From 8d2f5431acf9501f82072801b3d9abbcc269af4b Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 26 Sep 2005 02:10:45 +0000 Subject: [PATCH] STABLE14-windows-notes-remove-20050925 remove files whose contents are now maintained in the HTML files src/WINNT/doc/... (cherry picked from commit da213bfa2904bdb3899982640822e9434d515b6c) --- doc/txt/winnotes/afs-install-notes.txt | 800 ------------------- doc/txt/winnotes/msi-deployment-guide.txt | 739 ----------------- doc/txt/winnotes/registry.txt | 917 ---------------------- 3 files changed, 2456 deletions(-) delete mode 100644 doc/txt/winnotes/afs-install-notes.txt delete mode 100644 doc/txt/winnotes/msi-deployment-guide.txt delete mode 100644 doc/txt/winnotes/registry.txt diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt deleted file mode 100644 index b4eb2d4038..0000000000 --- a/doc/txt/winnotes/afs-install-notes.txt +++ /dev/null 
@@ -1,800 +0,0 @@ -OpenAFS for Windows 1.4.0000 Installation Notes ------------------------------------------------ - -OpenAFS for Windows 1.4.0000 is the best client available for -Microsoft Windows operating systems. It can be installed either as -a new installation or an upgrade from previous versions of OpenAFS -for Windows or IBM AFS for Windows. Installers are provided in two -forms: - - * an executable (.exe) that is based upon the Nullsoft Scriptable - Installation System, or - - * a Windows Installer package (.msi) that is built using WiX and - can be customized for organizations via the use of MSI Transforms - (see msi-deployment-guide.txt) - -System Requirements: - -Operating System: Windows 2000, 2000 Server, XP Home, XP Pro, 2003 Server. -64-bit versions of Windows and Windows Vista are not supported in this -release. - -Disk Space: up to 60mb required for the OpenAFS binaries plus 100MB -for the default AFSCache file. (The size of the AFSCache file may -be adjusted via the Registry after installation.) - -Additional Softare: MIT Kerberos for Windows 2.6.x if Kerberos 5 -authentication support is desired. - -1. The Kerberos 4 infrastructure on which the 1.2 series is reliant is no -longer secure. Cross-realm Kerberos is very important in the AFS context and -most sites have or are migrating to Kerberos 5 environments. The 1.3 series -integrates with the MIT Kerberos for Windows 2.6.x product to provide Kerberos -5 functionality including the ability to auto-renew credentials and obtain -single sign-on capabilities with the Microsoft Windows Kerberos Logon Service. - -As of 1.3.65, the OpenAFS client will directly use Kerberos 5 tickets as -tokens if KFW is installed. The client requires that all of the AFS Servers -with which it communicates support the use of Kerberos 5 tickets as tokens -(aka 2b tokens). This means that all of the AFS servers must be running -OpenAFS release 1.2.8 or higher. 
Transarc servers do not support Kerberos 5 -tickets as tokens. - -When using a Microsoft Windows Active Directory as the KDC which issues the -service ticket for the AFS cell there are two things to consider. First, the -Kerberos 5 tickets issued by Active Directory can be quite large when compared -to tickets issued by a traditional KDC due to the incorporation of -authorization data in the PAC. If this is your situation you either must -modify your 1.2.x servers to support tokens larger than a few hundred bytes; -or install the 1.3.64 or higher release on your servers. Second, Windows 2003 -Active Directory will issue service tickets utilizing the DES-CBC-MD5 enctype. -OpenAFS releases older than 1.3.64 will not properly support this enctype. - - -2. The AFS Client Service does not provide robust behavior in an environment -with a plug-n-play network environment. Changes to the number of network -adapters or the assigned IP addresses will cause the service to panic. The -recommended work around for this problem is to install the Microsoft Loopback -Adapter on the machine. When the MLA is installed with a static IP address -the AFS Client Service will bind only to the loopback and not be affected by -changes to state of other network adapters installed on the system. - -Starting in the 1.3.65 release the installers provided by OpenAFS.org will -install the Microsoft Loopback Adapter for you with a name of "AFS" and a -pre-assigned IP address in the 10.x.x.x range. - -One of the benefits of using the MLA is that the NETBIOS names used for the -AFS Client's SMB server do not have to be published on any adapter other than -the MLA. This means that the names no longer need to be unique. When the MLA -is in use, the NETBIOS name associated with the AFS Client Service is simply -"AFS". When the MLA is not in use the NETBIOS name is "MACHINE-AFS". - -When the MLA is installed, UNC paths of the form \\AFS\cellname\path may be -used. 
- -The MLA is installed with a binding to "Client for Microsoft Networks" but not -to "File and Printer Sharing for Microsoft Networks". If you fail to bind -"Client Microsoft Networks" you will not be able to access the AFS Client -Service when the machine is disconnected from the network. If you bind "File -and Printer Sharing ..." there will be a service type collision between the -name "AFS" and the name of the machine on the published IP Address. This will -result in a failure to be able to access files in AFS. The "NET VIEW" command -will return a "System Error 52" message when this conflict exists. To correct -the problem: - - * stop the AFS Client Service - * bind the "Client for Microsoft Networks" to the MLA - * unbind "File and Printer Sharing for Microsoft Networks" from the MLA - * Disable and then Enable the MLA - * start the AFS Client Service - - -3. Traditionally, when the AFS Client Service starts it must be able to access -the "root.afs" volume of the default cell. The "root.afs" volume contains a -set of read-only and read-write mount points to the "root.cell" volumes of -various cells the administrator of the default cell believes should be -accessible. If the "root.afs" volume is inaccessible when the client service -is started, the service will panic. Since many users now use laptops or -otherwise operate in disconnected environments in which a VPN may be needed to -access the cell's servers, it is often the case that the "root.afs" volume for -the default cell is not reachable and the AFS Client Service will not -successfully start. - -The OpenAFS Client Service now supports a fake "root.afs" volume which is -dynamically constructed when the service starts. This mode is called -Freelance mode. Freelance mode is turned on by default. - -The contents of the fake "root.afs" volume are constructed dynamically as -cells are accessed. 
When the fake "root.afs" volume is constructed it will -only contain two mount points: a read-only and read-write mount point used to -access the "root.cell" volume of the default AFS cell. Any attempt to access -a valid cell name will automatically result in a new mount point being created -in the fake "root.afs" volume. If the cellname begins with a "." the mount -point will be read-write; otherwise the mount point will be read-only. These -mount points are preserved in the registry at key: - - HKLM\SOFTWARE\OpenAFS\Client\Freelance - -Additional mount points may be manually created using the "fs mkmount" -command. Mount points may be removed using the "fs rmmount" command. - - >fs mkmount \\AFS\all\athena.mit.edu root.cell athena.mit.edu - >fs mkmount \\AFS\all\.athena.mit.edu root.cell athena.mit.edu -rw - >fs rmmount \\AFS\all\athena.mit.edu - >fs rmmount \\AFS\all\.athena.mit.edu - -Beginning in 1.3.74, the Freelance fake root.afs volume will support the -creation of symlinks. - - >symlink make \\afs\all\link \\afs\all\athena.mit.edu\user\j\a\jaltman - - >symlink list \\afs\all\link - '\\afs\all\link' is a symlink to 'athena.mit.edu\user\j\a\jaltman' - - >symlink rm \\afs\all\link - -The symlinks are stored in the registry at: - - HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks - - -4. The OpenAFS for Windows client will use AFSDB DNS records to discover cell -information when it is not located in the local CellServDB file -(\%PROGRAMFILES%\OpenAFS\Client\CellServDB). - - -5. OpenAFS for Windows 1.3.72 only supports Windows 2000, Windows XP, and -Windows 2003. Windows NT 4.0 and the entire Windows 9x/Me line are no longer -supported. Older releases of OpenAFS are available for download if those -operating systems must be supported. The last version with support for Win9x -is 1.2.2b. The last version with support for Windows NT 4.0 is 1.2.10. - - -6. 
OpenAFS for Windows installs a WinLogon Network Provider to provide -Integrated Logon (Single Sign-on) functionality. Integrated Logon can be used -when the Windows username and password match the username and password -associated with the default cell's Kerberos realm. For example, if the -windows username is "jaltman" and the default cell is "athena.mit.edu", then -Integrated Logon can be successfully used if the windows password matches the -password used for the Kerberos principal "jaltman@ATHENA.MIT.EDU". - -Integrated Logon is required if you desire the ability to store roaming user -profiles within the AFS file system. OpenAFS does not provide tools for -synchronizing the Windows and Kerberos user accounts and passwords. - -If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain -tokens. Otherwise, Kerberos 4 is used. - -There is a High Security mode for use with Integrated Logon when multiple -users will share a single machine. There are known problems with this mode. -In particular, if you are using this mode it is crucial that new AFS tokens -not be obtained after the logon session starts except via the AFS Systray tool -as started by the AFS Network Provider. If the AFS Systray tool is stopped -you must log off to obtain new tokens. Do not use external tools such as -"aklog.exe" if High Security mode is turned on. As of 1.3.70, OpenAFS supports -Authenticated SMB connections which removes the need for High Security mode. -DO NOT USE IT!!!!! - -Starting in 1.3.83, when Integrated Logon is used in conjunction with KFW, the -Kerberos 5 tickets obtained during the process of generating AFS tokens are -preserved and stored into the default ccache within the user logon session. - -What Integrated Logon does not do: - (a) Integrated Logon does not have the ability to cache the user's - username and password for the purpose of obtaining tokens if the - Kerberos KDC is inaccessible at logon time. - - -7. 
The AFS Systray tool (afscreds.exe) supports several command line -options: - - -A = autoinit - -E = force existing afscreds to exit - -I = install startup shortcut - -M = renew drive maps - -N = IP address change detection - -Q = quiet mode. do not display start service dialog - if afsd_service is not already running - -S = show tokens dialog on startup - -U = uninstall startup shortcut - -X = test and do map share - -Z = unmap drives - -: = magic parameter for high security mode - -autoinit will result in automated attempts to acquire AFS tokens when -afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored -in the MSLSA credentials cache; any existing CCAPI credentials cache; and -finally display an Obtain Tokens dialog to the user. When used in combination -with IP address change detection, afscreds.exe will attempt to acquire AFS -tokens whenever the IP address list changes and the Kerberos KDC is -accessible. - -The renew drive maps option is used to ensure that the user drive maps -constructed via the AFS tools (not NET USE) are re-constructed each time -afscreds.exe is started. - -By default afscreds.exe is configured by the OpenAFS.org installers to use -A --N -M -Q as startup options. Currently, there is no UI to change this -selection after install time although these options may be altered via the -registry either per machine or per user. See AfscredsShortcutParams in -registry.txt. - - -8. As of 1.3.71, the OpenAFS for Windows client supports a local Windows -authorization group called "AFS Client Admins". This group is used in place -of the "Administrators" group to determine which users are allowed to modify -the AFS Client Service configuration via either afs_config.exe or fs.exe. 
For -example, the following fs.exe commands are now restricted to members of the -"AFS Client Admins" group: - - - checkservers with a non-zero timer value - - setcachesize - - newcell - - sysname with a new sysname list - - exportafs - - setcell - - setserverprefs - - storebehind - - setcrypt - - cscpolicy - - trace - -Setting the default sysname for a machine should be done via the registry and -not via "fs sysname". - -The local "SYSTEM" account is always a member of the "AFS Client Admins" -group. - -The initial membership of the "AFS Client Admins" group when created by the -installer is equivalent to the local "Administrators" group. If a user is -added to the "Administrators" group after the creation of the "AFS Client -Admin" group, that user will not be an AFS Client Administrator. Only users -that are members of the "AFS Client Admins" group are AFS Client -Administrators. - - -9. The AFS Client should support UNC paths everywhere. Power users that make -extensive use of the command line shell, cmd.exe, might want to consider using -JP Software's 4NT command processor. Unlike cmd.exe, 4NT does fully support -UNC paths and can use a UNC path as the default device. - - -10. The AFS Client ships with its own version of aklog.exe which should be -used in preference to those obtained by third party sources. The OpenAFS -aklog.exe supports Kerberos 5 as well as the ability to auto-generate pts IDs -for user's obtaining tokens to foreign cells. - -Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]] - [[-p | -path] pathname] - [-noprdb] [-force] - [-5 | -4] - - -d gives debugging information. - krb_realm is the kerberos realm of a cell. - pathname is the name of a directory to which you wish to authenticate. - -noprdb means don't try to determine AFS ID. - -5 or -4 selects whether to use Kerberos V or Kerberos IV. - (default is Kerberos V) - No commandline arguments means authenticate to the local cell. - - -11. 
The AFS Server functionality provided with OpenAFS 1.3.72 might work but -should be considered highly experimental. It has not been thoroughly tested. -Any data which would cause pain if lost should not be stored in an OpenAFS -Server on Windows. - -A few notes on the usage of the AFS Client Service if it is going to be -used with the OpenAFS AFS Server: - -(a) When the AFS Server is installed Freelance mode must be turned off. - -(b) The AFS Server and related tools only support the built in kaserver -(Kerberos IV). If the AFS Server is being used, MIT Kerberos for Windows -should not be used. - - -12. The OpenAFS for Windows installers now include Symbol information which -should be installed if you are experiencing problems and need to send crash -reports. This is true in both the release and the debug versions of the -installers. The differences between the release and debug versions are -whether or not the binaries were compiled with optimization; whether the debug -symbols are installed by default; and whether additional debug statements were -compiled into the binaries. - - -13. OpenAFS for Windows does not support files larger than 2GB. This is due -to the lack of support for the Unicode version of the SMB/CIFS protocol. - - -14. Local RPC is used as the default RPC mechanism for setting tokens. TCP -RPC is required to be installed and is used for debugging and other functions. - - -15. The OpenAFS for Windows installer by default activates a weak form of -encrypted data transfer between the AFS client and the AFS servers. This is -often referred to as "fcrypt" mode. - - -16. OpenAFS 1.3.71 adds support for authenticated SMB connections using either -NTLM or GSS SPNEGO (NTLM, Kerberos 5, ...). In previous versions of OpenAFS -the SMB connections were unauthenticated which left open the door for several -security holes which could be used to obtain access to other user's tokens on -shared machines. 
With the introduction of authenticated SMB connections the -so called High Security mode should no longer be used. - -When GSS SPNEGO results in a Kerberos 5 authentication, the Windows SMB client -will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback -adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not -being used). It is extremely important that this service principal not exist -in the KDC database. If the request for this ticket fails, a subsequent -request for "cifs/HOST$@REALM" will be issued. This service principal should -exist in the KDC database. The key associated with this service principal -must match the key assigned to "host/machine@REALM". If the local machine is -part of a Windows Domain this will all be taken care of for you. If the local -machine is using a non-MS KDC for authentication, then your KDC administrator -will have to add these service principals to the list of principals to be -maintained for each host. - - -17. As of 1.3.70, INI files are no longer used for the storage of AFS -configuration data. No longer are there any AFS related files stored in the -%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini" -and it is stored in the OpenAFS\Client directory. The afs_freelance.ini and -afsdsbmt.ini file data has been moved to the registry. - -IMPORTANT: while the CellServDB file location and freelance mountpoint data -will be automatically migrated; there is no mechanism for automatic migration -of Submounts, Drive Mappings, Active Maps, and CSCPolicy data. - - -18. As of 1.3.70, the OpenAFS Client is compatible with Windows XP SP2 and -Windows 2003 SP1. The Internet Connection Firewall will be automatically -adjusted to allow the receipt of incoming callback messages from the AFS file -server. In addition, the appropriate Back Connection entries are added to the -registry to allow SMB authentication to be performed across the loopback -connection. - - -19. 
As of 1.3.70, the OpenAFS Client Service supports the CIFS Remote Admin -Protocol which provides browsing of server and share information. This -significantly enhances the interoperability of AFS volumes within the Explorer -Shell and Microsoft Office applications. - - -20. OpenAFS will now automatically forget a user's tokens upon Logoff unless -the user's profile was loaded from an AFS volume. In this situation there is -no mechanism to determine when the profile has been successfully written back -to the network. It is therefore unsafe to release the user's tokens. Whether -or not the profile has been loaded from the registry can be determined for -Local Accounts, Active Directory accounts and NT4 accounts. - -If there is a need to disable this functionality, the LogoffPreserveTokens -registry value (see registry.txt) can be used. - - -21. Terminal Server installations. -When installing the NSIS (.exe) installer under Terminal Server, you must -execute it from within the Add/Remove Programs Control Panel. Failure to do -so will result in AFS not running properly. The AFS Server should not be -installed on a machine with Terminal Server installed. - - -22. AFS is a Unix native file system. As such the OpenAFS client attempts to -treat the files stored in AFS as they would be on Unix. File and directory -names beginning with a "." are automatically given the Hidden attribute so -they will not normally be displayed. - - -23. Some organizations which have AFS cell names and Kerberos realm names -which differ by more then just lower and upper case rely on a modification to -krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4 ticket -in realm BAR. This allows user@FOO to appear to be user@bar for the purposes -of accessing the AFS cell. As of OpenAFS 1.2.8, support was added to allow -the immediate use of Kerberos 5 tickets as AFS (2b) tokens. This is the first -building block necessary to break away from the limitations of Kerberos 4 with -AFS. 
By using Kerberos 5 directly we avoid the security holes inherent in -Kerberos 4 cross-realm. We also gain access to cryptographically stronger -algorithms for authentication and encryption. - -Another reason for using Kerberos 5 directly is because the krb524 service -runs on a port (4444) which has become increasingly blocked by ISPs. The port -was used to spread a worm which attacked Microsoft Windows in the summer of -2003. When the port is blocked users find that they are unable to -authenticate. - -Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all -situations except when the cell name does not match the realm name and the -principal names placed into the ACLs are not the principal names from the -Kerberos 5 ticket. To support this transition, OpenAFS for Windows in 1.3.72 -adds a new registry value to force the use of krb524d. However, the -availability of this option should only be used by individuals until such time -as their organizations can provide a more permanent solution. - - -24. The Status Cache (AFS Config Control Panel: Advanced Page) is defined to -have a maximum number of entries. Each entry represents a single file or -directory entry accessed within the AFS file system. When the maximum number -of entries are allocated, entries will begin to be reused according to a least -recently used (LRU) algorithm. If the number of files or directories being -accessed repeatedly by your applications is greater then the maximum number of -entries, your host will begin to experience thrashing of the Status Cache and -all requests will result in network operations. - -If you are experiencing poor performance you might want to increase the -maximum number of Status Cache entries. Each entry requires approximately -1.2K. Note that the default number of Status Cache entries was increased to -10,000 starting in 1.3.80. - - -25. 
"Netbios over TCP/IP" must be active on the machine in order for -communication with the AFS Client Service to succeed. If "Netbios over -TCP/IP" is disabled on the machine, then communication with the AFS Client -Service will be impossible. - - -26. The AFS Client Service and related binaries are digitally signed by -"Secure Endpoints Inc." beginning with the 1.3.7400 release of OpenAFS for -Windows. Starting in the 1.3.7500 release, the AFS Client Service will -perform a run-time verification check to ensure that all AFS related DLLs -loaded by the service match the same file version number and were signed by -the same entity. This check has been added to prevent the stability problems -caused by more then one version of AFS being installed on a machine at the -same time. Many hours of support time have been wasted tracking down problems -caused by the mixture of files from different releases. - -The registry.txt file documents the "VerifyServiceSignature" registry value -which can be used to disable the signature check. The file version check -cannot be disabled. - - -27. The maximum cache size is approximately 1.3GB. This is the largest -contiguous block of memory in the 2GB process address space which can be used -for the memory mapped file. Due to fragmentation of the process spaced caused -by the digital signature verification code, any attempt to specify a cache -size greater then 700MB will result in the automatic disabling of the -signature check. - - -28. OpenAFS for Windows implements an SMB server which is used as a gateway to -the AFS filesystem. Because of the use of SMB, Windows stores all files into -AFS using the OEM code pages such as CP437 (United States) or CP850 (Western -Europe). These code pages are incompatible with the ISO Latin-1 character set -typically used as a default on Unix systems in both the United States and -Western Europe. 
Filenames stored by OpenAFS for Windows are therefore -unreadable on Unix systems if they include any of the following characters: - - [Ç] 128 08/00 200 80 C cedilla - [ü] 129 08/01 201 81 u diaeresis - [é] 130 08/02 202 82 e acute - [â] 131 08/03 203 83 a circumflex - [ä] 132 08/04 204 84 a diaeresis - [à] 133 08/05 205 85 a grave - [å] 134 08/06 206 86 a ring - [ç] 135 08/07 207 87 c cedilla - [ê] 136 08/08 210 88 e circumflex - [ë] 137 08/09 211 89 e diaeresis - [è] 138 08/10 212 8A e grave - [ï] 139 08/11 213 8B i diaeresis - [î] 140 08/12 214 8C i circumflex - [ì] 141 08/13 215 8D i grave - [Ä] 142 08/14 216 8E A diaeresis - [Å] 143 08/15 217 8F A ring - [É] 144 09/00 220 90 E acute - [æ] 145 09/01 221 91 ae diphthong - [Æ] 146 09/02 222 92 AE diphthong - [ô] 147 09/03 223 93 o circumflex - [ö] 148 09/04 224 94 o diaeresis - [ò] 149 09/05 225 95 o grave - [û] 150 09/06 226 96 u circumflex - [ù] 151 09/07 227 97 u grave - [ÿ] 152 09/08 230 98 y diaeresis - [Ö] 153 09/09 231 99 O diaeresis - [Ü] 154 09/10 232 9A U diaeresis - [ø] 155 09/11 233 9B o slash - [£] 156 09/12 234 9C Pound sterling sign - [Ø] 157 09/13 235 9D O slash - [×] 158 09/14 236 9E Multiplication sign - [ƒ] 159 09/15 237 9F Florin sign - -As of 1.3.75, a new registry value, HKLM\SOFTWARE\OpenAFS\Client -"StoreAnsiFilenames" can be set to instruct OpenAFS for Windows to store -filenames using the ANSI Code Page instead of the OEM Code Page. The ANSI -Code Page is a compatible superset of Latin-1. This setting is not the -default setting because making this change would prevent OpenAFS for Windows -from being able to access filenames containing the above characters which were -created without this setting. - - -29. There is a known issue with storing Windows Roaming Profiles when the -profile contains either directories or files with names which cannot be -represented in the local OEM character set. In this case, attempts to write -the profile back to AFS will fail. 
OpenAFS for Windows does not currently -support UNICODE. To avoid this problem some sites run logoff scripts -(assigned by group policy) which rename all files to use only the supported -characters for the locale. - - -30. As of 1.3.80 the AFS Cache file is stored by default at %TEMP%\AFSCache in -a persistent file marked with the Hidden and System attributes. The -persistent nature of the data stored in the cache file improves the -performance of OpenAFS by reducing the number of times data must be read from -the AFS file servers. - - -31. Integrated Login (as of 1.3.80) supports the ability to obtain tokens for -multiple cells. See the "TheseCells" value in registry.txt. - - -32. New command line tool: - - afsdacl : Set or reset the DACL to allow starting or stopping - the afsd service by any ordinary user. - - Usage : afsdacl [-set | -reset] [-show] - -set : Sets the DACL - -reset : Reset the DACL - -show : Show current DACL (SDSF) - -33. As of 1.3.80, the default @sys name list has been changed to "x86_win32 -i386_w2k i386_nt40" for 32-bit x86 systems. The default for itanium will be -"ia64_win64" and "amd64_win64" for amd 64-bit processors. - - -34. As of 1.3.80, symlinks to \\AFS[\all]\... will now be treated the same as -symlinks to /afs/... However, please use /afs/... as the Windows UNC form -will not work on Unix. - - -35. As of 1.3.80, OpenAFS for Windows implements the Cache Manager Debugging -RPC Interface. The CM debugger can be queried with cmdebug.exe. - -Usage: cmdebug -servers [-port ] [-long] - [-addrs] [-cache] [-help] -Where: -long print all info - -addrs print only host interfaces - -cache print only cache configuration - - -36. If you are a site which utilizes MIT/Heimdal Kerberos principals to logon -to Windows via a cross-realm relationship with a multi-domain Windows forest, -you must enable Windows logon caching unless the workstation is Longhorn Beta -1 or later. - - -37. 
VLDB and File Server Preferences can now be provided initial values using -registry keys. This is useful for managed machines in a Windows domain which -are centrally located (e.g., in a computing lab.) See registry.txt for -details on the "Server Preferences" keys. - - -38. As of 1.3.81, timestamps on files stored in AFS are reported to Windows in -UTC all year round. Previously, in locales with daylight savings time, the -time reported by AFS to Windows when DST is active was UTC+1. This was done -to preserve the relative local time for the user. A file stored at 11:00am -EST in January would be reported as having been stored at 11:00am EDT in June. - Unfortunately, this has the negative side effect of changing the reported -timestamp from 16:00UTC to 15:00UTC. Since Windows treats all file times in -UTC, data synchronization applications which rely on the timestamp would -believe that all files stored in AFS had changed. This will no longer be the -case. - -It should be noted that Unix based operating systems (such as Solaris) do not -appear to report file times to applications in UTC. They do preserve the -relative local time. This may confuse some users who are used to being able -to compare the timestamp in an Unix shell with the timestamp from the Windows -explorer. During DST, these two times will no longer agree even though they -are in fact describing the same time. - - -39. If the installer refuses to install and complains about an RPC -configuration error, check to ensure that the following registry entries are -present and that they refer to the dll "rpcrt4.dll": - - HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_np" - HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp" - HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp" - HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http" - - -40. 1.3.83 adds a new command, "fs minidump". 
This command can be used at any -time to generate a mini dump file containing the current stack of the -afsd_service.exe process. This output can be very helpful when debugging the -AFS Client Service when it is unresponsive to SMB/CIFS requests. - - -41. The Windows AFS client implements Universally Unique Identifiers (UUIDs). -They are used to provide the server with a method of identifying the client -that is independent of IP address. The UUID is generated when the AFSCache -file is created and is maintained as long as the contents of the AFSCache -file are kept intact. The UUID is stored in the AFSCache file. When -cloning machines that have Windows AFS client installed, the AFSCache files -must be deleted as part of the cloning process. - - -42. The performance of the AFS Client Service is significantly affected by -the access times associated with the AFSCache paging file. When given the -choice, the AFSCache file should be placed on a fast disk, preferably NTFS, -the file should not be compressed and should consist of as few fragments as -possible. Significant performance gains can be achieved by defragmenting -the AFSCache file with Sysinternal's Contig utility. - ------------------------------------------------------------------------- - -How to Debug Problems with OpenAFS for Windows: - -OpenAFS for Windows provides a wide range of tools to assist you in debugging -problems. The techniques available to you are varied because of the wide -range of issues that have been discovered over the years. - -* pioctl debugging (IoctlDebug registry key) - - pioctl (path-based ioctl) calls are used by various tools to - communicate with the AFS Client Service. 
Some of the operations performed - include: - - - setting/querying tokens (tokens.exe, aklog.exe, afscreds.exe) - - setting/querying ACLs - - setting/querying cache parameters - - flushing files or volumes - - setting/querying server preferences - - querying path location - - checking the status of servers and volumes - - setting/querying the sysname list - - pioctl calls are implemented by writing to a special UNC path that - is processed by the AFS Client Service. If there is a failure to - communicate with the AFS Client Service via SMB/CIFS, it will be - impossible to perform any of the above operations. - - To assist in debugging these problems, the registry value: - - [HKLM\SOFTWARE\OpenAFS\Client] - REG_DWORD: IoctlDebug = 0x01 - - should be set. Then any of the commands that perform pioctl calls should - be executed from the command prompt. With this key set the pioctl library - will generate debugging output to stderr. The output will contain the - Win32 API calls executed along with their most important parameters and - their return code. The MSDN Library and the Microsoft KnowledgeBase can - be used as a reference to help you determine the configuration probem with - your system. - -* afsd_service initialization log (%WinDir%\TEMP\afsd_init.log) - - Every time the AFS Client Service starts it appends data about its progress - and configuration to a file. This file provides information crucial to - determining why the service cannot start when there are problems. When - the process terminates due to a panic condition it will write to this - file the source code file and line number of the error. In many cases - the panic condition is due to a misconfiguration of the machine. In other - cases it might be due to a programming error in the software. - A quick review of the location in the source code will quickly reveal - the reason for the termination. 
- - -* afsd_service debug logs (fs trace {-on, -off, -dump} -> - %WinDir%\TEMP\afsd.log) - - When attempting to debug the behavior of the SMB/CIFS Server and the - Cache Manager it is often useful to examine a log of the operations - being performed. While running the AFS Client Service keeps an in memory - log of many of its actions. The default number of actions preserved - at any one time is 5000. This can be adjusted with the registry value: - - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - REG_DWORD TraceBufferSize - - A restart of the service is necessary when adjusting this value. - Execute "fs trace -on" to clear to the log and "fs trace -dump" to - output the contents of the log to the file. - - An alternatve option to the use of "fs trace" is to use a tool such as - Sysinternal's DbgView to capture real-time debugging output. Set Bit 2 - of the TraceOption value in the registry to activate. - - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - REG_DWORD TraceOption = 0x04 - - -* Microsoft MiniDumps (fs minidump -> %WinDir%\TEMP\afsd.dmp) - - If the AFS Client Service become unresponsive to any form of communication - there may be a serious error that can only be debugged by someone with - access to the source code and a debugger. The "fs minidump" command can - be used to force the generation of a MiniDump file containing the state - of all of the threads in the AFS Client Service process. - - -* Integrated Logon debugging (TraceOption registry key) - - If you are having trouble with the Integrated Logon operations - it is often useful to be able to obtain a log of what it is attempting - to do. Setting Bit 0 of the registry value: - - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - REG_DWORD TraceOption = 0x01 - - will instruct the Integrated Logon Network Provider and Event Handlers - to log information to the Windows Event Log: Application under the name - "AFS Logon". 
- - -* RX (AFS RPC) debugging (rxdebug) - - The rxdebug.exe tool can be used to query a variety of information - about the AFS services installed on a given machine. The port for - the AFS Cache Manager is 7001. - - -* Cache Manager debugging (cmdebug) - - The cmdebug.exe tool can be used to query the state of the AFS Cache - Manager on a given machine. - - -* Persistent Cache consistency check - - The persistent cache is stored in a Hidden System file at - %WinDir%\TEMP\AFSCache. If there is a problem with the persistent - cache that prevent the AFS Client Service from being able to start - a validation check on the file can be performed. - - afsd_service.exe --validate-cache - - ------------------------------------------------------------------------- - -Reporting Bugs: - -Bug reports should be sent to openafs-bugs@openafs.org. Please include as -much information as possible about the issue. If you are reporting a crash, -please install the debugging symbols by re-running the installer. If a dump -file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along -with the AFS Client Trace file %WINDIR%\TEMP\afsd.log. The AFS Client -startup log is %WINDIR%\TEMP\afsd_init.log. Send the last continuous block of -log information from this file. - -Configuring DrWatson to generate dump files for crashes: - - * Run drwtsn32.exe to configure or to identify where the log and the crash dump - files are created: - - click Start > Run... - - type drwtsn32 . - - Select either a Crash Dump Type: Mini or Full. - - Clear Dump Symbol Table - - Clear Append to Existing Log file. - - Check Dump All Thread Contexts. - - Check Create Crash Dump File - * Next run the monitoring module of Dr. Watson: - - click Start > Run... - - type drwatson . - - Once a crash happens, Dr. Watson generates a dump file and a report in the - log file, including the address of the crash and the stack dump. - -Once you have the Dr. 
Watson's logfile and minidump, zip them and send them as -attachments with your e-mail to openafs-bugs@openafs.org. - -When reporting a error, please be sure to include the version of OpenAFS. - - ------------------------------------------------------------------------- - -How to Contribute to the Development of OpenAFS for Windows: - -Contributions to the development of OpenAFS for Windows are needed. -Contributions may take many forms including cash donations, support contracts, -donated developer time, and even donated tech writer time. - -If you wish to be involved in OpenAFS for Windows development please join the -openafs-win32-devel@openafs.org mailing list. - - https://lists.openafs.org/mailman/listinfo/openafs-win32-devel - -User questions should be sent to the openafs-info@openafs.org mailing list. - - https://lists.openafs.org/mailman/listinfo/openafs-info - -You must join the mailing lists if you wish to post to the list without -incurring a moderation delay. - diff --git a/doc/txt/winnotes/msi-deployment-guide.txt b/doc/txt/winnotes/msi-deployment-guide.txt deleted file mode 100644 index 63cf941dfb..0000000000 --- a/doc/txt/winnotes/msi-deployment-guide.txt +++ /dev/null 
@@ -1,739 +0,0 @@ - -OpenAFS for Windows - MSI Deployment Guide ----------------------------------------------------------------------- - - Contents - - 1. Introduction - 1.1 Requirements - - 2. Configuration options - 2.1 Configurable properties - 2.2 Existing registry values - 2.3 Replacing Configuration Files - 2.4 Adding Domain Specific Registry Keys - 2.5 Adding Site Specific Freelance Registry Keys - - 3. Additional resources - - 4. Upgrades - - 5. FAQ - - ----------------------------------------------------------------------- - -1. Introduction - - Beginning with OpenAFS for Windows version 1.3.65 a MSI installer - option is available for those who wish to use Windows - Installer for installing OpenAFS and for organizations that wish - to deploy OpenAFS through Group Policy. - - This document provides a guide for authoring transforms used to - customize the MSI package for a particular organization. Although - many settings can be deployed via transforms, in an Active - Directory environment it is advisable to deploy registry settings - and configuration files through group policy and/or startup - scripts so that machines where OpenAFS for Windows is already - installed will pick up these customizations. - -1.1 Requirements - - The information in this document applies to MSI packages - distributed with OpenAFS for Windows releases from 1.3.65 and - onwards or MSI packages built from corresponding source - releases. Not all releases support all the configuration options - documented here. - - Authoring a "Windows Installer" transform requires additional - software for editing the MSI database tables and generating the - transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE - which are included in the Windows Platform SDK ("Windows Installer" - SDK) can be used for this purpose. - - For reference, the schema for the MSI package is based on - SCHEMA.MSI distributed with the Platform SDK. 
- - For general information about "Windows Installer", refer to : - - http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp - - For general information about authoring MSI transforms, refer to : - - http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp - - The remainder of this document assumes some familiarity with - authoring transforms. While the MSDN documentation for Windows - Installer is a bit dense, it is recommended that you read through - the guide on MSI transforms found at the second link above. Also - MSDN includes a step-by-step example for creating a transform at: - - http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp - -1.2 Authoring a Transform - - Transforms describe a set of modifications to be performed on an - existing MSI for the purpose of customizing it. This is - ordinarily done by making a copy of the MSI to be customized, - modifying the copy and then using the old and the new MSI to - generate a transform. - - E.g: - > copy openafs.msi openafs-modified.msi - - (edit the openafs-modified.msi to include the necessary changes) - - > msitran -g openafs.msi openafs-modified.msi openafs-transform.mst - - (generates openafs-transform.mst, which is the transform) - - Transforms have an extension of .mst. 'msitran' is a tool - distributed as part of the "Windows Installer" SDK (which in turn is - a part of the Windows Platform SDK). - - You can test a transform by : - - > copy openafs.msi openafs-test.msi - > msitran -a openafs-transform.mst openafs-test.msi - - and then checking the resulting openafs-test.msi to see if all the - changes you have made above to openafs-modified.msi is present in - openafs-test.msi. 'msitran' will complain if some modification in the - transform can not be successfully applied. - - As mentioned above, you can use a tool like ORCA.EXE to edit the - MSI databases directly when editing openafs-modified.msi. More - details are given below. 
- ----------------------------------------------------------------------- - -2. Configuration Options - - The logic necessary to implement many of the settings described in - the registry.txt file are present in the MSI. Most of these can be - controlled by setting the corresponding properties to the desired - value. Some settings may require modifying existing registry - entries (though not recommended) or adding new resources (like - files or registry keys). Instructions for performing these tasks - are below. - -2.1 Configurable Properties - - Most configurable properties correspond to registry keys or - values. Please refer to the release notes for more information - about how these registry settings are used. - - Due to the logic invoked based on the existence of these registry - keys or values, they are only set if the associated property is - defined to have a non null value. If the associated property is - not defined in the MSI, the registry key or value will not be - touched. By default, the MSI does not contain these properties - and hence will not set the registry keys. You will need to add - properties as needed to the MSI. - - When one of the configurable properties is set, the installer will - use the property value to set the corresponding setting in the - HKEY_LOCAL_MACHINE registry hive. HKEY_CURRENT_USER hive is not - touched by the installer. - - For each property, the associated registry setting is referenced - by the same text used in the registry.txt file. - - Strings are quoted using single quotes (e.g. 'a string'). An empty - string is denoted as ''. Note that you can't author null values - into the 'Property' table. - - Numeric values should be authored as decimal strings. - -2.1.1 Setting Properties - - In order to set a property, - - a. Open the MSI in ORCA.EXE - - b. Select the 'Property' table from the list of tables on the left. - - c. 
Find the property in the list of properties on the right, - double click the value and type the new value. - - d. If the property does not exist in the property list, right - click the list and select 'Add Row', type the property name - and the desired value. - - -2.1.2 OpenAFS for Windows properties - - (Service parameters): - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - - (Network provider): - [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider] - - (OpenAFS Client): - [HKLM\SOFTWARE\OpenAFS\Client] - - The configurable properties are as follows: - - AFSCACHEPATH - Registry key : (Service parameters) - Registry value : CachePath - Valid values : string - - AFSCACHESIZE - Registry key : (Service parameters) - Registry value : CacheSize - Valid values : numeric - - AFSCELLNAME - - Registry key : (Service parameters) - Registry value : Cell - Valid values : string - - CREDSAUTOINIT - Valid values : '-a' or '' - - Option for AFSCREDS.EXE. Enables automatic initialization. - (see below) - - CREDSIPCHDET - Valid values : '-n' or '' - - Option for AFSCREDS.EXE. Enables IP address change detection. - (see below) - - CREDSQUIET - Valid values : '-q' or '' - - Option for AFSCREDS.EXE. Enables quiet mode. - (see below) - - CREDSRENEWDRMAP - Valid values : '-m' or '' - - Option for AFSCREDS.EXE. Enables renewing drive map at - startup. - (see below) - - CREDSSHOW - Valid values : '-s' or '' - - Option for AFSCREDS.EXE. Enables displaying the credential - manager window when AFSCREDS starts up. - - The five properties above determine the behavior of the AFS - credential manager ( AFSCREDS.EXE ). Each property adds a - command line option to the shortcut that will be created in - the Program Menu, both under 'OpenAFS' and 'Startup' folders - (see CREDSSTARTUP). - - The way in which the options are specified was chosen for easy - integration with the Windows Installer user interface. 
- Although you can come up with creative ways to provide other - options to AFSCREDS.EXE, we advise against it because such - transforms may not apply to future releases of OpenAFS. - - CREDSSTARTUP - Valid values : '1' or '0' - - Controls whether AFSCREDS.EXE starts up automatically when a - user logs on. When CREDSSTARTUP is '1' a shortcut is added - to the 'Startup' folder in the 'Program menu' which starts - AFSCREDS.EXE with the options that are determined by the - other CREDS* properties. - - FREELANCEMODE - - Registry key : (Service parameters) - Registry value : FreelanceClient - Valid values : '1' or '0' - - HIDEDOTFILES - - Registry key : (Service parameters) - Registry value : HideDotFiles - Valid values : '1' or '0' - - LOGONOPTIONS - - Registry key : (Network provider) - Registry value : LogonOptions - Valid values : '0','1' or '3' - - See section 2.1 of registry.txt (Domain specific configuration - keys for Network Provider) and section [filler] of this - document (filler) for more details. 
- - MOUNTROOT - - Registry key : (Service parameters) - Registry value : Mountroot - Valid values : string - - NETBIOSNAME - - Registry key : (Service parameters) - Registry value : NetbiosName - Valid values : string (at most 15 characters) - - NOFINDLANABYNAME - - Registry key : (Service parameters) - Registry value : NoFindLanaByName - Valid values : '1' or '0' - - RXMAXMTU - - Registry key : (Service parameters) - Registry value : RxMaxMTU - Valid values : numeric - - SECURITYLEVEL - - Registry key : (Service parameters) - Registry value : SecurityLevel - Valid values : '1' or '0' - - SMBAUTHTYPE - - Registry key : (Service parameters) - Registry value : SMBAuthType - Valid values : '0','1' or '2' - - STOREANSIFILENAMES - - Registry key : (OpenAFS Client) - Registry value : StoreAnsiFilenames - Valid values : '0' or '1' - - USEDNS - - Registry key : (Service parameters) - Registry value : UseDNS - Valid values : '1' or '0' - - -2.2 Existing Registry Entries - - You can change existing registry values subject to the - restrictions mentioned in the Windows Platform SDK. Pay special - attention to component keypaths and try to only change the 'Value' - column in the 'Registry' table. If you want to add additional - registry keys please refer to section 3 (Additional Resources). - -2.3 Replacing Configuration Files - - The OpenAFS configuration files (CellServDB) - can be replaced by your own configuration files. These files are - contained in separate MSI components so that you can disable them - individually. - - The recommended method for replacing these files is to first - disable the components containing the configuration files that you - want to replace, and then add new components for the replacement - files. This is outlined below (assuming you are using ORCA.EXE to - author the transform). - - Note that transforms are not a good way to add a new file as an - embedded stream. 
The method outlined here places the file in the - same directory as the MSI for deployment. - - The walkthrough below is to add a custom 'CellServDB' file. - - 1) Disable the component that contains the configuration file that - you want to replace. - - 1.1) Locate and select the 'Component' table in the 'Tables' - list. - - 1.2) In the Component table, locate the component you need to - change ( Ctrl-F invokes the 'Find' dialog). The component - names are listed below in section 2.3.1. For this - example, the component name is 'elf_CellServDB'. - - 1.3) Go to the 'Condition' column of the component. - - 1.4) Enter a condition that evaluates to - false. I.e. 'DONOTINSTALL'. (Note that an undefined - property always evaluates to false). - - Note that you can also use this step to disable other - configuration files without providing replacements. - - 2) Add a new component containing the new configuration file. - - 2.1) Select the 'Component' table in the 'Tables' list. - - 2.2) Select 'Tables'->'Add Row' (Ctrl-R). - - 2.3) Enter the following : - - Component : cmf_my_CellServDB - ComponentId : {7019836F-BB2C-4AF6-9463-0D6EC9035CF1} - Directory_ : dirClient - Attributes : 144 - Condition : - KeyPath : fil_my_CellServDB - - Note that the ComponentId is an uppercase GUID. You can - generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of - which are included in the Platform SDK. - - The Attributes value of 144 is a sum of - msidbComponentAttributesPermanent (16) and - msidbComponentAttributesNeverOverwrite (128). This - ensures that local modifications are not overwritten or - lost during an installation or uninstallation. These are - the same settings used on the default configuration files. - - 'fil_my_CellServDB' is a key into the 'File' table which we - will fill later. - - 3) Add a new feature to hold the new component. - - 3.1) Select the 'Feature' table. 
- - 3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the - following values: - - Feature : fea_my_CellServDB - Feature_Parent: feaClient - Title : - Description : - Display : 0 - Level : 30 - Directory_ : - Attributes : 8 - - It is important to create the new feature under the - 'feaClient' feature, which will ensure that the - configuration file will be installed when the client - binaries are installed. - - Setting 'Display' to 0 will hide this feature from the - feature selection dialog during an interactive - installation. A value of 30 for 'Level' allows this - feature to be installed by default (on a 'Typical' - installation). - - The 'Attributes' value is - msidbFeatureAttributesDisallowAdvertise (8), which is set - on all features in the OpenAFS MSI. The OpenAFS MSI is not - designed for an advertised installation. - - 4) Join the component and the feature. - - 4.1) Select the 'FeatureComponents' table. - - 4.2) Add a new row with the following values: - - Feature : fea_my_CellServDB - Component : cmf_my_CellServDB - - 5) Add an entry to the 'File' table. - - 5.1) Select the 'File' table. - - 5.2) Add a new row with the following values: - - File : fil_my_CellServDB - Component_ : cmf_my_CellServDB - FileName : CellServDB - FileSize : (enter file size here) - ... - Attributes : 8192 - Sequence : 1000 - (leave other fields blank) - - The 'Attributes' value is msidbFileAttributesNonCompressed - (8192). This is because we will be placing this file in - the same directory as the MSI instead of embedding the - file in it. Transforms do not support updating compressed - sources or adding new cabinet streams. - - Finally, the 'Sequence' value of 1000 will be used later - to distinguish the file as being in a separate source - location than the other files in the MSI. - - 6) Set a media source for the file. - - 6.1) Select the 'Media' table. - - 6.2) Add a row with the following values : - - DiskId : 2 - LastSequence : 1000 - ... 
- (leave other fields blank) - - The sequence number of 1000 designates this as the media - source for the newly added file. - -2.3.1 Components for Configuration Files - - CellServDB : 'cpf_CellServDB' (ID {D5BA4C15-DBEC-4292-91FC-B54C30F24F2A}) - -2.4 Adding Domain Specific Registry Keys - - Following is an example for adding domain specific registry keys. - Refer to section 2.1 in REGISTRY.TXT for more information. - - Columns that are unspecified should be left empty. - - We create a new feature and component to hold the new registry keys. - - 'Feature' table: - - (new row) - Feature : 'feaDomainKeys' - Feature Parent : 'feaClient' - Display : 0 - Level : 30 - Attributes : 10 - - 'Component' table: - - (new row) - Component : 'rcm_DomainKeys' - ComponentId : '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}' - Directory : 'TARGETDIR' - Attributes : 4 - KeyPath : 'reg_domkey0' - - 'FeatureComponents' table: - - (new row) - Feature : 'feaDomainKeys' - Component : 'rcm_DomainKeys' - - 'Registry' table: - - (new row) - Registry : 'reg_domkey0' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain' - Component : 'rcm_DomainKeys' - - (new row) - Registry : 'reg_domkey1' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain' - Name : '*' - Component : 'rcm_DomainKeys' - - (new row) - Registry : 'reg_domkey2' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU' - Name : '*' - Component : 'rcm_DomainKeys' - - (new row) - Registry : 'reg_domkey3' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU' - Name : 'LogonOptions' - Value : 1 - Component : 'rcm_DomainKeys' - - (new row) - Registry : 'reg_domkey4' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST' - Name : '*' - Component : 'rcm_DomainKeys' - - (new row) - Registry : 
'reg_domkey5' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST' - Name : 'LogonOptions' - Value : 0 - Component : 'rcm_DomainKeys' - - (new row) - Registry : 'reg_domkey6' - Root : 2 - Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST' - Name : 'FailLoginsSilently' - Value : 1 - Component : 'rcm_DomainKeys' - - The example adds domain specific keys for 'ATHENA.MIT.EDU' (enable - integrated logon) and 'LOCALHOST' (disable integrated logon and - fail logins silently). - -2.5 Adding Site Specific Freelance Registry Keys - - Following is an example for adding site specific Freelance registry keys - to pre-populate the Mountpoints and Symlinks in the fake root.afs volume. - - Columns that are unspecified should be left empty. - - We create a new feature and component to hold the new registry keys. - - 'Feature' table: - - (new row) - Feature : 'feaFreelanceKeys' - Feature Parent : 'feaClient' - Display : 0 - Level : 30 - Attributes : 10 - - 'Component' table: - - (new row) - Component : 'rcm_FreelanceKeys' - ComponentId : '{4E3B3CBF4-9AE7-40C3-7B09-C48CF842C583}' - Directory : 'TARGETDIR' - Attributes : 4 - KeyPath : 'reg_freekey0' - - 'FeatureComponents' table: - - (new row) - Feature : 'feaFreelanceKeys' - Component : 'rcm_FreelanceKeys' - - 'Registry' table: - - (new row) - Registry : 'reg_freekey0' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance' - Component : 'rcm_FreelanceKeys' - - (new row) - Registry : 'reg_freekey1' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance' - Name : '0' - Value : 'athena.mit.edu#athena.mit.edu:root.cell.' - Component : 'rcm_FreelanceKeys' - - (new row) - Registry : 'reg_freekey2' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance' - Name : '1' - Value : '.athena.mit.edu%athena.mit.edu:root.cell.' 
- Component : 'rcm_FreelanceKeys' - - (new row) - Registry : 'reg_freekey3' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks' - Component : 'rcm_FreelanceKeys' - - (new row) - Registry : 'reg_freekey4' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks' - Name : '0' - Value : 'athena:athena.mit.edu.' - Component : 'rcm_FreelanceKeys' - - (new row) - Registry : 'reg_freekey5' - Root : 2 - Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks' - Name : '1' - Value : '.athena:.athena.mit.edu.' - Component : 'rcm_FreelanceKeys' - - The example adds a read-only mountpoint to the athena.mit.edu - cell's root.afs volume as well as a read-write mountpoint. Aliases - are also provided using symlinks. - ----------------------------------------------------------------------- - -3 Additional Resources - - If you want to add registry keys or files you need to create new - components and features for those. Refer to the Windows Platform - SDK for details. - - It is beyond the scope of this document to provide a comprehensive - overview of how to add new resources through a transform. Please - refer to the "Windows Installer" documentation for details. The - relevant section is at : - - http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp - - A sample walkthrough of adding a new configuration file is in - section 2.3. - - Add new features under the 'feaClient' or 'feaServer' as - appropriate and set the 'Level' column for those features to equal - the 'Level' for their parent features for consistency. Note that - none of the features in the OpenAFS for Windows MSI package are - designed to be installed to run from 'source' or 'advertised'. It - is recommended that you set 'msidbFeatureAttributesFavorLocal' (0), - 'msidbFeatureAttributesFollowParent' (2) and - 'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new - features. 
- - If you are creating new components, retain the same component GUID - when creating new transforms against new releases of the OpenAFS - MSI package. - - After making the adjustments to the MSI database using ORCA.EXE - you can generate a transform with MSITRAN.EXE as follows : - - (Modified MSI package is 'openafs-en_US_new.msi' and the original - MSI package is 'openafs-en_US.msi'. Generates transform - 'openafs-transform.mst') - - > msitran.exe -g openafs-en_US.msi openafs-en_US_new.msi openafs-transform.mst - - See the Platform SDK documentation for information on command line - options for MSITRAN.EXE. - ----------------------------------------------------------------------- - -4. Upgrades - - The MSI package is designed to uninstall previous versions of - OpenAFS for Windows during installation. Note that it doesn't - directly upgrade an existing installation. This is intentional - and ensures that development releases which do not have strictly - increasing version numbers are properly upgraded. - - Versions of OpenAFS that are upgraded by the MSI package are : - - 1) OpenAFS MSI package - Upgrade code {6823EEDD-84FC-4204-ABB3-A80D25779833} - Upto current release - - 2) MIT's Transarc AFS MSI package - Upgrade code {5332B94F-DE38-4927-9EAB-51F4A64193A7} - Upto version 3.6.2 - - 3) OpenAFS NSIS package - All versions - - Note that versions of the OpenAFS NSIS package prior to 1.3.65 - had a bug where it couldn't be uninstalled properly in - unattended mode. Therefore the MSI package will not try to - uninstall an OpenAFS NSIS package if running unattended. This - means that group policy based deployments will fail on machines - that have the OpenAFS NSIS package installed. - - If you have used a different MSI package to install OpenAFS and - wish to upgrade it you can author rows into the 'Upgrade' table as - described in the Platform SDK. - - When performing an upgrade with msiexec.exe execute the MSI with - the repair options "vomus". 
- ----------------------------------------------------------------------- - -5. FAQ - - (Q/A's will be added here as needed) - ----------------------------------------------------------------------- -$Id$ diff --git a/doc/txt/winnotes/registry.txt b/doc/txt/winnotes/registry.txt deleted file mode 100644 index 76650c6ba4..0000000000 --- a/doc/txt/winnotes/registry.txt +++ /dev/null 
@@ -1,917 +0,0 @@ -Registry keys and Environment Variables used in the Windows AFS Client -as of release 1.4.0000 -====================================================================== - -REGISTRY KEYS: - -1. Service parameters ---------------------- - -The service parameters primarily affect the behavior of the AFS client -service (afsd_service.exe). - -Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - -Value : LANadapter -Type : DWORD -Default : -1 -Variable: LANadapter - - LAN adapter number to use. This is the lana number of the LAN - adapter that the SMB server should bind to. If unspecified or set - to -1, a LAN adapter with named 'AFS' or a loopback adapter will be - selected. If neither are present, then all available adapters will - be bound to. When binding to a non-loopback adapter, the NetBIOS - name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS - name of the host truncated to 11 characters). Otherwise, the NetBIOS - name will be 'AFS'. - -Value : CacheSize -Type : DWORD -Default : 98304 (CM_CONFIGDEFAULT_CACHESIZE) -Variable: cm_initParams.cacheSize - - Size of the AFS cache in 1k blocks. - -Value : ChunkSize -Type : DWORD -Default : 17 (CM_CONFIGDEFAULT_CHUNKSIZE) -Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize) - - Size of chunk for reading and writing. Actual chunk size is 2^cm_logChunkSize. - -Value : Daemons -Type : DWORD -Default : 2 (CM_CONFIGDEFAULT_DAEMONS) -Variable: numBkgD - - Number of background daemons (number of threads of - cm_BkgDaemon). (see cm_BkgDaemon in cm_daemon.c) - -Value : ServerThreads -Type : DWORD -Default : 25 (CM_CONFIGDEFAULT_SVTHREADS) -Variable: numSvThreads - - Number of SMB server threads (number of threads of smb_Server). (see - smb_Server in smb.c). - -Value : Stats -Type : DWORD -Default : 10000 (CM_CONFIGDEFAULT_STATS) -Variable: cm_initParams.nStatCaches - - Cache configuration. 
- -Value : LogoffPreserveTokens -Type : DWORD {1,0} -Default : 0 - - If enabled (set to 1), the Logoff Event handler will not attempt - to delete the user's tokens if the user's profile is stored outside - of AFS. - -Value : RootVolume -Type : REG_SZ -Default : "root.afs" -Variable: cm_rootVolumeName - - Root volume name. - -Value : Mountroot -Type : REG_SZ -Default : "/afs" -Variable: cm_mountRoot - - Name of root mount point. In symlinks, if a path starts with - cm_mountRoot, it is assumed that the path is absolute (as opposed to - relative) and is adjusted accordingly. Eg: if a path is specified as - /afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the - path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a - path does not start with with cm_mountRoot, the path is assumed to - be relative and suffixed to the reference directory (i.e. directory - where the symlink exists) - - -Value : CachePath -Type : REG_SZ or REG_EXPAND_SZ -Default : "%TEMP%\AFSCache" -Variable: cm_CachePath - - Location of on-disk cache file. The default is the SYSTEM account's - TEMP directory. The attributes assigned to the file are HIDDEN and - SYSTEM. - - -Value : NonPersistentCaching -Type : DWORD [0..1] -Default : 0 -Variable: buf_CacheType - - When this registry value is set to a non-zero value, the CachePath - value is ignored and the cache data is stored in the windows paging - file. This prevents the use of persistent caching (when available) - as well as the ability to alter the size of the cache at runtime - using the "fs setcachesize" command. - - -Value : ValidateCache -Type : DWORD [0..2] -Default : 1 -Variable: buf_CacheType - - This value determines if and when persistent cache validation is - performed. - 0 - Validation is disabled - 1 - Validation is performed at startup - 2 - Validation is performed at shutdown - - -Value : TrapOnPanic -Type : DWORD {1,0} -Default : 0 -Variable: traceOnPanic - - Issues a breakpoint in the event of a panic. 
(breakpoint: _asm int 3). - -Value : NetbiosName -Type : REG_EXPAND_SZ -Default : "AFS" -Variable: cm_NetbiosName - - Specifies the NetBIOS name to be used when binding to a Loopback - adapter. To provide the old behavior specify a value of - "%COMPUTERNAME%-AFS" - -Value : IsGateway -Type : DWORD {1,0} -Default : 0 -Variable: isGateway - - Select whether or not this AFS client should act as a gateway. If - set and the NetBIOS name hostname-AFS is bound to a physical NIC, - other machines in the subnet can access AFS via SMB connections to - hostname-AFS. - - When IsGateway is non-zero, the LAN adapter detection code will - avoid binding to a loopback adapter. This will ensure that the - NetBIOS name will be of the form hostname-AFS instead of the value - set by the "NetbiosName" registry value. - -Value : ReportSessionStartups -Type : DWORD {1,0} -Default : 0 -Variable: reportSessionStartups - - If enabled, all SMB sessions created are recorded in the Application - event log. This also enables other events such as drive mappings - or various error types to be logged. - -Value : TraceBufferSize -Type : DWORD -Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE) -Variable: traceBufSize - - Number of entries to keep in trace log. - -Value : SysName -Type : REG_SZ -Default : "i386_nt40" -Variable: cm_sysName - - Provides an initial value for "fs sysname". The string can contain - one or more replacement values for @sys in order of preference separated - by whitespace. - -Value : SecurityLevel -Type : DWORD {1,0} -Default : 0 -Variable: cryptall - - Enables encryption on RX calls. - -Value : UseDNS -Type : DWORD {1,0} -Default : 1 -Variable: cm_dnsEnabled - - Enables resolving volservers using AFSDB DNS queries. (see - afsdb-freelance-notes). - - As of 1.3.60, this value is ignored as the DNS query support - utilizes the Win32 DNSQuery API which is available on Win2000 - and above. 
- -Value : FreelanceClient -Type : DWORD {1,0} -Default : 0 -Variable: cm_freelanceEnabled - - Enables freelance client. (see afsdb-freelance-notes) - -Value : HideDotFiles -Type : DWORD {1,0} -Default : 1 -Variable: smb_hideDotFiles - - Enables marking dotfiles with the hidden attribute. Dot files are - files whose name starts with a period (excluding "." and ".."). - -Value : MaxMpxRequests -Type : DWORD -Default : 50 -Variable: smb_maxMpxRequests - - Maximum number of multiplexed SMB requests that can be made. - -Value : MaxVCPerServer -Type : DWORD -Default : 100 -Variable: smb_maxVCPerServer - - Maximum number of SMB virtual circuits. - -Value : Cell -Type : REG_SZ -Default : -Variable: rootCellName - - Name of root cell (the cell from which root.afs should be mounted in - \\afs\all). - -Value : RxNoJumbo -Type : DWORD {0,1} -Default : 0 -Variable: rx_nojumbo - - If enabled, does not send or indicate that we are able to send or - receive RX jumbograms. - -Value : RxMaxMTU -Type : DWORD -Default : -1 -Variable: rx_mtu - - If set to anything other than -1, uses that value as the maximum MTU - supported by the RX interface. - - In order to enable OpenAFS to operate across the Cisco IPSec VPN - client, this value must be set to 1264 or smaller. - -Value : ConnDeadTimeout -Type : DWORD -Default : 60 (seconds) -Variable: ConnDeadtimeout - - The Connection Dead Time is enforced to be at a minimum 15 seconds - longer than the minimum SMB timeout as specified by - - HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters - SessTimeout - - If the minimum SMB timeout is not specified the value is 45 seconds. - See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp - - -Value : HardDeadTimeout -Type : DWORD -Default : 120 (seconds) -Variable: HardDeadtimeout - - The Hard Dead Time is enforced to be at least double the ConnDeadTimeout. - The provides an opportunity for at least one retry. 
- - -Value : TraceOption -Type : DWORD {0-15} -Default : 0 - - Enables logging of debug output to the Windows Event Log. - Bit 0 enables logging of "Logon Events" processed by the Network Provider - and Winlogon Event Notification Handler. - Bit 1 enables logging of events captured by the AFS Client Service. - Bit 2 enables real-time viewing of "fs trace" logging with DbgView - or similar tools. - Bit 3 enables "fs trace" logging on startup. - -Value : AllSubmount -Type : DWORD {0, 1} -Default : 1 -Variable: allSubmount (smb.c) - - By setting this value to 0, the "\\NetbiosName\all" mount point - will not be created. This allows the read-write versions of - root.afs to be hidden. - -Value : NoFindLanaByName -Type : DWORD {0, 1} -Default : 0 - - Disables the attempt to identity the network adapter to use by - looking for an adapter with a display name of "AFS". - -Value : MaxCPUs -Type : DWORD {1..32} or {1..64} depending on the architecture -Default : - - If this value is specified, afsd_service.exe will restrict itself - to executing on the specified number of CPUs if there are a greater - number installed in the machine. - - NOTE: Setting this entry to "1" may be required on hyperthreaded - systems to avoid crashes in the RX library. - -Value : smbAuthType -Type : DWORD {0..2} -Default : 2 - - If this value is specified, it defines the type of SMB authentication - which must be present in order for the Windows SMB client to connect - to the AFS Client Service's SMB server. The values are: - 0 = No authentication required - 1 = NTLM authentication required - 2 = Extended (GSS SPNEGO) authentication required - The default is Extended authentication - -Value : MaxLogSize -Type : DWORD {0 .. MAXDWORD} -Default : 100K - - This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log - file. If the file is larger than this value when afsd_service.exe starts - the file will be reset to 0 bytes. 
If this value is 0, it means the file - should be allowed to grow indefinitely. - -Value : FlushOnHibernate -Type : DWORD {0,1} -Default : 1 - - If set, flushes all volumes before the machine goes on hibernate or - stand-by. - -Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper] - -Value : for example "G:" -Type : SZ - - Specifies the submount name to be mapped by afsd_service.exe at startup - to the provided drive letter. - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client] - -Value : CellServDBDir -Type : REG_SZ -Default : - - Specifies the directory containing the CellServDB file. - When this value is not specified, the AFS Client install - directory is used. - - -Value : VerifyServiceSignature -Type : REG_DWORD -Default : 0x1 - - This value can be used to disable the runtime verification of - the digital signatures applied to afsd_service.exe and the - OpenAFS DLLs it loads. This test is performed to verify that - the DLLs which are loaded by afsd_service.exe are from the - same distribution as afsd_service.exe. This is to prevent - random errors caused when DLLs from one distribution of AFS - are loaded by another one. This is not a security test. The - reason for disabling this test is to free up additional memory - which can be used for a large cache size. - - -Value : IoctlDebug -Type : REG_DWORD -Default : 0x0 - - This value can be used to debug the cause of pioctl() failures. - Set a non-zero value and the pioctl() library will output status - information to stdout. Executing command line tools such as - tokens.exe, fs.exe, etc can then be used to determine why the - pioctl() call is failing. - - -Value : MiniDumpType -Type : REG_DWORD -Default : 0x0 (MiniDumpNormal) - - This value is used to specify the type of minidump generated by - afsd_service.exe either when the process crashes or when a user - initiated is dump file is generated with the "fs.exe minidump" - command. 
- - Valid values are dependent on the version of DbgHelp.dll installed - on the machine. See the Microsoft Developer Library for further - information. - - MiniDumpNormal = 0x00000000, - MiniDumpWithDataSegs = 0x00000001, - MiniDumpWithFullMemory = 0x00000002, - MiniDumpWithHandleData = 0x00000004, - MiniDumpFilterMemory = 0x00000008, - MiniDumpScanMemory = 0x00000010, - MiniDumpWithUnloadedModules = 0x00000020, - MiniDumpWithIndirectlyReferencedMemory = 0x00000040, - MiniDumpFilterModulePaths = 0x00000080, - MiniDumpWithProcessThreadData = 0x00000100, - MiniDumpWithPrivateReadWriteMemory = 0x00000200, - MiniDumpWithoutOptionalData = 0x00000400, - MiniDumpWithFullMemoryInfo = 0x00000800, - MiniDumpWithThreadInfo = 0x00001000, - MiniDumpWithCodeSegs = 0x00002000 - - -Value : StoreAnsiFilenames -Type : REG_DWORD -Default : 0x0 - - This value can be used to force the AFS Client Service to - store filenames using the Windows system's ANSI character set - instead of the OEM Code Page character set which has traditionally - been used by SMB file systems. - - Note: The use of ANSI characters will render access to files - with 8-bit OEM file names unaccessible from Windows. This option - is of use primarily when you wish to allow file names produced - on Windows to be accessible from Latin-1 Unix systems and vice - versa. - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy] - -Value : "smb/cifs share name" -Type : REG_SZ -Default : - - This key is used to map SMB/CIFS shares to Client Side Caching - (off-line access) policies. For each share one of the following - policies may be used: "manual", "programs", "documents", "disable" - - These values used to be stored in afsdsbmt.ini - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\Freelance] - -Value : "numeric value" -Type : REG_SZ -Default : - - This key is used to store dot terminated mount point strings - for use in constructing the fake root.afs volume when Freelance - (dynamic roots) mode is activated. 
- - "athena.mit.edu#athena.mit.edu:root.cell." - ".athena.mit.edu%athena.mit.edu:root.cell." - - These values used to be stored in afs_freelance.ini - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks] - -Value : "numeric value" -Type : REG_SZ -Default : - - This key is used to store a dot terminated symlink strings - for use in constructing the fake root.afs volume when Freelance - (dynamic roots) mode is activated. - - "linkname:destination-path." - "athena:athena.mit.edu." - "home:athena.mit.edu\user\j\a\jaltman." - "filename:path\file." - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\Submounts] - -Value : "submount name" -Type : REG_EXPAND_SZ -Default : - - This key is used to store mappings of unix style AFS paths - to submount names which can be referenced as UNC paths. - For example the submount string "/athena.mit.edu/user/j/a/jaltman" - can be associated with the submount name "jaltman.home". - This can then be referenced as the UNC path \\AFS\jaltman.home. - - These values used to be stored in afsdsbmt.ini - - NOTE: Submounts should no longer be used with OpenAFS. - Use the Windows Explorer to create drive mappings to AFS UNC - paths instead of using the AFS Submount mechanism. - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB] - -Value : "hostname or ip address" -Type : REG_DWORD -Default : - - This key is used to specify a default set of VLDB server preferences. - For each entry the value name will be either the IP address of a server - or a fully qualified domain name. The value will be the ranking. The - ranking will be adjusted by a random value between 0 and 256 prior to - the preference being set. - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File] - -Value : "hostname or ip address" -Type : REG_DWORD -Default : - - This key is used to specify a default set of File server preferences. - For each entry the value name will be either the IP address of a server - or a fully qualified domain name. 
The value will be the ranking. The - ranking will be adjusted by a random value between 0 and 256 prior to - the preference being set. - - - -2. Network provider parameters ------------------------------- -Affects the network provider (afslogon.dll). - -Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - -Value : FailLoginsSilently -Type : DWORD -Default : 0 - - Do not display message boxes if the login fails. - -Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider] - -Value : NoWarnings -Type : DWORD -Default : 0 - - Disables visible warnings during logon. - -Value : AuthentProviderPath -Type : REG_SZ -NSIS : %WINDIR%\SYSTEM32\afslogon.dll - - Specifies the install location of the authentication provider dll. - -Value : Class -Type : DWORD -NSIS : 0x02 - - Specifies the class of network provider - -Value : DependOnGroup -Type : REG_MULTI_SZ -NSIS : PNP_TDI - - Specifies the service groups upon which the AFS Client Service - depends. Windows should not attempt to start the AFS Client Service - until all of the services within these groups have successfully - started. - -Value : DependOnService -Type : REG_MULTI_SZ -NSIS : Tcpip NETBIOS RpcSs - - Specifies a list of services upon which the AFS Client Service - depends. Windows should not attempt to start the AFS Client Service - until all of the specified services have successfully started. - -Value : Name -Type : REG_SZ -NSIS : "OpenAFSDaemon" - - Specifies the display name of the AFS Client Service - -Value : ProviderPath -Type : REG_SZ -NSIS : %WINDIR%\SYSTEM32\afslogon.dll - - Specifies the DLL to use for the network provider - - -2.1 Domain specific configuration keys for the Network Provider ---------------------------------------------------------------- - -The network provider can be configured to have different behavior -depending on the domain that the user logs into. These settings are -only relevant when using integrated login. 
A domain refers to an -Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the -local machine (i.e. local account logins). The domain name that is -used for selecting the domain would be the domain that is passed into -the NPLogonNotify function of the network provider. - -Domain specific registry keys are : - -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider] - (NP key) - -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] - (Domains key) - -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"] - (Specific domain key. One per domain.) - -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] - (Localhost key) - -eg: - HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider - | - +- Domain - +-AD1.EXAMPLE.COM - +-AD2.EXAMPLE.NET - +-LOCALHOST - -Each of the domain specific keys can have the set of values described -in 2.1.1. The effective values are chosen as described in 2.1.2. - -2.1.1 Domain specific configuration values -------------------------------------------- -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider] -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain] -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"] -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST] - - Value : LogonOptions - Type : DWORD - Default : 0x01 - NSIS/WiX: depends on user configuration - - 0x00 - Integrated Logon is not used - 0x01 - Integrated Logon is used - 0x02 - High Security Mode is used - 0x03 - Integrated Logon with High Security Mode is used - - High Security Mode generates random SMB names for the creation of - Drive Mappings. This mode should not be used without Integrated Logon. - - As of 1.3.65 the SMB server supports SMB authentication. 
The High - Security Mode should not be used when using SMB authentication - (SMBAuthType setting is non zero). - - Value : FailLoginsSilently - Type : DWORD (1|0) - Default : 0 - NSIS/WiX: (not set) - - If true, does not display any visible warnings in the event of an - error during the integrated login process. - - Value : LogonScript - Type : REG_SZ or REG_EXPAND_SZ - Default : (null) - NSIS/WiX: (only value under NP key) \afscreds.exe -:%s -x -a -m -n -q - - A logon script that will be scheduled to be run after the profile - load is complete. If using the REG_EXPAND_SZ type, you can use - any system environment variable as "%varname%" which would be - expanded at the time the network provider is run. Optionally - using a "%s" in the value would result in it being expanded into - the AFS SMB username for the session. - - Value : LoginRetryInterval - Type : DWORD - Default : 30 - NSIS/WiX: (not set) - - If the OpenAFS client service has not started yet, the network - provider will wait for a maximum of "LoginRetryInterval" seconds - while retrying every "LoginSleepInterval" seconds to check if the - service is up. - - Value : LoginSleepInterval - Type : DWORD - Default : 5 - NSIS/WiX: (not set) - - See description of LoginRetryInterval. - - Value : TheseCells - Type : REG_MULTI_SZ - NSIS : - - When Kerberos 5 is being used, TheseCells provides a list of additional - cells for which tokens should be obtained with the default Kerberos 5 - principal. - - -2.1.2 Selection of effective values for domain specific configuration ----------------------------------------------------------------------- - - During login to domain X, where X is the domain passed into - NPLogonNotify as lpAuthentInfo->LogonDomainName or the string - 'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the - computer, the following keys will be looked up. - - 1. NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider") - 2. Domains key. 
(NP key\"Domain") - 3. Specific domain key. (Domains key\X) - - If the specific domain key does not exist, then the domains key will - be ignored. All the configuration information in this case will - come from the NP key. - - If the specific domain key exists, then for each of the values - metioned in (2), they will be looked up in the specific domain key, - domains key and the NP key successively until the value is found. - The first instance of the value found this way will be the effective - for the login session. If no such instance can be found, the - default will be used. To re-iterate, a value in a more specific key - supercedes a value in a less specific key. The exceptions to this - rule are stated below. - -2.1.3 Exceptions to 2.1.2 --------------------------- - - To retain backwards compatibility, the following exceptions are made - to 2.1.2. - -2.1.3.1 'FailLoginsSilently' - - Historically, the 'FailLoginsSilently' value was in - HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters - key and not in the NP key. Therefore, for backwards compatibility, - the value in the Parameters key will supercede all instances of this - value in other keys. In the absence of this value in the Parameters - key, normal scope rules apply. - -2.1.3.2 'LogonScript' - - If a 'LogonScript' is not specified in the specific domain key nor - in the domains key, the value in the NP key will only be checked if - the effective 'LogonOptions' specify a high security integrated - login. If a logon script is specified in the specific domain key or - the domains key, it will be used regardless of the high security - setting. Please be aware of this when setting this value. - - -3. 
AFS Credentials System Tray Tool parameters ----------------------------------------------- -Affects the behavior of afscreds.exe - -Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters] - -Value : Gateway -Type : REG_SZ -Default : "" -Function: GetGatewayName() - - If the AFS client is utilizing a gateway to obtain AFS access, - the name of the gateway is specified by this value. - -Value : Cell -Type : REG_SZ -Default : -Variable: IsServiceConfigured() - - The value Cell is used to determine if the AFS Client Service has - been properly configured or not. - - -Regkey: -[HKLM\SOFTWARE\OpenAFS\Client] -[HKCU\SOFTWARE\OpenAFS\Client] - -Value : ShowTrayIcon -Type : DWORD {0, 1} -Default : 1 -Function: InitApp(), Main_OnCheckTerminate() - - This value is used to determine whether or not a shortcut should be - maintained in the user's Start Menu->Programs->Startup folder. - - This value used to be stored at - [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds]. - - The current user value is checked first; if it does not exist the local - machine value is checked. - - -Value : EnableKFW -Type : DWORD {0, 1} -Default : 1 -Function: KFW_is_available() - - When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used - to obtain AFS credentials. By setting this value to 0, the internal - Kerberos 4 implementation will be used instead. The current user value - is checked first; if it does not exist the local machine value is checked. - -Value : Use524 -Type : DWORD {0, 1} -Default : 0 -Function: KFW_use_krb524() - - When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used - to obtain AFS credentials. By setting this value to 1, the Kerberos 5 - tickets will be converted to Kerberos 4 tokens via a call to the krb524 - daemon. The current user value is checked first; if it does not exist - the local machine value is checked. 
- -Value : AfscredsShortcutParams -Type : REG_SZ -Default : "-A -M -N -Q" -Function: Shortcut_FixStartup - - This value specifies the command line options which should be set - as part of the shortcut to afscreds.exe. afscreds.exe rewrites the - shortcut each time it exits so as to ensure that the shortcut points - to the latest version of the program. This value is used to determine - which values should be used for command line parameters. The current - user value is checked first; if it does not exist the local machine - value is checked. - - The following subset of the command line options are appropriate for - use in this registry setting: - - -A = autoinit - -M = renew drive maps - -N = ip address change detection - -Q = quiet mode. do not display start service dialog - if afsd_service is not already running - -S = show tokens dialog on startup - -Z = unmap drives - - -Regkey: -[HKCU\SOFTWARE\OpenAFS\Client] - -Value : Authentication Cell -Type : REG_SZ -Default : -Function: Afscreds.exe GetDefaultCell() - - This value allows the user to configure a different cell name to - be used as the default cell when acquiring tokens in afscreds.exe - - -Regkey: -[HKCU\SOFTWARE\OpenAFS\Client\Reminders] - -Value : "afs cell name" -Type : DWORD {0, 1} -Default : -Function: LoadRemind(), SaveRemind() - - These values are used to save and restore the state of the reminder - flag for each cell for which the user has obtained tokens. - - This value used to be stored at - [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds]. 
- - -Regkey: -[HKCU\SOFTWARE\OpenAFS\Client\Active Maps] - -Value : "upper case drive letter" -Type : DWORD {0, 1} -Default : - - These values are used to store the persistence state of the AFS - drive mappings as listed in the [...\Client\Mappings] key - - These values used to be stored in the afsdsbmt.ini file - -Regkey: -[HKCU\SOFTWARE\OpenAFS\Client\Mappings] - -Value : "upper case drive letter" -Type : REG_SZ -Default : - - These values are used to store the AFS path in Unix notation - to which the drive letter is to be mapped. - - These values used to be stored in the afsdsbmt.ini file. - - -ENVIRONMENT VARIABLES: - -Variable: AFS_RPC_ENCRYPT -Values: "OFF" disables the use of RPC encryption - any other value allows RPC encryption to be used -Default: RPC encryption is on - - -Variable: AFS_RPC_PROTSEQ -Values: "ncalrpc" - local RPC - "ncacn_np" - named pipes - "ncacn_ip_tcp" - tcp/ip -Default: local RPC -
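Review bot: Before this deletion lands, the security-relevant entries in the removed registry.txt text should be checked one by one against the replacement documentation, because the hunk removes the plain-text copy outright and the replacement is not visible here. The entries that matter most are SecurityLevel ("Default : 0", "Enables encryption on RX calls"), smbAuthType (values 0..2, default 2, where 0 means no authentication is required), VerifyServiceSignature (including the sentence "This is not a security test"), the LogonOptions caveat that High Security Mode should not be used when SMBAuthType is non-zero, and the AFS_RPC_ENCRYPT environment variable at the end of the file. Two inconsistencies in the removed text are worth correcting in the maintained copy rather than carrying over: section 2.1.2 refers to "the values metioned in (2)" although the values are listed in 2.1.1, and the ValidateCache entry gives "Variable: buf_CacheType", the same variable listed for NonPersistentCaching.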