Updates winnotes with current info
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
summary of changes performed this week for 1.3.70
* update winnotes
* add osi trace log entries to help diagnose issues with overlapped writes
from CIFS client
* fix osi trace log entries for freelance add mount to use osi_SaveLogString
* fix afscreds "Start Service" to automatically obtain tokens if kerberos
tickets are available
* update afscreds systray menu to use "..." after Remove Icon
* remove extra "." in wix installer resource
Update the install notes to describe conflicts between SMB Authentication
and Windows machines configured with non-Windows Kerberos authentication
used to map to local accounts.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
More updates to smb auth vs external kerberos login
* Update Windows Notes files
* Modify logoff procedure to use a pioctl to check if an arbitrary path
exists within AFS
* Add a new registry value HKLM\Software\OpenAFS\Client CellServDBDir
which can be used to locate the CellServDB file in an arbitrary directory
Over last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 workstation, 2000 server,
XP SP1, and 2003 Server, and XP SP2 RC2. The Extended Security works on
all platforms except for XP SP2 RC2 regards of whether or not the machine
is part of a domain or not; and whether or not a local or domain account
is used.
On XP SP2 RC2, attempts to use negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
