rules apply.
+
+The second exception is for the `LogonScript` value. If a `LogonScript` is not specified in the specific domain key nor in the `Domain` key, the value in the `NetworkProvider` key will only be checked if the effective `LogonOptions` specify a high security integrated login. If a logon script is specified in the specific domain key or the domains key, it will be used regardless of the high security setting. Please be aware of this when setting this value.
+
 ## <a name="Windows Registry Keys of _OpenAF"></a> Windows Registry Keys of [[OpenAFS]]
 
 During the preparation of this release of [[OpenAFS]], a lot of changes have been made to the way configuration is stored. The work is still not finished, why the list of registry keys currently used can be found [here](http://web.mit.edu/~jaltman/Public/OpenAFS/registry.txt).
diff --git a/AFSLore/WindowsTroubleshootingGuide.mdwn b/AFSLore/WindowsTroubleshootingGuide.mdwn
index d6b967b..76645d7 100644
--- a/AFSLore/WindowsTroubleshootingGuide.mdwn
+++ b/AFSLore/WindowsTroubleshootingGuide.mdwn
@@ -4,17 +4,30 @@
   <ul>
     <li><a href="#Troubleshooting Guide for _OpenA"> Troubleshooting Guide for OpenAFS for Windows</a><ul>
         <li><a href="#Bugs"> Bugs</a><ul>
+            <li><a href="#Are my tokens destroyed when I l"> Are my tokens destroyed when I logout?</a></li>
             <li><a href="#How come my non-ASCII filename c"> How come my non-ASCII filename characters are wrong; code page problems?</a></li>
+            <li><a href="#Why do my 2 GB+ files break?"> Why do my 2 GB+ files break?</a></li>
+            <li><a href="#Why does the Client Service cras"> Why does the Client Service crash when I start my laptop?</a></li>
             <li><a href="#Why does _OpenAFS for Windows cr"> Why does OpenAFS for Windows crash on my Hyperthreaded Pentium 4?</a></li>
           </ul>
         </li>
         <li><a href="#Error Messages"> Error Messages</a><ul>
+            <li><a href="#Why can't I use _OpenAFS with an"> Why can't I use OpenAFS with an Active Directory KDC?</a></li>
+            <li><a href="#Why can't I install _OpenAFS on"> Why can't I install OpenAFS on Windows NT, ME or 9x?</a></li>
             <li><a href="#What is this _MrxSmb event 3019"> What is this MrxSmb event 3019 that pops up in my System Log?</a></li>
             <li><a href="#Why isn't the AFS Light Gateway"> Why isn't the AFS Light Gateway working anymore?</a></li>
           </ul>
         </li>
+        <li><a href="#Features"> Features</a><ul>
+            <li><a href="#Why can I not use fs to set the"> Why can I not use <tt>fs</tt> to set the X option anymore?</a></li>
+            <li><a href="#Why should I abandon Kerberos 4?"> Why should I abandon Kerberos 4?</a></li>
+          </ul>
+        </li>
         <li><a href="#Nomenclature"> Nomenclature</a><ul>
+            <li><a href="#What is "High Security Mode"?"> What is "High Security Mode"?</a></li>
+            <li><a href="#What is the Microsoft Loop Back"> What is the Microsoft Loop Back Adapter?</a></li>
             <li><a href="#What is a "submount"?"> What is a "submount"?</a></li>
+            <li><a href="#What is "Symbol Information"?"> What is "Symbol Information"?</a></li>
           </ul>
         </li>
       </ul>
@@ -24,30 +37,84 @@
 
 ## <a name="Bugs"></a> Bugs
 
+### <a name="Are my tokens destroyed when I l"></a> Are my tokens destroyed when I logout?
+
+Hard to tell. If your profile is local (not on the network, roaming) there is no need for the tokens, and they are destroyed when you logout.
+
+If, on the other hand, you are using roaming profiles, there is unfortunately no way for the AFS Client Service to know when the profile has been put back into AFS. Thus, the "roaming" could fail if the service tried to forget the tokens. When using roaming profiles, the tokens are not destroyed on logout.
+
 ### <a name="How come my non-ASCII filename c"></a> How come my non-ASCII filename characters are wrong; code page problems?
 
 Yes, it is. Currently, the [[OpenAFS]] implementation uses a SMB server with which Windows communicates. This server is not yet able to handle all code pages. So, if you are accessing files from other systems as well, you will experience the old code page missmatch problem.
 
 The CIFS protocol itself has support for Unicode. Hopefully, it will be implemented in [[OpenAFS]] in the future. (from J. Altman)
 
+### <a name="Why do my 2 GB+ files break?"></a> Why do my 2 GB+ files break?
+
+First of all, note that the default cache size is 20 MB, which means a 2 GB file will flush the cache directly. Second, [[OpenAFS]] does not yet support files larger than 2<sup>31</sup> bytes, which is 2 GB.
+
+### <a name="Why does the Client Service cras"></a> Why does the Client Service crash when I start my laptop?
+
+If the [[OpenAFS]] Client Service cannot connect to your home cell when it starts, it will crash.
+
+To solve this problem, look up the Freelance Mode in the [[WindowsConfigurationReferenceGuide]].
+
 ### <a name="Why does _OpenAFS for Windows cr"></a> Why does [[OpenAFS]] for Windows crash on my Hyperthreaded Pentium 4?
 
 This is due to a known bug. Set `MaxCPUs` (type DWORD) (in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters`) to 1. This restricts the [[OpenAFS]] Client Service to use one processor.
 
 ## <a name="Error Messages"></a> Error Messages
 
+### <a name="Why can&#39;t I use _OpenAFS with an"></a> Why can't I use [[OpenAFS]] with an Active Directory KDC?
+
+You can, however Microsoft uses the Kerberos tickets in a way no one had anticipated during protocol design. While remaining syntactically valid, the tickets the AD KDC issues are very large. They can be 10 kB while other KDC implementations usually issue tickets around 500 bytes in size.
+
+You will have to setup you AFS server to support the larger ticket sizes, or update your server.
+
+### <a name="Why can&#39;t I install _OpenAFS on"></a><a name="Why can&#39;t I install _OpenAFS on "></a> Why can't I install [[OpenAFS]] on Windows NT, ME or 9x?
+
+As of version 1.3.65, the old Windows branch will no longer be maintained. The interface for the Windows NT series and the Windows 9x series are completely different. Most of the users now use Windows 2000 or newer. Less has changed between Windows NT 4 and Windows 2000, but the developer community has decided to discontinue support for Windows NT 4 too.
+
+The main reason for this decision is the lack of developers and fundings. [[OpenAFS]] for Windows is a free project and requires donations ,or developers with time left, to move forward. Old versions of [[OpenAFS]] for Windows 9x and NT 4 are still available.
+
 ### <a name="What is this _MrxSmb event 3019"></a><a name="What is this _MrxSmb event 3019 "></a> What is this [[MrxSmb]] event 3019 that pops up in my System Log?
 
-The [[MrxSmb]] event 3019 is due to the use of the Loop Back device. It can be safely ignored. (from [JSI FAQ, 3136](http://www.jsiinc.com/SUBG/TIP3100/rh3136.htm))
+The [[MrxSmb]] event 3019 is due to the use of the [[WindowsLoopBackAdapter]]. It can be safely ignored. (from [JSI FAQ, 3136](http://www.jsiinc.com/SUBG/TIP3100/rh3136.htm))
 
 ### <a name="Why isn&#39;t the AFS Light Gateway"></a><a name="Why isn&#39;t the AFS Light Gateway "></a> Why isn't the AFS Light Gateway working anymore?
 
-The Light Gateway works by simply publishing what [[OpenAFS]] has already built for internal use. If you install the Microsoft Loop Back Adapter, the submounts will only be published on the local computer. Either remove the Loop Back Adapter, or stop using the gateway functionality.
+The Light Gateway works by simply publishing what [[OpenAFS]] has already built for internal use. If you install the [[WindowsLoopBackAdapter]], the submounts will only be published on the local computer. Either remove the Loop Back Adapter, or stop using the gateway functionality.
+
+## <a name="Features"></a> Features
+
+### <a name="Why can I not use fs to set the"></a><a name="Why can I not use fs to set the "></a> Why can I not use `fs` to set the X option anymore?
+
+Starting with version 1.3.65 several settings now require Administrator privileges to change them.
+
+### <a name="Why should I abandon Kerberos 4?"></a> Why should I abandon Kerberos 4?
+
+A gigant security hole was found in the Kerberos 4 protocol. This led the world to move over to the (already deployed) more secure Kerberos 5 protocol. The problem occurs when using trusted domains.
+
+Recent updates to [[OpenAFS]] include support for Kerberos 5. If your cell still uses **_kaserver_** or a plain Kerberos 4 server, you should update them to use Kerberos 5. The **_kaserver_** can be seen as deprecated. The most common Kerberos 5 servers (KDCs) are [Heimdal](http://www.pdc.kth.se/heimdal/), [MIT Kerberos](http://web.mit.edu/kerberos/www/) and [Microsoft's Active Directory services](http://www.microsoft.com/).
 
 ## <a name="Nomenclature"></a> Nomenclature
 
+### <a name="What is &quot;High Security Mode&quot;?"></a> What is "High Security Mode"?
+
+It is a deprecated way of achieving some sort of security. Before the [[OpenAFS]] for Windows client was able to use authenticated SMB connections, you had a potential security risk when more than one user was logging on to the same computer at once.
+
+The High Security Mode created a SMB share with a random name, instead of the default <tt>\\\\machine-AFS</tt>. Thus making it harder for anyone else to connect to it. There is no reason to go for the High Security Mode now that [[OpenAFS]] for Windows supports SMB authentication.
+
+### <a name="What is the Microsoft Loop Back"></a><a name="What is the Microsoft Loop Back "></a> What is the Microsoft Loop Back Adapter?
+
+See the [[WindowsLoopBackAdapter]] page.
+
 ### <a name="What is a &quot;submount&quot;?"></a> What is a "submount"?
 
 A submount is used in [[OpenAFS]] for Windows to map drives. Instead of mapping drives directly to the AFS server, the [[OpenAFS]] Client uses another approach. It uses the CIFS file system as an intermediary. So, the Windows computer really thinks it maps a normal Windows share. These shares are the same thing as a submount. When you want to map a drive, the [[OpenAFS]] service creates a submount, exports it for Windows to see it, and maps the share. The submount "all" is always available and is the root of the AFS file system (`/afs` in Unix). This means you can always access any cell by writing `\\AFS\all\cell\...`.
 
 This is a quick-and-dirty approach, but it has an upside. In Unix, the way to shorten a path is to install a symbolic link. In Windows, this is not possible. Using submounts, however, you can create shortcuts to any AFS path. Say you often use the path `/afs/openafs.org/usr/someone/development/code/openafs/src/WINNT`. Then you could create a submount (say, "openafs-nt") of it, thus reducing the path to `\\AFS\openafs-nt`.
+
+### <a name="What is &quot;Symbol Information&quot;?"></a> What is "Symbol Information"?
+
+When installing [[OpenAFS]], you have the option of installing symbol information. This helps the developers track down crashes. It is only informational, and if you don't intend to send bug reports (you really should), there is no need for this feature.