<para>The AFS volume is a tree of files and sub-directories. AFS volumes are created by administrators and are joined to an AFS cell via the use of a mount point. Once a volume is created, users can create files and directories as well as mount points and symlinks within the volume without regard for the physical location of the volume. Administrators can move the volume to another server as necessary without the need to notify users. In fact, the volume move can occur while files in the volume are in use. </para>
<para>AFS volumes can be replicated to read-only copies. When accessing files from a read-only replica, clients will read all of the data from a single replica. If that replica becomes unavailable, the clients will failover to any replica that is reachable. Users of the data are unaware of where the replicas are stored or which one is being accessed. The contents of the replicas can be updated at any time by
<para>OpenAFS can be installed either as a new installation or an upgrade from previous versions of either OpenAFS for Windows or the former IBM AFS 3.6 for Windows.
Installers are provided as <ulinkurl="http://msdn.microsoft.com/en-us/library/cc185688%28v=vs.85%29.aspx">Windows Installer packages (.msi)</ulink> that are built using the open source
<ulinkurl="http://wix.sourceforge.net/">WiX Toolkit</ulink>. The MSI can be customized for organizations via the use of <ulinkurl="http://msdn.microsoft.com/en-us/library/aa367447%28v=vs.85%29.aspx">MSI Transforms</ulink> (see <linklinkend="Introduction_to_MSI_Deployment">MSI Deployment Guide</link>)
<para>Older releases of OpenAFS are available for download if unsupported operating systems must be used. The last version of OpenAFS with support for Win9x is 1.2.2b. The last version with support for Windows NT 4.0 is 1.2.10. The last version to support Windows 2000 and XP SP1 is 1.6.x.</para>
Up to 60mb required for the OpenAFS binaries plus 100MB for the default AFSCache file. The size of the AFSCache file may be adjusted via <linklinkend="Regkey_TransarcAFSDaemon_Parameters_CacheSize">the Registry</link> after installation. The maximum cache size for 32-bit Windows is approximately 1.2GB. On 64-bit Windows there is no practical limit on the cache size.
<ulinkurl="https://www.secure-endpoints.com/heimdal">Heimdal</ulink> or <ulinkurl="http://web.mit.edu/kerberos/dist/index.html">MIT Kerberos for Windows</ulink> 3.2.x if Kerberos v5 authentication support is desired. Heimdal is preferred over MIT Kerberos as it will provide OpenAFS the ability to offer enhanced capabilities in future releases. For 64-bit Windows installations, the 64-bit version of Kerberos for Windows is required. For 32-bit Windows installations, the 32-bit version of Kerberos for Windows is required.
<para>Starting with the 1.5.50 release of OpenAFS for Windows, each of the AFS Client Service, the AFS Explorer Shell Extension, and the command-line tools are Unicode enabled. No longer is OpenAFS restricted to accessing file system objects whose names can be represented in the locale specific OEM code page. This has significant benefits for end users. Most importantly it permits non-Western languages to now be used for file system object names in AFS from Microsoft Windows operating systems. Now that Unicode names are supported,
<ulinkurl="http://en.wikipedia.org/wiki/Roaming_user_profile">Roaming User Profiles</ulink> and
<ulinkurl="http://en.wikipedia.org/wiki/Folder_redirection">Folder Redirection</ulink> will no longer fail when a user attempts to store an object with a name that cannot be represented in the OEM code page.
<para>Unicode names are stored in AFS using UTF-8 encoding. UTF-8 is supported as a locale on MacOS X, Linux, Solaris, and most other operating systems. This permits non-Western object names to be exchanged between Microsoft Windows and other operating systems. The OpenAFS for Windows client also implements
<ulinkurl="http://en.wikipedia.org/wiki/Unicode_normalization">Unicode Normalization</ulink> as part of the name lookup algorithm. This is necessary because Unicode does not provide a unique representation for each input string. The use of normalization permits a file system object name created on MacOS X to be matched with the same string entered on Microsoft Windows even though the operating system's choice of representation may be different.
<para>It is important to note that AFS file servers are character-set agnostic. All file system object names are stored as octet strings without any character set tagging. If a file system object is created using OEM Code Page 858 and then interpreted as UTF-8 it is likely that the object name will appear to be gibberish. OpenAFS for Windows goes to great lengths to ensure that the object name is converted to a form that will permit the user to rename the object using Unicode. Accessing UTF-8 names on UNIX systems that have the locale set to one of the ISO Latin character sets will result in the UTF-8 strings appearing to be gibberish. </para>
<para>UNIX AFS can not perform Unicode Normalization for string comparisons. Although it is possible to store and read Unicode object names, it is possible that a user may not be able to open an object by typing the name of the object at the keyboard. GUI point and click operations should permit any object to be accessed.</para>
<para>Before there was native support for Kerberos v5 derived AFS tokens, the krb524 service was used to convert a Kerberos v5 service ticket into a Kerberos v4 service ticket that could in turn be used to construct an AFS authentication token. As of OpenAFS 1.2.8 [14 December 2002], support was added to allow the immediate use of Kerberos v5 tickets as AFS (2b) tokens. This is the first building block necessary to break away from the limitations of Kerberos v4 with AFS. By using Kerberos v5 directly the security holes inherent in Kerberos v4 cross-realm are avoided. Use of cryptographically stronger algorithms for authentication and encryption become a possibility.</para>
<para>Another reason for using Kerberos v5 directly is because the krb524 service runs on port (4444/udp), which has increasingly been blocked by Internet service providers. The port was used to spread a worm which attacked Microsoft Windows in the Summer of 2003. When the port is blocked users find that they are unable to authenticate.</para>
<para>Replacing the Kerberos v4 ticket with a Kerberos v5 ticket is a win in all situations except when the cell name does not match the realm name and the principal names placed into the ACL's are not the principal names from the Kerberos v5 ticket. Unfortunately, some organizations have AFS cell names and Kerberos realm names which differ by more then just typographic case and rely the krb524d service to map the Kerberos v5 client principal name from realm FOO to a Kerberos v4 principal in realm BAR. This allows user@FOO to appear to be user@bar for the purposes of accessing the AFS cell.
<para>To support this mode of operation OpenAFS for Windows versions 1.4.x through 1.6.x supported a registry value,
<linklinkend="Value_Use524">Use524</link>, that forced the use of krb524d within the AFS Authentication Tool and during integrated logon. Previous revisions of this documentation advised that this option should only be used by individuals until such time as their organizations transitioned away from the krb524 service.
<para>Over the last few years all Kerberos distributions have removed support for Kerberos v4. As a result, OpenAFS can no longer support the krb524d service and the functionality has been removed from the source tree for the 1.7.x release.</para>
<para>As an alternative, sites should be aware that the OpenAFS 1.4.x servers permit the use of a secondary realm name that can be treated as equivalent to the cell name for authentication. This functionality can be used to avoid the need for the krb524 service if and only if both realms are managed by the same administrative entity.
<para>The Network Identity Manager replaces the former KFW 2.6.x ticket manager, "Leash", and when combined with the OpenAFS Provider it can be used as a replacement for the AFS Authentication Tool (afscreds.exe). Unlike both Leash and the AFS Authentication Tool, Network Identity Manager with the OpenAFS Provider can easily acquire and renew AFS tokens for multiple cells from one or more Kerberos v5 identities.</para>
<para>The AFS configuration panel for each Kerberos v5 identity is used to configure which cells credentials should be obtained for and how they should be obtained. If the cell to realm mapping cannot be automatically determined, it can be explicitly specified. If the cell does not support Kerberos v5 tickets as tokens, then a krb524 service can be configured.</para>
<para>The OpenAFS Provider configuration panel can be used to check the status of the AFS Client Service and its version. An optional checkbox is provided that will prevent the AFS Authentication Tool from being started by Windows after login. A shortcut to the OpenAFS Control Panel is also provided.</para>
<para>As of OpenAFS 1.5.66, the Network Identity Manager OpenAFS Provider displays the same AFS Lock notification icon generated by the AFS Authentication Tool. The AFS Lock can be used to determine if:</para>
<para>The Microsoft Loopback Adapter (MLA) is installed with a name "AFS" and a pre-assigned IP address of 10.254.254.253. The MLA is bound to the "Client for Microsoft Networks" service and not bound to the "File and Printer Sharing for Microsoft Networks" service. If the MLA is unbound to "Client Microsoft Networks", the OpenAFS Client Service will become inaccessible when the machine is disconnected from the network. If the MLA is bound to "File and Printer Sharing ..." there will be a service type collision between the "AFS" SMB Service and the local machine's File Sharing Service. This will result in the OpenAFS client service becoming inaccessible and the "NET VIEW \\AFS" command will return a "System Error 52" message. To correct the problem:</para>
<para>When the MLA is not installed the NETBIOS name published by the OpenAFS SMB server must be unique in order to avoid name conflicts on public network. The unique name will take the form "<emphasis>MACHINE</emphasis>-AFS". One of the benefits of using the MLA is that the NETBIOS name does not have to be published on any adapter other than the MLA. Therefore the chosen name is no longer required to be globally unique. Instead the NETBIOS name associated with the AFS Client Service is simply "AFS" and portable UNC paths of the form \\AFS\cellname\path can now be used on all machines.
<para>The content of the fake "root.afs" volume is dynamically generated as cells are accessed. When the fake "root.afs" volume is initially constructed it will only contain two mount points: a
<emphasis>read-write path </emphasis>mount point used to access the "root.cell" volume of the default AFS cell. Any attempt to access a valid cell name will result in a new mount point being created in the fake "root.afs" volume. If the cellname begins with a "." the mount point will be a
<para>Additional mount points may be manually created using the "fs mkmount" command. Mount points may be removed using the "fs rmmount" command.</para>
<para>Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7.</para>
<para>Integrated Logon does not have the ability to cache the user's username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time.</para>
<para>Integrated Logon supports the ability to obtain tokens for multiple cells. For further information on how to configure this feature, read about the
<para>autoinit will result in automated attempts to acquire AFS tokens when afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored in the MSLSA credentials cache; any existing CCAPI credentials cache; and finally display an Obtain Tokens dialog to the user. When used in combination with IP address change detection, afscreds.exe will attempt to acquire AFS tokens whenever the IP address list changes and the Kerberos KDC is accessible.</para>
<para>The renew drive maps option is used to ensure that the user drive maps constructed via the OpenAFS tools (not NET USE) are re-constructed each time afscreds.exe is started.</para>
<para>By default afscreds.exe is configured by the OpenAFS.org installers to use "-A -N -M -Q" as startup options. Currently, there is no user interface to change this selection after install time although these options may be altered via the registry on either per machine or per user basis. See
<linklinkend="Value_AfscredsShortcutParams">AfscredsShortcutParams</link> in
Due to conflicts with Vista and Windows 7 User Account Control, the Drive Letter Mount and Advanced tabs of the AFS Authentication Tool were disabled beginning with the 1.5.66 release.
<para>The OpenAFS for Windows client supports a local Windows authorization group named "AFS Client Admins". This group is used in place of the "Administrators" group to determine which users are allowed to modify the AFS Client Service configuration via the AFS Control Panel (afs_config.exe) or fs.exe command line tool. The following fs.exe commands are now restricted to members of the "AFS Client Admins" group:</para>
<para>The creation or removal of mount points and symlinks in the Freelance "root.afs" volume are also restricted to members of the "AFS Client Admins" group.</para>
<para>The initial membership of the "AFS Client Admins" group when created by the installer is equivalent to the local "Administrators" group. If a user is added to the "Administrators" group after the creation of the "AFS Client Admin" group, that user will not be an AFS Client Administrator. Only users that are members of the "AFS Client Admins" group are AFS Client Administrators. The local "SYSTEM" account is an implicit member of the "AFS Client Admins" group.</para>
<titleid="Support_for_UNC_Paths">3.9. OpenAFS Support for UNC Paths </title>
<indextermsignificance="normal">
<primary>UNC paths</primary>
</indexterm>
<indextermsignificance="normal">
<primary>JP Software</primary>
<secondary>4NT</secondary>
</indexterm>
<indextermsignificance="normal">
<primary>JP Software</primary>
<secondary>Take Commands</secondary>
</indexterm>
<indextermsignificance="normal">
<primary>PowerShell</primary>
</indexterm>
<para>The OpenAFS client supports UNC paths everywhere. UNC paths provide a canonical name for resources stored within AFS. UNC paths should be used instead of drive letter mappings whenever possible. This is especially true when specifying the location of roaming profiles and redirected folders.</para>
<para>Power users that make extensive use of the command line shell, cmd.exe, should consider using JP Software's 4NT or Take Command command processors. Unlike cmd.exe, the JPSoftware shells fully support UNC paths as the current directory. JPSoftware added special recognition for OpenAFS to its command shells, 4NT 7.0 and Take Command 7.0. AFS paths can be entered in UNIX notation (e.g., /afs/openafs.org/software), space utilization reports the output of the volume status for the specified path, and many AFS specific functions and variables have been added to the command language. Take Command 13.1 will include support for OpenAFS IFS Reparse Points.</para>
<para>The OpenAFS Client ships with its own version of aklog.exe which should be used in preference to those obtained by other sources. The OpenAFS aklog.exe supports Kerberos v5 as well as the ability to auto-generate AFS IDs within foreign PTS databases.</para>
<titleid="OpenAFS_Servers_on_Windows">3.11. OpenAFS Servers on Windows are Unsupported</title>
<indextermsignificance="normal">
<primary>OpenAFS Servers on Windows</primary>
</indexterm>
<indextermsignificance="normal">
<primary>Freelance mode</primary>
</indexterm>
<indextermsignificance="normal">
<primary>EnableKFW</primary>
</indexterm>
<indextermsignificance="normal">
<primary>power management</primary>
</indexterm>
<indextermsignificance="normal">
<primary>kaserver</primary>
</indexterm>
<para>The AFS Server functionality provided as part of the OpenAFS install package might work but should be considered highly experimental. It has not been thoroughly tested. Any data which would cause pain if lost should not be stored in an OpenAFS Server on Windows.</para>
<para>When the OpenAFS Server is installed, the TransarcAFSServer service (bosctlsvc.exe) will be installed and configured. The TransarcAFSServer service will auto-start the traditional AFS bos server. The former AFS Server Configuration wizard makes assumptions that no longer hold true and it has therefore been disabled. However, following the instructions for installing the AFS Servers on UNIX it is possible to properly configure the AFS Servers on Microsoft Windows. The AFS Server binaries, configuration files, and log files are installed under %Program Files%\OpenAFS\Server.
<ulinkurl="http://www.openafs.org/no-more-des.html">kaserver has been deprecated and its use is strongly discouraged.</ulink> Instead, Active Directory or some other Kerberos v5 KDC should be used in its place.
<para>Freelance mode should be disabled when the AFS Client Service is installed on the same machine as the AFS Server,. Otherwise, it will be impossible to manipulate the contents of the root.afs volume for the hosted cell without constructing an explicit mountpoint to the root.afs volume from another volume.</para>
<para>The AFS Servers are not aware of power management events nor are they aware of network configuration changes. It is strongly advised that the AFS servers be installed only on systems that will not be shutdown or suspended unexpectedly. An inadvertent shutdown will corrupt volume data.</para>
<para>The OpenAFS for Windows installers include Debugging Symbol files which should be installed if you are experiencing problems and need to send crash reports. This is true for both the release and the debug versions of the installers. The difference between the release and debug versions are:</para>
<para>The OpenAFS for Windows installer by default activates a weak form of encrypted data transfer between the AFS client and the AFS servers. This is often referred to as "fcrypt" mode. Encrypted data transfer can be turned on or off with the "fs setcrypt" command. Transitions between "crypt" and "non-crypt" modes are logged to the Windows Application Event Log. </para>
<para><emphasis>This section is maintained for historical reference and those sites that are manually configuring the OpenAFS Service to act as an SMB gateway. This section does not apply when the OpenAFS IFS redirector driver is in use.</emphasis></para>
<para>OpenAFS authenticates SMB connections using either NTLM or GSS SPNEGO (NTLM). In previous versions of OpenAFS, the SMB connections were unauthenticated which opened the door for several attacks which could be used to obtain access to another user's tokens on shared machines. </para>
<para>When GSS SPNEGO attempts a Kerberos v5 authentication, the Windows SMB client will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not being used). It is extremely important that this service principal not exist in the KDC database as the Kerberos authentication must fail allowing automatic fallback to NTLM. When NTLM is used a special local authentication mode will be used that does not require access to the user's password. Instead, Windows will internally recognize the request as coming from a local logon session.</para>
<para>It should also be noted that because Kerberos v5 authentication cannot be used, it is not possible to digitally sign the SMB communications. On systems that require Digital Signing of SMB Client connections, access to \\AFS will fail with a connection error.</para>
<titleid="No_More_INI_Files">3.16. IBM AFS INI Files Replaced By Windows Registry Keys</title>
<indextermsignificance="normal">
<primary>INI files</primary>
</indexterm>
<indextermsignificance="normal">
<primary>CellServDB</primary>
</indexterm>
<indextermsignificance="normal">
<primary>AFSCONF</primary>
</indexterm>
<para>IBM AFS and OpenAFS 1.2 Windows clients stored configuration data in Windows .INI files. This OpenAFS client does not use Windows .INI files for the storage of configuration data. All settings are stored in the registry (see
<linklinkend="appendix_a">Appendix A</link>). The CellServDB file is now stored in either the %ALLUSERSPROFILE%\Application Data\OpenAFS\Client directory (aka \ProgramData\OpenAFS\Client on Vista\Win7\2008) or the %PROGRAMFILES%\OpenAFS\Client directory. The
<linklinkend="Value_CellServDBDir">CellServDBDir</link> registry value or the AFSCONF environment variable can be used to specify an alternative location.
<para>For users converting from IBM AFS clients, during installation OpenAFS will relocate the contents of the "afsdcell.ini" file to the new CellServDB file. OpenAFS will also import the contents of the "afs_freelance.ini" file to the Windows registry. OpenAFS will not process the contents of the "afsddbmt.ini".</para>
<para>The OpenAFS Client Service implements the CIFS Remote Admin Protocol and the Microsoft RPC SVRSVC and WKSSVC services which allows Explorer to browse server and share information. This significantly enhances the interoperability of AFS volumes within the Explorer Shell and Microsoft Office applications.</para>
<titleid="Byte_Range_Locking">3.19. Byte Range Locking</title>
<indextermsignificance="normal">
<primary>byte range locking</primary>
</indexterm>
<indextermsignificance="normal">
<primary>Microsoft Office</primary>
</indexterm>
<indextermsignificance="normal">
<primary>EnableServerLocks</primary>
</indexterm>
<para>Many applications on Windows (e.g. Microsoft Office) require the use of byte range locks applied to a file either to protect against simultaneous file access or as a signaling mechanism. OpenAFS for Windows release 1.5 (or greater) implements byte range locking within the CIFS-AFS gateway server. This support for byte range locking obtains AFS' advisory file server locks to simulate Microsoft Windows mandatory locks. When an application opens a file, a lock will be obtained from AFS indicating that the file is in use. If the lock is a write lock, access to the file will be restricted to other applications running on the same machine as the first application to request the lock. Applications running on other machines will see the AFS full file lock and will be unable to access the file.</para>
<para>Most Windows applications and Windows itself opens files in shared read mode. When this is done, a read lock is applied to the file. This does not prevent shared read access across multiple machines but is used to ensure that no one writes to the file while it is in use.</para>
<para>As the CIFS-AFS gateway server attempts to implement Windows lock semantics on top of AFS lock semantics it is important to understand how AFS file locks work. In Windows there are no special privileges associated with obtaining file locks. If you can read or execute a file, then you can obtain shared and exclusive locks. In general, a Windows shared lock equates to an AFS read lock and a Windows exclusive lock equates to an AFS write lock. In AFS if you can write to a file, then you can obtain a write lock. However, in AFS if you can read a file it does not mean that you can obtain a read lock on it. The ability to obtain read locks is granted only if you have the lock (or ‘k') privilege. This behavior is required in order to allow anonymous users to read files while preventing them from being able to deny access to the files to other users.
<emphasis>OpenAFS 1.4.0 and earlier as well as all IBM AFS file servers have an implementation bug that prevents users with write privileges from being able to obtain locks without the lock privilege.</emphasis> When AFS serves data out of read-only volumes the file server will deny all requests for read and write locks because the contents of the volume cannot be changed by the client.
<para>Since Microsoft Windows applications almost always attempt to obtain a temporary exclusive lock when accessing files the OpenAFS Client's CIFS-AFS gateway implements the following semantics in order to reduce the inconvenience on end users. </para>
<para>If the file is located on a read-only volume and the application requests a shared lock, the CIFS-AFS server will grant the lock request without asking the AFS file server.</para>
</listitem>
<listitem>
<para>If the file is located on a read-only volume and the application opens the file with write access and requests an exclusive lock, the CIFS-AFS server will refuse the lock request and return a read only error.</para>
</listitem>
<listitem>
<para>If the file is located on a read-only volume and the application opens the file with only read access and requests an exclusive lock, the CIFS-AFS server will fulfill the lock request with a read lock.</para>
<para>If the file is located on a read-write volume and the application requests an exclusive lock, the CIFS-AFS server will request a write lock from the AFS file server. If granted by the file server, then the CIFS-AFS server will grant the lock request. If the request is denied due to an access denied error and the user has the lookup, read and lock privileges and the file was opened for read only access, then the CIFS-AFS server will request a read lock from the file server. If the request is denied due to an access denied error and the user has the lookup and read privileges but not the lock privilege, then the CIFS-AFS server will grant the request even though the AFS file server said ‘no'. If the user does not have at least those permissions, the CIFS-AFS server will deny the request.</para>
<para>If the file is located on a read-write volume and the application requests a shared lock, the CIFS-AFS server will request a read lock from the AFS file server. If granted by the file server, then the CIFS-AFS server grants the lock request. If the request is denied due to an access denied error and the user has the lookup and read privileges but not the lock privilege, then the CIFS-AFS server will grant the request even though the AFS file server said ‘no'. If the user does not have at least those permissions, the CIFS-AFS server will deny the request.</para>
<para>If multiple processes on the same machine attempt to access the same file simultaneously, the CIFS-AFS server will locally manage the granted locks and all processes will share a single lock on the AFS file server.</para>
<para>If the CIFS-AFS server is unable to renew the AFS file server locks, then it will invalidate the associated file handles. This is the same behavior that an application will experience if it was using a Windows File Share and the connection was broken. Invalidating the file handles prevents subsequent data corruption from taking place.</para>
<para>The OpenAFS Client will automatically forget a user's tokens upon Logoff unless the user's profile was loaded from an AFS volume. In this situation there is no mechanism to determine when the profile has been successfully written back to the network. It is therefore unsafe to release the user's tokens. Whether or not the profile has been loaded from the registry can be determined for Local Accounts, Active Directory accounts and NT4 accounts.</para>
<para>AFS is a UNIX native file system. The OpenAFS client attempts to treat the files stored in AFS as they would be on UNIX. File and directory names beginning with a "." are automatically given the Hidden attribute so they will not normally be displayed. This behavior can be altered via the
<titleid="Status_Cache_Limits">3.23. Status Cache Limits</title>
<indextermsignificance="normal">
<primary>afs_config.exe</primary>
</indexterm>
<indextermsignificance="normal">
<primary>AFS Configuration Control Panel</primary>
</indexterm>
<indextermsignificance="normal">
<primary>cache limits</primary>
</indexterm>
<indextermsignificance="normal">
<primary>Stats</primary>
</indexterm>
<para>The Status Cache (AFS Configuration Control Panel: Advanced Page) is defined to have a maximum number of entries. Each entry represents a single file or directory entry accessed within the AFS file system. When the maximum number of entries are allocated, entries will begin to be reused according to a least recently used (LRU) algorithm. If the number of files or directories being accessed repeatedly by your applications is greater then the maximum number of entries, your host will begin to experience thrashing of the Status Cache and all requests will result in network operations.</para>
<para>If you are experiencing poor performance try increasing the maximum number of Status Cache entries. Each entry requires approximately 1.2K. The default number of Status Cache entries is 10,000. This can be adjusted using the
<para>"Netbios over TCP/IP" must be active on the machine in order for communication with the AFS Client Service to succeed. If "Netbios over TCP/IP" is disabled on the machine, then communication with the AFS Client Service will be impossible. If you are using the Microsoft Loopback Adapter, configure the "Netbios over TCP/IP" setting for the adapter.</para>
<para>The OpenAFS Client Service and related binaries distributed by OpenAFS.org are digitally signed by "Secure Endpoints Inc." or "Your File System Inc.". The OpenAFS Client Service will perform a run-time verification check to ensure that all OpenAFS related DLLs loaded by the service match the same file version number and were signed by the same entity. This check has been added to prevent the stability problems caused when more than one AFS installation is present on a machine simultaneously. Many hours of support time have been wasted tracking down problems caused by the mixture of files from different releases. </para>
<linklinkend="appendix_a">Appendix A</link> documents the "
<linklinkend="Value_VerifyServiceSignature">VerifyServiceSignature</link>" registry value which can be used to disable the signature check. The file version check cannot be disabled.
<titleid="Maximum_Cache_Size">3.26. Maximum Size of the AFSCache File</title>
<indextermsignificance="normal">
<primary>cache size</primary>
</indexterm>
<para>The maximum cache size on 32-bit Windows is approximately 1.2GB. This is the largest contiguous block of memory in the 2GB process address space which can be used for constructing a memory mapped file. Due to fragmentation of the process space caused by the loading of libraries required by the digital signature verification code, any attempt to specify a cache size greater then 700MB will result in the automatic disabling of the signature check. Significantly larger cache sizes can be used on 64-bit Windows.</para>
<para>On 32-bit systems that have Apple Bonjour 1.0.6 installed, the maximum cache size is further constrained due design flaw in the Apple mdnsNSP.dll which is injected into all processes that use network services. On these systems the maximum is approximately 512MB.</para>
<para><emphasis>This section describes functionality and concerns related to pre-1.5.50 releases of OpenAFS for Windows. This release stores all file names on the file servers as Unicode encoded using UTF-8.</emphasis></para>
<para>OpenAFS for Windows implements an SMB server which is used as a gateway to the AFS filesystem. Because of limitations of the SMB implementation in pre-1.5.50 releases, Windows stored all files into AFS using OEM code pages such as CP437 (United States) or CP850 (Western Europe). These code pages are incompatible with the ISO Latin-1 or Unicode (UTF-8) character sets typically used as the default on UNIX systems in both the United States and Western Europe. Filenames stored by OpenAFS for Windows were therefore unreadable on UNIX systems if they include any of the following characters:</para>
<linklinkend="Value_StoreAnsiFilenames">StoreAnsiFilenames</link>, that could be set to instruct OpenAFS to store filenames using the ANSI Code Page instead of the OEM Code Page. The ANSI Code Page is a compatible superset of Latin-1. This setting is not the default setting because making this change would prevent OpenAFS for Windows from being able to access filenames containing the above characters which were created without this setting.
<para>All versions of OpenAFS for Windows 1.5.50 and above exchange file names with Microsoft Windows using the Unicode character set. All file names are read from and stored to AFS file servers using the UTF-8 encoding of Unicode. As a result the
<para><emphasis>This section describes functionality and concerns related to pre-1.5.50 releases of OpenAFS for Windows. This release stores all file names on the file servers as Unicode encoded using UTF-8.</emphasis></para>
<para>There is a known issue with storing Windows Roaming Profiles when the profile contains either directories or files with names which cannot be represented in the local OEM character set. In this case, attempts to write the profile back to AFS will fail during the character set conversion. The pre-1.5.50 OpenAFS Client's CIFS gateway did not support UNICODE. To avoid this problem some sites run custom logoff scripts (assigned by group policy) which rename all files to use only the supported characters for the locale.</para>
<titleid="AFSCache_File">3.29. The AFSCache File</title>
<indextermsignificance="normal">
<primary>AFSCache</primary>
</indexterm>
<indextermsignificance="normal">
<primary>cache file</primary>
</indexterm>
<indextermsignificance="normal">
<primary>SysInternals</primary>
</indexterm>
<para>The AFS Cache file is stored by default at %TEMP%\AFSCache in a persistent file marked with the Hidden and System attributes. The persistent nature of the data stored in the cache file improves the performance of OpenAFS by reducing the number of times data must be read from the AFS file servers. </para>
<para>The performance of the AFS Client Service is significantly affected by the access times associated with the AFSCache paging file. When given the choice, the AFSCache file should be placed on a fast disk, preferably formatted NTFS and using a Solid State Disk, the file should not be compressed and should consist of as few fragments as possible. Significant performance gains can be achieved by defragmenting the AFSCache file with SysInternal's Contig utility while the AFS Client Service is stopped.</para>
<titleid="SysName_List">3.31. The @sys Name List</title>
<indextermsignificance="normal">
<primary>@sys</primary>
</indexterm>
<indextermsignificance="normal">
<primary>fs sysname</primary>
</indexterm>
<indextermsignificance="normal">
<primary>SysName</primary>
</indexterm>
<para>The default @sys name list in the OpenAFS Client is set to "x86_win32 i386_w2k i386_nt40" for 32-bit x86 systems. The default is "amd64_win64" for amd 64-bit versions of Windows.</para>
<titleid="Symlinks_to_AFS_UNC_Paths">3.32. Symlinks to AFS UNC Paths</title>
<indextermsignificance="normal">
<primary>UNC paths</primary>
</indexterm>
<indextermsignificance="normal">
<primary>symlinks</primary>
</indexterm>
<indextermsignificance="normal">
<primary>path separators</primary>
</indexterm>
<indextermsignificance="normal">
<primary>symlink.exe</primary>
</indexterm>
<indextermsignificance="normal">
<primary>symlink make</primary>
</indexterm>
<para>In OpenAFS, symlinks to AFS UNC paths, \\AFS[\all]\..., are treated the same as symlinks to /afs/... However, please use /afs/... as the Windows UNC form will not work on UNIX client.</para>
<para>The OpenAFS Client implements the Cache Manager Debugging RPC Interface. The CM debugger can be queried with <ulinkurl="http://docs.openafs.org/Reference/1/cmdebug.html">cmdebug.exe</ulink>. </para>
<para>If you are a site which utilizes MIT/Heimdal Kerberos principals to logon to Windows via a cross-realm relationship with a multi-domain Windows forest, you must enable Windows logon caching unless the workstation is Windows Vista or Windows 7.</para>
<titleid="Initial_Server_Preferences">3.35. Initial Server Preferences</title>
<indextermsignificance="normal">
<primary>server preferences</primary>
</indexterm>
<indextermsignificance="normal">
<primary>fs setserverprefs</primary>
</indexterm>
<indextermsignificance="normal">
<primary>setting server preferences</primary>
</indexterm>
<para>VLDB and File Server Preferences can now be provided initial values using registry keys. This is useful for managed machines in a Windows domain which are centrally located (e.g., in a computing lab.) See
<linklinkend="appendix_a">Appendix A</link> for details on the "
<titleid="File_Timestamps_and_DST">3.36. File Timestamps and Daylight Saving Time</title>
<indextermsignificance="normal">
<primary>timestamps</primary>
</indexterm>
<indextermsignificance="normal">
<primary>DST</primary>
</indexterm>
<indextermsignificance="normal">
<primary>UTC</primary>
</indexterm>
<para>The OpenAFS Client reports timestamps on files stored in AFS in UTC all year round. In locales with daylight savings time, previous versions of AFS for Windows reported the time when DST is active as UTC+1. This was done to preserve the relative local time for the user. A file stored at 11:00am EST in January would be reported as having been stored at 11:00am EDT in June. Unfortunately, this has the negative side effect of changing the reported timestamp from 16:00UTC to 15:00UTC. Since Windows treats all file times in UTC, data synchronization applications which rely on the timestamp would believe that all files stored in AFS had changed.</para>
<para>It should be noted that UNIX based operating systems (such as Solaris) do not appear to report file times to applications in UTC. They do preserve the relative local time. This may confuse some users who are used to being able to compare the timestamp in an UNIX shell with the timestamp from the Windows explorer. During DST, these two times will no longer agree even though they are in fact representing the same moment in time.</para>
<para>If the installer refuses to install and complains about an RPC configuration error, check to ensure that the following registry entries are present and that they refer to the dll "rpcrt4.dll":</para>
<titleid="Generating_Minidumps">3.38. Generating Minidumps of the OpenAFS Client Service</title>
<indextermsignificance="normal">
<primary>minidumps</primary>
</indexterm>
<indextermsignificance="normal">
<primary>fs minidump</primary>
</indexterm>
<para>OpenAFS 1.4 added a new command, "fs minidump". This command can be used at any time to generate a mini dump file containing the current stack of the afsd_service.exe process. This output can be very helpful when debugging the AFS Client Service when it is unresponsive to SMB/CIFS requests.</para>
<para>The OpenAFS Client implements Universally Unique Identifiers (UUIDs). They are used to provide the AFS file server with a method of identifying the client that is independent of IP address. This permits the AFS file server to track mobile clients or those behind Network Address Translators when they move from address to address or port to port. Tracking the client improves client performance by permitting callback state to be maintained across location changes. The UUID is generated when the AFSCache file is created and is maintained as long as the contents of the AFSCache file are valid. The UUID is stored in the AFSCache file.</para>
<para>When cloning machines that have Windows AFS client installed it is necessary to generate a new UUID for each client. This will be done automatically if the Windows Machine SID is re-generated using Microsoft SysPrep. If the SID is not being re-generated either the AFSCache file should be deleted or the command
<emphasis>fs uuid -generate</emphasis> must be executed after the the clone is created.
<emphasisrole="bold">Multiple AFS clients reporting the same UUID will not only result in horrible AFS client performance and cache inconsistencies, but they will also put a tremendous strain on the AFS file servers.</emphasis></para>
<linklinkend="Value_NonPersistentCaching">NonPersistentCaching</link> option will disable the use of the persistent cache file. As a side effect, a new UUID will be generated for the AFS client service on each restart.
<para>Microsoft Office makes heavy use of asynchronous input/output methods for reading and writing to file streams. This can result in hundreds of requests being simultaneously queued for service by the CIFS client with a fixed timeout period. As the AFS CIFS server is local to the machine the Windows CIFS client believes that it can respond almost instantaneously to write requests as the actual writing to the AFS file server is performed by a background daemon thread. When the actual network bandwidth to the AFS file server is slow and the file size is large it is possible for the CIFS client to time out the connection. When this happens a "delayed write error" will be reported to the user and the application may crash. The only workaround at the current time is to save first to a local disk and subsequently copy the file to AFS as copying a file with the explorer shell does not use asynchronous i/o. </para>
<para>Beginning with the 1.5.33 release, the performance characteristics of SMB Write Data operations can be adjusted. In prior releases all writes were performed using a restricted asynchronous store model in which only one asynchronous store operation per file can be performed at a time. The reason for this restriction is limit the amount of data the cache manager will accept without it having been written to the file server. If too much unwritten data is accepted, the file close operation will block until all of the unwritten data is output and this could trigger a CIFS client disconnect. </para>
<para>Prior to 1.5.33 the size of the asynchronous store was always equal to the chunk size which was often too large for low bandwidth connections. The asynchronous store size now defaults to 32KB and is configurable using the
<linklinkend="Value_SMBAsyncStoreSize">SMBAsyncStoreSize</link> registry value. Asynchronous store operations can also be disabled using the
<linklinkend="Value_EnableSMBAsyncStore">EnableSMBAsyncStore</link> registry value in which case all writes received by the cache manager block until the Rx StoreData operation completes.
<para>Although 64-bit Windows platforms support both 64-bit and 32-bit applications, the OpenAFS Service installed on the machine must be 64-bit. The 64-bit installer contains only 64-bit executables. In order to support 32-bit applications it is required that a separate 32-bit OpenAFS Tools set be installed. This is especially true when the IFS redirector is in use as the 32-bit Network Provider DLL must be installed in order for 32-bit applications to access drive letters mapped to \\AFS.</para>
<para>OpenAFS on 64-bit Windows benefits from the lifting of the 2GB process memory restriction that is present in 32-bit Windows. Without this restriction the AFS Cache File can become arbitrarily large limited only by available disk space.</para>
<para>Windows Vista, Windows 7, and Server 2008 [R2] implement
<ulinkurl="http://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx">User Account Control</ulink> (UAC), a new security feature that implements least user privilege. With UAC, applications only run with the minimum required privileges. Even Administrator accounts run applications without the "Administrator" access control credentials. One side effect of this is that existing applications that mix user and system configuration capabilities must be re-written to separate those functions that require "Administrator" privileges into a separate process space. Future updates to OpenAFS will incorporate the necessary privilege separation, until that time some functions such as the Start and Stop Service features of the AFS Authentication Tool and the AFS Control Panel will not work unless they are "Run as Administrator". When a Vista user account that is a member of the "Administrators" group is used to access the AFS Control Panel (afs_config.exe), the process must be "Run as Administrator". Otherwise, attempts to modify the OpenAFS configuration will appear to succeed but in reality will have failed due to Vista's system file and registry virtualization feature.
<para>Starting with the 1.5.21 release of OpenAFS for Windows, the following syntax can be used to access any volume in any cell without requiring the creation of a mount point.</para>
<para>\\AFS\<cell><mount point type><volume>\</para>
<para>Where <cell> can be either a full cell name or an unambiguous prefix, the <mount point type> is '#' for a normal mount point or '%' to force the use of a read-write volume, and <volume> is either a volume name or its ID number.</para>
<emphasis>-literal</emphasis>. When specified, if the evaluated object is a symlink or a mountpoint the resulting output will describe the specified object and not the target of the symlink or mountpoint.
<para>Prior to the 1.5.31 release, out of quota errors were reported to the calling application as an out of space error. As of 1.5.31, an out of space error will indicate that the partition on which the volume is located is in fact out of space. Whereas an out of quota error indicates that the user does not have permission to allocate additional space.</para>
<para>The 1.5.55 release adds support for linked cells as implemented in the Unix OpenAFS client. When two cells are linked, a volume lookup in one cell that fails is retried in the linked cell. This functionality can be used to implement:</para>
<para>Beginning with the 1.5.60 release, the <linklinkend="Regkey_HKLM_SOFTWARE_OpenAFS_Client_CellServDB">[HKLM\SOFTWARE\OpenAFS\Client\CellServDB]</link>
registry key can be used to distribute Volume Database Server location information either as a supplement to the <emphasis>CellServDB file</emphasis> or
as a substitute for it. The precedence order for lookups is: Registry, File, and then DNS.</para>
<para>Starting with the 1.5.60 release, this document, the OpenAFS Administrator Guide and the OpenAFS User Guide are provided in HTML Help format instead
Workaround: use SUBST instead of NET USE to assign drive
letters to UNC paths.
</para>
</listitem>
<listitem>
<para>The Windows File System <ulinkurl="http://msdn.microsoft.com/en-us/library/ff549293%28v=vs.85%29.aspx">Volume Query Quota Interface</ulink> is not implemented. As a result, AFS quota information is not available to application processes or end users via Windows dialogs.</para>
</listitem>
<listitem>
<para>The Windows <ulinkurl="https://secure.wikimedia.org/wikipedia/en/wiki/Shadow_Copy">Volume Shadow Copy Service</ulink> is not implemented. As a result, AFS backup volumes are not accessible via the Explorer Shell.</para>
</listitem>
<listitem>
<para>
There is no support for storing DOS attributes such as Hidden, System, or Archive.
</para>
</listitem>
<listitem>
<para>
There is no support for Alternate Data Streams as required by Windows User Account Control to store Zone Identity data.
</para>
</listitem>
<listitem>
<para>
There is no support for Extended Attributes.
</para>
</listitem>
<listitem>
<para>
There is no support for <ulinkurl="https://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx">Access Based Enumeration</ulink>.
</para>
</listitem>
<listitem>
<para>
There is no support for <ulinkurl="https://secure.wikimedia.org/wikipedia/en/wiki/Windows_Management_Instrumentation">Windows Management Instrumentation</ulink>
</para>
</listitem>
<listitem>
<para>
There is no support for <ulinkurl="http://msdn.microsoft.com/en-us/library/aa363997%28v=vs.85%29.aspx">Distributed Link Tracking and Object Identifiers</ulink>
</para>
</listitem>
<listitem>
<para>
There is no support for storing <ulinkurl="http://msdn.microsoft.com/en-us/magazine/cc982153.aspx">Windows Access Control Lists</ulink>. Only the AFS ACLs are enforced.
OpenAFS for Windows provides a wide range of tools to assist you in debugging problems. The techniques available to you are varied because of the wide range of issues that have been discovered over the years.</para>
<para>pioctl (path-based ioctl) calls are used by various tools to communicate with the AFS Client Service. Some of the operations performed include:</para>
<para>pioctl calls are implemented by writing to a special UNC path that is processed by the AFS Client Service. If there is a failure to communicate with the AFS Client Service via SMB/CIFS, it will be impossible to perform any of the above operations. </para>
<para>should be set. Then any of the commands that perform pioctl calls should be executed from the command prompt. With this key set the pioctl library will generate debugging output to stderr. The output will contain the Win32 API calls executed along with their most important parameters and their return code. The MSDN Library and the Microsoft KnowledgeBase can be used as a reference to help you determine the configuration probem with your system.</para>
<para>Every time the AFS Client Service starts it appends data about its progress and configuration to a file. This file provides information crucial to determining why the service cannot start when there are problems. When the process terminates due to a panic condition it will write to this file the source code file and line number of the error. In many cases the panic condition is due to a misconfiguration of the machine. In other cases it might be due to a programming error in the software. A quick review of the location in the source code will quickly reveal the reason for the termination.</para>
<linklinkend="Value_MaxLogSize">MaxLogSize</link> registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log file. If the file is larger than this value when OpenAFS Client Service starts, the file will be reset to 0 bytes. If value is set to 0, the file will be allowed to grow indefinitely.
<para>When attempting to debug the behavior of the SMB/CIFS Server and the Cache Manager it is often useful to examine a log of the operations being performed. While running the AFS Client Service keeps an in memory log of many of its actions. The default number of actions preserved at any one time is 5000. This can be adjusted with the
<para>A restart of the service is necessary when adjusting this value. Execute "fs trace -on -reset" to begin the logging and "fs trace -dump" to output the contents of the log to the file.</para>
<ulinkurl="http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx">Debug Viewer</ulink> to capture real-time debugging output. When the OpenAFS Client Service starts and Bit 2 of the
<linklinkend="Value_TraceOption">TraceOption</link> value in the registry is set, all trace log events are output using the Windows Debug Monitor interface (OutputDebugString).
<para>Use "fs trace –on" and "fs trace –off" to toggle the generation of log messages. </para>
<para>Sysinternal's
<ulinkurl="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx">Process Monitor</ulink> can be use to monitor the file operations requested by applications and their success or failure.
<para>In Process Monitor, set a filter to include only events on file paths that refer to the AFS name space. Be sure to include both the UNC path as well as any drive letters mapped to AFS. </para>
<emphasis>Show Milliseconds</emphasis> options in both tools to make it easier to synchronize the application requests and the resulting OpenAFS Client Service operations. The captured data can be stored to files for inclusion in
<ulinkurl="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx">Process Explorer</ulink> is a replacement for the Windows Task Manager and so much more. Process Explorer can be configured to use the DbgHelp.dll from "
<ulinkurl="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">Microsoft Debugging Tools for Windows</ulink>" as well as the debug symbols shipped as an optional component of the OpenAFS for Windows installer. (Options->Configure Symbols) Once configured the "Threads" tab of the process properties dialog will permit the viewing of a fully documented stack for each displayed thread. Hint: If there is a deadlock in the cache manager, two or more of the threads will be stuck in a call to osi_TWait().
<para>If the AFS Client Service become unresponsive to any form of communication there may be a serious error that can only be debugged by someone with access to the source code and a debugger. The "fs minidump" command can be used to force the generation of a MiniDump file containing the state of all of the threads in the AFS Client Service process. The most accurate MiniDump files will be produced after installing "
<ulinkurl="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">Microsoft Debugging Tools for Windows</ulink>".
<linklinkend="Value_MiniDumpType">MiniDumpType</link> registry value can be used to adjust the scope of the process information included within the dump file. By default the MiniDump only contains the stacks of all threads and the values of all global variables. A much more useful MiniDump is one that contains the contents of the heap. Be warned, a MiniDump with heap will be as large as the cache file. In addition, it will include all of the data stored within the cache. If there are privacy concerns, do not produce a MiniDump with heap.
<para>will instruct the Integrated Logon Network Provider and Event Handlers to log information to the Windows Event Log: Application under the name "AFS Logon".</para>
<para>The rxdebug.exe tool can be used to query a variety of information about the AFS services installed on a given machine. The port for the AFS Cache Manager is 7001. </para>
<para>The persistent cache is stored in a Hidden System file at %WinDir%\TEMP\AFSCache. If there is a problem with the persistent cache that prevent the AFS Client Service from being able to start a validation check on the file can be performed.</para>
<para>If you are having trouble obtaining tokens with the Network Identity Manager AFS credential provider, it is recommended that you verify your ability to obtain tokens using the command-line tools
<emphasis>klog.exe</emphasis> (if you are using kaserver) or
<emphasis>kinit.exe</emphasis> and
<emphasis>aklog.exe</emphasis> (if you are using Kerberos v5.) The aklog.exe
<emphasis>–d</emphasis> option will be quite helpful in diagnosing Kerberos v5 related problems.
<ulinkurl="mailto:openafs-bugs@openafs.org?subject=Bug%20Report">openafs-bugs@openafs.org</ulink>. Please include as much information as possible about the issue. If you are reporting a crash, please install the debugging symbols by re-running the installer. If a dump file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along with the AFS Client Trace file %WINDIR%\TEMP\afsd.log. The AFS Client startup log is %WINDIR%\TEMP\afsd_init.log. Send the last continuous block of log information from this file.
<para>Select either a Crash Dump Type: Mini or Full. </para>
</listitem>
<listitem>
<para>Clear Dump Symbol Table</para>
</listitem>
<listitem>
<para>Clear Append to Existing Log file. </para>
</listitem>
<listitem>
<para>Check Dump All Thread Contexts.</para>
</listitem>
<listitem>
<para>Check Create Crash Dump File</para>
</listitem>
<listitem>
<para>Next run the monitoring module of Dr. Watson: </para>
</listitem>
<listitem>
<para>click Start > Run...</para>
</listitem>
<listitem>
<para>type drwatson <enter>. </para>
</listitem>
<listitem>
<para>Once a crash happens, Dr. Watson generates a dump file and a report in the log file, including the address of the crash and the stack dump.</para>
</listitem>
</orderedlist>
<para>Once you have the Dr. Watson's logfile and minidump, zip them and attach them to your e-mail.</para>
<para>When reporting a error, please be sure to include the version of OpenAFS.
Contributions to the development of OpenAFS for Windows are continuously needed. Contributions may take many forms including cash donations, support contracts, donated developer time, and even donated tech writer time.</para>
<ulinkurl="http://www.usenix.org/">USENIX</ulink>, a 501c3 non-profit corporation, has formed the USENIX OpenAFS Fund in order to accept tax deductible donations on behalf of the OpenAFS Elders. The donated funds will be allocated by the OpenAFS Elders to fund OpenAFS development, documentation, project management, and maintaining openafs.org.
<ulinkurl="http://www.secure-endpoints.com/">Secure Endpoints Inc.</ulink> provides development and support services for OpenAFS for Windows and
<ulinkurl="http://web.mit.edu/kerberos/">MIT Kerberos for Windows</ulink>. Donations provided to Secure Endpoints Inc. for the development of OpenAFS are used to cover the OpenAFS gatekeeper responsibilities; providing support to the OpenAFS community via the OpenAFS mailing lists; and furthering development of desired features that are either too small to be financed by development contracts.
<para>Secure Endpoints Inc. accepts software development agreements from organizations who wish to fund a well-defined set of bug fixes or new features. </para>
<para>Secure Endpoints Inc. provides contract based support for the OpenAFS for Windows and the
<titleid="Your_File_System_Inc">6.3. Your File System Inc. </title>
<para>
<indextermsignificance="normal">
<primary>Your File System Inc.</primary>
</indexterm>
<ulinkurl="http://www.your-file-system.com/">Your File System Inc.</ulink> provides development and support services for OpenAFS for Windows.
Donations provided to Your File System Inc. for the development of OpenAFS are used to cover the OpenAFS gatekeeper responsibilities;
providing support to the OpenAFS community via the OpenAFS mailing lists;
and furthering development of desired features that are either too small to be financed by development contracts.
</para>
<para>Your File System Inc. accepts software development agreements from organizations who wish to fund a well-defined set of bug fixes or new features. </para>
<para>Your File System Inc. provides contract based support for OpenAFS on all platforms.
</para>
</section>
<section>
<titleid="Direct_Code_Contributions">6.4. Direct contributions of code and/or documentation </title>
<para>Organizations that use OpenAFS in house and have development staffs are encouraged to contribute any code modifications they make to OpenAFS.org via openafs-bugs@openafs.org. Contributions of documentation are highly desired. </para>
<paraid="Introduction_to_MSI_Deployment">A MSI installer option is available for those who wish to use Windows Installer for installing OpenAFS and for organizations that wish to deploy OpenAFS through Group Policy. The first version of OpenAFS for Windows available as an MSI was 1.3.65.</para>
<para>This document provides a guide for authoring transforms used to customize the MSI package for a particular organization. Although many settings can be deployed via transforms, in an Active Directory environment it is advisable to deploy registry settings and configuration files through group policy and/or startup scripts so that machines where OpenAFS for Windows is already installed will pick up these customizations.</para>
<para>The information in this document applies to MSI packages distributed with OpenAFS for Windows releases from 1.3.65 and onwards or MSI packages built from corresponding source releases. Not all releases support all the configuration options documented here.</para>
<para>Authoring a "Windows Installer" transform requires additional software for editing the MSI database tables and generating the transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE which are included in the Windows Platform SDK ("Windows Installer" SDK) can be used for this purpose.</para>
<para>The remainder of this document assumes some familiarity with authoring transforms. While the MSDN documentation for Windows Installer is a bit dense, the guide on MSI transforms found at the second link above is recommended reading. MSDN also includes a step-by-step example for creating a transform at:</para>
<titleid="MSI_Authoring_Transforms">7.1.2 Authoring a Transform</title>
<para>Transforms describe a set of modifications to be performed on an existing MSI for the purpose of customizing it. This is ordinarily done by making a copy of the MSI to be customized, modifying the copy and then using the old and the new MSI to generate a transform. For example:</para>
<para>Transforms have an extension of .mst. 'msitran' is a tool distributed as part of the "Windows Installer" SDK (part of the Windows Platform SDK).</para>
<para>and then checking the resulting openafs-test.msi to see if all changes you have made above to openafs-modified.msi is present in openafs-test.msi. 'msitran' will complain if some modification in the transform can not be successfully applied.</para>
<para>As mentioned above, you can use a tool like ORCA.EXE to edit the MSI databases directly when editing openafs-modified.msi. More details are given below.</para>
<linklinkend="appendix_a">Appendix A</link> are present in the MSI. Most of these can be controlled by setting the corresponding properties to the desired value. Some settings may require modifying existing registry entries (though not recommended) or adding new resources (like files or registry keys). Instructions for performing these tasks are below.
<para>Most configurable properties correspond to registry keys or values. Due to the logic invoked based on the existence of these registry keys or values, they are only set if the associated property is defined to have a non null value. If the associated property is not defined in the MSI, the registry key or value will not be touched. By default, the MSI does not contain these properties and hence will not set the registry keys. You will need to add properties as needed to the MSI.</para>
<para>When one of the configurable properties is set, the installer will use the property value to set the corresponding setting in the HKEY_LOCAL_MACHINE registry hive. The HKEY_CURRENT_USER hive is not touched by the installer.</para>
<para>Strings are quoted using single quotes (e.g. 'a string'). An empty string is denoted as ''. Note that you can't author null values into the 'Property' table.</para>
<para>Select the 'Property' table from the list of tables on the left.</para>
</listitem>
<listitem>
<para>Find the property in the list of properties on the right, double click the value and type the new value.</para>
</listitem>
<listitem>
<para>If the property does not exist in the property list, right click the list and select 'Add Row', type the property name and the desired value.</para>
<linklinkend="appendix_a">Appendix A</link><linklinkend="Domain_Specific_Configuration">section 2.1 (Domain Specific Configuration keys for Network Provider)</link> for more details.
<para>This option is no longer supported as of 1.5.50 now that all file names are stored to AFS file servers using the UTF-8 encoding of Unicode.</para>
<para>These properties are combined to add a command line option to the shortcut that will be created in the Start:Programs:OpenAFS and Start:Programs:Startup folders (see CREDSSTARTUP). The method of specifying the option was chosen for easy integration with the Windows Installer user interface. Although other methods can be used to specify options to AFSCREDS.EXE, it is advised that they be avoided as transforms including such options may not apply to future releases of OpenAFS.</para>
<para>Controls whether AFSCreds.exe starts up automatically when the user logs on. When CREDSSTARTUP is '1' a shortcut is added to the 'Startup' folder in the 'Program menu' which starts AFSCREDS.EXE with the options that are determined by the other CREDS* properties.</para>
<para>You can change existing registry values subject to the restrictions mentioned in the Windows Platform SDK. Pay special attention to component key paths and try to only change the 'Value' column in the 'Registry' table. If you want to add additional registry keys please refer to section 3 (Additional resources).</para>
<para>The OpenAFS configuration files (CellServDB) can be replaced by your own configuration files. These files are contained in separate MSI components so that you can disable them individually.</para>
<para>The recommended method for replacing these files is to first disable the components containing the configuration files that you want to replace, and then add new components for the replacement files. This is outlined below (assuming you are using ORCA.EXE to author the transform).</para>
<para>Note that transforms are not a good way to add a new file as an embedded stream. The method outlined here places the file in the same directory as the MSI for deployment.</para>
<para>In the Component table, locate the component you need to change ( Ctrl-F invokes the 'Find' dialog). The component names are listed below in section
<linklinkend="MSI_Configuration_File_Components">7.2.3.1</link>. For this example, the component name is 'elf_CellServDB'.
<para>Note that the ComponentId is an uppercase GUID. You can generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of which are included in the Platform SDK.</para>
<para>The Attributes value of 144 is a sum of msidbComponentAttributesPermanent (16) and msidbComponentAttributesNeverOverwrite (128). This ensures that local modifications are not overwritten or lost during an installation or uninstallation. These are the same settings used on the default configuration files.</para>
<para> 'fil_my_CellServDB' is a key into the 'File' table which we will fill later.</para>
<para>It is important to create the new feature under the 'feaClient' feature, which will ensure that the configuration file will be installed when the client binaries are installed.</para>
<para>Setting 'Display' to 0 will hide this feature from the feature selection dialog during an interactive installation. A value of 30 for 'Level' allows this feature to be installed by default (on a 'Typical' installation).</para>
<para>The 'Attributes' value is msidbFeatureAttributesDisallowAdvertise (8), which is set on all features in the OpenAFS MSI. The OpenAFS MSI is not designed for an advertised installation.</para>
<para>The 'Attributes' value is msidbFileAttributesNonCompressed (8192). This is because we will be placing this file in the same directory as the MSI instead of embedding the file in it. Transforms do not support updating compressed sources or adding new cabinet streams.</para>
<para>Finally, the 'Sequence' value of 1000 will be used later to distinguish the file as being in a separate source location than the other files in the MSI.</para>
<para>The example adds domain specific keys for 'ATHENA.MIT.EDU' (enable integrated logon) and 'LOCALHOST' (disable integrated logon and fail logins silently).</para>
<para>Following is an example for adding site specific Freelance registry keys to pre-populate the Mountpoints and Symlinks in the fake root.afs volume.</para>
<para>The example adds a read-only mountpoint to the athena.mit.edu cell's root.afs volume as well as a read-write mountpoint. Aliases are also provided using symlinks.
<para>If you want to add registry keys or files you need to create new components and features for those. Refer to the Windows Platform SDK for details.</para>
<para>It is beyond the scope of this document to provide a comprehensive overview of how to add new resources through a transform. Please refer to the "Windows Installer" documentation for details. The relevant section is at :</para>
<para>Add new features under the 'feaClient' or 'feaServer' as appropriate and set the 'Level' column for those features to equal the 'Level' for their parent features for consistency. Note that none of the features in the OpenAFS for Windows MSI package are designed to be installed to run from 'source' or 'advertised'. It is recommended that you set 'msidbFeatureAttributesFavorLocal' (0), 'msidbFeatureAttributesFollowParent' (2) and 'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new features.</para>
<para>If you are creating new components, retain the same component GUID when creating new transforms against new releases of the OpenAFS MSI package.</para>
<para>After making the adjustments to the MSI database using ORCA.EXE you can generate a transform with MSITRAN.EXE as follows :</para>
<para>(Modified MSI package is 'openafs-en_US_new.msi' and the original MSI package is 'openafs-en_US.msi'. Generates transform 'openafs-transform.mst')</para>
<para>The MSI package is designed to uninstall previous versions of OpenAFS for Windows during installation. Note that it doesn't directly upgrade an existing installation. This is intentional and ensures that development releases which do not have strictly increasing version numbers are properly upgraded.</para>
<para>Note that versions of the OpenAFS NSIS package prior to 1.3.65 had a bug where it couldn't be uninstalled properly in unattended mode. Therefore the MSI package will not try to uninstall an OpenAFS NSIS package if running unattended. This means that group policy based deployments will fail on machines that have the OpenAFS NSIS package installed.</para>
<para>If you have used a different MSI package to install OpenAFS and wish to upgrade it you can author rows into the 'Upgrade' table as described in the Platform SDK.</para>
<para>When performing an upgrade with msiexec.exe execute the MSI with the repair options "vomus".</para>
<para>LAN adapter number to use. This is the lana number of the LAN adapter that the SMB server should bind to. If unspecified or set to -1, a LAN adapter with named 'AFS' or a loopback adapter will be selected. If neither are present, then all available adapters will be bound to. When binding to a non-loopback adapter, the NetBIOS name hostname%-AFS' will be used (where %hostname% is the NetBIOS name of the host truncated to 11 characters). Otherwise, the NetBIOS name will be 'AFS'.</para>
<para>If enabled (set to 1), the Logoff Event handler will not attempt to delete the user's tokens if the user's profile is stored outside of AFS.</para>
<para>Name of root mount point. In symlinks, if a path starts with cm_mountRoot, it is assumed that the path is absolute (as opposed to relative) and is adjusted accordingly. Eg: if a path is specified as /afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a path does not start with with cm_mountRoot, the path is assumed to be relative and suffixed to the reference directory (i.e. directory where the symlink exists)</para>
<para>Location of on-disk cache file. The default is the SYSTEM account's TEMP directory. The attributes assigned to the file are HIDDEN and SYSTEM.</para>
<para>When this registry value is set to a non-zero value, the CachePath value is ignored and the cache data is stored in the windows paging file. This disables the use of persistent caching and the ability to maintain a single UUID for the AFS client service across restarts.</para>
<para>Specifies the NetBIOS name (or SMB Server Name) to be used when binding to a Loopback adapter. To provide the old behavior specify a value of "%COMPUTERNAME%-AFS".</para>
<para>Select whether or not this AFS client should act as a gateway. If set and the NetBIOS name hostname-AFS is bound to a physical NIC, other machines in the subnet can access AFS via SMB connections to hostname-AFS.</para>
<para>When IsGateway is non-zero, the LAN adapter detection code will avoid binding to a loopback adapter. This will ensure that the NetBIOS name will be of the form hostname-AFS instead of the value set by the "NetbiosName" registry value.</para>
<para>If enabled, all SMB sessions created are recorded in the Application event log. This also enables other events such as drive mappings or various error types to be logged.</para>
<para>Provides an initial value for "fs sysname". The string can contain one or more replacement values for @sys in order of preference separated by whitespace.</para>
<para>If set to anything other than 0, that value is used as the maximum send and receive MTU supported by the RX interface.</para>
<para>In order to enable OpenAFS to operate across releases of the Cisco IPSec VPN client prior than 5.0, this value must be set to 1264 or smaller.</para>
<para>The Hard Dead Time is enforced to be at least double the ConnDeadTimeout. The provides an opportunity for at least one retry. </para>
<para>The value 0 seconds means that the real timeout should be set to be equal to the minimum SMB timeout which can be configured in the registry at: </para>
<para>By setting this value to 0, the "\\NetbiosName\all" mount point will not be created. This allows the read-write versions of root.afs to be hidden.</para>
<para>If this value is specified, it defines the type of SMB authentication which must be present in order for the Windows SMB client to connect to the AFS Client Service's SMB server. The values are:</para>
<para>This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log file. If the file is larger than this value when afsd_service.exe starts the file will be reset to 0 bytes. If this value is 0, it means the file should be allowed to grow indefinitely.</para>
<para>This value controls how frequently the AFS cache manager checks offline volumes to see if they have come back online. At the same time volumes which were determined to be busy have their state reset to online.</para>
<para>This value specifies which port number should be used for receiving callbacks from the file server. The standard AFS Callback port is 7001. Alternative values can be useful if the client is behind a NAT and a permanent port mapping for the client is being configured.</para>
<para>Determines whether or not the AFS Cache Manager will permit files marked with the "Read Only" DOS attribute to be deleted or not. For compatibility with Explorer, the default is ‘no'.</para>
<para>0: do not permit "Read Only" files to be deleted.</para>
<para>1: delete files that have the "Read Only" attribute set without complaint.</para>
<para>The AFS Cache Manager will pre-fetch the entire contents of any file whose name matches ends with one of the specified extensions. This option is intended for use primarily with executables and dynamic link libraries that should be fully cached prior to a machine losing its connection with the file server.</para>
<para>Determines whether or not cached data from .readonly volumes is considered valid even if a callback cannot be registered with a file server. This option is meant to be used by organizations for whom .readonly volume content very rarely changes (if ever.)</para>
<para>0: do not treat offline .readonly content as valid</para>
<para>1: treat offline .readonly content as valid</para>
<para>Determines whether or not the AFS Cache Manager will give up all callbacks prior to the service being suspended or shutdown. Doing so will have significant performance benefits for the file servers. However, file servers older than 1.4.6 can become unstable if the GiveUpAllCallBacks RPC is executed.</para>
<para>0: do not perform GiveUpAllCallBacks RPCs</para>
<para>Determines whether or not the AFS Cache Manager will give preference to .backup volumes when following mount points that originate in a .backup volume.</para>
<para>0: do not prefer .backup volumes when the mount point originates in a .backup volume.</para>
<para>1: prefer .backup volumes when the mount point originates in a .backup volume.</para>
<para>Specifies the directory containing the CellServDB file. When this value is not specified, the ProgramData directory is searched and if the CellServDB file is not found, the AFS Client install directory is used.</para>
<para>This value can be used to disable the runtime verification of the digital signatures applied to afsd_service.exe and the OpenAFS DLLs it loads. This test is performed to verify that the DLLs which are loaded by afsd_service.exe are from the same distribution as afsd_service.exe. This is to prevent random errors caused when DLLs from one distribution of AFS are loaded by another one. This is not a security test. The reason for disabling this test is to free up additional memory which can be used for a large cache size.</para>
<para>This value can be used to debug the cause of pioctl() failures. Set a non-zero value and the pioctl() library will output status information to stdout. Executing command line tools such as tokens.exe, fs.exe, etc can then be used to determine why the pioctl() call is failing. </para>
<para>This value is used to specify the type of minidump generated by afsd_service.exe either when the process crashes or when a user initiated is dump file is generated with the "fs.exe minidump" command.</para>
<para>Valid values are dependent on the version of DbgHelp.dll installed on the machine. The best version to use is not the version that comes with the operating system but the version that is included in the most recent release of "
<ulinkurl="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">Microsoft Debugging Tools for Windows</ulink>". See the Microsoft Developer Library for further information.
<para>This value determines the size of SMB Asynchronous Store operations.This value can be used to increase the write performance on higher speed networks by increasing the value. The value must be a multiple of the cache buffer block size and cannot be larger than the cache manager chunk size. The specified value will be adjusted to enforce its compliance with these restrictions.</para>
<para>This value can be used to force the AFS Client Service to store filenames using the Windows system's ANSI character set instead of the OEM Code Page character set which has traditionally been used by SMB file systems. </para>
<para>Note: The use of ANSI characters will render access to files with 8-bit OEM file names inaccessible from Windows. This option is of use primarily when you wish to allow file names produced on Windows to be accessible from Latin-1 UNIX systems and vice versa.</para>
<para>This value is ignored now that all file names are processed as Unicode and stored on the file server as UTF-8.</para>
<para>This key is used to map SMB/CIFS shares to Client Side Caching (off-line access) policies. For each share one of the following policies may be used: "manual", "programs", "documents", "disable". </para>
<para>These values used to be stored in afsdsbmt.ini</para>
<para>At the present time the <emphasis>CellServDB</emphasis> key contains no values; only subkeys. Each subkey is the name of a <emphasis>Cell</emphasis>. For example, <emphasis>grand.central.org</emphasis>.
<para>The actual name of the <emphasis><cellname></emphasis> key is the full name of the cell whose configuration is being specified. The <emphasis><cellname></emphasis> key contains both values and subkeys. Each subkey represents a single host name or IP address. When a host is to be known by more than one name or IP address, a separate subkey should be created for each.
Unlike the <cellname> key name, the <server> key names do not have to be actual host names.</para>
<para>Default: 0 if <server> subkeys exist; 1 otherwise</para>
<para>When set to 1 all server configuration provided in the registry or the <emphasis>CellServDB file</emphasis> is ignored and DNS AFSDB lookups are used instead.</para>
<para>This value names an alternative cell to which this cell should be linked. When two cells are linked by the OpenAFS client, volume lookups that fail in the specified cell will be searched for in the linked cell
and when tokens are requested for one of the cells they will be obtained for both.
This functionality can be used for example to develop a test cell that is equivalent to a production cell with the exception that it substitutes test versions of volumes
for the production versions. Another use is to assist in the transition from one cell name to another.</para>
<para>The actual name of the <emphasis><server></emphasis> key may be a fully qualified domain name of the server whose configuration is being specified.
<para>This value is used to specify a fully qualified domain name appropriate that matches either a DNS A or DNS CNAME record. If provided, this value supercedes
the name of the <server> key. It is recommended that the value of this field be terminated with a period in order to avoid the use of domain substitution
<para>This key is used to store dot terminated mount point strings for use in constructing the fake root.afs volume when Freelance (dynamic roots) mode is activated.</para>
<para>This key is used to store a dot terminated symlink strings for use in constructing the fake root.afs volume when Freelance (dynamic roots) mode is activated.</para>
<para>The Realms key is used to provide initialization data to be used when new identities are added to the Network Identity Manager. The AFS Provider will search for a subkey that matches the realm of the identity. If such a key exists, its values will be used to populate the AFS configuration for the identity.</para>
<para>This key is used to specify whether the new identity should be configured to obtain AFS credentials. In general, it is only specified when disabling the acquisition of AFS credentials is desired. The default is to obtain AFS credentials.</para>
<para>This key is used to specify the token acquisition method to be used. When unspecified, the AFS provider will automatically try Kerberos v5 and then Kerberos v5 (if available). As of this writing valid method names include "Auto", "Kerberos5", "Kerberos524", "Kerberos4".</para>
<para>Note: Kerberos524 and Kerberos4 cannot be used with 64-bit Kerberos for Windows.</para>
<para>This key is used to specify the realm to be used when acquiring AFS tokens. If not specified, the realm will be determined by performing a domain to realm mapping on the domain of a random volume location database server for the cell.</para>
<para>This key is used to store mappings of UNIX style AFS paths to submount names which can be referenced as UNC paths. For example the submount string "/athena.mit.edu/user/j/a/jaltman" can be associated with the submount name "jaltman.home". This can then be referenced as the UNC path \\AFS\jaltman.home.</para>
<para>These values used to be stored in afsdsbmt.ini</para>
<para>NOTE: Submounts should no longer be used with OpenAFS. Use the Windows Explorer to create drive mappings to AFS UNC paths instead of using the AFS Submount mechanism.</para>
<para>This key is used to specify a default set of VLDB server preferences. For each entry the value name will be either the IP address of a server or a fully qualified domain name. The value will be the ranking. The ranking will be adjusted by a random value between 0 and 15 prior to the preference being set.</para>
<para>This key is used to specify a default set of File server preferences. For each entry the value name will be either the IP address of a server or a fully qualified domain name. The value will be the ranking. The ranking will be adjusted by a random value between 0 and 15 prior to the preference being set.</para>
<para>Specifies the service groups upon which the AFS Client Service depends. Windows should not attempt to start the AFS Client Service until all of the services within these groups have successfully started.</para>
<para>Specifies a list of services upon which the AFS Client Service depends. Windows should not attempt to start the AFS Client Service until all of the specified services have successfully started.</para>
<para>When MIT Kerberos for Windows can be loaded, Kerberos v5 will be used to obtain AFS credentials. By setting this value to 0, the internal Kerberos v4 implementation will be used instead. The current user value is checked first; if it does not exist the local machine value is checked.</para>
<para>Kerberos v5 principal names are traditionally mapped to Kerberos v4 names by the AFS servers before they can be looked up in the Protection database. The mapping algorithm used permits collisions to occur. Both of the Kerberos v5 names, "user.admin@REALM" and "user/admin@REALM" are interpreted as the same user identity within the cell. To enable both names to be sent to the server by AFSCreds or Integrated Logon, set this value to 1.</para>
<para>When MIT Kerberos for Windows can be loaded, Kerberos v5 will be used to obtain AFS credentials. By setting this value to 1, the Kerberos v5 tickets will be converted to Kerberos v4 tokens via a call to the krb524 daemon. The current user value is checked first; if it does not exist the local machine value is checked.</para>
<para>This value specifies the command line options which should be set as part of the shortcut to afscreds.exe. afscreds.exe rewrites the shortcut each time it exits so as to ensure that the shortcut points to the latest version of the program. This value is used to determine which values should be used for command line parameters. The current user value is checked first; if it does not exist the local machine value is checked.</para>
<para>The following subset of the command line options is appropriate for use in this registry setting:</para>
<simplelisttype="vert"><member> "OFF" disables the use of RPC encryption </member><member>any other value allows RPC encryption to be used</member></simplelist></para>
