Registry keys and Environment Variables used in the Windows AFS Client
======================================================================

The service parameters primarily affect the behavior of the AFS client
service (afsd_service.exe).

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

LAN adapter number to use. This is the lana number of the LAN
adapter that the SMB server should bind to. If unspecified or set
to -1, a LAN adapter named 'AFS' or a loopback adapter will be
selected. If neither is present, then all available adapters will
be bound to. When binding to a non-loopback adapter, the NetBIOS
name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS
name of the host truncated to 11 characters). Otherwise, the NetBIOS

Default : 98304 (CM_CONFIGDEFAULT_CACHESIZE)
Variable: cm_initParams.cacheSize

Size of the AFS cache in 1k blocks.

Default : 17 (CM_CONFIGDEFAULT_CHUNKSIZE)
Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize)

Size of chunk for reading and writing. Actual chunk size is 2^cm_logChunkSize.

Default : 2 (CM_CONFIGDEFAULT_DAEMONS)

Number of background daemons (number of threads of
cm_BkgDaemon). (see cm_BkgDaemon in cm_daemon.c)

Default : 25 (CM_CONFIGDEFAULT_SVTHREADS)
Variable: numSvThreads

Number of SMB server threads (number of threads of smb_Server). (see

Default : 10000 (CM_CONFIGDEFAULT_STATS)
Variable: cm_initParams.nStatCaches

Value : LogoffPreserveTokens

If enabled (set to 1), the Logoff Event handler will not attempt
to delete the user's tokens if the user's profile is stored outside

Variable: cm_rootVolumeName

Variable: cm_mountRoot

Name of root mount point. In symlinks, if a path starts with
cm_mountRoot, it is assumed that the path is absolute (as opposed to
relative) and is adjusted accordingly. E.g.: if a path is specified as
/afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the
path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a
path does not start with cm_mountRoot, the path is assumed to
be relative and suffixed to the reference directory (i.e. directory
where the symlink exists).

Type : REG_SZ or REG_EXPAND_SZ
Default : "%TEMP%\AFSCache"
Variable: cm_CachePath

Location of on-disk cache file. The default is the SYSTEM account's
TEMP directory. The attributes assigned to the file are HIDDEN and

Value : NonPersistentCaching
Variable: buf_CacheType

When this registry value is set to a non-zero value, the CachePath
value is ignored and the cache data is stored in the Windows paging
file. This prevents the use of persistent caching (when available)
as well as the ability to alter the size of the cache at runtime
using the "fs setcachesize" command.

Value : ValidateCache
Variable: buf_CacheType

This value determines if and when persistent cache validation is

0 - Validation is disabled
1 - Validation is performed at startup
2 - Validation is performed at shutdown

Variable: traceOnPanic

Issues a breakpoint in the event of a panic. (breakpoint: _asm int 3).

Variable: cm_NetbiosName

Specifies the NetBIOS name to be used when binding to a Loopback
adapter. To provide the old behavior specify a value of

Select whether or not this AFS client should act as a gateway. If
set and the NetBIOS name hostname-AFS is bound to a physical NIC,
other machines in the subnet can access AFS via SMB connections to

When IsGateway is non-zero, the LAN adapter detection code will
avoid binding to a loopback adapter. This will ensure that the
NetBIOS name will be of the form hostname-AFS instead of the value
set by the "NetbiosName" registry value.

Value : ReportSessionStartups
Variable: reportSessionStartups

If enabled, all SMB sessions created are recorded in the Application
event log. This also enables other events such as drive mappings
or various error types to be logged.

Value : TraceBufferSize
Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
Variable: traceBufSize

Number of entries to keep in trace log.

Default : "i386_nt40"

Provides an initial value for "fs sysname". The string can contain
one or more replacement values for @sys in order of preference separated

Value : SecurityLevel

Enables encryption on RX calls.

Variable: cm_dnsEnabled

Enables resolving volservers using AFSDB DNS queries. (see
afsdb-freelance-notes).

As of 1.3.60, this value is ignored as the DNS query support
utilizes the Win32 DNSQuery API which is available on Win2000

Value : FreelanceClient
Variable: cm_freelanceEnabled

Enables freelance client. (see afsdb-freelance-notes)

Variable: smb_hideDotFiles

Enables marking dotfiles with the hidden attribute. Dot files are
files whose name starts with a period (excluding "." and "..").

Value : MaxMpxRequests
Variable: smb_maxMpxRequests

Maximum number of multiplexed SMB requests that can be made.

Value : MaxVCPerServer
Variable: smb_maxVCPerServer

Maximum number of SMB virtual circuits.

Variable: rootCellName

Name of root cell (the cell from which root.afs should be mounted in

If enabled, does not send or indicate that we are able to send or
receive RX jumbograms.

If set to anything other than -1, uses that value as the maximum MTU
supported by the RX interface.

In order to enable OpenAFS to operate across the Cisco IPSec VPN
client, this value must be set to 1264 or smaller.

Value : ConnDeadTimeout
Default : 60 (seconds)
Variable: ConnDeadtimeout

The Connection Dead Time is enforced to be at a minimum 15 seconds
longer than the minimum SMB timeout as specified by

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

If the minimum SMB timeout is not specified the value is 45 seconds.
See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp

Value : HardDeadTimeout
Default : 120 (seconds)
Variable: HardDeadtimeout

The Hard Dead Time is enforced to be at least double the ConnDeadTimeout.
This provides an opportunity for at least one retry.

Enables logging of debug output to the Windows Event Log.
Bit 0 enables logging of "Logon Events" processed by the Network Provider
and Winlogon Event Notification Handler.
Bit 1 enables logging of events captured by the AFS Client Service.
Bit 2 enables real-time viewing of "fs trace" logging with DbgView
Bit 3 enables "fs trace" logging on startup.

Variable: allSubmount (smb.c)

By setting this value to 0, the "\\NetbiosName\all" mount point
will not be created. This allows the read-write versions of
root.afs to be hidden.

Value : NoFindLanaByName

Disables the attempt to identify the network adapter to use by
looking for an adapter with a display name of "AFS".

Type : DWORD {1..32} or {1..64} depending on the architecture
Default : <no default>

If this value is specified, afsd_service.exe will restrict itself
to executing on the specified number of CPUs if there is a greater
number installed in the machine.

NOTE: Setting this entry to "1" may be required on hyperthreaded
systems to avoid crashes in the RX library.

If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication.

Type : DWORD {0 .. MAXDWORD}

This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log
file. If the file is larger than this value when afsd_service.exe starts
the file will be reset to 0 bytes. If this value is 0, it means the file
should be allowed to grow indefinitely.

Value : FlushOnHibernate

If set, flushes all volumes before the machine goes on hibernate or

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]

Value : <Drive Letter:> for example "G:"

Specifies the submount name to be mapped by afsd_service.exe at startup
to the provided drive letter.

[HKLM\SOFTWARE\OpenAFS\Client]

Value : CellServDBDir
Default : <not defined>

Specifies the directory containing the CellServDB file.
When this value is not specified, the AFS Client install

Value : VerifyServiceSignature

This value can be used to disable the runtime verification of
the digital signatures applied to afsd_service.exe and the
OpenAFS DLLs it loads. This test is performed to verify that
the DLLs which are loaded by afsd_service.exe are from the
same distribution as afsd_service.exe. This is to prevent
random errors caused when DLLs from one distribution of AFS
are loaded by another one. This is not a security test. The
reason for disabling this test is to free up additional memory
which can be used for a large cache size.

This value can be used to debug the cause of pioctl() failures.
Set a non-zero value and the pioctl() library will output status
information to stdout. Executing command line tools such as
tokens.exe, fs.exe, etc can then be used to determine why the
pioctl() call is failing.

Default : 0x0 (MiniDumpNormal)

This value is used to specify the type of minidump generated by
afsd_service.exe either when the process crashes or when a user
initiated dump file is generated with the "fs.exe minidump"

Valid values are dependent on the version of DbgHelp.dll installed
on the machine. See the Microsoft Developer Library for further

MiniDumpNormal = 0x00000000,
MiniDumpWithDataSegs = 0x00000001,
MiniDumpWithFullMemory = 0x00000002,
MiniDumpWithHandleData = 0x00000004,
MiniDumpFilterMemory = 0x00000008,
MiniDumpScanMemory = 0x00000010,
MiniDumpWithUnloadedModules = 0x00000020,
MiniDumpWithIndirectlyReferencedMemory = 0x00000040,
MiniDumpFilterModulePaths = 0x00000080,
MiniDumpWithProcessThreadData = 0x00000100,
MiniDumpWithPrivateReadWriteMemory = 0x00000200,
MiniDumpWithoutOptionalData = 0x00000400,
MiniDumpWithFullMemoryInfo = 0x00000800,
MiniDumpWithThreadInfo = 0x00001000,
MiniDumpWithCodeSegs = 0x00002000

Value : StoreAnsiFilenames

This value can be used to force the AFS Client Service to
store filenames using the Windows system's ANSI character set
instead of the OEM Code Page character set which has traditionally
been used by SMB file systems.

Note: The use of ANSI characters will render files
with 8-bit OEM file names inaccessible from Windows. This option
is of use primarily when you wish to allow file names produced
on Windows to be accessible from Latin-1 Unix systems and vice

[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]

Value : "smb/cifs share name"

This key is used to map SMB/CIFS shares to Client Side Caching
(off-line access) policies. For each share one of the following
policies may be used: "manual", "programs", "documents", "disable"

These values used to be stored in afsdsbmt.ini

[HKLM\SOFTWARE\OpenAFS\Client\Freelance]

Value : "numeric value"

This key is used to store dot terminated mount point strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.

"athena.mit.edu#athena.mit.edu:root.cell."
".athena.mit.edu%athena.mit.edu:root.cell."

These values used to be stored in afs_freelance.ini

[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]

Value : "numeric value"

This key is used to store dot terminated symlink strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.

"linkname:destination-path."
"athena:athena.mit.edu."
"home:athena.mit.edu\user\j\a\jaltman."
"filename:path\file."

[HKLM\SOFTWARE\OpenAFS\Client\Submounts]

Value : "submount name"

This key is used to store mappings of Unix style AFS paths
to submount names which can be referenced as UNC paths.
For example the submount string "/athena.mit.edu/user/j/a/jaltman"
can be associated with the submount name "jaltman.home".
This can then be referenced as the UNC path \\AFS\jaltman.home.

These values used to be stored in afsdsbmt.ini

NOTE: Submounts should no longer be used with OpenAFS.
Use the Windows Explorer to create drive mappings to AFS UNC
paths instead of using the AFS Submount mechanism.

[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]

Value : "hostname or ip address"

This key is used to specify a default set of VLDB server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.

[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]

Value : "hostname or ip address"

This key is used to specify a default set of File server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.

2. Network provider parameters
------------------------------
Affects the network provider (afslogon.dll).

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value : FailLoginsSilently

Do not display message boxes if the login fails.

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

Disables visible warnings during logon.

Value : AuthentProviderPath
NSIS : %WINDIR%\SYSTEM32\afslogon.dll

Specifies the install location of the authentication provider dll.

Specifies the class of network provider

Value : DependOnGroup

Specifies the service groups upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the services within these groups have successfully

Value : DependOnService
NSIS : Tcpip NETBIOS RpcSs

Specifies a list of services upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the specified services have successfully started.

NSIS : "OpenAFSDaemon"

Specifies the display name of the AFS Client Service

NSIS : %WINDIR%\SYSTEM32\afslogon.dll

Specifies the DLL to use for the network provider

2.1 Domain specific configuration keys for the Network Provider
---------------------------------------------------------------

The network provider can be configured to have different behavior
depending on the domain that the user logs into. These settings are
only relevant when using integrated login. A domain refers to an
Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
local machine (i.e. local account logins). The domain name that is
used for selecting the domain would be the domain that is passed into
the NPLogonNotify function of the network provider.

Domain specific registry keys are:

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
(Specific domain key. One per domain.)

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider

Each of the domain specific keys can have the set of values described
in 2.1.1. The effective values are chosen as described in 2.1.2.

2.1.1 Domain specific configuration values
-------------------------------------------
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

NSIS/WiX: depends on user configuration

0x00 - Integrated Logon is not used
0x01 - Integrated Logon is used
0x02 - High Security Mode is used
0x03 - Integrated Logon with High Security Mode is used

High Security Mode generates random SMB names for the creation of
Drive Mappings. This mode should not be used without Integrated Logon.

As of 1.3.65 the SMB server supports SMB authentication. The High
Security Mode should not be used when using SMB authentication
(SMBAuthType setting is non zero).

Value : FailLoginsSilently

If true, does not display any visible warnings in the event of an
error during the integrated login process.

Type : REG_SZ or REG_EXPAND_SZ
NSIS/WiX: (only value under NP key) <install path>\afscreds.exe -:%s -x -a -m -n -q

A logon script that will be scheduled to be run after the profile
load is complete. If using the REG_EXPAND_SZ type, you can use
any system environment variable as "%varname%" which would be
expanded at the time the network provider is run. Optionally
using a "%s" in the value would result in it being expanded into
the AFS SMB username for the session.

Value : LoginRetryInterval

If the OpenAFS client service has not started yet, the network
provider will wait for a maximum of "LoginRetryInterval" seconds
while retrying every "LoginSleepInterval" seconds to check if the

Value : LoginSleepInterval

See description of LoginRetryInterval.

When Kerberos 5 is being used, TheseCells provides a list of additional
cells for which tokens should be obtained with the default Kerberos 5

2.1.2 Selection of effective values for domain specific configuration
----------------------------------------------------------------------

During login to domain X, where X is the domain passed into
NPLogonNotify as lpAuthentInfo->LogonDomainName or the string
'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the
computer, the following keys will be looked up.

1. NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")
2. Domains key. (NP key\"Domain")
3. Specific domain key. (Domains key\X)

If the specific domain key does not exist, then the domains key will
be ignored. All the configuration information in this case will
come from the NP key.

If the specific domain key exists, then for each of the values
mentioned in (2), they will be looked up in the specific domain key,
domains key and the NP key successively until the value is found.
The first instance of the value found this way will be the effective
value for the login session. If no such instance can be found, the
default will be used. To reiterate, a value in a more specific key
supersedes a value in a less specific key. The exceptions to this
rule are stated below.

2.1.3 Exceptions to 2.1.2
--------------------------

To retain backwards compatibility, the following exceptions are made

2.1.3.1 'FailLoginsSilently'

Historically, the 'FailLoginsSilently' value was in
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
key and not in the NP key. Therefore, for backwards compatibility,
the value in the Parameters key will supersede all instances of this
value in other keys. In the absence of this value in the Parameters
key, normal scope rules apply.

2.1.3.2 'LogonScript'

If a 'LogonScript' is not specified in the specific domain key nor
in the domains key, the value in the NP key will only be checked if
the effective 'LogonOptions' specify a high security integrated
login. If a logon script is specified in the specific domain key or
the domains key, it will be used regardless of the high security
setting. Please be aware of this when setting this value.

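
The lookup order of 2.1.2 with the two exceptions of 2.1.3, as an added
example (not OpenAFS code): a Python model that resolves the effective
values from a constructed registry snapshot and reports which key each
one came from. The sample keys and script paths, the DEFAULTS table and
the reading of "high security integrated login" as LogonOptions 0x03 are
assumptions.

```python
# Added example: resolves network provider values over a constructed
# registry snapshot (nested dicts); it never touches the live registry.
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon"
PARAMS_KEY = SVC + r"\Parameters"
NP_KEY = SVC + r"\NetworkProvider"
DOMAINS_KEY = NP_KEY + r"\Domain"
# Assumption: "high security integrated login" means both bits of 0x03.
HIGH_SECURITY_INTEGRATED = 0x03

# Assumed defaults for this example; not taken from the page.
DEFAULTS = {"LogonOptions": 0, "FailLoginsSilently": 0, "LogonScript": None}

# Constructed sample data (domain names and script paths are made up).
SAMPLE = {
    PARAMS_KEY: {"FailLoginsSilently": 1},
    NP_KEY: {"LogonOptions": 1, "LogonScript": r"C:\constructed\np.cmd"},
    DOMAINS_KEY: {"LogonOptions": 3},
    DOMAINS_KEY + r"\EXAMPLE.ORG": {"LogonScript": r"C:\constructed\example.cmd"},
    DOMAINS_KEY + r"\LOCALHOST": {"LogonOptions": 0},
}


def _normalize(snapshot):
    # Registry key and value names are case-insensitive.
    return {key.lower(): {name.lower(): v for name, v in values.items()}
            for key, values in snapshot.items()}


def _first(name, chain, default):
    """Return (value, source) from the first key in chain that holds name."""
    for source, values in chain:
        if name.lower() in values:
            return values[name.lower()], source
    return default, "default"


def resolve(snapshot, logon_domain, computer_name, defaults=DEFAULTS):
    """Effective values for one logon, as {name: (value, source)}."""
    reg = _normalize(snapshot)
    local = logon_domain.lower() == computer_name.lower()
    x = "LOCALHOST" if local else logon_domain
    np_entry = ("NP", reg.get(NP_KEY.lower(), {}))
    specific = reg.get((DOMAINS_KEY + "\\" + x).lower())
    if specific is None:
        chain = [np_entry]  # no specific domain key: domains key is ignored
    else:
        chain = [("domain", specific),
                 ("domains", reg.get(DOMAINS_KEY.lower(), {})),
                 np_entry]

    effective = {name: _first(name, chain, default)
                 for name, default in defaults.items()}

    # 2.1.3.1: FailLoginsSilently in the Parameters key wins outright.
    params = reg.get(PARAMS_KEY.lower(), {})
    if "failloginssilently" in params:
        effective["FailLoginsSilently"] = (params["failloginssilently"],
                                           "Parameters")

    # 2.1.3.2: the NP key's LogonScript is consulted only when the
    # effective LogonOptions select high security integrated login.
    options = effective.get("LogonOptions", (0, "default"))[0] or 0
    high_sec = (options & HIGH_SECURITY_INTEGRATED) == HIGH_SECURITY_INTEGRATED
    script_chain = [entry for entry in chain if entry[0] != "NP" or high_sec]
    effective["LogonScript"] = _first("LogonScript", script_chain,
                                      defaults.get("LogonScript"))
    return effective


if __name__ == "__main__":
    for domain in ("EXAMPLE.ORG", "OTHER.ORG", "WS01"):
        print(domain, resolve(SAMPLE, domain, "WS01"))
```
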
3. AFS Credentials System Tray Tool parameters
----------------------------------------------
Affects the behavior of afscreds.exe

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Function: GetGatewayName()

If the AFS client is utilizing a gateway to obtain AFS access,
the name of the gateway is specified by this value.

Variable: IsServiceConfigured()

The value Cell is used to determine if the AFS Client Service has
been properly configured or not.

[HKLM\SOFTWARE\OpenAFS\Client]
[HKCU\SOFTWARE\OpenAFS\Client]

Function: InitApp(), Main_OnCheckTerminate()

This value is used to determine whether or not a shortcut should be
maintained in the user's Start Menu->Programs->Startup folder.

This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

The current user value is checked first; if it does not exist the local
machine value is checked.

Function: KFW_is_available()

When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 0, the internal
Kerberos 4 implementation will be used instead. The current user value
is checked first; if it does not exist the local machine value is checked.

Function: KFW_use_krb524()

When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 1, the Kerberos 5
tickets will be converted to Kerberos 4 tokens via a call to the krb524
daemon. The current user value is checked first; if it does not exist
the local machine value is checked.

Value : AfscredsShortcutParams
Default : "-A -M -N -Q"
Function: Shortcut_FixStartup

This value specifies the command line options which should be set
as part of the shortcut to afscreds.exe. afscreds.exe rewrites the
shortcut each time it exits so as to ensure that the shortcut points
to the latest version of the program. This value is used to determine
which values should be used for command line parameters. The current
user value is checked first; if it does not exist the local machine

The following subset of the command line options is appropriate for
use in this registry setting:

-M = renew drive maps
-N = IP address change detection
-Q = quiet mode. do not display start service dialog
     if afsd_service is not already running
-S = show tokens dialog on startup

[HKCU\SOFTWARE\OpenAFS\Client]

Value : Authentication Cell
Function: Afscreds.exe GetDefaultCell()

This value allows the user to configure a different cell name to
be used as the default cell when acquiring tokens in afscreds.exe

[HKCU\SOFTWARE\OpenAFS\Client\Reminders]

Value : "afs cell name"
Function: LoadRemind(), SaveRemind()

These values are used to save and restore the state of the reminder
flag for each cell for which the user has obtained tokens.

This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]

Value : "upper case drive letter"

These values are used to store the persistence state of the AFS
drive mappings as listed in the [...\Client\Mappings] key

These values used to be stored in the afsdsbmt.ini file

[HKCU\SOFTWARE\OpenAFS\Client\Mappings]

Value : "upper case drive letter"

These values are used to store the AFS path in Unix notation
to which the drive letter is to be mapped.

These values used to be stored in the afsdsbmt.ini file.

ENVIRONMENT VARIABLES:

Variable: AFS_RPC_ENCRYPT
Values: "OFF" disables the use of RPC encryption
        any other value allows RPC encryption to be used
Default: RPC encryption is on

Variable: AFS_RPC_PROTSEQ
Values: "ncalrpc" - local RPC
        "ncacn_np" - named pipes
        "ncacn_ip_tcp" - tcp/ip