jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-19 15:30:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

STABLE14-winnotes-cummulative-20041017

Browse Source 
Changes for 1.3.72
This commit is contained in:
Jeffrey Altman 2004-10-18 05:11:49 +00:00 committed by Jeffrey Altman
parent 9ea40ebfb7
commit 9999c1faeb
4 changed files with 117 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
doc/txt/winnotes/afs-changes-since-1.2.txt
View File

@ -1,4 +1,51 @@
Since 1.3.71:
* Add code to block the issuance of AFS tokens by aklog.exe or
afscreds.exe when the Kerberos 5 principal name contains a dot.
* Modify the IsAdmin() function to always treat the local SYSTEM
account as an AFS client administrator. Affects fs.exe and
afs_config.exe.
* Modify the internal handling of Quota Exceeded errors
* Upgrade all reference count fields in the Windows cache manager
and the osi library to use unsigned long instead of signed short.
A similar fix has been applied to the afs rpc (rx) library.
* fix the Windows cache manager to prevent it from replacing the
rx_connection object associated with the cm_conn_t object on each
and every operation if "fs crypt" was set. This explains the
dramatic performance difference when crypt is used vs clear.
The problem: 'cryptall', a boolean flag indicating whether or not
"fs crypt" is set, was being compared to the rx_connection
cryptlevel which is either rxkad_clear:0 or rxkad_crypt:2.
1 != 2 and therefore the rx_connection was always destroyed
and replaced on each and every operation.
Lock the cm_conn_t object around every call to RXAFS_xxxx functions.
It is not safe for the cm_conn_t object to not be locked because
rx_DestroyConnection might be called from another thread if:
- the user's tokens have changed or expired
- the crypt mode has changed
This fix appears to have also taken care of the problems associated
with Overlapped Writes resulting in Delayed Write errors.
* fix NSIS installer's AdminGroup.exe to properly create and
remove groups when given -create or -remove. The string comparison
test was wrong.
* fs sysname now accepts a list of sysname values
* added a new registry value HKLM\SOFTWARE\OpenAFS\Client "IoctlDebug"
DWORD which when set to a non-zero value will cause error message
text to be output to stderr from the pioctl() routine. Useful in
debugging failures of fs.exe, tokens.exe, etc.
* added a test to the power management code to only perform a
flush operation if there is at least one network adapter which
is not a loopback adapter.
* Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client
"EnableKFW". This value will not be read if the key
HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW"
@ -40,6 +87,9 @@ Since 1.3.71:
* Update list of known CIFS operations to include all those listed
in CIFS-TR-1p00_FINAL.pdf.
* Modify the handling of HKLM\SOFTWARE\OpenAFS\Client\Submounts
to support the REG_EXPAND_SZ type.
Since 1.3.70:
* A new Windows authorization group "AFS Client Admins" is now
created and populated with the members of the "Administrators"

77
doc/txt/winnotes/afs-install-notes.txt
View File

@ -1,4 +1,4 @@
OpenAFS for Windows 1.3.71 Installation Notes
OpenAFS for Windows 1.3.72 Installation Notes
---------------------------------------------
The OpenAFS for Windows product was very poorly maintained throughout the
@ -97,7 +97,7 @@ discover cell information when it is not located in the local CellServDB file
(\Program Files\OpenAFS\Client\CellServDB).
5. OpenAFS for Windows 1.3.71 only supports Windows 2000, Windows XP, and
5. OpenAFS for Windows 1.3.72 only supports Windows 2000, Windows XP, and
Windows 2003. Windows NT 4.0 and the entire Windows 9x/Me line are no
longer supported. Older releases of OpenAFS are available for download
if those operating systems must be supported. The last version with support
@ -167,10 +167,12 @@ after install time although these options may be altered via the registry either
per machine or per user. See AfscredsShortcutParams in registry.txt.
8. Some attempts have been made to restrict the ability
of users to alter the state of the AFS Client
Service. For example, the following fs.exe commands are now restricted to
Administrator:
8. As of 1.3.71, the OpenAFS for Windows client supports a local Windows
authorization group called "AFS Client Admins". This group is used in
place of the "Administrators" group to determine which users are allowed
to modify the AFS Client Service configuration via either afs_config.exe
or fs.exe. For example, the following fs.exe commands are now restricted
to members of the "AFS Client Admin" group:
- checkservers with a non-zero timer value
- setcachesize
@ -184,11 +186,13 @@ Administrator:
- cscpolicy
- trace
setting the default sysname for a machine should be done via the registry and
Setting the default sysname for a machine should be done via the registry and
not via "fs sysname".
Some of the AFS Client Configuration Control Panel options are also restricted
to use by the "Administrator" account.
The local "SYSTEM" account is always a member of the "AFS Client Admin" group.
The initial membership of the "AFS Client Admin" group when created by the
installer is equivalent to the local "Administrators" group.
9. The AFS Client should support UNC paths everywhere. Power users that make
@ -216,7 +220,7 @@ Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
No commandline arguments means authenticate to the local cell.
11. The AFS Server functionality provided with OpenAFS 1.3.71 might work but
11. The AFS Server functionality provided with OpenAFS 1.3.72 might work but
should be considered highly experimental. It has not been thoroughly tested.
Any data which would cause pain if lost should not be stored in an OpenAFS
Server on Windows.
@ -243,29 +247,21 @@ statements were compiled into the binaries.
13. OpenAFS for Windows does not support files larger than 2GB.
14. There are reported problems running the AFS Client on Hyperthreaded
Pentium 4 machines. A registry entry may be created to specify
that the AFS Client Service should only use a single processor. If you have
a hyperthreaded system and you are experiencing crashes, it is advised that
you create the "MaxCPUs" registry value and set it to "1".
See "registry.txt" for details.
15. Local RPC is used as the default RPC mechanism for setting
14. Local RPC is used as the default RPC mechanism for setting
tokens. TCP RPC is required to be installed and is used for debugging
and other functions.
16. OpenAFS for Windows automatically open ports in the Windows
15. OpenAFS for Windows automatically open ports in the Windows
Internet Connection Firewall.
17. The OpenAFS for Windows installer by default activates a weak form of
16. The OpenAFS for Windows installer by default activates a weak form of
encrypted data transfer between the AFS client and the AFS servers. This
is often referred to as "fcrypt" mode.
18. OpenAFS 1.3.71 adds support for authenticated SMB connections using
17. OpenAFS 1.3.71 adds support for authenticated SMB connections using
either NTLM or GSS SPNEGO (NTLM, Kerberos 5, ...). In previous versions
of OpenAFS the SMB connections were unauthenticated which left open the
door for several security holes which could be used to obtain access to
@ -288,7 +284,7 @@ add these service principals to the list of principals to be maintained
for each host.
19. As of 1.3.70, INI files are no longer used for the storage of AFS
18. As of 1.3.70, INI files are no longer used for the storage of AFS
configuration data. No longer are there any AFS related files stored in the
%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini"
and it is stored in the OpenAFS\Client directory. The afs_freelance.ini
@ -299,7 +295,7 @@ data will be automatically migrated; there is no mechanism for automatic
migration of Submounts, Drive Mappings, Active Maps, and CSCPolicy data.
20. As of 1.3.70, the OpenAFS Client is compatible with Windows XP SP2
19. As of 1.3.70, the OpenAFS Client is compatible with Windows XP SP2
and Windows 2003 SP1. The Internet Connection Firewall will be
automatically adjusted to allow the receipt of incoming callback messages
from the AFS file server. In addition, the appropriate Back Connection
@ -307,52 +303,35 @@ entries are added to the registry to allow SMB authentication to be
performed across the loopback connection.
21. As of 1.3.70, the OpenAFS Client Service supports the CIFS Remote
20. As of 1.3.70, the OpenAFS Client Service supports the CIFS Remote
Admin Protocol which provides browsing of server and share information.
This significantly enhances the interoperability of AFS volumes within the
Explorer Shell and Microsoft Office applications.
Note: This functionality has been disabled in the 1.3.70 installers due
to problems discovered with the final release build of XP SP2. To enable
this functionality on other versions of Windows the following registry
entries should be added:
REG_DWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Asynchronous" 0
REG_DWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Impersonate" 1
REG_SZ HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "DLLName" "afslogon.dll"
REG_SZ HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Logoff" "AFS_Logoff_Event"
REG_SZ HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\AfsLogon" "Startup" "AFS_Startup_Event"
22. OpenAFS will now automatically forget a user's tokens upon Logoff
21. OpenAFS will now automatically forget a user's tokens upon Logoff
unless the user's profile was loaded from an AFS volume. In this situation
there is no mechanism to determine when the profile has been successfully
written back to the network. It is therefore unsafe to release the user's
tokens.
tokens. Whether or not the profile has been loaded from the registry can
be determined for Local Accounts, Active Directory accounts and NT4
accounts.
23. Terminal Server installations.
22. Terminal Server installations.
When installing under Terminal Server, you must execute the NSIS installer
(.exe) from within the Add/Remove Programs Control Panel. Failure to do so
will result in AFS not running properly. The AFS Server should not
be installed on a machine with Terminal Server installed.
24. AFS is a Unix native file system. As such the OpenAFS client attempts
23. AFS is a Unix native file system. As such the OpenAFS client attempts
to treat the files stored in AFS as they would be on Unix. File and directory
names beginning with a "." are automatically given the Hidden attribute so
they will not normally be displayed.
25. As of 1.3.71, the OpenAFS for Windows client supports a local Windows
authorization group called "AFS Client Admins". This group is used in
place of the "Administrators" group to determine which users are allowed
to modify the AFS Client Service configuration via either afs_config.exe
or fs.exe. During installation this group is created and the current
contents of the Administrators group is copied.
26. Some organizations which have AFS cell names and Kerberos realm names
24. Some organizations which have AFS cell names and Kerberos realm names
which differ by more then just lower and upper case rely on a modification
to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4
ticket in realm BAR. This allows user@FOO to appear to be user@bar for

57
doc/txt/winnotes/afs-issues.txt
View File

@ -1,4 +1,4 @@
This file is a rough list of known issues with the 1.3.70 release of OpenAFS
This file is a rough list of known issues with the 1.3.72 release of OpenAFS
on Windows. This list is not complete. There are probably other issues
which can be found in the RT database or on the mailing list.
@ -108,28 +108,27 @@ directories.
and per-machine settings. All of the new registry items need to
be added to the UI
(27) There appears to be a thread safety issue in the Rx library when
running on Intel processors which support hyper-threading
(28) Thread initialization versus Global Drive Mapping. There is no
(27) Thread initialization versus Global Drive Mapping. There is no
mechanism in the afsd_init.c to ensure that all of the threads
complete initializing in the correct sequence. In the case of
Global Drive Maps this is a problem because the Global Drive Maps
can be executed prior to the completion of the SMB registration
and service thread initialization.
(29) Should we allow the AFSCACHE file to be stored in the Virtual Paging
(28) Should we allow the AFSCACHE file to be stored in the Virtual Paging
file as long as we do not support persistent caches?
(30) CIFS Remote Administration Protocol implementation is incomplete.
(29) CIFS Remote Administration Protocol implementation is incomplete.
Notifications are not made to requestors when the view of a file
or folder changes due to token acquisition; token expiration; or
token destruction
(31) Microsoft Office appears to have trouble editing files of ~20MB
(30) Microsoft Office appears to have trouble editing files of ~20MB
or larger from within AFS. Performance is particularly slow and
applications such as Word often crash upon saving the files.
(31) The Cache Manager Flush routines do not return or check error
codes.
-------------------------------------------------------------------------
List of unfunded projects:
@ -144,22 +143,21 @@ List of unfunded projects:
the AFS Client Server is not using Freelance mode
5. Prevent panic situation when the IP address to which the SMB server is bound is removed
from the local machine's network configuration
6. Identify and fix the problems with running the RX library on Hyperthreaded systems
7. Add support for Named Pipes within the afs filesystem
6. Add support for Named Pipes within the afs filesystem
(This is not currently a supported feature of AFS; it will require
changes to the servers as well as the clients.)
8. Re-write afscreds.exe to support:
7. Re-write afscreds.exe to support:
1. choosing between Kerberos 5 and Kerberos 4 on a per principal basis
2. providing users with the ability to map multiple cells to a single principal
3. providing change password functionality on a per principal basis
4. no longer include drive mapping
5. configuration of afscreds startup options in shortcut
9. Re-write afs_config.exe to be only "per user" functionality which does not require admin
8. Re-write afs_config.exe to be only "per user" functionality which does not require admin
privileges
1. default cell and principal for the user
2. drive mappings
3. visibility of afs creds and setting of afs creds startup options
10. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS)
9. Create new afs_admin.exe tool to be installed in the administrator folder (or use MMS)
which contains
1. afs client service cell name
2. integrated logon configuration
@ -174,29 +172,29 @@ List of unfunded projects:
11. network configuration
12. miscellaneous
13. need to add support for all of the new registry values since 1.2.8
11. Identify why 16-bit DOS applications executed out of AFS fail
12. Add support for configurable Icon file representing AFS folders within the Explorer Shell
13. Documentation Documentation Documentation
14. Large File support (> 2GB)
15. Integrate KFW installation into the NSIS installer
16. Add support for record locking to AFS (requires changes to the servers)
17. Unicode enable the SMB/CIFS server. OEM Code Pages:
10. Identify why 16-bit DOS applications executed out of AFS fail
11. Add support for configurable Icon file representing AFS folders within the Explorer Shell
12. Documentation Documentation Documentation
13. Large File support (> 2GB)
14. Integrate KFW installation into the NSIS installer
15. Add support for record locking to AFS (requires changes to the servers)
16. Unicode enable the SMB/CIFS server. OEM Code Pages:
1. prevent the use of interoperable file names
2. force the use of paths no longer than 256 characters
3. force share names to be no longer than 13 characters
4. restrict authentication to ASCII only names and passwords
18. Complete implementation of CIFS Remote Administration Protocol
19. Correct the problems with overlapped writes which adversely affect
17. Complete implementation of CIFS Remote Administration Protocol
18. Correct the problems with overlapped writes which adversely affect
Microsoft Office applications storing documents and temporary files
within AFS volumes
20. Add support for SMB/CIFS Digital Signatures
21. Development of afsmap.exe tool to provide AFS aware NET USE functionality
19. Add support for SMB/CIFS Digital Signatures
20. Development of afsmap.exe tool to provide AFS aware NET USE functionality
afsmap.exe <drive> <afs-path> [/PERSISTENT]
afsmap.exe <drive> <unc-path> [/PERSISTENT]
afsmap.exe <drive> /DELETE
22. Write-through caching appears to be unsupported. Files copied to AFS
21. Write-through caching appears to be unsupported. Files copied to AFS
do not end up in the local cache.
23. Missing SMB/CIFS functions:
22. Missing SMB/CIFS functions:
Find
FindUnique
FindClose
@ -204,8 +202,11 @@ List of unfunded projects:
WriteBulk
WriteBulkData
Tran2::SessionSetup
24. StoreBehind mode is not implemented. Or more correctly, all data is
23. StoreBehind mode is not implemented. Or more correctly, all data is
written directly to the server and is not cached. Writes invalidate
the local cache entries which are then read back from the server.
24. The Power Management Flush Cache code does not work on Terminal
Server nor does it always successfully flush all of the dirty buffers
to the AFS servers before suspend/hibernate operations occur.

12
doc/txt/winnotes/registry.txt
View File

@ -176,7 +176,9 @@ Type : REG_SZ
Default : "i386_nt40"
Variable: cm_sysName
Self explanatory.
Provides an initial value for "fs sysname". The string can contain
one or more replacement values for @sys in order of preference separated
by whitespace.
Value : SecurityLevel
Type : DWORD {1,0}
@ -334,6 +336,12 @@ Default : 100K
the file will be reset to 0 bytes. If this value is 0, it means the file
should be allowed to grow indefinitely.
Value : FlushOnHibernate
Type : DWORD {0,1}
Default : 1
If set, flushes all volumes before the machine goes on hibernate or
stand-by.
Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]
@ -739,7 +747,7 @@ Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Submounts]
Value : "submount name"
Type : REG_SZ
Type : REG_EXPAND_SZ
Default : <none>
This key is used to store mappings of unix style AFS paths