From 93a09e41824ffaaeecb27b0ad9262b50cc4cce27 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 15 Mar 2005 00:55:23 +0000 Subject: [PATCH] STABLE14-windows-notes-20050314 Update notes to describe fix for cross realm trusts to Windows multi-domain forests (cherry picked from commit 0949ca36faf493b235a4fde03b3b9a3eb3745d9c) --- doc/txt/winnotes/afs-changes-since-1.2.txt | 23 +++++++++++ doc/txt/winnotes/afs-install-notes.txt | 48 +++++++++++++++++++++- 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index f61977e171..ed248271f9 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt 
@@ -1,4 +1,27 @@ Since 1.3.77: + * OpenAFS for Windows has failed to work at sites which are + utilizing a cross-realm trust between an MIT/Heimdal realm + and a multi-domain Windows forest when the workstation being + accessed is not located in the root domain. This is caused + by a bug in the workstation which was triggered after the + introduction of Windows 2003 Server. When the bug is triggered, + the workstation attempts to authenticate users to afsd_service.exe + by contacting the Domain Controller instead of using the + LSA loopback authentication mechanism. + + One of the reasons this bug occurs is because the workstation + does not have a reliable way of knowing that the service whose + netbios name is "AFS" is located on the workstation. This will + be fixed starting in Longhorn Beta 1 by Microsoft. The + "BackConnectionHostNames" registry value will be used to + indicate that the authentications to that service name should + be performed using the loopback authentication mechanism. + + In the meantime, when Logon Caching is enabled, we can force + afsd_service.exe to authenticate using the logon cache before + contacting the Domain Controller. This will work with both + password and smart card based logons. + * The allDown logic in cm_ConnByMServers() was wrong. The allDown flag should not be cleared if a volume's server reference is marked as "offline". In the case where all of the volume's diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 1ec3a34fa1..c16187ca14 100644 --- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt @@ -1,4 +1,4 @@ -OpenAFS for Windows 1.3.78 Installation Notes +OpenAFS for Windows 1.3.80 Installation Notes --------------------------------------------- The OpenAFS for Windows product was very poorly maintained throughout the 
@@ -501,6 +501,52 @@ logoff scripts (assigned by group policy) which rename all files to use only the supported characters for the locale. +31. As of 1.3.80 the AFS Cache file is stored by default at %TEMP%\AFSCache +in a persistent file marked with the Hidden and System attributes. The +persistent nature of the data stored in the cache file improves the +performance of OpenAFS by reducing the number of times data must be read +from the AFS file servers. + + +32. Integrated Login (as of 1.3.80) supports the ability to obtain tokens +for multiple cells. See the "TheseCells" value in registry.txt. + + +33. New command line tool: + + afsdacl : Set or reset the DACL to allow starting or stopping + the afsd service by any ordinary user. + + Usage : afsdacl [-set | -reset] [-show] + -set : Sets the DACL + -reset : Reset the DACL + -show : Show current DACL (SDSF) + +34. As of 1.3.80, the default @sys name list has been changed to +"x86_win32 i386_w2k i386_nt40" for 32-bit x86 systems. The default +for itanium will be "ia64_win64" and "amd64_win64" for amd 64-bit +processors. + + +35. As of 1.3.80, symlinks to \\AFS[\all]\... will now be treated +the same as symlinks to /afs/... However, please use /afs/... as +the Windows UNC form will not work on Unix. + + +36. As of 1.3.80, OpenAFS for Windows implements the Cache Manager +Debugging RPC Interface. The CM debugger can be queried with +cmdebug.exe. + +Usage: cmdebug -servers [-port ] [-long] + [-addrs] [-cache] [-help] +Where: -long print all info + -addrs print only host interfaces + -cache print only cache configuration + +37. If you are a site which utilizes MIT/Heimdal Kerberos principals +to logon to Windows via a cross-realm relationship with a multi-domain +Windows forest, you must enable Windows logon caching unless the +workstation is Longhorn Beta 1 or later. ------------------------------------------------------------------------
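Review bot: in the afs-changes-since-1.2.txt hunk, the new entry describes the logon-cache workaround but never states what happens when Logon Caching is disabled, and the install notes hunk (item 37) turns that into a hard requirement ("you must enable Windows logon caching"). State the dependency here in the same words, say that with caching off afsd_service.exe still goes to the Domain Controller and the logon presumably fails as before, and name the Windows setting administrators should check to confirm caching is on. It would also help to make explicit that the cached-credential path is consulted first, so an account disabled or changed at the Domain Controller may still authenticate from the cache until the cache is refreshed.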
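Review bot: in the afs-install-notes.txt hunk, item 31 should state whose %TEMP% is expanded when afsd_service.exe creates the persistent AFSCache file (the service account's or the logged-on user's) and what ACL protects it, since the file now retains AFS data across sessions; the Hidden and System attributes only hide it, they do not restrict access. Two smaller points in the same hunk: in item 33, "-show : Show current DACL (SDSF)" reads like a typo for SDDL, and the item should say what -reset restores and that "-set" lets any ordinary user stop the afsd service, so it is not something to apply by default; in item 36 the Usage line has lost the argument placeholders after -servers and -port, so it should read along the lines of "cmdebug -servers <server> [-port <port>] [-long] [-addrs] [-cache] [-help]".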