Apparently the problem with multi-domain forests with cross-
realm trusts to non-Windows realms was not entirely solved.
The authentication to the AFS SMB service failed because
the wrong name was being used. Using ASU as an example,
the authentication was being performed with the name
"QAAD\user" (an account in the forest root) and not
"user@ASU.EDU (the MIT Kerberos principal used to login with)
The solution was to add an additional dependency on KFW
in order or to be able to easily obtain the client principal
name stored in the MSLSA ccache TGT. This information is
used in two locations:
- the pioctl() function
- a new WinLogon Event Handler for the "logon" event.
The pioctl function will now be able to use the correct
name when calling WNetAddConnection2() and the "logon"
event handler will now be able to call WNetAddConnection2().
The hope is that the "logon" event handler will be called
before the profile is loaded but I have not guarrantee
that will happen.
updates for 1.3.80
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
update issues list
This patch applies all of the work done to add persistent cache support,
cache manager debugging, and a variety of bug fixes. A full description
will be committed within doc/txt/winnotes as part of a later commit.
* The variable used to determine whether a file or virtual memory
mapped cache is used was not properly initialized to a default
value. If the registry setting "NonPersistentCaching" was not
set, the choice would be random. Properly initialized to be
"file".
* The memory mapped view was never unmapped before closing the file
at service shutdown. This is now properly cleaned up.
* Default location of Cache file is now %TEMP%\AFSCache
Add new Property for StoreAnsiFilenames
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Add property for StoreAnsiFilenames
update text files for StoreAnsiFilenames.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Allow users to choose to store file names in AFS using ANSI code pages
instead of OEM code pages.
Install registry values to force a mapping from afsdsbmt.ini file updates
via the old profile API to the new HKLM\Software\OpenAFS\Client\Submounts
key.
update docs
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
conditionalize the cleanup of language files on their existence
====================
reformat parts of afsd_init.c
add support for version number checking to afsd_service.exe
====================
Fix the afs_config.exe submount dialog operations: Edit Submount name and
Remove submount entry.
====================
Fix the version info data stored in the resource block to
use the same language identifier as is advertised.
the VC++ 2003 Toolkit is missing some important libraries.
remove it from the README-NT file
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
update docs
====================
simplify the freelance import from afs_freelance.ini code. don't generate
an new file if the old one does not exist.
begin conversion from old string functions to new strsafe functions.
this will need to be done for all of the afsd_service.exe source
modules before we can regularly use VS .NET 2005
Add support for VL_GetEntryByNameN. Still need to figure out what needs
to be done for VL_GetEntryByNameU. (multi-homed support)
====================
fix a deadlock situation if an Obtain Tokens dialog is produced
by an expiration event and the user chooses to cancel instead of
obtain new credentials.
Fix the registry query in afskfw.lib to read the HKLM machine value
even if the HKCU key is present.
Update text in the install notes to better describe the krb524
issues
Provide mechanisms to force the use of krb524 via afscreds, afslogon,
and aklog. afslogon and afscreds rely on a new "Use524" registry value
(see registry.txt) and aklog has a new "-m" command line option.
The pattern matching algorithm was failing to match strings when the
pattern terminated in a '*'. The logic was also too complex because
it failed to simply the patterns prior to processing. Any combination
of '*' and '?' == '*' according to the Windows file name pattern
matching rules.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
FIXES 15365
The pattern matching algorithm was failing to match strings when the
pattern terminated in a '*'. The logic was also too complex because
it failed to simply the patterns prior to processing. Any combination
of '*' and '?' == '*' according to the Windows file name pattern
matching rules.
FIXES 915
FIXES 15250
* smb_ReceiveCoreRename() was factored to produce smb_Rename()
which is used by both the original function and the new
smb_ReceiveNTRename(). smb_ReceiveNTRename() supports the
creation of HardLinks in addition to Renaming. smb_Link()
is a new function which creates HardLinks via cm_Link().
cm_Link() is a new vnodeops function which creates links
using RXAFS_Link().
smb_ReceiveNTRename() does not support the File Copy and
Move Cluster Information operations described in its interface.
ReceiveNTRename is under documented in CIFS-TR-1p00_FINAL.pdf.
* When opening files via symlinks, we should follow the symlinks
until we reach the actual file stat cache entry. The stat cache
entry of the file should then be stored in the FID instead of
stat scache entry of the symlink.
* return bad operation errors for all unimplemented functions
even if we do not know the functions exist.
* Log bad packets and unknown operation packets to the trace log
* Map CM_ERROR_BADOP to STATUS_NOT_SUPPORTED instead of
0xC09820FF
* Update list of known CIFS operations to include all those listed
in CIFS-TR-1p00_FINAL.pdf.
* modify registry.txt to replace QWORD with DWORD
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
* add expanded registry support to "submounts"
Update text files for 1.3.71 and describe the new Windows Authorization
Group "AFS Client Admins"
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Add support for "AFS Client Admins" windows authortization group
====================
NTMakefile changes for Admin Group
* Fix aklog.exe to not add the AFS ID to the username
* PTS registration of new users to foreign cells has been added to
afscreds.exe
* The cm_Daemon thread is used to perform checks for
down servers, up servers, volumes, callback expirations,
lock maintenance and token expiration. Due to a gaff in
larger integer division the thread never performed any
work. Instead the current time computation would always
be less then the trigger times. This had an adverse affect
on the client's ability to maintain communication with servers,
keep volumes up to date, and flush user tokens and acls
when they have expired. This was broken when the 1.3 branch
was modified to support VC7 which no longer included
largeint.lib
* An initialization problem with the Freelance code was
detected while fixing the callbackRequest. The cm_rootSCachep
object is obtained during afsd_InitDaemons() but the callback
information is incomplete. The callback information will not
be obtained until cm_MergeStatus is called from within
cm_GetCallback. Unfortunately, cm_SyncOp did not properly
test for the conditions under which the callback information
must be obtained.
* Reports have been filed indicating that callbacks were
being lost. An examination of the code indicated that the
cm_server_t objects were not being properly reference
counted by the cm_scache_t and cm_callbackRequest_t objects.
In particular, the cm_server_t objects may have been freed
from beneath the cm_conn_t objects.
All of the reference counting is now done via the functions:
cm_GetServer
cm_GetServerNoLock
cm_PutServer
cm_PutServerNoLock
this improves the ability to track the referrals.
Each cm_BeginCallbackGranting Call now allocates a reference
to the cm_server_t. The cm_EndCallbackGrantingCall either
frees the reference or transfers it to the cm_scache_t
cbServerp field. These are then appropriately tracked
through the cm_Analyze call.
* Ensure that the dnlc hash table is the same size as the
dir name hash table (as per original author's note).
Increase the dnlc CM_AFSNCNAMESIZE to a multiple of 8
for compatibility with 64-bit systems.
* fix smb_ApplyV3DirListPatches to properly apply the hidden
attribute to dotfiles when the infoLevel < 0x101 and
cm_SyncOp has failed.
* Fix the Freelance registry initialization code. There
was a possibility that some systems could end up with
garbage in the registry during a clean install.
Restore the installation of afslogon.dll as a winlogon event handler.
Microsoft identified the problem as being a newly added restriction
on the behavior of DllMain entry points. Network operations such
as bind() may no longer be called. The ICF blocks them but does not
cause an error to be returned.
Disable the installation of the WinLogon Event Handlers to avoid
problems with XP SP2 Final Release booting and profiles being released
on logoff.
Update version to 1.3.7000
Add VS8 entries to the build system
document new freelance functionality and update install notes
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
more updates
Updates winnotes with current info
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
summary of changes performed this week for 1.3.70
Update documentation on cache control and credential manager options
in MSI deployment guide.
'CachePath' setting in registry allows REG_EXPAND_SZ type.
Update registry documentation for 'CachePath' setting.
Both installers save the credential manager command line options in
registry.
Fix handling of existing 'afsdcell.ini' file in WiX installer.
WiX 2.0.1927 changed the XML schema. The WiX installer has beed
updated accordingly.
* update winnotes
* add osi trace log entries to help diagnose issues with overlapped writes
from CIFS client
* fix osi trace log entries for freelance add mount to use osi_SaveLogString
* fix afscreds "Start Service" to automatically obtain tokens if kerberos
tickets are available
* update afscreds systray menu to use "..." after Remove Icon
* remove extra "." in wix installer resource
Update the install notes to describe conflicts between SMB Authentication
and Windows machines configured with non-Windows Kerberos authentication
used to map to local accounts.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
More updates to smb auth vs external kerberos login
the procedure used to obtain the profile directory failed in Domains
which were not Forests. If ADS_NAME_INITTYPE_GC fails, we must try
ADS_NAME_INITTYPE_DOMAIN which requires the Domain. Added a Domain
parameter to QueryAdHomePathFromSid. This was easy to obtain in
the NPLogonNotify since the logon domain is provided as a parameter.
Unfortunately, the domain provided to the winlogon event notification
routine is the user authentication domain, not the logon domain for
the local machine. Needed to create a GetLocalShortDomain function
which uses the IADsADSystemInfo COM interface to obtain the local
short domain. With this in place, we can now properly detect the
profile directory in all cases.
Document MaxLogSize in registry.txt
TraceLogging is supposed to be activated for different purposes
with bit flags. The osi log and afslogon both used the same bit
flag. Bit 0 is now for afslogon; and Bit 1 is for osi log.
* Update Windows Notes files
* Modify logoff procedure to use a pioctl to check if an arbitrary path
exists within AFS
* Add a new registry value HKLM\Software\OpenAFS\Client CellServDBDir
which can be used to locate the CellServDB file in an arbitrary directory
- Fix NTMakefiles in many directories to define WIN32_LEAN_AND_MEAN NOGDI
to avoid macro redefinitions
- update text files
- add "authentication cell" registry value for afscreds.exe
From asanka@mit.edu:
Network provider :
- If the user is logging into an AD domain, then look up the user's
profile path, find out which cell it's in and then authenticate to
that cell instead of the default cell.
- Domain specific registry keys
- A few fixes for handling UNICODE_STRINGs
smb3.c :
- Delete partial security context during negotiation
client_cpa :
- As per the SDK which says we must handle CPL_INQUIRE message, we do.
Also fixes a small bug where the icon isn't properly set when viewing
the Control Panel folder.
loopbackutils.cpp
- Don't bother setting the app data template, because we are setting
it in the MSI anyway.
install/wix/NTMakefile
- Add a configurable symbol AFSDEV_AUXWIXDEFINES which can be used to
customize a build of the msi.
install/wix
- Move afslogon.dll to SYSTEM32 directory
- Add registry keys to support WinLogon notifications.
- Rename afsdcell.ini to CellServDB and move it to the client directory.
- If there's already an afsdcell.ini in the Windows directory, copy
that over to the client directory instead.
- Add descriptions to AFS client and server services
Over last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 workstation, 2000 server,
XP SP1, and 2003 Server, and XP SP2 RC2. The Extended Security works on
all platforms except for XP SP2 RC2 regards of whether or not the machine
is part of a domain or not; and whether or not a local or domain account
is used.
On XP SP2 RC2, attempts to use negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
Change the NetbiosName registry value from REG_SZ to REG_EXPAND_SZ
and add the necessary code to expand the strings. This will allow
the use of %COMPUTERNAME%-AFS in case people want to explicitly use
a non-portable name.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Update text for NetbiosName value.
From Skyrope:
The Skyrope work attempted to improve on the end user experience of using
OpenAFS in the following ways:
* Obtain tokens using renewable Kerberos 5 tickets in order to
reduce the need for end users to renew expired tokens
* Monitor the list of IP Addresses in order to detect changes
in the network configuration which might affect the reachability
of cells or the state of the AFS Client Service. When cells
are newly reachable, obtain tokens for the cells. If the AFS
Client Service is not running, start it. If tokens are expiring
attempt to renew them.
* Use KDC probes to detect the accessibility of realms/cells. If
the KDC is not reachable, do not prompt the end user for a
username and password. (fs probe is not implemented on windows)
* Automatically obtain tokens using the Windows Logon Session
Kerberos credentials (if available)
* Allow tokens for multiple cells to be obtained by using the
same Kerberos 5 tickets. (no UI yet implemented)
* Perform drive mapping persistance by tracking it within the
afsdsbmt.ini file instead of relying on the Windows Shell
to persist the state.
* Add new afscreds.exe command line options and change the
default set used when creating the "AFS Credentials" shortcut
in the Start Menu->Programs->Startup folder.
From MIT:
* Auto-detection of loopback adapters. Use "AFS" as the netbios
name when a loopback adapter is installed.
* Support for responding to power management events. Used to
flush the cache when the machine is about to suspend, hibernate,
or shutdown
* Documentation of Registry entries
* Support for Extended SMB Requests
* Beginning of support for true Event Log reporting from a
message database
* Hidden Dot File support (configured via the HideDotFiles
registry option)
* Configurable Max number of Multiplexed Sessions (MaxMpxRequests
registry option)
* Configurable Max MTU size (RxMaxMTU registry option)
* Configurable Jumbogram support (RxNoJumbo registry option)
* Configurable Max number of Virtual Connections per Server
(MaxVCPerServer registry option)
* Win32 DNS API support
* Addition of SMB_ATTR_xxxx defines for use instead of hex numbers
* A variety of heap access and resource deallocation errors corrected
in the SMB code
* Support for recursive directory creation
* Modifications to the en_US version of the client configuration
dialog (need to port to other languages)
Notes on the current check-in:
* The KfW code will always be used when installed on the machine.
This code only supports Krb5 and will not work with Krb4 only
realms. A registry flag indicating whether or not KfW should be
used if found needs to be added.
* afscreds.exe needs to have a registry entry created to control
the parameter list it should be started with. There should be
a dialog to control this in the installer and within afscreds.exe
* The MIT method of auto-assigning the mount-root and the netbios
name is in conflict with the morgan stanley submissions in some
parts of the code. If you are using the loopback adapter with
this code both the "NetbiosName" = "AFS" and "Mountroot" = "/afs"
registry options must be specified. This will be fixed in coming
days.