STABLE14-windows-notes-remove-20050925

remove files whose contents are now maintained in the HTML files
src/WINNT/doc/...


(cherry picked from commit da213bfa2904bdb3899982640822e9434d515b6c)
Jeffrey Altman 2005-09-26 02:10:45 +00:00
parent 548176864a
commit 8d2f5431ac
3 changed files with 0 additions and 2456 deletions


@ -1,800 +0,0 @@
OpenAFS for Windows 1.4.0000 Installation Notes
-----------------------------------------------
OpenAFS for Windows 1.4.0000 is the best client available for
Microsoft Windows operating systems. It can be installed either as
a new installation or an upgrade from previous versions of OpenAFS
for Windows or IBM AFS for Windows. Installers are provided in two
forms:
* an executable (.exe) that is based upon the Nullsoft Scriptable
Installation System, or
* a Windows Installer package (.msi) that is built using WiX and
can be customized for organizations via the use of MSI Transforms
(see msi-deployment-guide.txt)
System Requirements:
Operating System: Windows 2000, 2000 Server, XP Home, XP Pro, 2003 Server.
64-bit versions of Windows and Windows Vista are not supported in this
release.
Disk Space: up to 60mb required for the OpenAFS binaries plus 100MB
for the default AFSCache file. (The size of the AFSCache file may
be adjusted via the Registry after installation.)
Additional Softare: MIT Kerberos for Windows 2.6.x if Kerberos 5
authentication support is desired.
1. The Kerberos 4 infrastructure on which the 1.2 series is reliant is no
longer secure. Cross-realm Kerberos is very important in the AFS context and
most sites have or are migrating to Kerberos 5 environments. The 1.3 series
integrates with the MIT Kerberos for Windows 2.6.x product to provide Kerberos
5 functionality including the ability to auto-renew credentials and obtain
single sign-on capabilities with the Microsoft Windows Kerberos Logon Service.
As of 1.3.65, the OpenAFS client will directly use Kerberos 5 tickets as
tokens if KFW is installed. The client requires that all of the AFS Servers
with which it communicates support the use of Kerberos 5 tickets as tokens
(aka 2b tokens). This means that all of the AFS servers must be running
OpenAFS release 1.2.8 or higher. Transarc servers do not support Kerberos 5
tickets as tokens.
When using a Microsoft Windows Active Directory as the KDC which issues the
service ticket for the AFS cell there are two things to consider. First, the
Kerberos 5 tickets issued by Active Directory can be quite large when compared
to tickets issued by a traditional KDC due to the incorporation of
authorization data in the PAC. If this is your situation you either must
modify your 1.2.x servers to support tokens larger than a few hundred bytes;
or install the 1.3.64 or higher release on your servers. Second, Windows 2003
Active Directory will issue service tickets utilizing the DES-CBC-MD5 enctype.
OpenAFS releases older than 1.3.64 will not properly support this enctype.
2. The AFS Client Service does not provide robust behavior in an environment
with a plug-n-play network environment. Changes to the number of network
adapters or the assigned IP addresses will cause the service to panic. The
recommended work around for this problem is to install the Microsoft Loopback
Adapter on the machine. When the MLA is installed with a static IP address
the AFS Client Service will bind only to the loopback and not be affected by
changes to state of other network adapters installed on the system.
Starting in the 1.3.65 release the installers provided by OpenAFS.org will
install the Microsoft Loopback Adapter for you with a name of "AFS" and a
pre-assigned IP address in the 10.x.x.x range.
One of the benefits of using the MLA is that the NETBIOS names used for the
AFS Client's SMB server do not have to be published on any adapter other than
the MLA. This means that the names no longer need to be unique. When the MLA
is in use, the NETBIOS name associated with the AFS Client Service is simply
"AFS". When the MLA is not in use the NETBIOS name is "MACHINE-AFS".
When the MLA is installed, UNC paths of the form \\AFS\cellname\path may be
used.
The MLA is installed with a binding to "Client for Microsoft Networks" but not
to "File and Printer Sharing for Microsoft Networks". If you fail to bind
"Client Microsoft Networks" you will not be able to access the AFS Client
Service when the machine is disconnected from the network. If you bind "File
and Printer Sharing ..." there will be a service type collision between the
name "AFS" and the name of the machine on the published IP Address. This will
result in a failure to be able to access files in AFS. The "NET VIEW" command
will return a "System Error 52" message when this conflict exists. To correct
the problem:
* stop the AFS Client Service
* bind the "Client for Microsoft Networks" to the MLA
* unbind "File and Printer Sharing for Microsoft Networks" from the MLA
* Disable and then Enable the MLA
* start the AFS Client Service
3. Traditionally, when the AFS Client Service starts it must be able to access
the "root.afs" volume of the default cell. The "root.afs" volume contains a
set of read-only and read-write mount points to the "root.cell" volumes of
various cells the administrator of the default cell believes should be
accessible. If the "root.afs" volume is inaccessible when the client service
is started, the service will panic. Since many users now use laptops or
otherwise operate in disconnected environments in which a VPN may be needed to
access the cell's servers, it is often the case that the "root.afs" volume for
the default cell is not reachable and the AFS Client Service will not
successfully start.
The OpenAFS Client Service now supports a fake "root.afs" volume which is
dynamically constructed when the service starts. This mode is called
Freelance mode. Freelance mode is turned on by default.
The contents of the fake "root.afs" volume are constructed dynamically as
cells are accessed. When the fake "root.afs" volume is constructed it will
only contain two mount points: a read-only and read-write mount point used to
access the "root.cell" volume of the default AFS cell. Any attempt to access
a valid cell name will automatically result in a new mount point being created
in the fake "root.afs" volume. If the cellname begins with a "." the mount
point will be read-write; otherwise the mount point will be read-only. These
mount points are preserved in the registry at key:
HKLM\SOFTWARE\OpenAFS\Client\Freelance
Additional mount points may be manually created using the "fs mkmount"
command. Mount points may be removed using the "fs rmmount" command.
>fs mkmount \\AFS\all\athena.mit.edu root.cell athena.mit.edu
>fs mkmount \\AFS\all\.athena.mit.edu root.cell athena.mit.edu -rw
>fs rmmount \\AFS\all\athena.mit.edu
>fs rmmount \\AFS\all\.athena.mit.edu
Beginning in 1.3.74, the Freelance fake root.afs volume will support the
creation of symlinks.
>symlink make \\afs\all\link \\afs\all\athena.mit.edu\user\j\a\jaltman
>symlink list \\afs\all\link
'\\afs\all\link' is a symlink to 'athena.mit.edu\user\j\a\jaltman'
>symlink rm \\afs\all\link
The symlinks are stored in the registry at:
HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks
4. The OpenAFS for Windows client will use AFSDB DNS records to discover cell
information when it is not located in the local CellServDB file
(\%PROGRAMFILES%\OpenAFS\Client\CellServDB).
5. OpenAFS for Windows 1.3.72 only supports Windows 2000, Windows XP, and
Windows 2003. Windows NT 4.0 and the entire Windows 9x/Me line are no longer
supported. Older releases of OpenAFS are available for download if those
operating systems must be supported. The last version with support for Win9x
is 1.2.2b. The last version with support for Windows NT 4.0 is 1.2.10.
6. OpenAFS for Windows installs a WinLogon Network Provider to provide
Integrated Logon (Single Sign-on) functionality. Integrated Logon can be used
when the Windows username and password match the username and password
associated with the default cell's Kerberos realm. For example, if the
windows username is "jaltman" and the default cell is "athena.mit.edu", then
Integrated Logon can be successfully used if the windows password matches the
password used for the Kerberos principal "jaltman@ATHENA.MIT.EDU".
Integrated Logon is required if you desire the ability to store roaming user
profiles within the AFS file system. OpenAFS does not provide tools for
synchronizing the Windows and Kerberos user accounts and passwords.
If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
tokens. Otherwise, Kerberos 4 is used.
There is a High Security mode for use with Integrated Logon when multiple
users will share a single machine. There are known problems with this mode.
In particular, if you are using this mode it is crucial that new AFS tokens
not be obtained after the logon session starts except via the AFS Systray tool
as started by the AFS Network Provider. If the AFS Systray tool is stopped
you must log off to obtain new tokens. Do not use external tools such as
"aklog.exe" if High Security mode is turned on. As of 1.3.70, OpenAFS supports
Authenticated SMB connections which removes the need for High Security mode.
DO NOT USE IT!!!!!
Starting in 1.3.83, when Integrated Logon is used in conjunction with KFW, the
Kerberos 5 tickets obtained during the process of generating AFS tokens are
preserved and stored into the default ccache within the user logon session.
What Integrated Logon does not do:
(a) Integrated Logon does not have the ability to cache the user's
username and password for the purpose of obtaining tokens if the
Kerberos KDC is inaccessible at logon time.
7. The AFS Systray tool (afscreds.exe) supports several command line
options:
-A = autoinit
-E = force existing afscreds to exit
-I = install startup shortcut
-M = renew drive maps
-N = IP address change detection
-Q = quiet mode. do not display start service dialog
if afsd_service is not already running
-S = show tokens dialog on startup
-U = uninstall startup shortcut
-X = test and do map share
-Z = unmap drives
-: = magic parameter for high security mode
autoinit will result in automated attempts to acquire AFS tokens when
afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored
in the MSLSA credentials cache; any existing CCAPI credentials cache; and
finally display an Obtain Tokens dialog to the user. When used in combination
with IP address change detection, afscreds.exe will attempt to acquire AFS
tokens whenever the IP address list changes and the Kerberos KDC is
accessible.
The renew drive maps option is used to ensure that the user drive maps
constructed via the AFS tools (not NET USE) are re-constructed each time
afscreds.exe is started.
By default afscreds.exe is configured by the OpenAFS.org installers to use -A
-N -M -Q as startup options. Currently, there is no UI to change this
selection after install time although these options may be altered via the
registry either per machine or per user. See AfscredsShortcutParams in
registry.txt.
8. As of 1.3.71, the OpenAFS for Windows client supports a local Windows
authorization group called "AFS Client Admins". This group is used in place
of the "Administrators" group to determine which users are allowed to modify
the AFS Client Service configuration via either afs_config.exe or fs.exe. For
example, the following fs.exe commands are now restricted to members of the
"AFS Client Admins" group:
- checkservers with a non-zero timer value
- setcachesize
- newcell
- sysname with a new sysname list
- exportafs
- setcell
- setserverprefs
- storebehind
- setcrypt
- cscpolicy
- trace
Setting the default sysname for a machine should be done via the registry and
not via "fs sysname".
The local "SYSTEM" account is always a member of the "AFS Client Admins"
group.
The initial membership of the "AFS Client Admins" group when created by the
installer is equivalent to the local "Administrators" group. If a user is
added to the "Administrators" group after the creation of the "AFS Client
Admin" group, that user will not be an AFS Client Administrator. Only users
that are members of the "AFS Client Admins" group are AFS Client
Administrators.
9. The AFS Client should support UNC paths everywhere. Power users that make
extensive use of the command line shell, cmd.exe, might want to consider using
JP Software's 4NT command processor. Unlike cmd.exe, 4NT does fully support
UNC paths and can use a UNC path as the default device.
10. The AFS Client ships with its own version of aklog.exe which should be
used in preference to those obtained by third party sources. The OpenAFS
aklog.exe supports Kerberos 5 as well as the ability to auto-generate pts IDs
for user's obtaining tokens to foreign cells.
Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
[[-p | -path] pathname]
[-noprdb] [-force]
[-5 | -4]
-d gives debugging information.
krb_realm is the kerberos realm of a cell.
pathname is the name of a directory to which you wish to authenticate.
-noprdb means don't try to determine AFS ID.
-5 or -4 selects whether to use Kerberos V or Kerberos IV.
(default is Kerberos V)
No commandline arguments means authenticate to the local cell.
11. The AFS Server functionality provided with OpenAFS 1.3.72 might work but
should be considered highly experimental. It has not been thoroughly tested.
Any data which would cause pain if lost should not be stored in an OpenAFS
Server on Windows.
A few notes on the usage of the AFS Client Service if it is going to be
used with the OpenAFS AFS Server:
(a) When the AFS Server is installed Freelance mode must be turned off.
(b) The AFS Server and related tools only support the built in kaserver
(Kerberos IV). If the AFS Server is being used, MIT Kerberos for Windows
should not be used.
12. The OpenAFS for Windows installers now include Symbol information which
should be installed if you are experiencing problems and need to send crash
reports. This is true in both the release and the debug versions of the
installers. The differences between the release and debug versions are
whether or not the binaries were compiled with optimization; whether the debug
symbols are installed by default; and whether additional debug statements were
compiled into the binaries.
13. OpenAFS for Windows does not support files larger than 2GB. This is due
to the lack of support for the Unicode version of the SMB/CIFS protocol.
14. Local RPC is used as the default RPC mechanism for setting tokens. TCP
RPC is required to be installed and is used for debugging and other functions.
15. The OpenAFS for Windows installer by default activates a weak form of
encrypted data transfer between the AFS client and the AFS servers. This is
often referred to as "fcrypt" mode.
16. OpenAFS 1.3.71 adds support for authenticated SMB connections using either
NTLM or GSS SPNEGO (NTLM, Kerberos 5, ...). In previous versions of OpenAFS
the SMB connections were unauthenticated which left open the door for several
security holes which could be used to obtain access to other user's tokens on
shared machines. With the introduction of authenticated SMB connections the
so called High Security mode should no longer be used.
When GSS SPNEGO results in a Kerberos 5 authentication, the Windows SMB client
will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback
adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not
being used). It is extremely important that this service principal not exist
in the KDC database. If the request for this ticket fails, a subsequent
request for "cifs/HOST$@REALM" will be issued. This service principal should
exist in the KDC database. The key associated with this service principal
must match the key assigned to "host/machine@REALM". If the local machine is
part of a Windows Domain this will all be taken care of for you. If the local
machine is using a non-MS KDC for authentication, then your KDC administrator
will have to add these service principals to the list of principals to be
maintained for each host.
17. As of 1.3.70, INI files are no longer used for the storage of AFS
configuration data. No longer are there any AFS related files stored in the
%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini"
and it is stored in the OpenAFS\Client directory. The afs_freelance.ini and
afsdsbmt.ini file data has been moved to the registry.
IMPORTANT: while the CellServDB file location and freelance mountpoint data
will be automatically migrated; there is no mechanism for automatic migration
of Submounts, Drive Mappings, Active Maps, and CSCPolicy data.
18. As of 1.3.70, the OpenAFS Client is compatible with Windows XP SP2 and
Windows 2003 SP1. The Internet Connection Firewall will be automatically
adjusted to allow the receipt of incoming callback messages from the AFS file
server. In addition, the appropriate Back Connection entries are added to the
registry to allow SMB authentication to be performed across the loopback
connection.
19. As of 1.3.70, the OpenAFS Client Service supports the CIFS Remote Admin
Protocol which provides browsing of server and share information. This
significantly enhances the interoperability of AFS volumes within the Explorer
Shell and Microsoft Office applications.
20. OpenAFS will now automatically forget a user's tokens upon Logoff unless
the user's profile was loaded from an AFS volume. In this situation there is
no mechanism to determine when the profile has been successfully written back
to the network. It is therefore unsafe to release the user's tokens. Whether
or not the profile has been loaded from the registry can be determined for
Local Accounts, Active Directory accounts and NT4 accounts.
If there is a need to disable this functionality, the LogoffPreserveTokens
registry value (see registry.txt) can be used.
21. Terminal Server installations.
When installing the NSIS (.exe) installer under Terminal Server, you must
execute it from within the Add/Remove Programs Control Panel. Failure to do
so will result in AFS not running properly. The AFS Server should not be
installed on a machine with Terminal Server installed.
22. AFS is a Unix native file system. As such the OpenAFS client attempts to
treat the files stored in AFS as they would be on Unix. File and directory
names beginning with a "." are automatically given the Hidden attribute so
they will not normally be displayed.
23. Some organizations which have AFS cell names and Kerberos realm names
which differ by more then just lower and upper case rely on a modification to
krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4 ticket
in realm BAR. This allows user@FOO to appear to be user@bar for the purposes
of accessing the AFS cell. As of OpenAFS 1.2.8, support was added to allow
the immediate use of Kerberos 5 tickets as AFS (2b) tokens. This is the first
building block necessary to break away from the limitations of Kerberos 4 with
AFS. By using Kerberos 5 directly we avoid the security holes inherent in
Kerberos 4 cross-realm. We also gain access to cryptographically stronger
algorithms for authentication and encryption.
Another reason for using Kerberos 5 directly is because the krb524 service
runs on a port (4444) which has become increasingly blocked by ISPs. The port
was used to spread a worm which attacked Microsoft Windows in the summer of
2003. When the port is blocked users find that they are unable to
authenticate.
Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all
situations except when the cell name does not match the realm name and the
principal names placed into the ACLs are not the principal names from the
Kerberos 5 ticket. To support this transition, OpenAFS for Windows in 1.3.72
adds a new registry value to force the use of krb524d. However, the
availability of this option should only be used by individuals until such time
as their organizations can provide a more permanent solution.
24. The Status Cache (AFS Config Control Panel: Advanced Page) is defined to
have a maximum number of entries. Each entry represents a single file or
directory entry accessed within the AFS file system. When the maximum number
of entries are allocated, entries will begin to be reused according to a least
recently used (LRU) algorithm. If the number of files or directories being
accessed repeatedly by your applications is greater then the maximum number of
entries, your host will begin to experience thrashing of the Status Cache and
all requests will result in network operations.
If you are experiencing poor performance you might want to increase the
maximum number of Status Cache entries. Each entry requires approximately
1.2K. Note that the default number of Status Cache entries was increased to
10,000 starting in 1.3.80.
25. "Netbios over TCP/IP" must be active on the machine in order for
communication with the AFS Client Service to succeed. If "Netbios over
TCP/IP" is disabled on the machine, then communication with the AFS Client
Service will be impossible.
26. The AFS Client Service and related binaries are digitally signed by
"Secure Endpoints Inc." beginning with the 1.3.7400 release of OpenAFS for
Windows. Starting in the 1.3.7500 release, the AFS Client Service will
perform a run-time verification check to ensure that all AFS related DLLs
loaded by the service match the same file version number and were signed by
the same entity. This check has been added to prevent the stability problems
caused by more then one version of AFS being installed on a machine at the
same time. Many hours of support time have been wasted tracking down problems
caused by the mixture of files from different releases.
The registry.txt file documents the "VerifyServiceSignature" registry value
which can be used to disable the signature check. The file version check
cannot be disabled.
27. The maximum cache size is approximately 1.3GB. This is the largest
contiguous block of memory in the 2GB process address space which can be used
for the memory mapped file. Due to fragmentation of the process spaced caused
by the digital signature verification code, any attempt to specify a cache
size greater then 700MB will result in the automatic disabling of the
signature check.
28. OpenAFS for Windows implements an SMB server which is used as a gateway to
the AFS filesystem. Because of the use of SMB, Windows stores all files into
AFS using the OEM code pages such as CP437 (United States) or CP850 (Western
Europe). These code pages are incompatible with the ISO Latin-1 character set
typically used as a default on Unix systems in both the United States and
Western Europe. Filenames stored by OpenAFS for Windows are therefore
unreadable on Unix systems if they include any of the following characters:
[Ç] 128 08/00 200 80 C cedilla
[ü] 129 08/01 201 81 u diaeresis
[é] 130 08/02 202 82 e acute
[â] 131 08/03 203 83 a circumflex
[ä] 132 08/04 204 84 a diaeresis
[à] 133 08/05 205 85 a grave
[å] 134 08/06 206 86 a ring
[ç] 135 08/07 207 87 c cedilla
[ê] 136 08/08 210 88 e circumflex
[ë] 137 08/09 211 89 e diaeresis
[è] 138 08/10 212 8A e grave
[ï] 139 08/11 213 8B i diaeresis
[î] 140 08/12 214 8C i circumflex
[ì] 141 08/13 215 8D i grave
[Ä] 142 08/14 216 8E A diaeresis
[Å] 143 08/15 217 8F A ring
[É] 144 09/00 220 90 E acute
[æ] 145 09/01 221 91 ae diphthong
[Æ] 146 09/02 222 92 AE diphthong
[ô] 147 09/03 223 93 o circumflex
[ö] 148 09/04 224 94 o diaeresis
[ò] 149 09/05 225 95 o grave
[û] 150 09/06 226 96 u circumflex
[ù] 151 09/07 227 97 u grave
[ÿ] 152 09/08 230 98 y diaeresis
[Ö] 153 09/09 231 99 O diaeresis
[Ü] 154 09/10 232 9A U diaeresis
[ø] 155 09/11 233 9B o slash
[£] 156 09/12 234 9C Pound sterling sign
[Ø] 157 09/13 235 9D O slash
[×] 158 09/14 236 9E Multiplication sign
[ƒ] 159 09/15 237 9F Florin sign
As of 1.3.75, a new registry value, HKLM\SOFTWARE\OpenAFS\Client
"StoreAnsiFilenames" can be set to instruct OpenAFS for Windows to store
filenames using the ANSI Code Page instead of the OEM Code Page. The ANSI
Code Page is a compatible superset of Latin-1. This setting is not the
default setting because making this change would prevent OpenAFS for Windows
from being able to access filenames containing the above characters which were
created without this setting.
29. There is a known issue with storing Windows Roaming Profiles when the
profile contains either directories or files with names which cannot be
represented in the local OEM character set. In this case, attempts to write
the profile back to AFS will fail. OpenAFS for Windows does not currently
support UNICODE. To avoid this problem some sites run logoff scripts
(assigned by group policy) which rename all files to use only the supported
characters for the locale.
30. As of 1.3.80 the AFS Cache file is stored by default at %TEMP%\AFSCache in
a persistent file marked with the Hidden and System attributes. The
persistent nature of the data stored in the cache file improves the
performance of OpenAFS by reducing the number of times data must be read from
the AFS file servers.
31. Integrated Login (as of 1.3.80) supports the ability to obtain tokens for
multiple cells. See the "TheseCells" value in registry.txt.
32. New command line tool:
afsdacl : Set or reset the DACL to allow starting or stopping
the afsd service by any ordinary user.
Usage : afsdacl [-set | -reset] [-show]
-set : Sets the DACL
-reset : Reset the DACL
-show : Show current DACL (SDSF)
33. As of 1.3.80, the default @sys name list has been changed to "x86_win32
i386_w2k i386_nt40" for 32-bit x86 systems. The default for itanium will be
"ia64_win64" and "amd64_win64" for amd 64-bit processors.
34. As of 1.3.80, symlinks to \\AFS[\all]\... will now be treated the same as
symlinks to /afs/... However, please use /afs/... as the Windows UNC form
will not work on Unix.
35. As of 1.3.80, OpenAFS for Windows implements the Cache Manager Debugging
RPC Interface. The CM debugger can be queried with cmdebug.exe.
Usage: cmdebug -servers <server machine> [-port <IP port>] [-long]
[-addrs] [-cache] [-help]
Where: -long print all info
-addrs print only host interfaces
-cache print only cache configuration
36. If you are a site which utilizes MIT/Heimdal Kerberos principals to logon
to Windows via a cross-realm relationship with a multi-domain Windows forest,
you must enable Windows logon caching unless the workstation is Longhorn Beta
1 or later.
37. VLDB and File Server Preferences can now be provided initial values using
registry keys. This is useful for managed machines in a Windows domain which
are centrally located (e.g., in a computing lab.) See registry.txt for
details on the "Server Preferences" keys.
38. As of 1.3.81, timestamps on files stored in AFS are reported to Windows in
UTC all year round. Previously, in locales with daylight savings time, the
time reported by AFS to Windows when DST is active was UTC+1. This was done
to preserve the relative local time for the user. A file stored at 11:00am
EST in January would be reported as having been stored at 11:00am EDT in June.
Unfortunately, this has the negative side effect of changing the reported
timestamp from 16:00UTC to 15:00UTC. Since Windows treats all file times in
UTC, data synchronization applications which rely on the timestamp would
believe that all files stored in AFS had changed. This will no longer be the
case.
It should be noted that Unix based operating systems (such as Solaris) do not
appear to report file times to applications in UTC. They do preserve the
relative local time. This may confuse some users who are used to being able
to compare the timestamp in an Unix shell with the timestamp from the Windows
explorer. During DST, these two times will no longer agree even though they
are in fact describing the same time.
39. If the installer refuses to install and complains about an RPC
configuration error, check to ensure that the following registry entries are
present and that they refer to the dll "rpcrt4.dll":
HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_np"
HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp"
HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"
HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"
40. 1.3.83 adds a new command, "fs minidump". This command can be used at any
time to generate a mini dump file containing the current stack of the
afsd_service.exe process. This output can be very helpful when debugging the
AFS Client Service when it is unresponsive to SMB/CIFS requests.
41. The Windows AFS client implements Universally Unique Identifiers (UUIDs).
They are used to provide the server with a method of identifying the client
that is independent of IP address. The UUID is generated when the AFSCache
file is created and is maintained as long as the contents of the AFSCache
file are kept intact. The UUID is stored in the AFSCache file. When
cloning machines that have Windows AFS client installed, the AFSCache files
must be deleted as part of the cloning process.
42. The performance of the AFS Client Service is significantly affected by
the access times associated with the AFSCache paging file. When given the
choice, the AFSCache file should be placed on a fast disk, preferably NTFS,
the file should not be compressed and should consist of as few fragments as
possible. Significant performance gains can be achieved by defragmenting
the AFSCache file with Sysinternal's Contig utility.
------------------------------------------------------------------------
How to Debug Problems with OpenAFS for Windows:
OpenAFS for Windows provides a wide range of tools to assist you in debugging
problems. The techniques available to you are varied because of the wide
range of issues that have been discovered over the years.
* pioctl debugging (IoctlDebug registry key)
pioctl (path-based ioctl) calls are used by various tools to
communicate with the AFS Client Service. Some of the operations performed
include:
- setting/querying tokens (tokens.exe, aklog.exe, afscreds.exe)
- setting/querying ACLs
- setting/querying cache parameters
- flushing files or volumes
- setting/querying server preferences
- querying path location
- checking the status of servers and volumes
- setting/querying the sysname list
pioctl calls are implemented by writing to a special UNC path that
is processed by the AFS Client Service. If there is a failure to
communicate with the AFS Client Service via SMB/CIFS, it will be
impossible to perform any of the above operations.
To assist in debugging these problems, the registry value:
[HKLM\SOFTWARE\OpenAFS\Client]
REG_DWORD: IoctlDebug = 0x01
should be set. Then any of the commands that perform pioctl calls should
be executed from the command prompt. With this key set the pioctl library
will generate debugging output to stderr. The output will contain the
Win32 API calls executed along with their most important parameters and
their return code. The MSDN Library and the Microsoft KnowledgeBase can
be used as a reference to help you determine the configuration probem with
your system.
* afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)
Every time the AFS Client Service starts it appends data about its progress
and configuration to a file. This file provides information crucial to
determining why the service cannot start when there are problems. When
the process terminates due to a panic condition it will write to this
file the source code file and line number of the error. In many cases
the panic condition is due to a misconfiguration of the machine. In other
cases it might be due to a programming error in the software.
A quick review of the location in the source code will quickly reveal
the reason for the termination.
* afsd_service debug logs (fs trace {-on, -off, -dump} ->
%WinDir%\TEMP\afsd.log)
When attempting to debug the behavior of the SMB/CIFS Server and the
Cache Manager it is often useful to examine a log of the operations
being performed. While running the AFS Client Service keeps an in memory
log of many of its actions. The default number of actions preserved
at any one time is 5000. This can be adjusted with the registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
REG_DWORD TraceBufferSize
A restart of the service is necessary when adjusting this value.
Execute "fs trace -on" to clear to the log and "fs trace -dump" to
output the contents of the log to the file.
An alternatve option to the use of "fs trace" is to use a tool such as
Sysinternal's DbgView to capture real-time debugging output. Set Bit 2
of the TraceOption value in the registry to activate.
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
REG_DWORD TraceOption = 0x04
* Microsoft MiniDumps (fs minidump -> %WinDir%\TEMP\afsd.dmp)
If the AFS Client Service become unresponsive to any form of communication
there may be a serious error that can only be debugged by someone with
access to the source code and a debugger. The "fs minidump" command can
be used to force the generation of a MiniDump file containing the state
of all of the threads in the AFS Client Service process.
* Integrated Logon debugging (TraceOption registry key)
If you are having trouble with the Integrated Logon operations
it is often useful to be able to obtain a log of what it is attempting
to do. Setting Bit 0 of the registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
REG_DWORD TraceOption = 0x01
will instruct the Integrated Logon Network Provider and Event Handlers
to log information to the Windows Event Log: Application under the name
"AFS Logon".
* RX (AFS RPC) debugging (rxdebug)
The rxdebug.exe tool can be used to query a variety of information
about the AFS services installed on a given machine. The port for
the AFS Cache Manager is 7001.
* Cache Manager debugging (cmdebug)
The cmdebug.exe tool can be used to query the state of the AFS Cache
Manager on a given machine.
* Persistent Cache consistency check
The persistent cache is stored in a Hidden System file at
%WinDir%\TEMP\AFSCache. If there is a problem with the persistent
cache that prevent the AFS Client Service from being able to start
a validation check on the file can be performed.
afsd_service.exe --validate-cache <cache-path>
------------------------------------------------------------------------
Reporting Bugs:
Bug reports should be sent to openafs-bugs@openafs.org. Please include as
much information as possible about the issue. If you are reporting a crash,
please install the debugging symbols by re-running the installer. If a dump
file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along
with the AFS Client Trace file %WINDIR%\TEMP\afsd.log. The AFS Client
startup log is %WINDIR%\TEMP\afsd_init.log. Send the last continuous block of
log information from this file.
Configuring DrWatson to generate dump files for crashes:
* Run drwtsn32.exe to configure or to identify where the log and the crash dump
files are created:
- click Start > Run...
- type drwtsn32 <enter>.
- Select either a Crash Dump Type: Mini or Full.
- Clear Dump Symbol Table
- Clear Append to Existing Log file.
- Check Dump All Thread Contexts.
- Check Create Crash Dump File
* Next run the monitoring module of Dr. Watson:
- click Start > Run...
- type drwatson <enter>.
- Once a crash happens, Dr. Watson generates a dump file and a report in the
log file, including the address of the crash and the stack dump.
Once you have the Dr. Watson's logfile and minidump, zip them and send them as
attachments with your e-mail to openafs-bugs@openafs.org.
When reporting a error, please be sure to include the version of OpenAFS.
------------------------------------------------------------------------
How to Contribute to the Development of OpenAFS for Windows:
Contributions to the development of OpenAFS for Windows are needed.
Contributions may take many forms including cash donations, support contracts,
donated developer time, and even donated tech writer time.
If you wish to be involved in OpenAFS for Windows development please join the
openafs-win32-devel@openafs.org mailing list.
https://lists.openafs.org/mailman/listinfo/openafs-win32-devel
User questions should be sent to the openafs-info@openafs.org mailing list.
https://lists.openafs.org/mailman/listinfo/openafs-info
You must join the mailing lists if you wish to post to the list without
incurring a moderation delay.
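Review bot: the bug-reporting text near the end of this removed file tells users to mail %WINDIR%\TEMP\afsd.dmp and afsd.log to openafs-bugs@openafs.org without saying what those files hold, although the same file describes the dump as "containing the state of all of the threads in the AFS Client Service process", the process that services the token pioctl calls. If the wording was copied unchanged into the HTML files, consider adding a sentence there on checking what is attached before sending. The commit message gives the destination only as "src/WINNT/doc/...", so please name the HTML file that now carries the IoctlDebug, TraceBufferSize and TraceOption debugging values so the removal can be checked against it, and do not carry over the typos "probem" and "alternatve".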


@ -1,739 +0,0 @@
OpenAFS for Windows
MSI Deployment Guide
----------------------------------------------------------------------
Contents
1. Introduction
1.1 Requirements
2. Configuration options
2.1 Configurable properties
2.2 Existing registry values
2.3 Replacing Configuration Files
2.4 Adding Domain Specific Registry Keys
2.5 Adding Site Specific Freelance Registry Keys
3. Additional resources
4. Upgrades
5. FAQ
----------------------------------------------------------------------
1. Introduction
Beginning with OpenAFS for Windows version 1.3.65 a MSI installer
option is available for those who wish to use Windows
Installer for installing OpenAFS and for organizations that wish
to deploy OpenAFS through Group Policy.
This document provides a guide for authoring transforms used to
customize the MSI package for a particular organization. Although
many settings can be deployed via transforms, in an Active
Directory environment it is advisable to deploy registry settings
and configuration files through group policy and/or startup
scripts so that machines where OpenAFS for Windows is already
installed will pick up these customizations.
1.1 Requirements
The information in this document applies to MSI packages
distributed with OpenAFS for Windows releases from 1.3.65 and
onwards or MSI packages built from corresponding source
releases. Not all releases support all the configuration options
documented here.
Authoring a "Windows Installer" transform requires additional
software for editing the MSI database tables and generating the
transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE
which are included in the Windows Platform SDK ("Windows Installer"
SDK) can be used for this purpose.
For reference, the schema for the MSI package is based on
SCHEMA.MSI distributed with the Platform SDK.
For general information about "Windows Installer", refer to :
http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp
For general information about authoring MSI transforms, refer to :
http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp
The remainder of this document assumes some familiarity with
authoring transforms. While the MSDN documentation for Windows
Installer is a bit dense, it is recommended that you read through
the guide on MSI transforms found at the second link above. Also
MSDN includes a step-by-step example for creating a transform at:
http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp
1.2 Authoring a Transform
Transforms describe a set of modifications to be performed on an
existing MSI for the purpose of customizing it. This is
ordinarily done by making a copy of the MSI to be customized,
modifying the copy and then using the old and the new MSI to
generate a transform.
E.g:
> copy openafs.msi openafs-modified.msi
(edit the openafs-modified.msi to include the necessary changes)
> msitran -g openafs.msi openafs-modified.msi openafs-transform.mst
(generates openafs-transform.mst, which is the transform)
Transforms have an extension of .mst. 'msitran' is a tool
distributed as part of the "Windows Installer" SDK (which in turn is
a part of the Windows Platform SDK).
You can test a transform by :
> copy openafs.msi openafs-test.msi
> msitran -a openafs-transform.mst openafs-test.msi
and then checking the resulting openafs-test.msi to see if all the
changes you have made above to openafs-modified.msi is present in
openafs-test.msi. 'msitran' will complain if some modification in the
transform can not be successfully applied.
As mentioned above, you can use a tool like ORCA.EXE to edit the
MSI databases directly when editing openafs-modified.msi. More
details are given below.
----------------------------------------------------------------------
2. Configuration Options
The logic necessary to implement many of the settings described in
the registry.txt file are present in the MSI. Most of these can be
controlled by setting the corresponding properties to the desired
value. Some settings may require modifying existing registry
entries (though not recommended) or adding new resources (like
files or registry keys). Instructions for performing these tasks
are below.
2.1 Configurable Properties
Most configurable properties correspond to registry keys or
values. Please refer to the release notes for more information
about how these registry settings are used.
Due to the logic invoked based on the existence of these registry
keys or values, they are only set if the associated property is
defined to have a non null value. If the associated property is
not defined in the MSI, the registry key or value will not be
touched. By default, the MSI does not contain these properties
and hence will not set the registry keys. You will need to add
properties as needed to the MSI.
When one of the configurable properties is set, the installer will
use the property value to set the corresponding setting in the
HKEY_LOCAL_MACHINE registry hive. HKEY_CURRENT_USER hive is not
touched by the installer.
For each property, the associated registry setting is referenced
by the same text used in the registry.txt file.
Strings are quoted using single quotes (e.g. 'a string'). An empty
string is denoted as ''. Note that you can't author null values
into the 'Property' table.
Numeric values should be authored as decimal strings.
2.1.1 Setting Properties
In order to set a property,
a. Open the MSI in ORCA.EXE
b. Select the 'Property' table from the list of tables on the left.
c. Find the property in the list of properties on the right,
double click the value and type the new value.
d. If the property does not exist in the property list, right
click the list and select 'Add Row', type the property name
and the desired value.
2.1.2 OpenAFS for Windows properties
(Service parameters):
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
(Network provider):
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
(OpenAFS Client):
[HKLM\SOFTWARE\OpenAFS\Client]
The configurable properties are as follows:
AFSCACHEPATH
Registry key : (Service parameters)
Registry value : CachePath
Valid values : string
AFSCACHESIZE
Registry key : (Service parameters)
Registry value : CacheSize
Valid values : numeric
AFSCELLNAME
Registry key : (Service parameters)
Registry value : Cell
Valid values : string
CREDSAUTOINIT
Valid values : '-a' or ''
Option for AFSCREDS.EXE. Enables automatic initialization.
(see below)
CREDSIPCHDET
Valid values : '-n' or ''
Option for AFSCREDS.EXE. Enables IP address change detection.
(see below)
CREDSQUIET
Valid values : '-q' or ''
Option for AFSCREDS.EXE. Enables quiet mode.
(see below)
CREDSRENEWDRMAP
Valid values : '-m' or ''
Option for AFSCREDS.EXE. Enables renewing drive map at
startup.
(see below)
CREDSSHOW
Valid values : '-s' or ''
Option for AFSCREDS.EXE. Enables displaying the credential
manager window when AFSCREDS starts up.
The five properties above determine the behavior of the AFS
credential manager ( AFSCREDS.EXE ). Each property adds a
command line option to the shortcut that will be created in
the Program Menu, both under 'OpenAFS' and 'Startup' folders
(see CREDSSTARTUP).
The way in which the options are specified was chosen for easy
integration with the Windows Installer user interface.
Although you can come up with creative ways to provide other
options to AFSCREDS.EXE, we advise against it because such
transforms may not apply to future releases of OpenAFS.
CREDSSTARTUP
Valid values : '1' or '0'
Controls whether AFSCREDS.EXE starts up automatically when a
user logs on. When CREDSSTARTUP is '1' a shortcut is added
to the 'Startup' folder in the 'Program menu' which starts
AFSCREDS.EXE with the options that are determined by the
other CREDS* properties.
FREELANCEMODE
Registry key : (Service parameters)
Registry value : FreelanceClient
Valid values : '1' or '0'
HIDEDOTFILES
Registry key : (Service parameters)
Registry value : HideDotFiles
Valid values : '1' or '0'
LOGONOPTIONS
Registry key : (Network provider)
Registry value : LogonOptions
Valid values : '0','1' or '3'
See section 2.1 of registry.txt (Domain specific configuration
keys for Network Provider) and section [filler] of this
document (filler) for more details.
MOUNTROOT
Registry key : (Service parameters)
Registry value : Mountroot
Valid values : string
NETBIOSNAME
Registry key : (Service parameters)
Registry value : NetbiosName
Valid values : string (at most 15 characters)
NOFINDLANABYNAME
Registry key : (Service parameters)
Registry value : NoFindLanaByName
Valid values : '1' or '0'
RXMAXMTU
Registry key : (Service parameters)
Registry value : RxMaxMTU
Valid values : numeric
SECURITYLEVEL
Registry key : (Service parameters)
Registry value : SecurityLevel
Valid values : '1' or '0'
SMBAUTHTYPE
Registry key : (Service parameters)
Registry value : SMBAuthType
Valid values : '0','1' or '2'
STOREANSIFILENAMES
Registry key : (OpenAFS Client)
Registry value : StoreAnsiFilenames
Valid values : '0' or '1'
USEDNS
Registry key : (Service parameters)
Registry value : UseDNS
Valid values : '1' or '0'
2.2 Existing Registry Entries
You can change existing registry values subject to the
restrictions mentioned in the Windows Platform SDK. Pay special
attention to component keypaths and try to only change the 'Value'
column in the 'Registry' table. If you want to add additional
registry keys please refer to section 3 (Additional Resources).
2.3 Replacing Configuration Files
The OpenAFS configuration files (CellServDB)
can be replaced by your own configuration files. These files are
contained in separate MSI components so that you can disable them
individually.
The recommended method for replacing these files is to first
disable the components containing the configuration files that you
want to replace, and then add new components for the replacement
files. This is outlined below (assuming you are using ORCA.EXE to
author the transform).
Note that transforms are not a good way to add a new file as an
embedded stream. The method outlined here places the file in the
same directory as the MSI for deployment.
The walkthrough below is to add a custom 'CellServDB' file.
1) Disable the component that contains the configuration file that
you want to replace.
1.1) Locate and select the 'Component' table in the 'Tables'
list.
1.2) In the Component table, locate the component you need to
change ( Ctrl-F invokes the 'Find' dialog). The component
names are listed below in section 2.3.1. For this
example, the component name is 'elf_CellServDB'.
1.3) Go to the 'Condition' column of the component.
1.4) Enter a condition that evaluates to
false. I.e. 'DONOTINSTALL'. (Note that an undefined
property always evaluates to false).
Note that you can also use this step to disable other
configuration files without providing replacements.
2) Add a new component containing the new configuration file.
2.1) Select the 'Component' table in the 'Tables' list.
2.2) Select 'Tables'->'Add Row' (Ctrl-R).
2.3) Enter the following :
Component : cmf_my_CellServDB
ComponentId : {7019836F-BB2C-4AF6-9463-0D6EC9035CF1}
Directory_ : dirClient
Attributes : 144
Condition :
KeyPath : fil_my_CellServDB
Note that the ComponentId is an uppercase GUID. You can
generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of
which are included in the Platform SDK.
The Attributes value of 144 is a sum of
msidbComponentAttributesPermanent (16) and
msidbComponentAttributesNeverOverwrite (128). This
ensures that local modifications are not overwritten or
lost during an installation or uninstallation. These are
the same settings used on the default configuration files.
'fil_my_CellServDB' is a key into the 'File' table which we
will fill later.
3) Add a new feature to hold the new component.
3.1) Select the 'Feature' table.
3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the
following values:
Feature : fea_my_CellServDB
Feature_Parent: feaClient
Title :
Description :
Display : 0
Level : 30
Directory_ :
Attributes : 8
It is important to create the new feature under the
'feaClient' feature, which will ensure that the
configuration file will be installed when the client
binaries are installed.
Setting 'Display' to 0 will hide this feature from the
feature selection dialog during an interactive
installation. A value of 30 for 'Level' allows this
feature to be installed by default (on a 'Typical'
installation).
The 'Attributes' value is
msidbFeatureAttributesDisallowAdvertise (8), which is set
on all features in the OpenAFS MSI. The OpenAFS MSI is not
designed for an advertised installation.
4) Join the component and the feature.
4.1) Select the 'FeatureComponents' table.
4.2) Add a new row with the following values:
Feature : fea_my_CellServDB
Component : cmf_my_CellServDB
5) Add an entry to the 'File' table.
5.1) Select the 'File' table.
5.2) Add a new row with the following values:
File : fil_my_CellServDB
Component_ : cmf_my_CellServDB
FileName : CellServDB
FileSize : (enter file size here)
...
Attributes : 8192
Sequence : 1000
(leave other fields blank)
The 'Attributes' value is msidbFileAttributesNonCompressed
(8192). This is because we will be placing this file in
the same directory as the MSI instead of embedding the
file in it. Transforms do not support updating compressed
sources or adding new cabinet streams.
Finally, the 'Sequence' value of 1000 will be used later
to distinguish the file as being in a separate source
location than the other files in the MSI.
6) Set a media source for the file.
6.1) Select the 'Media' table.
6.2) Add a row with the following values :
DiskId : 2
LastSequence : 1000
...
(leave other fields blank)
The sequence number of 1000 designates this as the media
source for the newly added file.
2.3.1 Components for Configuration Files
CellServDB : 'cpf_CellServDB' (ID {D5BA4C15-DBEC-4292-91FC-B54C30F24F2A})
2.4 Adding Domain Specific Registry Keys
Following is an example for adding domain specific registry keys.
Refer to section 2.1 in REGISTRY.TXT for more information.
Columns that are unspecified should be left empty.
We create a new feature and component to hold the new registry keys.
'Feature' table:
(new row)
Feature : 'feaDomainKeys'
Feature Parent : 'feaClient'
Display : 0
Level : 30
Attributes : 10
'Component' table:
(new row)
Component : 'rcm_DomainKeys'
ComponentId : '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}'
Directory : 'TARGETDIR'
Attributes : 4
KeyPath : 'reg_domkey0'
'FeatureComponents' table:
(new row)
Feature : 'feaDomainKeys'
Component : 'rcm_DomainKeys'
'Registry' table:
(new row)
Registry : 'reg_domkey0'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey1'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
Name : '*'
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey2'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
Name : '*'
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey3'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
Name : 'LogonOptions'
Value : 1
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey4'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
Name : '*'
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey5'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
Name : 'LogonOptions'
Value : 0
Component : 'rcm_DomainKeys'
(new row)
Registry : 'reg_domkey6'
Root : 2
Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
Name : 'FailLoginsSilently'
Value : 1
Component : 'rcm_DomainKeys'
The example adds domain specific keys for 'ATHENA.MIT.EDU' (enable
integrated logon) and 'LOCALHOST' (disable integrated logon and
fail logins silently).
2.5 Adding Site Specific Freelance Registry Keys
Following is an example for adding site specific Freelance registry keys
to pre-populate the Mountpoints and Symlinks in the fake root.afs volume.
Columns that are unspecified should be left empty.
We create a new feature and component to hold the new registry keys.
'Feature' table:
(new row)
Feature : 'feaFreelanceKeys'
Feature Parent : 'feaClient'
Display : 0
Level : 30
Attributes : 10
'Component' table:
(new row)
Component : 'rcm_FreelanceKeys'
ComponentId : '{4E3B3CBF4-9AE7-40C3-7B09-C48CF842C583}'
Directory : 'TARGETDIR'
Attributes : 4
KeyPath : 'reg_freekey0'
'FeatureComponents' table:
(new row)
Feature : 'feaFreelanceKeys'
Component : 'rcm_FreelanceKeys'
'Registry' table:
(new row)
Registry : 'reg_freekey0'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance'
Component : 'rcm_FreelanceKeys'
(new row)
Registry : 'reg_freekey1'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance'
Name : '0'
Value : 'athena.mit.edu#athena.mit.edu:root.cell.'
Component : 'rcm_FreelanceKeys'
(new row)
Registry : 'reg_freekey2'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance'
Name : '1'
Value : '.athena.mit.edu%athena.mit.edu:root.cell.'
Component : 'rcm_FreelanceKeys'
(new row)
Registry : 'reg_freekey3'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
Component : 'rcm_FreelanceKeys'
(new row)
Registry : 'reg_freekey4'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
Name : '0'
Value : 'athena:athena.mit.edu.'
Component : 'rcm_FreelanceKeys'
(new row)
Registry : 'reg_freekey5'
Root : 2
Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
Name : '1'
Value : '.athena:.athena.mit.edu.'
Component : 'rcm_FreelanceKeys'
The example adds a read-only mountpoint to the athena.mit.edu
cell's root.afs volume as well as a read-write mountpoint. Aliases
are also provided using symlinks.
----------------------------------------------------------------------
3 Additional Resources
If you want to add registry keys or files you need to create new
components and features for those. Refer to the Windows Platform
SDK for details.
It is beyond the scope of this document to provide a comprehensive
overview of how to add new resources through a transform. Please
refer to the "Windows Installer" documentation for details. The
relevant section is at :
http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp
A sample walkthrough of adding a new configuration file is in
section 2.3.
Add new features under the 'feaClient' or 'feaServer' as
appropriate and set the 'Level' column for those features to equal
the 'Level' for their parent features for consistency. Note that
none of the features in the OpenAFS for Windows MSI package are
designed to be installed to run from 'source' or 'advertised'. It
is recommended that you set 'msidbFeatureAttributesFavorLocal' (0),
'msidbFeatureAttributesFollowParent' (2) and
'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new
features.
If you are creating new components, retain the same component GUID
when creating new transforms against new releases of the OpenAFS
MSI package.
After making the adjustments to the MSI database using ORCA.EXE
you can generate a transform with MSITRAN.EXE as follows :
(Modified MSI package is 'openafs-en_US_new.msi' and the original
MSI package is 'openafs-en_US.msi'. Generates transform
'openafs-transform.mst')
> msitran.exe -g openafs-en_US.msi openafs-en_US_new.msi openafs-transform.mst
See the Platform SDK documentation for information on command line
options for MSITRAN.EXE.
----------------------------------------------------------------------
4. Upgrades
The MSI package is designed to uninstall previous versions of
OpenAFS for Windows during installation. Note that it doesn't
directly upgrade an existing installation. This is intentional
and ensures that development releases which do not have strictly
increasing version numbers are properly upgraded.
Versions of OpenAFS that are upgraded by the MSI package are :
1) OpenAFS MSI package
Upgrade code {6823EEDD-84FC-4204-ABB3-A80D25779833}
Upto current release
2) MIT's Transarc AFS MSI package
Upgrade code {5332B94F-DE38-4927-9EAB-51F4A64193A7}
Upto version 3.6.2
3) OpenAFS NSIS package
All versions
Note that versions of the OpenAFS NSIS package prior to 1.3.65
had a bug where it couldn't be uninstalled properly in
unattended mode. Therefore the MSI package will not try to
uninstall an OpenAFS NSIS package if running unattended. This
means that group policy based deployments will fail on machines
that have the OpenAFS NSIS package installed.
If you have used a different MSI package to install OpenAFS and
wish to upgrade it you can author rows into the 'Upgrade' table as
described in the Platform SDK.
When performing an upgrade with msiexec.exe execute the MSI with
the repair options "vomus".
----------------------------------------------------------------------
5. FAQ
(Q/A's will be added here as needed)
----------------------------------------------------------------------
$Id$
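Review bot: three defects in this removed deployment guide should be fixed rather than carried into its HTML replacement. The CellServDB component is called 'elf_CellServDB' in step 1.2 of section 2.3 but 'cpf_CellServDB' in section 2.3.1, so an administrator following the walkthrough cannot tell which row to disable. The ComponentId given for 'rcm_FreelanceKeys', '{4E3B3CBF4-9AE7-40C3-7B09-C48CF842C583}', has nine hex digits in its first group and is not a well-formed GUID. The LOGONOPTIONS entry still reads "section [filler] of this document (filler)". Smaller points: the contents list omits section 1.2 (Authoring a Transform), and registry.txt is cited by file name in sections 2, 2.1 and 2.4 even though this commit removes that file as well, so those references need to point at the HTML version.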


@ -1,917 +0,0 @@
Registry keys and Environment Variables used in the Windows AFS Client
as of release 1.4.0000
======================================================================
REGISTRY KEYS:
1. Service parameters
---------------------
The service parameters primarily affect the behavior of the AFS client
service (afsd_service.exe).
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
Value : LANadapter
Type : DWORD
Default : -1
Variable: LANadapter
LAN adapter number to use. This is the lana number of the LAN
adapter that the SMB server should bind to. If unspecified or set
to -1, a LAN adapter with named 'AFS' or a loopback adapter will be
selected. If neither are present, then all available adapters will
be bound to. When binding to a non-loopback adapter, the NetBIOS
name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS
name of the host truncated to 11 characters). Otherwise, the NetBIOS
name will be 'AFS'.
Value : CacheSize
Type : DWORD
Default : 98304 (CM_CONFIGDEFAULT_CACHESIZE)
Variable: cm_initParams.cacheSize
Size of the AFS cache in 1k blocks.
Value : ChunkSize
Type : DWORD
Default : 17 (CM_CONFIGDEFAULT_CHUNKSIZE)
Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize)
Size of chunk for reading and writing. Actual chunk size is 2^cm_logChunkSize.
Value : Daemons
Type : DWORD
Default : 2 (CM_CONFIGDEFAULT_DAEMONS)
Variable: numBkgD
Number of background daemons (number of threads of
cm_BkgDaemon). (see cm_BkgDaemon in cm_daemon.c)
Value : ServerThreads
Type : DWORD
Default : 25 (CM_CONFIGDEFAULT_SVTHREADS)
Variable: numSvThreads
Number of SMB server threads (number of threads of smb_Server). (see
smb_Server in smb.c).
Value : Stats
Type : DWORD
Default : 10000 (CM_CONFIGDEFAULT_STATS)
Variable: cm_initParams.nStatCaches
Cache configuration.
Value : LogoffPreserveTokens
Type : DWORD {1,0}
Default : 0
If enabled (set to 1), the Logoff Event handler will not attempt
to delete the user's tokens if the user's profile is stored outside
of AFS.
Value : RootVolume
Type : REG_SZ
Default : "root.afs"
Variable: cm_rootVolumeName
Root volume name.
Value : Mountroot
Type : REG_SZ
Default : "/afs"
Variable: cm_mountRoot
Name of root mount point. In symlinks, if a path starts with
cm_mountRoot, it is assumed that the path is absolute (as opposed to
relative) and is adjusted accordingly. Eg: if a path is specified as
/afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the
path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a
path does not start with with cm_mountRoot, the path is assumed to
be relative and suffixed to the reference directory (i.e. directory
where the symlink exists)
Value : CachePath
Type : REG_SZ or REG_EXPAND_SZ
Default : "%TEMP%\AFSCache"
Variable: cm_CachePath
Location of on-disk cache file. The default is the SYSTEM account's
TEMP directory. The attributes assigned to the file are HIDDEN and
SYSTEM.
Value : NonPersistentCaching
Type : DWORD [0..1]
Default : 0
Variable: buf_CacheType
When this registry value is set to a non-zero value, the CachePath
value is ignored and the cache data is stored in the windows paging
file. This prevents the use of persistent caching (when available)
as well as the ability to alter the size of the cache at runtime
using the "fs setcachesize" command.
Value : ValidateCache
Type : DWORD [0..2]
Default : 1
Variable: buf_CacheType
This value determines if and when persistent cache validation is
performed.
0 - Validation is disabled
1 - Validation is performed at startup
2 - Validation is performed at shutdown
Value : TrapOnPanic
Type : DWORD {1,0}
Default : 0
Variable: traceOnPanic
Issues a breakpoint in the event of a panic. (breakpoint: _asm int 3).
Value : NetbiosName
Type : REG_EXPAND_SZ
Default : "AFS"
Variable: cm_NetbiosName
Specifies the NetBIOS name to be used when binding to a Loopback
adapter. To provide the old behavior specify a value of
"%COMPUTERNAME%-AFS"
Value : IsGateway
Type : DWORD {1,0}
Default : 0
Variable: isGateway
Select whether or not this AFS client should act as a gateway. If
set and the NetBIOS name hostname-AFS is bound to a physical NIC,
other machines in the subnet can access AFS via SMB connections to
hostname-AFS.
When IsGateway is non-zero, the LAN adapter detection code will
avoid binding to a loopback adapter. This will ensure that the
NetBIOS name will be of the form hostname-AFS instead of the value
set by the "NetbiosName" registry value.
Value : ReportSessionStartups
Type : DWORD {1,0}
Default : 0
Variable: reportSessionStartups
If enabled, all SMB sessions created are recorded in the Application
event log. This also enables other events such as drive mappings
or various error types to be logged.
Value : TraceBufferSize
Type : DWORD
Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
Variable: traceBufSize
Number of entries to keep in trace log.
Value : SysName
Type : REG_SZ
Default : "i386_nt40"
Variable: cm_sysName
Provides an initial value for "fs sysname". The string can contain
one or more replacement values for @sys in order of preference separated
by whitespace.
Value : SecurityLevel
Type : DWORD {1,0}
Default : 0
Variable: cryptall
Enables encryption on RX calls.
Value : UseDNS
Type : DWORD {1,0}
Default : 1
Variable: cm_dnsEnabled
Enables resolving volservers using AFSDB DNS queries. (see
afsdb-freelance-notes).
As of 1.3.60, this value is ignored as the DNS query support
utilizes the Win32 DNSQuery API which is available on Win2000
and above.
Value : FreelanceClient
Type : DWORD {1,0}
Default : 0
Variable: cm_freelanceEnabled
Enables freelance client. (see afsdb-freelance-notes)
Value : HideDotFiles
Type : DWORD {1,0}
Default : 1
Variable: smb_hideDotFiles
Enables marking dotfiles with the hidden attribute. Dot files are
files whose name starts with a period (excluding "." and "..").
Value : MaxMpxRequests
Type : DWORD
Default : 50
Variable: smb_maxMpxRequests
Maximum number of multiplexed SMB requests that can be made.
Value : MaxVCPerServer
Type : DWORD
Default : 100
Variable: smb_maxVCPerServer
Maximum number of SMB virtual circuits.
Value : Cell
Type : REG_SZ
Default : <none>
Variable: rootCellName
Name of root cell (the cell from which root.afs should be mounted in
\\afs\all).
Value : RxNoJumbo
Type : DWORD {0,1}
Default : 0
Variable: rx_nojumbo
If enabled, does not send or indicate that we are able to send or
receive RX jumbograms.
Value : RxMaxMTU
Type : DWORD
Default : -1
Variable: rx_mtu
If set to anything other than -1, uses that value as the maximum MTU
supported by the RX interface.
In order to enable OpenAFS to operate across the Cisco IPSec VPN
client, this value must be set to 1264 or smaller.
Value : ConnDeadTimeout
Type : DWORD
Default : 60 (seconds)
Variable: ConnDeadtimeout
The Connection Dead Time is enforced to be at a minimum 15 seconds
longer than the minimum SMB timeout as specified by
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
SessTimeout
If the minimum SMB timeout is not specified the value is 45 seconds.
See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp
Value : HardDeadTimeout
Type : DWORD
Default : 120 (seconds)
Variable: HardDeadtimeout
The Hard Dead Time is enforced to be at least double the ConnDeadTimeout.
The provides an opportunity for at least one retry.
Value : TraceOption
Type : DWORD {0-15}
Default : 0
Enables logging of debug output to the Windows Event Log.
Bit 0 enables logging of "Logon Events" processed by the Network Provider
and Winlogon Event Notification Handler.
Bit 1 enables logging of events captured by the AFS Client Service.
Bit 2 enables real-time viewing of "fs trace" logging with DbgView
or similar tools.
Bit 3 enables "fs trace" logging on startup.
Value : AllSubmount
Type : DWORD {0, 1}
Default : 1
Variable: allSubmount (smb.c)
By setting this value to 0, the "\\NetbiosName\all" mount point
will not be created. This allows the read-write versions of
root.afs to be hidden.
Value : NoFindLanaByName
Type : DWORD {0, 1}
Default : 0
Disables the attempt to identity the network adapter to use by
looking for an adapter with a display name of "AFS".
Value : MaxCPUs
Type : DWORD {1..32} or {1..64} depending on the architecture
Default : <no default>
If this value is specified, afsd_service.exe will restrict itself
to executing on the specified number of CPUs if there are a greater
number installed in the machine.
NOTE: Setting this entry to "1" may be required on hyperthreaded
systems to avoid crashes in the RX library.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
Value : MaxLogSize
Type : DWORD {0 .. MAXDWORD}
Default : 100K
This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log
file. If the file is larger than this value when afsd_service.exe starts
the file will be reset to 0 bytes. If this value is 0, it means the file
should be allowed to grow indefinitely.
Value : FlushOnHibernate
Type : DWORD {0,1}
Default : 1
If set, flushes all volumes before the machine goes on hibernate or
stand-by.
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]
Value : <Drive Letter:> for example "G:"
Type : SZ
Specifies the submount name to be mapped by afsd_service.exe at startup
to the provided drive letter.
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client]
Value : CellServDBDir
Type : REG_SZ
Default : <not defined>
Specifies the directory containing the CellServDB file.
When this value is not specified, the AFS Client install
directory is used.
Value : VerifyServiceSignature
Type : REG_DWORD
Default : 0x1
This value can be used to disable the runtime verification of
the digital signatures applied to afsd_service.exe and the
OpenAFS DLLs it loads. This test is performed to verify that
the DLLs which are loaded by afsd_service.exe are from the
same distribution as afsd_service.exe. This is to prevent
random errors caused when DLLs from one distribution of AFS
are loaded by another one. This is not a security test. The
reason for disabling this test is to free up additional memory
which can be used for a large cache size.
Value : IoctlDebug
Type : REG_DWORD
Default : 0x0
This value can be used to debug the cause of pioctl() failures.
Set a non-zero value and the pioctl() library will output status
information to stdout. Executing command line tools such as
tokens.exe, fs.exe, etc can then be used to determine why the
pioctl() call is failing.
Value : MiniDumpType
Type : REG_DWORD
Default : 0x0 (MiniDumpNormal)
This value is used to specify the type of minidump generated by
afsd_service.exe either when the process crashes or when a user
initiated is dump file is generated with the "fs.exe minidump"
command.
Valid values are dependent on the version of DbgHelp.dll installed
on the machine. See the Microsoft Developer Library for further
information.
MiniDumpNormal = 0x00000000,
MiniDumpWithDataSegs = 0x00000001,
MiniDumpWithFullMemory = 0x00000002,
MiniDumpWithHandleData = 0x00000004,
MiniDumpFilterMemory = 0x00000008,
MiniDumpScanMemory = 0x00000010,
MiniDumpWithUnloadedModules = 0x00000020,
MiniDumpWithIndirectlyReferencedMemory = 0x00000040,
MiniDumpFilterModulePaths = 0x00000080,
MiniDumpWithProcessThreadData = 0x00000100,
MiniDumpWithPrivateReadWriteMemory = 0x00000200,
MiniDumpWithoutOptionalData = 0x00000400,
MiniDumpWithFullMemoryInfo = 0x00000800,
MiniDumpWithThreadInfo = 0x00001000,
MiniDumpWithCodeSegs = 0x00002000
Value : StoreAnsiFilenames
Type : REG_DWORD
Default : 0x0
This value can be used to force the AFS Client Service to
store filenames using the Windows system's ANSI character set
instead of the OEM Code Page character set which has traditionally
been used by SMB file systems.
Note: The use of ANSI characters will render access to files
with 8-bit OEM file names unaccessible from Windows. This option
is of use primarily when you wish to allow file names produced
on Windows to be accessible from Latin-1 Unix systems and vice
versa.
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
Value : "smb/cifs share name"
Type : REG_SZ
Default : <none>
This key is used to map SMB/CIFS shares to Client Side Caching
(off-line access) policies. For each share one of the following
policies may be used: "manual", "programs", "documents", "disable"
These values used to be stored in afsdsbmt.ini
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Freelance]
Value : "numeric value"
Type : REG_SZ
Default : <none>
This key is used to store dot terminated mount point strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.
"athena.mit.edu#athena.mit.edu:root.cell."
".athena.mit.edu%athena.mit.edu:root.cell."
These values used to be stored in afs_freelance.ini
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]
Value : "numeric value"
Type : REG_SZ
Default : <none>
This key is used to store a dot terminated symlink strings
for use in constructing the fake root.afs volume when Freelance
(dynamic roots) mode is activated.
"linkname:destination-path."
"athena:athena.mit.edu."
"home:athena.mit.edu\user\j\a\jaltman."
"filename:path\file."
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Submounts]
Value : "submount name"
Type : REG_EXPAND_SZ
Default : <none>
This key is used to store mappings of unix style AFS paths
to submount names which can be referenced as UNC paths.
For example the submount string "/athena.mit.edu/user/j/a/jaltman"
can be associated with the submount name "jaltman.home".
This can then be referenced as the UNC path \\AFS\jaltman.home.
These values used to be stored in afsdsbmt.ini
NOTE: Submounts should no longer be used with OpenAFS.
Use the Windows Explorer to create drive mappings to AFS UNC
paths instead of using the AFS Submount mechanism.
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]
Value : "hostname or ip address"
Type : REG_DWORD
Default : <none>
This key is used to specify a default set of VLDB server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]
Value : "hostname or ip address"
Type : REG_DWORD
Default : <none>
This key is used to specify a default set of File server preferences.
For each entry the value name will be either the IP address of a server
or a fully qualified domain name. The value will be the ranking. The
ranking will be adjusted by a random value between 0 and 256 prior to
the preference being set.
2. Network provider parameters
------------------------------
Affects the network provider (afslogon.dll).
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
Value : FailLoginsSilently
Type : DWORD
Default : 0
Do not display message boxes if the login fails.
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
Value : NoWarnings
Type : DWORD
Default : 0
Disables visible warnings during logon.
Value : AuthentProviderPath
Type : REG_SZ
NSIS : %WINDIR%\SYSTEM32\afslogon.dll
Specifies the install location of the authentication provider dll.
Value : Class
Type : DWORD
NSIS : 0x02
Specifies the class of network provider
Value : DependOnGroup
Type : REG_MULTI_SZ
NSIS : PNP_TDI
Specifies the service groups upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the services within these groups have successfully
started.
Value : DependOnService
Type : REG_MULTI_SZ
NSIS : Tcpip NETBIOS RpcSs
Specifies a list of services upon which the AFS Client Service
depends. Windows should not attempt to start the AFS Client Service
until all of the specified services have successfully started.
Value : Name
Type : REG_SZ
NSIS : "OpenAFSDaemon"
Specifies the display name of the AFS Client Service
Value : ProviderPath
Type : REG_SZ
NSIS : %WINDIR%\SYSTEM32\afslogon.dll
Specifies the DLL to use for the network provider
2.1 Domain specific configuration keys for the Network Provider
---------------------------------------------------------------
The network provider can be configured to have different behavior
depending on the domain that the user logs into. These settings are
only relevant when using integrated login. A domain refers to an
Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
local machine (i.e. local account logins). The domain name that is
used for selecting the domain would be the domain that is passed into
the NPLogonNotify function of the network provider.
Domain specific registry keys are :
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
(NP key)
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
(Domains key)
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
(Specific domain key. One per domain.)
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
(Localhost key)
eg:
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider
|
+- Domain
+-AD1.EXAMPLE.COM
+-AD2.EXAMPLE.NET
+-LOCALHOST
Each of the domain specific keys can have the set of values described
in 2.1.1. The effective values are chosen as described in 2.1.2.
2.1.1 Domain specific configuration values
-------------------------------------------
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
Value : LogonOptions
Type : DWORD
Default : 0x01
NSIS/WiX: depends on user configuration
0x00 - Integrated Logon is not used
0x01 - Integrated Logon is used
0x02 - High Security Mode is used
0x03 - Integrated Logon with High Security Mode is used
High Security Mode generates random SMB names for the creation of
Drive Mappings. This mode should not be used without Integrated Logon.
As of 1.3.65 the SMB server supports SMB authentication. The High
Security Mode should not be used when using SMB authentication
(SMBAuthType setting is non zero).
Value : FailLoginsSilently
Type : DWORD (1|0)
Default : 0
NSIS/WiX: (not set)
If true, does not display any visible warnings in the event of an
error during the integrated login process.
Value : LogonScript
Type : REG_SZ or REG_EXPAND_SZ
Default : (null)
NSIS/WiX: (only value under NP key) <install path>\afscreds.exe -:%s -x -a -m -n -q
A logon script that will be scheduled to be run after the profile
load is complete. If using the REG_EXPAND_SZ type, you can use
any system environment variable as "%varname%" which would be
expanded at the time the network provider is run. Optionally
using a "%s" in the value would result in it being expanded into
the AFS SMB username for the session.
Value : LoginRetryInterval
Type : DWORD
Default : 30
NSIS/WiX: (not set)
If the OpenAFS client service has not started yet, the network
provider will wait for a maximum of "LoginRetryInterval" seconds
while retrying every "LoginSleepInterval" seconds to check if the
service is up.
Value : LoginSleepInterval
Type : DWORD
Default : 5
NSIS/WiX: (not set)
See description of LoginRetryInterval.
Value : TheseCells
Type : REG_MULTI_SZ
NSIS : <not set>
When Kerberos 5 is being used, TheseCells provides a list of additional
cells for which tokens should be obtained with the default Kerberos 5
principal.
2.1.2 Selection of effective values for domain specific configuration
----------------------------------------------------------------------
During login to domain X, where X is the domain passed into
NPLogonNotify as lpAuthentInfo->LogonDomainName or the string
'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the
computer, the following keys will be looked up.
1. NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")
2. Domains key. (NP key\"Domain")
3. Specific domain key. (Domains key\X)
If the specific domain key does not exist, then the domains key will
be ignored. All the configuration information in this case will
come from the NP key.
If the specific domain key exists, then for each of the values
metioned in (2), they will be looked up in the specific domain key,
domains key and the NP key successively until the value is found.
The first instance of the value found this way will be the effective
for the login session. If no such instance can be found, the
default will be used. To re-iterate, a value in a more specific key
supercedes a value in a less specific key. The exceptions to this
rule are stated below.
2.1.3 Exceptions to 2.1.2
--------------------------
To retain backwards compatibility, the following exceptions are made
to 2.1.2.
2.1.3.1 'FailLoginsSilently'
Historically, the 'FailLoginsSilently' value was in
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
key and not in the NP key. Therefore, for backwards compatibility,
the value in the Parameters key will supercede all instances of this
value in other keys. In the absence of this value in the Parameters
key, normal scope rules apply.
2.1.3.2 'LogonScript'
If a 'LogonScript' is not specified in the specific domain key nor
in the domains key, the value in the NP key will only be checked if
the effective 'LogonOptions' specify a high security integrated
login. If a logon script is specified in the specific domain key or
the domains key, it will be used regardless of the high security
setting. Please be aware of this when setting this value.
3. AFS Credentials System Tray Tool parameters
----------------------------------------------
Affects the behavior of afscreds.exe
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
Value : Gateway
Type : REG_SZ
Default : ""
Function: GetGatewayName()
If the AFS client is utilizing a gateway to obtain AFS access,
the name of the gateway is specified by this value.
Value : Cell
Type : REG_SZ
Default : <none>
Variable: IsServiceConfigured()
The value Cell is used to determine if the AFS Client Service has
been properly configured or not.
Regkey:
[HKLM\SOFTWARE\OpenAFS\Client]
[HKCU\SOFTWARE\OpenAFS\Client]
Value : ShowTrayIcon
Type : DWORD {0, 1}
Default : 1
Function: InitApp(), Main_OnCheckTerminate()
This value is used to determine whether or not a shortcut should be
maintained in the user's Start Menu->Programs->Startup folder.
This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].
The current user value is checked first; if it does not exist the local
machine value is checked.
Value : EnableKFW
Type : DWORD {0, 1}
Default : 1
Function: KFW_is_available()
When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 0, the internal
Kerberos 4 implementation will be used instead. The current user value
is checked first; if it does not exist the local machine value is checked.
Value : Use524
Type : DWORD {0, 1}
Default : 0
Function: KFW_use_krb524()
When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
to obtain AFS credentials. By setting this value to 1, the Kerberos 5
tickets will be converted to Kerberos 4 tokens via a call to the krb524
daemon. The current user value is checked first; if it does not exist
the local machine value is checked.
Value : AfscredsShortcutParams
Type : REG_SZ
Default : "-A -M -N -Q"
Function: Shortcut_FixStartup
This value specifies the command line options which should be set
as part of the shortcut to afscreds.exe. afscreds.exe rewrites the
shortcut each time it exits so as to ensure that the shortcut points
to the latest version of the program. This value is used to determine
which values should be used for command line parameters. The current
user value is checked first; if it does not exist the local machine
value is checked.
The following subset of the command line options are appropriate for
use in this registry setting:
-A = autoinit
-M = renew drive maps
-N = ip address change detection
-Q = quiet mode. do not display start service dialog
if afsd_service is not already running
-S = show tokens dialog on startup
-Z = unmap drives
Regkey:
[HKCU\SOFTWARE\OpenAFS\Client]
Value : Authentication Cell
Type : REG_SZ
Default : <none>
Function: Afscreds.exe GetDefaultCell()
This value allows the user to configure a different cell name to
be used as the default cell when acquiring tokens in afscreds.exe
Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Reminders]
Value : "afs cell name"
Type : DWORD {0, 1}
Default : <none>
Function: LoadRemind(), SaveRemind()
These values are used to save and restore the state of the reminder
flag for each cell for which the user has obtained tokens.
This value used to be stored at
[HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].
Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
Value : "upper case drive letter"
Type : DWORD {0, 1}
Default : <none>
These values are used to store the persistence state of the AFS
drive mappings as listed in the [...\Client\Mappings] key
These values used to be stored in the afsdsbmt.ini file
Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Mappings]
Value : "upper case drive letter"
Type : REG_SZ
Default : <none>
These values are used to store the AFS path in Unix notation
to which the drive letter is to be mapped.
These values used to be stored in the afsdsbmt.ini file.
ENVIRONMENT VARIABLES:
Variable: AFS_RPC_ENCRYPT
Values: "OFF" disables the use of RPC encryption
any other value allows RPC encryption to be used
Default: RPC encryption is on
Variable: AFS_RPC_PROTSEQ
Values: "ncalrpc" - local RPC
"ncacn_np" - named pipes
"ncacn_ip_tcp" - tcp/ip
Default: local RPC
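Review bot: this deletion removes the plain-text reference for several security-relevant settings, and the commit message says only that the contents are "now maintained in the HTML files" without naming which file replaces which section. Please confirm that the HTML under src/WINNT/doc carries the entries for SecurityLevel (default 0), smbAuthType (default 2), VerifyServiceSignature, the LogonOptions caveat that High Security Mode should not be combined with SMB authentication, the 2.1.3 exceptions for 'FailLoginsSilently' and 'LogonScript', and the ENVIRONMENT VARIABLES block (AFS_RPC_ENCRYPT, AFS_RPC_PROTSEQ). A few defects in the removed text should also be fixed in the HTML rather than copied over: section 2.1.2 refers to "the values metioned in (2)" where the values are listed in 2.1.1, the LogonOptions description spells the setting "SMBAuthType" while the value is documented as "smbAuthType", and the HardDeadTimeout entry reads "The provides an opportunity for at least one retry."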