Update the install notes to describe conflicts between SMB Authentication
and Windows machines configured with non-Windows Kerberos authentication
used to map to local accounts.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
More updates to smb auth vs external kerberos login
When all servers associated with a volume get into the CM_SERVERFLAG_DOWN
state, the error CM_ERROR_ALLOFFLINE would be returned by cm_ConnByMServers.
cm_Analyze was then supposed to pause for 5 seconds and then reset the
volume information. Unfortunately, although it called cm_ForceUpdateVolume,
cm_ForceUpdateVolume does not reset the CM_SERVERFLAG_DOWN state on the
servers. Therefore, when cm_ForceUpdateVolume calls cm_ConnByMServers it
would be given a CM_ERROR_ALLOFFLINE. In other words, there was no way
out of the state.
cm_Analyze will now reset CM_SERVERFLAG_DOWN as well as set the
server status to not_busy after its 5 second wait. This will allow
cm_ForceUpdateVolume to actually reset the volume information, and
refresh it if servers for the volume are newly accessible.
Also, added some missing locking calls in cm_Analyze.
In cm_ConnByMServers, change the error reporting to return CM_ERROR_ALLBUSY
only when all servers are busy or down; return CM_ERROR_ALLOFFLINE when all
servers are down; and only return CM_ERROR_NOSUCHVOLUME if the server list
for the volume is empty. In all other cases return CM_ERROR_TIMEDOUT.
The procedure used to obtain the profile directory failed in Domains
which were not Forests. If ADS_NAME_INITTYPE_GC fails, we must try
ADS_NAME_INITTYPE_DOMAIN which requires the Domain. Added a Domain
parameter to QueryAdHomePathFromSid. This was easy to obtain in
the NPLogonNotify since the logon domain is provided as a parameter.
Unfortunately, the domain provided to the winlogon event notification
routine is the user authentication domain, not the logon domain for
the local machine. Needed to create a GetLocalShortDomain function
which uses the IADsADSystemInfo COM interface to obtain the local
short domain. With this in place, we can now properly detect the
profile directory in all cases.
Document MaxLogSize in registry.txt
* Cleanup debug logging. In particular, allow the TraceOptions registry
value to be used as a bit flag as it was intended. Give each type of
debugging its own value instead of having each module test for the zero
bit.
* Modify the handling of the afsd_init.log file. This file originally
was replaced on each start. However, with auto-restart this causes
any error information from the previous halt to be lost. So it was
changed quite a while back to append forever. The problem with this
is that the file gets unreasonably large. Solution: add a new registry
value, MaxLogSize, which determines how large the file should be allowed
to become before truncation. The default is 100K. The magic value 0
means grow indefinitely.
* Update afslogon.dll. Cleanup logging. Fix some errors. Remove unused
variables. AND do not Forget Tokens on Logoff if the profile is located
in AFS space.
* Fix a bug introduced yesterday in cellconfig.c which caused problems
accessing the CellServDB file
* Update the NSIS installer to replace the CRTL DLLs instead of overwrite
them.
* Add new Startup Winlogon handler to initialize the TraceOption.
fstracing on a linux machine and trying to fs flush a file in the cache would trigger a hang on a machine with SMP kernel. fix it.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
fstracing on a linux machine and trying to fs flush a file in the cache would trigger a hang on a machine with SMP kernel. fix it.
TraceLogging is supposed to be activated for different purposes
with bit flags. The osi log and afslogon both used the same bit
flag. Bit 0 is now for afslogon; and Bit 1 is for osi log.
* Update Windows Notes files
* Modify logoff procedure to use a pioctl to check if an arbitrary path
exists within AFS
* Add a new registry value HKLM\Software\OpenAFS\Client CellServDBDir
which can be used to locate the CellServDB file in an arbitrary directory
Do not release the AFS Tokens at logoff if the user's profile was loaded
from AFS. In this case we must keep the AFS tokens because we have no
idea how long writing back the profile might take.
Add CIFS RAP support to the SMB server. This allows AFS to be queried
with NetGetShareInfo, NetGetServerInfo, etc. This allows the AFS SMB
server to be browsed using NET VIEW.
Fix afsshare.c to strip the MountRoot off the afs-path before inserting into
the registry
Fix smb.c to read the submounts out of the registry.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
fix submount extraction from registry
Do not perform a Cell Search when the name matches the SMB IOCTL filename.
This is a special name and is not to be treated as a cell. The failure
to find the name produces DNS queries as well as disk access.
Make sure that we do not alter the FD_SETSIZE on Windows.
On Windows this is an array of FD_SETSIZE. FD_SETSIZE does
not define the maximum socket handle value.
- Fix NTMakefiles in many directories to define WIN32_LEAN_AND_MEAN NOGDI
to avoid macro redefinitions
- update text files
- add "authentication cell" registry value for afscreds.exe
From asanka@mit.edu:
Network provider:
- If the user is logging into an AD domain, then look up the user's
profile path, find out which cell it's in and then authenticate to
that cell instead of the default cell.
- Domain specific registry keys
- A few fixes for handling UNICODE_STRINGs
smb3.c:
- Delete partial security context during negotiation
client_cpa:
- As per the SDK which says we must handle CPL_INQUIRE message, we do.
Also fixes a small bug where the icon isn't properly set when viewing
the Control Panel folder.
loopbackutils.cpp
- Don't bother setting the app data template, because we are setting
it in the MSI anyway.
install/wix/NTMakefile
- Add a configurable symbol AFSDEV_AUXWIXDEFINES which can be used to
customize a build of the msi.
install/wix
- Move afslogon.dll to SYSTEM32 directory
- Add registry keys to support WinLogon notifications.
- Rename afsdcell.ini to CellServDB and move it to the client directory.
- If there's already an afsdcell.ini in the Windows directory, copy
that over to the client directory instead.
- Add descriptions to AFS client and server services
Move afs_cpa.cpl control panel to the OpenAFS\Client\Program
directory and register it in the registry via the
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\
key.
Add a Winlogon Event Notification handler to afslogon.dll to process
Logoff events. Upon Logoff call ktc_ForgetAllTokens() on behalf of
the logged off user.
Fix a filename wildcard matching error introduced a few versions back.
Windows XP SP2 adds a firewall which blocks all incoming ports by default.
This patch adds support to the AFS Client Service (but not the AFS Server)
to automatically open the firewall to ports in use by the application.
One of the new requirements of this functionality is the use of the
latest Platform SDK "Microsoft Platform SDK for Windows XP SP2".
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
For the XP SP2 SDK, both the Core and Data Access SDKs are required.
Get rid of all %WINDIR% INI files
afs_freelance.ini moved to the HKLM hive SOFTWARE\OpenAFS\Client\Freelance
afsdcell.ini moved to the OpenAFS Client install directory and renamed
to CellServDB to match Unix and the OpenAFS Server.
afsdsbmt.ini moved to the registry. Submounts are moved to HKLM hive
SOFTWARE\OpenAFS\Client\Submounts. Active Maps and Drive Mappings are
moved to the HKCU hive SOFTWARE\OpenAFS\Client\Active Maps and Mappings.
CSCPolicy is moved to HKCU hive.
afsdns.ini is no longer used.
NSIS installer updated to migrate the afsdcell.ini to CellServDB
The cm_freelance.ini module has been modified to migrate the afs_freelance.ini
data to the registry on first execution.
The afsdsbmt.ini file data is not currently being migrated.
* NTMakefile: missing commit from SMB AUTH patches
* cm_config.c: obtain location of CellServDB from registry
[HKLM\SOFTWARE\OpenAFS\Client] "CellServDB"=reg_sz
This will allow us to move from %WINDIR%\afsdcell.ini to
C:\Program Files\OpenAFS\Client\CellServDB. This is necessary
for compatibility with Terminal Server in which applications
are not given access to %WINDIR%.
* cm_freelance.c: migrate freelance mount point data from
%WINDIR%\afs_freelance.ini to the registry
[HKLM\SOFTWARE\OpenAFS\Client\Freelance]
Each value, whose name is unimportant, contains one mount point
entry. After the first execution of this code, the current data
in afs_freelance.ini will be moved to the registry and then all
subsequent data access will be performed via the registry.
The afs_freelance.ini file will be deleted after the migration
has occurred.
Add function configureBackConnectionHostNames(void)
On Windows XP SP2, Windows 2003 SP1, and all future Windows operating systems
there is a restriction on the use of SMB authentication on loopback connections.
There are two workarounds available:
(1) We can disable the check for matching host names. This does not
require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001
(2) We can add the AFS SMB/CIFS service name to an approved list. This
does require a reboot:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=multi-sz
The algorithm will be:
Check to see if cm_NetbiosName exists in the BackConnectionHostNames list
If not, add it to the list. (This will not take effect until the next reboot.)
and check to see if DisableLoopbackCheck is set.
If not set, set the DisableLoopbackCheck value to 0x1
and create HKLM\SOFTWARE\OpenAFS\Client UnsetDisableLoopbackCheck
else If cm_NetbiosName exists in the BackConnectionHostNames list,
check for the UnsetDisableLoopbackCheck value.
If set, set the DisableLoopbackCheck flag to 0x0
and delete the UnsetDisableLoopbackCheck value
Over the last several years, significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 workstation, 2000 server,
XP SP1, 2003 Server, and XP SP2 RC2. Extended Security works on
all platforms except XP SP2 RC2, regardless of whether or not the machine
is part of a domain, and regardless of whether a local or domain account
is used.
On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
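The following PowerShell script is an added example, not OpenAFS project code. It audits the three registry settings described in the two commit messages above (smbAuthType, DisableLoopbackCheck with the UnsetDisableLoopbackCheck marker, and the BackConnectionHostNames list) and, on request, applies the reconciliation algorithm from configureBackConnectionHostNames() with -WhatIf support so an administrator can preview the changes. Key paths and value names are the ones quoted in the messages; the NetBIOS name 'AFS' is an assumed placeholder for cm_NetbiosName, and the function names are the example's own.

```powershell
# Added example (not OpenAFS code). Key paths and value names come from the
# commit messages; 'AFS' is an assumed placeholder for cm_NetbiosName.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Client = 'HKLM:\SOFTWARE\OpenAFS\Client'

# Get-ItemPropertyValue throws when a value is absent; report that as $null.
function Read-RegValue([string]$Path, [string]$Name) {
    try { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop }
    catch { $null }
}

function Get-AfsSmbAuthState {
    [CmdletBinding()]
    param([string]$NetbiosName = 'AFS')   # assumed placeholder for cm_NetbiosName

    # smbAuthType: 0 = none, 1 = NTLM, 2 = Extended Security (default when absent)
    $authType = Read-RegValue $Client 'smbAuthType'
    if     ($null -eq $authType) { $authDesc = 'not set; client default is 2 (Extended Security)' }
    elseif ($authType -eq 0)     { $authDesc = '0: no authentication; tokens can be borrowed by anyone connecting with the same userid' }
    elseif ($authType -eq 1)     { $authDesc = '1: NTLM' }
    elseif ($authType -eq 2)     { $authDesc = '2: Extended Security (GSS SPNEGO)' }
    else                         { $authDesc = "unexpected value $authType" }

    # BackConnectionHostNames is REG_MULTI_SZ and reads back as string[] (or $null).
    $hostNames = @(Read-RegValue $Msv10 'BackConnectionHostNames')

    [pscustomobject]@{
        SmbAuthType              = $authDesc
        NameInBackConnectionList = ($hostNames -contains $NetbiosName)
        LoopbackCheckDisabled    = ((Read-RegValue $Lsa 'DisableLoopbackCheck') -eq 1)
        UnsetFlagPresent         = ($null -ne (Read-RegValue $Client 'UnsetDisableLoopbackCheck'))
    }
}

function Sync-AfsLoopbackAuthConfig {
    # Applies the algorithm from configureBackConnectionHostNames(). Run with
    # -WhatIf to see the planned registry changes without making them.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NetbiosName = 'AFS')

    $s = Get-AfsSmbAuthState -NetbiosName $NetbiosName

    if (-not $s.NameInBackConnectionList) {
        # Durable fix: approve the AFS service name (takes effect after a reboot).
        if ($PSCmdlet.ShouldProcess($Msv10, "append '$NetbiosName' to BackConnectionHostNames")) {
            $list = @(@(Read-RegValue $Msv10 'BackConnectionHostNames') | Where-Object { $_ })
            Set-ItemProperty -Path $Msv10 -Name 'BackConnectionHostNames' `
                -Value ([string[]]($list + $NetbiosName)) -Type MultiString
        }
        # Bridge until that reboot: disable the LSA loopback name check and
        # record that this script did so, so it can be re-enabled afterwards.
        # Note that DisableLoopbackCheck relaxes the check for every local
        # service on the host, not only for AFS.
        if (-not $s.LoopbackCheckDisabled -and
            $PSCmdlet.ShouldProcess($Lsa, 'set DisableLoopbackCheck=1 and record UnsetDisableLoopbackCheck')) {
            Set-ItemProperty -Path $Lsa    -Name 'DisableLoopbackCheck'      -Value 1 -Type DWord
            Set-ItemProperty -Path $Client -Name 'UnsetDisableLoopbackCheck' -Value 1 -Type DWord
        }
    }
    elseif ($s.UnsetFlagPresent -and
            $PSCmdlet.ShouldProcess($Lsa, 'restore DisableLoopbackCheck=0 and remove UnsetDisableLoopbackCheck')) {
        # The name is now on the approved list, so the bridge setting is removed.
        Set-ItemProperty    -Path $Lsa    -Name 'DisableLoopbackCheck' -Value 0 -Type DWord
        Remove-ItemProperty -Path $Client -Name 'UnsetDisableLoopbackCheck'
    }

    Get-AfsSmbAuthState -NetbiosName $NetbiosName
}

# Usage (elevated prompt): audit only, then preview, then apply.
Get-AfsSmbAuthState
Sync-AfsLoopbackAuthConfig -WhatIf
# Sync-AfsLoopbackAuthConfig
```

Get-AfsSmbAuthState is read-only and is the part worth running on every client during an audit: an smbAuthType of 0 reproduces the unauthenticated-SMB token-borrowing condition the message describes, and a DisableLoopbackCheck of 1 without the UnsetDisableLoopbackCheck marker means someone other than this reconciliation step relaxed the check and it will never be restored automatically.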
Change the default RPC type from "ncacn_np" to "ncalrpc".
This says to use local rpc instead of named pipes from the
client to the server. Named pipes can still be used by
specifying the "AFS_RPC_PROTSEQ" environment variable.