From b624c2bc738ab053761383043ef8f960b15e16cb Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 5 Apr 2004 07:32:57 +0000 Subject: [PATCH] afs-release-notes-20040405 release notes as of 1.3.63 --- doc/txt/winnotes/afs-changes-since-1.2.txt | 299 +++++++++++++++++++++++++++++ doc/txt/winnotes/afs-issues.txt | 132 +++++++++++++ 2 files changed, 431 insertions(+) create mode 100644 doc/txt/winnotes/afs-changes-since-1.2.txt create mode 100644 doc/txt/winnotes/afs-issues.txt diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt new file mode 100644 index 0000000..0bc77e8 --- /dev/null +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt 
@@ -0,0 +1,299 @@ +Since 1.3.62: + * All of the resource files have been restructured to adhere to + a set of rules IBM implemented for loading string resources. + These rules had either been forgotten or were not discovered + by folks working on the OpenAFS sources. The end result was + memory corruption. This is primary item which was preventing + the AFS Server from working. + + * Increased the size of the maximum ticket size stored in a token + from 344 bytes to 12,000. Increased the buffers used to convey + messages between the pioctl() caller and the SMB Server from + 1000 bytes to 12,512. The code appeared to have been writing + above the top of the stack by quite a few number of bytes. + (The increased ticket size is necessary for the next item.) + + * When obtaining AFS Tokens via KFW, krb524 is no longer required. + Instead the raw Kerberos 5 ticket is used in its entirety. This + is extremely important as it allows us to use pure Kerberos 5 KDCs + as the source of the AFS authentication. The use of up to 12,000 byte + tickets will allow tickets produced by all versions of Microsoft + Active Directory to be used. + - create a user account. + - designate it DES only + - disable pre-auth + - specify its UPN to be "afs@realm" + - assign a SPN of "afs/cellname" to the UPN with setspn.exe + + * Do not enforce the funky 8dot3 pattern matching rule that the first "." + is special when using long file names. (you must use "*.*" and not "*") + Instead only enforce it when performing 8dot3 searches. + + * Fixed the DST problem with creation times being set one hour ahead + + * Fixed the problem when using \\afs\cell-alias. For example, + \\afs\uncc instead of \\afs\uncc.edu. Do not a new cell struct + for the alias name; instead simply expand the name. One of the + symptoms of this problem was a loss of acquired tokens. + + * Fixed the AFS Shell Extension. The Symbolic Link menu was empty + of strings. (Only English strings provided.) 
+ + * Fixed the installer to properly replace in use files. + + * Fixed the build system to cleanup generated component version files + + * The release build compiled with MSVC 6.0 compiler to avoid the + afsd_service.exe shutdown crash. This does not solve the problem + but simply avoids it for the time being. + +Since 1.3.61: + + * fix afslogon.dll to not corrupt memory when High Security mode + is not used. + + * fix afsd_service.exe to not attempt to restore the stack when + an exception occurs. (not safe in multi-threaded programs) + + * fix uninstaller to properly remove the CRT and MFC DLLs + + * remove a Message Box from afscreds.exe when getcellconfig() + fails on a kerberos realm which is not a cell + +The following is a list of changes to the OpenAFS for Window client +since 1.3.60. + + * "fs setserverprefs" will leave afsd service deadlocked + + * "vos listaddrs" will core dump + + * installer sets the appropriate keys to support Integrated Logon + + * installer disables the "Find Lana by Name" functionality as it + was causing headaches for many users + + * fix the intermittent crash of the power management thread when + shutting down the AFS Client Service + + * optimizes the obtain drive mount list functionality which is + executed every time the mount tab in afscreds.exe and afs_config.exe + are refreshed. (this happens a lot) + + * fix the service shutdown logic. add the STOP_PENDING state + and do not accept additional service events after we declare + ourselves STOPPED. + +The following is a list of changes to the OpenAFS for Window client +since 1.2.10. + +* flexelint was run against the source tree and hundreds (perhaps + thousands) of corrections were applied to ensure prototypes + were in use; types were used consistently; variables were + initialized; unused variables were removed; etc. + +* A wide variety of instrumentation was added including the + ability to produce a stack trace from within afsd_service.exe + when it crashes. 
+ +* Dynamic configuration of the RDRtimeout value based upon the + LanMan Workstation Session Timeout + +* The mount root no longer needs to be called "/afs". This + is now set by a registry value "MountRoot" within the key + HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters + +* The cell list is now only read out of afsdcell.ini when the + file changes instead of each time a cell is resolved. + +* Thread synchronization was added to cm_server.c and ktc_nt.c + +* All calls to GlobalAlloc()/GlobalFree() were replaced with + calloc()/free(). The Global functions were needed on Windows 3.x + but have caused a variety of problems on the Win32 platforms. + Avoiding them is highly recommended by several Microsoft + Knowledgebase articles + +* Support for Symbolic Links added to the AFS Shell Extension + +* Added a registry value "OverlayEnabled" to determine if + Shell Extension Overlays should be enabled. + HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters + +* New Build system to support VC6, VC.NET, VC.NET2003 compilers and + separate trees for checked and free builds. Build system supports + a custom directory src\WINNT\extra which can be used as a grafting + location of organization specific additions to the build tree. + +* New installer built using NSIS 2.0. + +* Named all kernel objects in order to allow them to be monitored + with tools such as SysInternals' ProcExp.exe. + +* Introduced new EventLog framework for AFSD + +* Introduced Power Management interface to AFSD for Standby and + Hibernate modes to allow cache to be flushed prior to network + disconnect + +* Utilize Win32 DNSQuery API instead of internal routines. This + allows DNS SRV queries to be sent to all current domain name + servers. Not just one specified in an INI file. DNS is now + always activated. 
+ +* "NetbiosName" registry value may be used to specify a fixed + Netbios Name such as "AFS" to be used instead of "HOSTNAME-AFS" + when the loopback adapter is in use. If you need to use the + old notation with a loopback adapter installed specify a registry + entry of + + "NetbiosName" REG_EXPAND_SZ = "%COMPUTERNAME%-AFS" + +* Refactor all modules which depend on LAN Adapter and NetbiosName + determination in a new library: lanahelper.lib. This allows for + consistent behavior throughout the product. + +* Move the afsd.log and afsd_init.log files to the directory specified + by the "TEMP" environment variable. This is usually %WINDIR%\TEMP + for services. Added the Date to the log entries. + +* New registry value "RxMaxMTU" used to limit the size of the RX + packets sent by the AFS Client Service to the Server. In order + to enable OpenAFS to work across the Cisco IPSec VPN the packet + size must be restricted to 1264 or smaller. The latest NSIS + installer sets a value of 1260 by default. + +* New registry value "RxNoJumbo" to disable the use of Jumbo Rx + packets. This is not needed in order to work across the Cisco + VPN but might be needed for other network environments. This + value is not set by the NSIS installer. + +* New registry value "HideDotFiles" is used to apply the Hidden + attribute to files whose names begin with a '.'. This value + is set by the NSIS installer. + +* New registry value "MaxMpxRequests" allows the maximum number + of multiplexed sessions to be configured at run time. This + value is not set by the NSIS installer. The default value is + 50. + +* New registry value "MaxVCPerServer" allows the maxmimum number + of VCs per server to be configured at run time. This value is + not set by the NSIS installer. The default value is 100. + +* New registry value "AllSubmount" allows the "all" submount to + be disabled by setting its value to 0x00. 
+ +* Allow cells names to be valid mount points + \\\ + +* Store the active state of drive mappings in order for afscreds.exe + to restore them upon startup + +* Add exception handling to generate a Stack Trace to the afsd_init.log + file if one happens to occur. + +* Add lots of logging to help detect the cause of invalid SMB packets + +* Enable Kerberos for Windows to be used to obtain AFS Tokens via + conversion of Kerberos 5 "afs" service tickets. Supports auto- + renewal of expiring tokens as long as afscreds.exe is running. + +* New afscreds.exe command line options: + -A = autoinit + -M = renew drive maps + -N = ip address change detection + -Z = unmap drives + +* New registry value "EnableKFW" in {HKCU,HKLM}SOFTWARE\OpenAFS\Client + determines whether or not MIT Kerberos for Windows should be used + to obtain tokens via Kerberos 5 tickets. + +* New registry value "AfscredsShortcutParams" in + {HKCU,HKLM}SOFTWARE\OpenAFS\Client + determines the command line parameters to be specified when "fixing" + the AFS Shortcut in the user's startup folder. + +* The "ShowTrayIcon" registry value has been moved from + HKLM\Software\TransarcCorporation\AFS Client\AfsCreds to + {HKCU,HKLM}SOFTWARE\OpenAFS\Client + +* The registry values used to store the token expiration + reminders have been moved from + HKLM\Software\TransarcCorporation\AFS Client\AfsCreds to + {HKCU,HKLM}SOFTWARE\OpenAFS\Client\Reminders + +* Obtain the Logon User Name from the Explorer key when available + +* new text document doc\txt\winnotes\registry.txt lists all registry + values used by OpenAFS (excluding the AFS Server) + +* BUG: rx_securityClass objects were not properly reference + counted and were never freed. + +* BUG: reduce the number of conditions under which CM_ERROR_TIMEOUT + would be generated. The existence of a server does not imply + that it is not down. If all of the servers for a cell are down + return CM_ERROR_NOSUCHVOLUME instead. This prevents the Explorer + Shell from hanging. 
+ +* BUG: the directory name lookup cache failed to free the entries + in the cache when the name cache entries cycled. The entries + in the cache would become dereferenced without being freed. + +* BUG: fs setserverprefs could be executed without Administrator + privileges + +* BUG: the number of allocated NCB objects (100) exceeded the number + which could actually be waited upon by the kernel (64). Any objects + which were utilized above the limit could never have event completions + detected. + +* BUG: smb_username_t objects were not being reference counted and + were not properly freed. + +* BUG: smb_tid_t objects could under unusual circumstances be freed + before they were no longer referenced. + +* BUG: smb_fid_t object pointer were frequently used even when + their value could be NULL. They were not properly released and + therefore they were never freed. + +* BUG: smb_packet_t data structures were not completely initialized + upon creation + +* BUG: when Rx produces a CM_ERROR_NOIPC error do not return "Access + Denied" because that causes the Explorer Shell to try again until + access is obtained. Instead return "Remote Resources" which allows + the shell to move on and treat the error as transient. + +* BUG: when initializing the NCBreturns structure, separate Event objects + were created for each NCB although a single Event object was supposed + to be shared by all. + +* BUG: smb_dirSearch_t objects were not being properly referenced counted + or freed. + +* BUG: smb_tran2Packet_t objects were not being properly referenced + counted or freed. + +* BUG: directory path creation did not handle the case of multiple + directories requiring creation in one attempt + +* BUG: SMB requests which required an Extended Response were ignored. + This prevented some files from being written to AFS volumes. 
+ +* BUG: character strings were being freed even after they were + inserted into in use data structures + +* BUG: inconsistent usernames were used when High Security mode was + enabled. (there is still much to do in this area) + +* BUG: pioctl() calls which require out of band RPC operations were + susceptible to race conditions when performed by multiple processes + +* BUG: memory allocation and deallocation crossed instances of the + C Runtime Library producing memory leakage and corruption in + afscreds and the client configurator. + + + diff --git a/doc/txt/winnotes/afs-issues.txt b/doc/txt/winnotes/afs-issues.txt new file mode 100644 index 0000000..a9fce71 --- /dev/null +++ b/doc/txt/winnotes/afs-issues.txt 
@@ -0,0 +1,132 @@ +This file is a rough list of known issues with the 1.3.63 release of OpenAFS +on Windows. This list is not complete. There are probably other issues +which can be found in the RT database or on the mailing list. + + +(1) File/Directory access is not integrated with windows security + +(2) tokens are assigned to the service on a system global basis. Therefore, +all users and processes on the machine are able to access files with the +list of available tokens. This is dangerous if anonymous logins are enabled; +or if multiple users are on the machine (ie, Terminal Server or XP user +switching) + +(3) SMB LANA list is static. + +(3a) IP address changes cause the service to terminate due to an assertion +in smb_Listener() thread. + +(3b) New IP addresses do not get bound + +(3c) Loopback adapter hack: + (i) prevents use of AFS Gateway + (ii) requires installation of loopback adapter + (iii) the list of hack adapters is incomplete (VMWare, MS TV/Video, ...) + (iv) incompatible with Windows 2000 and earlier + +(4) Performance of the AFS Client Service code simply sucks. The average +read, write, and delete times for AFS are more than ten times slower than +the equivalent Windows File Share operations. The Window File Share operations +are not all that fast. It has been claimed that the Windows AFS functions are +one hundred times slower than the equivalent operations on Linux. I would not +be at all surprised. The best we can do without rewriting AFS as a IFS would +be to match the Windows File Share performance. I believe the threading model +is imposing significant delays in the movement of data from between the SMB +and RX protocol operations. There was also an issue with large numbers of +page faults which have since been fixed. + +(5) The AFS SMB code logs numerous 1002 events each day. This is caused +when an invalid SMB message are being processed from within the client. 
+It is unclear if the invalid SMB message has been received or is being sent. + +(6) The AFS client service causes MRxSMB to produce 3019 events. This is probably +the result of either malformed messages or invalid LANA values being used. + +(7) There appear to be directory locking problems associated with renaming +directories. + +(8) File termination differences between Win9x and nt/w2k/xp (Jim Peterson) + +(9) How to silence "Explorer" when the mapped drive is not available? + +(10) Convert to IFS!!!!!! + +(11) Kerberos 5 integration: +(11f) allow arbitrary cell to realm mappings +(11g) modify UI to allow user to choose whether to authenticate + using Kerberos or AFS +(11h) modify UI to allow user to select an existing principal to + be used to request AFS tokens +(11i) modify UI to display Kerberos 5 ticket info (principal, + ticket lifetimes, etc) + +(12) Default cell is system global just like everything else. Different + users logging in via Integrated Logon or using afscreds.exe cannot + be automatically prompted for different cells + +(13) AFS Integrated Logon: +(13a) Obtain tokens via Kerberos 5 +(13b) If using Kerberos, need to figure out a means of passing credentials + into the user space until such time as I finish the new credential + cache service. +(13c) If network is not available must store the username and password + somewhere until such time as the network starts. + +(14) Loopback adapter is not always installed with bindings to "File and + Printer Sharing for Microsoft Networks" or "Client for Microsoft + Networks". If these are not bound then SMB names will successfully + be published to a list of zero which causes the AFS not to function. + We need a way to test whether the Loopback adapter is properly bound + so we know if it is safe to use. Actually, it is worse. Even with + the bindings on Win2000 the loopback adapter frequently fails to publish + SMB names. Of course, the error messages report nothing. 
+ +(15) If a drive mapping is "in use", then afscreds cannot be used to Modify + or Delete the Mapping. If a map to "H:" to \afs\cell\foo" with + description "home" is modified to point to \afs\cell\bar, then the + description must be unique. "home" cannot be reused. We need a way + to remove "home" from the submount list. + +(16) WinAFS configuration values are still stored in old style INI files + instead of using the Registry. This is especially important for + per-user values such as drive mappings + +(17) Drive mappings are lost on WinXP after return from Standby. (This could + be because the AFS Client Service fails OR because the RX protocol is + temporarily unable to access the Cell due to network restore timing + issues.) + +(18) No support for Unicode filenames. Translations make file unreadable + +(19) No auto-restart on service failure + +(20) Better EventLog handling + +(21) Named Pipes Support + +(22) Memory Mapped File support + +(23) Large file support + +(24) Execution of debug builds indicates corruption of run time library + allocated memory blocks due to buffer overruns. This may be the + result of improper object locking or out of bounds access. + +(25) AFS Shell Extensions do not work on UNC paths of the form \\AFS\... + They only work on mapped drives. + +(26) Implement persistent disk based cache which survives restarts + +(27) NSIS Installer issues for re-installs + (a) AFS Server Configurator should not start on update + (b) AFS Server Volumes and Configuration Data should not be + removed on uninstall + +(28) The User Interface needs to be re-designed to separate the per-user + and per-machine settings. All of the new registry items need to + be added to the UI + +(29) Windows XP SP2 and Windows 2003 SP1 are going to lockdown the + machine. We need to add code to programatically open the + Internet Connection Firewall to the ports needed by the various + AFS services. -- 1.9.4
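Review bot: In doc/txt/winnotes/afs-changes-since-1.2.txt, the first two entries under "since 1.3.60" ('"fs setserverprefs" will leave afsd service deadlocked' and '"vos listaddrs" will core dump') are worded as current behaviour, so a reader of a change list cannot tell whether these defects were fixed or introduced. If they are fixes, word them that way, as the 1.3.61 entries do with a leading "fix". Under the krb524 item, the five-step list (create a user account, designate it DES only, disable pre-auth, set the UPN, assign the SPN) has no sentence saying what it configures. Because it asks for a DES-only account with pre-authentication disabled, add a lead-in stating which account this is (presumably the Active Directory account holding the afs service principal) so the weakened settings are not applied more widely than intended. Smaller points: "Do not a new cell struct" is missing its verb, the "Allow cells names to be valid mount points" entry ends in a bare "\\\" where a path example appears to have been lost, "maxmimum" is misspelled, and the bullet indentation switches between " * " and "* " from section to section.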
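Review bot: In doc/txt/winnotes/afs-issues.txt, item (2) says tokens are held by the service system-wide and calls this "dangerous if anonymous logins are enabled; or if multiple users are on the machine", but gives administrators nothing to act on. Since this file ships as release documentation, add a sentence recommending that the client not be deployed on Terminal Server or fast-user-switching hosts, or with anonymous logins enabled, until per-user token isolation exists. Consider also moving it, together with item (24) on memory corruption from buffer overruns in debug builds, to the top of the list so the security-relevant issues are not buried between feature requests such as (10) and (21) to (23). The sub-items of (11) start at (11f) with no (11a) to (11e); either renumber them or say that the earlier ones are done. Item (15) has unbalanced quotes in 'a map to "H:" to \afs\cell\foo"', item (5) reads "an invalid SMB message are being processed", and "programatically" in (29) is misspelled.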