Commit Graph

20 Commits

Author SHA1 Message Date
Jeffrey Altman
1a5fbdb943 afslogon-20040722
The procedure used to obtain the profile directory failed in Domains
which were not Forests.  If ADS_NAME_INITTYPE_GC fails, we must try
ADS_NAME_INITTYPE_DOMAIN which requires the Domain.  Added a Domain
parameter to QueryAdHomePathFromSid.  This was easy to obtain in
the NPLogonNotify since the logon domain is provided as a parameter.
Unfortunately, the domain provided to the winlogon event notification
routine is the user authentication domain, not the logon domain for
the local machine.  Needed to create a GetLocalShortDomain function
which uses the IADsADSystemInfo COM interface to obtain the local
short domain.  With this in place, we can now properly detect the
profile directory in all cases.

Document MaxLogSize in registry.txt
2004-07-22 23:15:37 +00:00
Jeffrey Altman
9bc1b6a7b9 trace-logging-20040721
TraceLogging is supposed to be activated for different purposes
with bit flags.  The osi log and afslogon both used the same bit
flag.  Bit 0 is now for afslogon and Bit 1 is for osi log.
2004-07-21 22:41:33 +00:00
Jeffrey Altman
b0920fe9c2 registry-docs-logoff-20040721
* Update Windows Notes files

* Modify logoff procedure to use a pioctl to check if an arbitrary path
  exists within AFS

* Add a new registry value HKLM\Software\OpenAFS\Client CellServDBDir
  which can be used to locate the CellServDB file in an arbitrary directory
2004-07-21 15:05:59 +00:00
Asanka Herath
60446a8ffe registry-20040715
Description of new afslogon functionality
2004-07-16 05:49:26 +00:00
Jeffrey Altman
fe991aa74f afslogon-wix-cleanup-20040715
- Fix NTMakefiles in many directories to define WIN32_LEAN_AND_MEAN NOGDI
  to avoid macro redefinitions

- update text files

- add "authentication cell" registry value for afscreds.exe

From asanka@mit.edu:

Network provider :

  -  If the user is logging into an AD domain, then look up the user's
     profile path, find out which cell it's in and then authenticate to
     that cell instead of the default cell.

  -  Domain specific registry keys

  -  A few fixes for handling UNICODE_STRINGs

smb3.c :

  -  Delete partial security context during negotiation

client_cpa :

  -  As per the SDK which says we must handle CPL_INQUIRE message, we do.
     Also fixes a small bug where the icon isn't properly set when viewing
     the Control Panel folder.

loopbackutils.cpp

  -  Don't bother setting the app data template, because we are setting
     it in the MSI anyway.

install/wix/NTMakefile

  -  Add a configurable symbol AFSDEV_AUXWIXDEFINES which can be used to
     customize a build of the msi.

install/wix

  -  Move afslogon.dll to SYSTEM32 directory

  -  Add registry keys to support WinLogon notifications.

  -  Rename afsdcell.ini to CellServDB and move it to the client directory.

  -  If there's already an afsdcell.ini in the Windows directory, copy
     that over to the client directory instead.

  -  Add descriptions to AFS client and server services
2004-07-16 04:38:25 +00:00
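The lookup order described in afslogon-20040722 (Global Catalog first, then the machine's own domain obtained through IADsADSystemInfo) and the "find which cell the profile path is in" step from afslogon-wix-cleanup-20040715, reconstructed in PowerShell as an added example. This is not OpenAFS code and not the afslogon.dll implementation; it drives the same two COM interfaces (IADsNameTranslate and IADsADSystemInfo) from a script. Assumptions: the host is domain-joined, the IADS constant values are taken from iads.h, and the profile path is laid out as \\<NetbiosName>\<cell>\... so that the first path component after the server name is the cell (the page does not state that layout).

```powershell
# Added example, not OpenAFS code. Mirrors the afslogon lookup order:
# try the Global Catalog, fall back to the local machine's short domain.

# IADsNameTranslate constants (values from iads.h)
$ADS_NAME_INITTYPE_DOMAIN = 1
$ADS_NAME_INITTYPE_GC     = 3
$ADS_NAME_TYPE_1779       = 1    # RFC 1779 distinguished name
$ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 11

function Get-LocalShortDomain {
    # Counterpart of the commit's GetLocalShortDomain: IADsADSystemInfo reports
    # the NetBIOS domain of the *machine*, which is what the winlogon notification
    # does not provide (it only hands us the user's authentication domain).
    $sysInfo = New-Object -ComObject ADSystemInfo
    return $sysInfo.GetType().InvokeMember('DomainShortName', 'GetProperty', $null, $sysInfo, $null)
}

function Convert-SidViaNameTranslate {
    # One Init/Set/Get round trip on a fresh NameTranslate object.
    # $InitName is $null for GC, the short domain name for DOMAIN.
    param([int]$InitType, $InitName, [string]$Sid)
    $nt   = New-Object -ComObject NameTranslate
    $type = $nt.GetType()
    $type.InvokeMember('Init', 'InvokeMethod', $null, $nt, @($InitType, $InitName)) | Out-Null
    $type.InvokeMember('Set',  'InvokeMethod', $null, $nt, @($ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, $Sid)) | Out-Null
    return [string]$type.InvokeMember('Get', 'InvokeMethod', $null, $nt, @($ADS_NAME_TYPE_1779))
}

function Resolve-UserDnFromSid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        # First attempt: Global Catalog. Works when the domain is part of a forest
        # with a reachable GC; the commit reports this failing in non-forest domains.
        return Convert-SidViaNameTranslate -InitType $ADS_NAME_INITTYPE_GC -InitName $null -Sid $Sid
    } catch {
        # Fallback: bind explicitly to the local machine's domain.
        $domain = Get-LocalShortDomain
        return Convert-SidViaNameTranslate -InitType $ADS_NAME_INITTYPE_DOMAIN -InitName $domain -Sid $Sid
    }
}

function Get-AdProfilePathFromSid {
    param([Parameter(Mandatory)][string]$Sid)
    $dn   = Resolve-UserDnFromSid -Sid $Sid
    $user = [ADSI]"LDAP://$dn"
    # profilePath may carry %USERNAME%-style references; expand them as the
    # profile service would.
    return [Environment]::ExpandEnvironmentVariables([string]$user.profilePath)
}

function Get-AfsCellFromProfilePath {
    # Assumed layout (not stated on the page): \\<NetbiosName>\<cell>\<rest>.
    # Returns $null when the path is not under the AFS server name.
    param([Parameter(Mandatory)][string]$ProfilePath,
          [string]$NetbiosName = 'AFS')
    $parts = $ProfilePath.TrimStart('\').Split('\', [StringSplitOptions]::RemoveEmptyEntries)
    if ($parts.Count -lt 2 -or $parts[0] -ne $NetbiosName) { return $null }
    return $parts[1]
}

# Usage on a domain-joined host: resolve the current user's cell.
$mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$profile = Get-AdProfilePathFromSid -Sid $mySid
"profile path: $profile"
"cell: $(Get-AfsCellFromProfilePath -ProfilePath $profile)"
```

The fallback is deliberately on the whole Init/Set sequence rather than on Init alone: a GC bind can succeed and only the SID lookup fail, so catching only Init would leave the non-forest case unhandled. The path-to-cell step is the part the page leaves unspecified; adjust the layout assumption to the deployment's NetbiosName and mount-root before relying on it.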
Jeffrey Altman
8063c68dc8 winnotes-20040715
Update Windows note files with the latest changes.
2004-07-15 17:26:35 +00:00
Jeffrey Altman
d03840f85c smb-auth-20040711
Over the last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC.  This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid.  This was trivially
possible because the SMB connections were unauthenticated.

This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO).  By default Extended Security mode
is used.  This patch has been tested on 2000 workstation, 2000 server,
XP SP1, and 2003 Server, and XP SP2 RC2.  The Extended Security works on
all platforms except for XP SP2 RC2, regardless of whether the machine
is part of a domain, and whether a local or domain account
is used.

On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.

Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.

Value   : smbAuthType
Type    : DWORD {0..2}
Default : 2

  If this value is specified, it defines the type of SMB authentication
  which must be present in order for the Windows SMB client to connect
  to the AFS Client Service's SMB server.  The values are:
    0 = No authentication required
    1 = NTLM authentication required
    2 = Extended (GSS SPNEGO) authentication required
  The default is Extended authentication.
2004-07-11 22:22:57 +00:00
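An audit and remediation script for the smbAuthType value described above, added here as an example; it is not OpenAFS code. The security point of the commit is that mode 0 reverts to the unauthenticated SMB connections that let another user with the same userid borrow tokens, so the check treats anything but Extended Security as a finding. Assumptions: the value lives under HKLM\SOFTWARE\OpenAFS\Client (the key the page uses for other client values; the commit does not name the key), the meanings 0/1/2 and the default of 2 are as documented in the message, and an absent value means the default applies.

```powershell
# Added example, not OpenAFS code. Assumed key: HKLM\SOFTWARE\OpenAFS\Client.
$OpenAfsClientKey = 'HKLM:\SOFTWARE\OpenAFS\Client'

# Meanings as documented in the smb-auth-20040711 commit message.
$SmbAuthModes = @{
    0 = 'No authentication (unauthenticated SMB; tokens can be borrowed by another user with the same userid)'
    1 = 'NTLM authentication required'
    2 = 'Extended Security (GSS SPNEGO) authentication required'
}

function Get-AfsSmbAuthType {
    # Reads smbAuthType, applying the documented default of 2 when it is absent
    # and rejecting values outside the documented range {0..2}.
    param([string]$Key = $OpenAfsClientKey)
    $item = Get-ItemProperty -Path $Key -Name smbAuthType -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = 2; Explicit = $false; Mode = $SmbAuthModes[2]; Weak = $false }
    }
    $v = [int]$item.smbAuthType
    if ($v -lt 0 -or $v -gt 2) {
        throw "smbAuthType=$v under $Key is outside the documented range 0..2"
    }
    return [pscustomobject]@{ Value = $v; Explicit = $true; Mode = $SmbAuthModes[$v]; Weak = ($v -ne 2) }
}

function Set-AfsSmbAuthType {
    # Writes the DWORD; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Value = 2,
          [string]$Key = $OpenAfsClientKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$Key\smbAuthType", "set to $Value ($($SmbAuthModes[$Value]))")) {
        Set-ItemProperty -Path $Key -Name smbAuthType -Value $Value -Type DWord
    }
}

# Usage: report the effective mode, and show what remediation would do.
$state = Get-AfsSmbAuthType
"smbAuthType: $($state.Value) ($($state.Mode)); explicit=$($state.Explicit)"
if ($state.Weak) {
    Write-Warning 'AFS Client Service SMB server does not require Extended Security'
    Set-AfsSmbAuthType -Value 2 -WhatIf
}
```

Read-only by default: the remediation runs with -WhatIf, so drop that switch only after confirming the host is not one of the XP SP2 RC2 systems the commit reports as failing Extended Security negotiation, where mode 1 (NTLM) is the documented working fallback.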
Jeffrey Altman
ec5b34b8fc winnotes-registry-20040708
Add descriptions of Global Drive Mappings, MaxCPUs, and Environment
Variables
2004-07-08 15:45:58 +00:00
Jeffrey Altman
e2149ea3f2 maxcpus-20040625
Add documentation on MaxCPUs entry.
2004-06-25 22:18:44 +00:00
Jeffrey Altman
4586c298ae windows-install-notes-20040624
A first cut at installation notes for windows.
2004-06-24 19:24:14 +00:00
Jeffrey Altman
c7d8ba8371 winnotes-20040623
Updated change list and issues list to reflect the state of the world
as of 1.3.65
2004-06-23 21:22:42 +00:00
Jeffrey Altman
6d4bdfc2f7 winnotes-20040605
Document changes up to this date since 1.3.64 and new registry values
2004-06-05 19:59:41 +00:00
Jeffrey Altman
a2c0be0661 update-winnotes-20040511
Update the changes and issues files for the 1.3.64 release
2004-05-11 21:08:57 +00:00
Jeffrey Altman
b624c2bc73 afs-release-notes-20040405
release notes as of 1.3.63
2004-04-05 07:32:57 +00:00
Jeffrey Altman
4e5c8d47a2 registry-20040320
Document "NoFindLanaByName"
2004-03-21 04:27:10 +00:00
Jeffrey Altman
ec0ba71b30 reg-expand-str-20040316
Change the NetbiosName registry value from REG_SZ to REG_EXPAND_SZ
and add the necessary code to expand the strings.  This will allow
the use of %COMPUTERNAME%-AFS in case people want to explicitly use
a non-portable name.

====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================

Update text for NetbiosName value.
2004-03-16 22:03:00 +00:00
Jeffrey Altman
6580ab0680 registry-notes-20040316
Update the registry usage for 1.3.60

Add information for the Network Provider values and the AFSCreds.exe values.
2004-03-16 16:15:36 +00:00
Jeffrey Altman
a16b140dc8 skyrope-mit-merge-hell-20040226
From Skyrope:

The Skyrope work attempted to improve on the end user experience of using
OpenAFS in the following ways:

   * Obtain tokens using renewable Kerberos 5 tickets in order to
     reduce the need for end users to renew expired tokens
   * Monitor the list of IP Addresses in order to detect changes
     in the network configuration which might affect the reachability
     of cells or the state of the AFS Client Service.  When cells
     are newly reachable, obtain tokens for the cells.  If the AFS
     Client Service is not running, start it.  If tokens are expiring
     attempt to renew them.
   * Use KDC probes to detect the accessibility of realms/cells.  If
     the KDC is not reachable, do not prompt the end user for a
     username and password.  (fs probe is not implemented on windows)
   * Automatically obtain tokens using the Windows Logon Session
     Kerberos credentials (if available)
   * Allow tokens for multiple cells to be obtained by using the
     same Kerberos 5 tickets.  (no UI yet implemented)
   * Perform drive mapping persistence by tracking it within the
     afsdsbmt.ini file instead of relying on the Windows Shell
     to persist the state.
   * Add new afscreds.exe command line options and change the
     default set used when creating the "AFS Credentials" shortcut
     in the Start Menu->Programs->Startup folder.

From MIT:

   * Auto-detection of loopback adapters.  Use "AFS" as the netbios
     name when a loopback adapter is installed.

   * Support for responding to power management events.  Used to
     flush the cache when the machine is about to suspend, hibernate,
     or shutdown

   * Documentation of Registry entries

   * Support for Extended SMB Requests

   * Beginning of support for true Event Log reporting from a
     message database

   * Hidden Dot File support (configured via the HideDotFiles
     registry option)

   * Configurable Max number of Multiplexed Sessions (MaxMpxRequests
     registry option)

   * Configurable Max MTU size (RxMaxMTU registry option)

   * Configurable Jumbogram support (RxNoJumbo registry option)

   * Configurable Max number of Virtual Connections per Server
     (MaxVCPerServer registry option)

   * Win32 DNS API support

   * Addition of SMB_ATTR_xxxx defines for use instead of hex numbers

   * A variety of heap access and resource deallocation errors corrected
     in the SMB code

   * Support for recursive directory creation

   * Modifications to the en_US version of the client configuration
     dialog (need to port to other languages)

Notes on the current check-in:

   * The KfW code will always be used when installed on the machine.
     This code only supports Krb5 and will not work with Krb4 only
     realms.  A registry flag indicating whether or not KfW should be
     used if found needs to be added.

   * afscreds.exe needs to have a registry entry created to control
     the parameter list it should be started with.  There should be
     a dialog to control this in the installer and within afscreds.exe

   * The MIT method of auto-assigning the mount-root and the netbios
     name is in conflict with the morgan stanley submissions in some
     parts of the code.  If you are using the loopback adapter with
     this code both the "NetbiosName" = "AFS" and "Mountroot" = "/afs"
     registry options must be specified.  This will be fixed in coming
     days.
2004-02-26 19:22:35 +00:00
Derrick Brashear
4e02670a22 doc-heimdal-conversion-howto-20011224
Short explanation of how to convert from a kaserver to a Heimdal KDC,
including setting up iprop
2001-12-24 21:19:07 +00:00
Jeff Riegel
83873a8474 windows-afsdb-freelance-notes-20011120
Notes from Jeff about AFSDB and Freelance clients
2001-11-21 18:29:16 +00:00