+Since 1.3.65:
+ * afs_config.exe now validates cell names against DNS in addition
+ to the CellServDB file.
+
+ * In order to allow the freelance client to connect to a volume with ID
+ equal to 1 on the default cell we changed the fake root.afs volume ID
+ once again. This time we choose 0xFFFFFFFF. In addition, we change
+ the cell ID of the fake root.afs volume from 1 to 0xFFFFFFFF as well.
+ It will now be impossible for a volume ID to match that of another
+ cell unless the client is connected to 0xFFFFFFFD cells. That should
+ be enough room for growth.
+
+ * Fix "fs mkmount" command to work with UNC paths and when
+ started from non-AFS drives. It is now possible to create a mount
+ point in the freelance fake root.afs volume with the command
+
+ fs mkmount \\AFS\all\<directory-name> <volume-name> <cellname>
+
+ For example,
+
+ fs mkmount \\AFS\all\openafs.org root.cell openafs.org
+ fs mkmount \\AFS\all\.openafs.org root.cell openafs.org -rw
+
+ * The algorithm used to re-attempt access to the servers associated with
+ a volume has been altered to properly address the case in which all
+ servers have been marked down. The previous algorithm did not reset
+ the server's down flags so the servers were never actually retried.
+ This caused a problem with active volumes if the network connectivity
+ was lost as could be the case with a network cable removal, wireless
+ drop, or laptop hibernation. With the fix volume access is restored
+ almost instantenously when network connectivity becomes available.
+
+ * Support for SMB/CIFS browsing has been added to the AFS Client Service
+ SMB server. It is now possible to use "NET VIEW \\AFS" to obtain a
+ listing of AFS submounts and freelance mount points. Support for
+ NETSHAREENUM, NETSHAREGETINFO, NETSERVERENUM2, NETSERVERGETINFO
+ significantly enhances the behavior of AFS volumes within the Explorer
+ Shell. For instance, "AFS" now shows up as server in the Explorer
+ with each submount or freelance mount point visible as a share.
+ The right click menu in each folder now works with full functionality
+ on a consistent basis.
+
+ * The network provider can be configured to have different behavior
+ depending on the domain that the user logs into. These settings are
+ only relevant when using integrated login. A domain refers to an
+ Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
+ local machine (i.e. local account logins). The domain name that is
+ used for selecting the domain would be the domain that is passed into
+ the NPLogonNotify function of the network provider. (see registry.txt
+ for details)
+
+ * Added a new registry value [HKCU\SOFTWARE\OpenAFS\Client]
+ "Authentication Cell" which may be used to specify a default
+ authentication cell for afscreds.exe which is different from
+ the default cell for the AFS Client Service daemon.
+
+ * Added a Logoff WinLogon Event Notification function to afslogon.dll.
+ afslogon.dll moved to %WINDIR%\System32\.
+ New registry entries added to register the dll for Winlogon events.
+
+ The logoff event will now force a call to ktc_ForgetAllTokens()
+ using the context of the user being logged off as long as the
+ user's profile is not loaded from within AFS. If the profile
+ was loaded from AFS we can't release the tokens since the Logoff
+ event is triggered prior to the profile being written back to
+ the its source location.
+
+ * Windows XP SP2 Internet Connection Firewall interoperability
+ has been added.
+
+ * The %WINDIR%\afsdsbmt.ini contains four sections:
+ Submounts, Drive Mappings, Active Maps and CSC Policies.
+ The Submounts and CSC policies are now stored in the registry under
+ [HKLM\SOFTWARE\OpenAFS\Client\Submounts]
+ [HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
+ The Drive Mappings and Active Maps are stored in the registry under
+ [HKCU\SOFTWARE\OpenAFS\Client\Mappings]
+ [HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
+
+ There is no automatic migration of this data as it would be impossible
+ to consistently migrate data to user profiles which may not be active
+ when the machine is updated.
+
+ * The %WINDIR%\afs_freelance.ini contains lists of mountpoints for the
+ fake root.afs volume. For the same reasons as for the cellservdb file,
+ this information should not be in %WINDIR%. This information is now
+ kept under the registry key
+ [HKLM\SOFTWARE\OpenAFS\Client\Freelance]
+
+ The data from the afs_freelance.ini file will be automatically
+ migrated to the registry on first execution of afsd_service.exe
+
+ * Keeping the CellServDB file in the location %WINDIR%\afsdcell.ini is
+ troublesome for several reasons. One, it is confusing for those who
+ expect the file to be named "CellServDB" instead of "afsdcell.ini".
+ Two, this file is not a Windows Profile formatted file. Three,
+ applications should not be reading or writing to %WINDIR%. It causes
+ problems for Windows Terminal Server.
+
+ The new location of CellServDB will be the OpenAFS Client install
+ directory which is by default C:\Program Files\OpenAFS\Client and can
+ be determined by querying the registry for
+ [HKLM\SOFTWARE\TransarcCorporation\AFS Client\CurrentVersion]PathName
+
+ The existing afsdcell.ini will be migrated by the NSIS installer.
+ The Wix installer must still be updated to do the same.
+
+ * Change NSIS installer to use DNS by default; to remove Integrated Logon
+ High Security mode; and to add Terminal Services compatibility registry
+ entries to allow the OpenAFS tools to find the afsdcell.ini and other
+ configuration files in %WINDIR%.
+
+ * Add support for authenticated SMB connections. This will remove
+ the need for high security mode in most situations. Both NTLM
+ and Extended Security (GSS SPNEGO) modes are supported. Effectively,
+ only NTLM can be used even though Kerberos is now supported. The
+ reason is that it is not possible to construct a service principal
+ which is unique to each individual machine.
+
+ SMB Extended Auth does not work on XP SP2 unless one of two registry
+ modifications are made:
+
+ (1) To disable the check for matching host names on loopback connections
+ set this key. This does not require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ "DisableLoopbackCheck"=dword:00000001
+
+ (2) To add the AFS SMB/CIFS service name to an approved list. This
+ does require a reboot:
+
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
+ "BackConnectionHostNames"=multi-sz "AFS" "MACHINE-AFS"
+
+ afsd_service.exe will automatically add the current Netbios Name
+ to the BackConnectionHostNames list and then temporarily disable
+ the loopback check for one cycle of startup/shutdown of the service.
+ We assume most folks do not start/stop without a reboot so this
+ will be adequate in most cases.
+
+ * Fix security hole in afslogon.dll which allowed passwords to be
+ sent in clear text to the KDC in a misformed principal name.
+
+ * Fix cm_GetCell() to properly handle expired dns entries
+ without crashing
+
+ * If Freelance mode is active and the afs_freelance.ini
+ file does not exist, do not create an empty file.
+ Instead create a file containing ro and rw mountpoints
+ to the default cell using the standard conventions.
+
+ * Modify the Freelance support to handle the ability
+ to create rw mount points in the fake root.afs volume.
+
+ * Changed the RPC mechanism used for token setting from
+ named pipes to local. Use of named pipes can be restored
+ by setting the environment variable AFS_RPC_PROTSEQ to
+ "ncacn_np".
+
+ Named pipes were required when a Windows 9x system was
+ using a NT system in gateway mode which is incompatible
+ with our use of local loopback adapters.
+
+ * In afscreds.exe, if a username of the form user@REALM is
+ specified and no password is specified, do not perform a
+ kinit operation. Only perform the aklog functionality.
+
+ * Add a new registry value which allows the number of processors
+ on which afsd_service.exe executes to be restricted. Valid
+ values are 1..numOfProcessors
+
+ HKLM\SYSTEM\CurrentControlSet\Services\TransarcAfsDaemon\Parameters
+ (DWORD) MaxCPUs
+
Since 1.3.64:
+ * A second MSI based installer option is now available.
+
+ * Fixed Kerberos 5 kinit functionality in afscreds.exe to properly
+ request tickets for user/instance@REALM instead of just user@REALM
+
+ * Modify the Power Management Notify routine to wait for the Hard Dead
+ timeout period instead of a fixed 19 seconds. With the longer timeout
+ periods Hibernation and Standby could never succeed when network
+ connectivity is not available.
+
+ * The following fs.exe commands are now restricted to Administrator:
+ - checkservers with a non-zero timer value
+ - setcachesize
+ - newcell
+ - sysname with a new sysname list
+ - exportafs
+ - setcell
+ - setserverprefs
+ - storebehind
+ - setcrypt
+ - cscpolicy
+ - trace
+
+ setting the default sysname for a machine should be done via the
+ registry and not via "fs sysname".
+
+ * NSIS installer adds options to install Debugging Symbols
+ and the Microsoft Loopback Adapter; the user is now also
+ given the ability to select the afscreds.exe startup options.
+
+ * Build system modified to generate symbols for FREE (aka RELEASE)
+ builds as well as CHECKED (aka DEBUG) builds
+
+ * Sites which have a volume ID of 0x20000001 assigned to their
+ root.cell volumes have been experiencing problems with accessing
+ the root.cell volume of their cell when Freelance mode has been
+ active. This was because 0x20000001 was assigned to the fake
+ root.afs volume created by freelance. The fake volume id is
+ now set to 0x00000001 to prevent conflicts.
+
* The timeout logic in the AFS Client Service has been wrong
for sometime. It is based on two different assumptions.
First, the SMB client timeout is a fix value as was the case
This should be the end of the "Server paused or restarting messages"
- * Fix "fs mkmount" command to work with UNC paths and when
- started from non-AFS drives
-
* Add support for arbitrary UNC paths to the pioctl() support.
This enables the fs commands as well as the AFS Shell Extension
to work correctly when UNC paths are being used.
git://git.openafs.org / openafs.git / blobdiff