Add function configureBackConnectionHostNames(void)
On Windows XP SP2, Windows 2003 SP1, and all future Windows operating systems
there is a restriction on the use of SMB authentication on loopback connections.
There are two workarounds available:
(1) We can disable the check for matching host names. This does not
require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001
(2) We can add the AFS SMB/CIFS service name to an approved list. This
does require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=multi-sz
The algorithm will be:
Check to see if cm_NetbiosName exists in the BackConnectionHostNames list
If not, add it to the list. (This will not take effect until the next reboot.)
and check to see if DisableLoopbackCheck is set.
If not set, set the DisableLoopbackCheck value to 0x1
and create HKLM\SOFTWARE\OpenAFS\Client UnsetDisableLoopbackCheck
else If cm_NetbiosName exists in the BackConnectionHostNames list,
check for the UnsetDisableLoopbackCheck value.
If set, set the DisableLoopbackCheck flag to 0x0
and delete the UnsetDisableLoopbackCheck value
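The algorithm above, rendered as an added PowerShell example (this is not OpenAFS project code). It assumes `$NetbiosName` stands in for cm_NetbiosName, that the marker value UnsetDisableLoopbackCheck lives under HKLM\SOFTWARE\OpenAFS\Client as the message states (its type, DWORD 1, is an assumption), and that it runs from an elevated prompt; `-DryRun` reports the intended changes without writing to HKLM. The security point the algorithm encodes is that DisableLoopbackCheck=1 is a broad bypass and is kept only until the narrower BackConnectionHostNames entry is active after a reboot.

```powershell
# Added example, not OpenAFS code: configureBackConnectionHostNames in PowerShell.
# Assumptions: $NetbiosName = cm_NetbiosName; marker UnsetDisableLoopbackCheck
# is a DWORD under HKLM\SOFTWARE\OpenAFS\Client. Run elevated.
param(
    [Parameter(Mandatory = $true)][string]$NetbiosName,
    [switch]$DryRun
)

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$AfsKey  = 'HKLM:\SOFTWARE\OpenAFS\Client'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if ($DryRun) { Write-Output "DRYRUN set $Path\$Name ($Type) = $Value"; return }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Remove-RegValue([string]$Path, [string]$Name) {
    if ($DryRun) { Write-Output "DRYRUN remove $Path\$Name"; return }
    Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
}

# BackConnectionHostNames is REG_MULTI_SZ; normalise it to a clean string array.
$hostNames = [string[]]@(Get-RegValue $Msv1Key 'BackConnectionHostNames' |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
$inList = $hostNames -contains $NetbiosName    # -contains compares case-insensitively

if (-not $inList) {
    # The approved-list entry only takes effect after a reboot, so bridge the gap
    # with DisableLoopbackCheck=1 and leave a marker so it can be reverted later.
    Write-Output "Adding '$NetbiosName' to BackConnectionHostNames (effective after reboot)."
    Set-RegValue $Msv1Key 'BackConnectionHostNames' ($hostNames + $NetbiosName) 'MultiString'

    $check = Get-RegValue $LsaKey 'DisableLoopbackCheck'
    if ($null -eq $check -or [int]$check -ne 1) {
        Write-Output 'Setting DisableLoopbackCheck=1 until the reboot; recording marker.'
        Set-RegValue $LsaKey 'DisableLoopbackCheck' 1 'DWord'
        Set-RegValue $AfsKey 'UnsetDisableLoopbackCheck' 1 'DWord'
    }
    # If an administrator had already set DisableLoopbackCheck=1 themselves, no
    # marker is written, so their setting is never reverted behind their back.
}
elseif ($null -ne (Get-RegValue $AfsKey 'UnsetDisableLoopbackCheck')) {
    # The name is now in the approved list (the reboot has happened), so the
    # broad loopback-check bypass is no longer needed: restore the check.
    Write-Output 'BackConnectionHostNames active; restoring DisableLoopbackCheck=0.'
    Set-RegValue $LsaKey 'DisableLoopbackCheck' 0 'DWord'
    Remove-RegValue $AfsKey 'UnsetDisableLoopbackCheck'
}
else {
    Write-Output "'$NetbiosName' already approved; nothing to do."
}
```

Usage: `.\Configure-BackConnection.ps1 -NetbiosName AFS -DryRun` to see what would change, then without `-DryRun` to apply; run it again after the reboot and it takes the second branch and restores DisableLoopbackCheck.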
Over the last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 Workstation, 2000 Server,
XP SP1, 2003 Server, and XP SP2 RC2. Extended Security works on
all platforms except XP SP2 RC2, regardless of whether or not the machine
is part of a domain and whether a local or domain account
is used.
On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication.
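An added PowerShell audit for the smbAuthType value described above (example code, not part of the OpenAFS project). The commit message names the value but not its key; the script assumes it sits under the client's TransarcAFSDaemon\Parameters key, inferred from the "TransarcAfsDaemon/Parameters MaxCPUs" reference later on this page. It reports the effective mode, warns when authentication is disabled (the token-borrowing condition the message describes), and with `-Enforce` restores the default of 2.

```powershell
# Added example, not OpenAFS code: audit (and optionally enforce) smbAuthType.
# Assumption: the value lives under TransarcAFSDaemon\Parameters.
param([switch]$Enforce)

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters'
$Default   = 2   # Extended (GSS SPNEGO), the default the message states

# Meanings exactly as the message defines them.
$AuthTypeName = @{
    0 = 'No authentication required'
    1 = 'NTLM authentication required'
    2 = 'Extended (GSS SPNEGO) authentication required'
}

function Get-AfsSmbAuthType {
    # An absent value means the built-in default applies.
    try { [int](Get-ItemProperty -Path $ParamsKey -Name 'smbAuthType' -ErrorAction Stop).smbAuthType }
    catch { $Default }
}

$current = Get-AfsSmbAuthType
$label = if ($AuthTypeName.ContainsKey($current)) { $AuthTypeName[$current] } else { "unrecognised value $current" }
Write-Output "smbAuthType = $current ($label)"

if ($current -eq 0) {
    # Weak setting: with unauthenticated SMB, any user who can reach the same
    # SMB server with the same userid can borrow another user's tokens.
    Write-Warning 'SMB authentication is disabled; AFS tokens are exposed to other users with the same userid.'
    if ($Enforce) {
        if (-not (Test-Path $ParamsKey)) { New-Item -Path $ParamsKey -Force | Out-Null }
        New-ItemProperty -Path $ParamsKey -Name 'smbAuthType' -Value $Default -PropertyType DWord -Force | Out-Null
        # Assumption: the new value is picked up the next time the AFS Client Service starts.
        Write-Output "smbAuthType set to $Default (Extended); restart the AFS Client Service to apply."
    }
}
elseif ($current -eq 1) {
    Write-Output 'NTLM mode: connections are authenticated; the message reserves this for hosts where Extended Security negotiation fails (XP SP2 RC2).'
}
```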
change the default RPC type from "ncacn_np" to "ncalrpc"
This says to use local rpc instead of named pipes from the
client to the server. Named pipes can still be used by
specifying the "AFS_RPC_PROTSEQ" environment variable.
FIXES 5396
as substantially done by Jeff Woodward <Jeffrey.B.Woodward@Dartmouth.EDU>,
work diffed out and slightly rewritten
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
FIXES 5396
this should be the correct way to give up the socket on all Solaris versions
Give folks an option of running afsd_service.exe on fewer processors
than are installed in the machine. A new registry value
TransarcAfsDaemon/Parameters MaxCPUs
allows a restriction to be applied. Set to 1 to use a single CPU
(or hyperthreading instance)
The restriction is applied with SetProcessAffinityMask()
properly set dependencies for NSIS and wix targets to build loopback target
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
do not install a second loopback adapter if one is already installed.
====================
1. Custom actions should not depend on any library that is not in the Windows distribution. Change makefile to link
with a static runtime.
2. Add common reporting mechanism to report ActionData messages back to the MSI process during the loopback
installation.
3. CoInitializeSecurity can be called only once per process. When running as a custom action DLL under the MSI process
we won't be able to successfully call this since the MSI process beats us to it.
====================
Compensate for difference in argument passing in MSI and RunDll32
1. We are packaging debug symbols for all builds. In a checked build the default is to install debug symbols while on a
free build debug symbols won't be installed unless asked to.
2. Change impersonation level for loopback installation.
3. Change UI to allow for ActionData messages during the long wait while the loopback is installed.
4. Add templates for displaying ActionData.
5. Parameterize language resources.
The afsloopback.dll will configure the LMHOSTS and HOSTS files for "AFS"
therefore it is safe to use the loopback adapter on win2000 even though
it does not support broadcasts
Construct a new afsloopback.dll which contains the routines
for installing, removing, and verifying the existence of
a loopback adapter. This dll will be used by both the NSIS
and the Wix installers.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Update the wix installer to use the new version of instloop.exe
which uses the new afsloopback.dll
1. Fix choice for logon options to include only 'not integrated',
'integrated' and 'integrated with high security'.
2. Add configuration page to select whether or not to run afscreds.exe
when logging in and also choose the command line
options for afscreds.exe.
3. Assert that all dependencies are satisfied at install time when
installing the server component.
4. If running in full UI mode and installing the server component,
the user is notified about dependencies and given a
choice to review selections or just let the installer add the
required components.