Get rid of all %WINDIR% INI files
afs_freelance.ini moved to the HKLM hive SOFTWARE\OpenAFS\Client\Freelance
afsdcell.ini moved to the OpenAFS Client install directory and renamed
to CellServDB to match Unix and the OpenAFS Server.
afsdsbmt.ini moved to the registry. Submounts are moved to HKLM hive
SOFTWARE\OpenAFS\Client\Submounts. Active Maps and Drive Mappings are
moved to the HKCU hive SOFTWARE\OpenAFS\Client\Active Maps and Mappings.
CSCPolicy is moved to HKCU hive.
afsdns.ini is no longer used.
NSIS installer updated to migrate the afsdcell.ini to CellServDB
The cm_freelance.ini module has been modified to migrate the afs_freelance.ini
data to the registry on first execution.
The afsdsbmt.ini file data is not currently being migrated.
* NTMakefile: missing commit from SMB AUTH patches
* cm_config.c: obtain location of CellServDB from registry
[HKLM\SOFTWARE\OpenAFS\Client] "CellServDB"=reg_sz
This will allow us to move from %WINDIR%\afsdcell.ini to
C:\Program Files\OpenAFS\Client\CellServDB. This is necessary
for compatibility with Terminal Server in which applications
are not given access to %WINDIR%.
* cm_freelance.c: migrate freelance mount point data from
%WINDIR%\afs_freelance.ini to the registry
[HKLM\SOFTWARE\OpenAFS\Client\Freelance]
Each value, whose name is unimportant, contains one mount point
entry. After the first execution of this code, the current data
in afs_freelance.ini will be moved to the registry and then all
subsequent data access will be performed via the registry.
The afs_freelance.ini file will be deleted after the migration
has occurred.
Add function configureBackConnectionHostNames(void)
On Windows XP SP2, Windows 2003 SP1, and all future Windows operating systems
there is a restriction on the use of SMB authentication on loopback connections.
There are two workarounds available:
  (1) We can disable the check for matching host names. This does not
      require a reboot:
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
        "DisableLoopbackCheck"=dword:00000001
  (2) We can add the AFS SMB/CIFS service name to an approved list. This
      does require a reboot:
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
        "BackConnectionHostNames"=multi-sz
The algorithm will be:
  Check to see if cm_NetbiosName exists in the BackConnectionHostNames list
  If not, add it to the list. (This will not take effect until the next reboot.)
    and check to see if DisableLoopbackCheck is set.
    If not set, set the DisableLoopbackCheck value to 0x1
      and create HKLM\SOFTWARE\OpenAFS\Client UnsetDisableLoopbackCheck
  else If cm_NetbiosName exists in the BackConnectionHostNames list,
    check for the UnsetDisableLoopbackCheck value.
    If set, set the DisableLoopbackCheck flag to 0x0
      and delete the UnsetDisableLoopbackCheck value
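The start-up algorithm described above, modelled over an in-memory registry so its state transitions can be traced; this is an added example, not code from the OpenAFS commit. It assumes "set" means DisableLoopbackCheck equals 1 and that the marker is stored as a DWORD 1; the dictionary layout and the function names are hypothetical.

```python
# Added illustration: models the registry as {key_path: {value_name: data}}.
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
MSV1_0 = LSA + r"\MSV1_0"
AFS = r"HKLM\SOFTWARE\OpenAFS\Client"
MARKER = "UnsetDisableLoopbackCheck"


def configure_back_connection_host_names(reg, netbios_name):
    """Run one service-start pass; return a list describing each change."""
    lsa = reg.setdefault(LSA, {})
    afs = reg.setdefault(AFS, {})
    names = reg.setdefault(MSV1_0, {}).setdefault("BackConnectionHostNames", [])
    changes = []
    # NetBIOS names are case-insensitive, so compare case-folded.
    if netbios_name.lower() not in (n.lower() for n in names):
        names.append(netbios_name)  # REG_MULTI_SZ entry, effective after reboot
        changes.append("BackConnectionHostNames += " + netbios_name)
        # Assumption: "set" means the value equals 1.
        if lsa.get("DisableLoopbackCheck", 0) != 1:
            lsa["DisableLoopbackCheck"] = 1
            afs[MARKER] = 1  # assumption: marker stored as DWORD 1
            changes.append("DisableLoopbackCheck = 1 (temporary)")
    elif MARKER in afs:
        # The name is already listed and the marker exists: undo the stopgap.
        lsa["DisableLoopbackCheck"] = 0
        del afs[MARKER]
        changes.append("DisableLoopbackCheck = 0 (marker removed)")
    return changes


def loopback_check_state(reg):
    """Classify the machine-wide setting for an audit report."""
    if reg.get(LSA, {}).get("DisableLoopbackCheck", 0) != 1:
        return "enforced"
    if MARKER in reg.get(AFS, {}):
        return "disabled temporarily by the AFS client"
    return "disabled by someone else; the algorithm will not re-enable it"


if __name__ == "__main__":
    reg = {}  # constructed: a machine with none of the values present
    for start in (1, 2, 3):
        print(start, configure_back_connection_host_names(reg, "AFS"),
              "->", loopback_check_state(reg))
```

Starting from a registry where DisableLoopbackCheck is already 1, the first pass only adds the host name and creates no marker, so the machine-wide check stays disabled on later passes.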
Over the last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 workstation, 2000 server,
XP SP1, and 2003 Server, and XP SP2 RC2. The Extended Security works on
all platforms except for XP SP2 RC2 regardless of whether or not the machine
is part of a domain or not; and whether or not a local or domain account
is used.
On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
change the default RPC type from "ncacn_np" to "ncalrpc"
This says to use local rpc instead of named pipes from the
client to the server. Named pipes can still be used by
specifying the "AFS_RPC_PROTSEQ" environment variable.
FIXES 5396
as substantially done by Jeff Woodward <Jeffrey.B.Woodward@Dartmouth.EDU>,
work diffed out and slightly rewritten
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
FIXES 5396
this should be the correct way to give up the socket on all solaris versions
Give folks an option of running afsd_service.exe on fewer processors
than are installed in the machine. A new registry value
TransarcAfsDaemon/Parameters MaxCPUs
allows a restriction to be applied. Set to 1 to use a single CPU
(or hyperthreading instance)
The restriction is applied with SetProcessAffinityMask()
properly set dependencies for NSIS and wix targets to build loopback target
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
do not install a second loopback adapter if one is already installed.
====================
1. Custom actions should not depend on any library that is not in the Windows distribution. Change makefile to link
with a static runtime.
2. Add common reporting mechanism to report ActionData messages back to the MSI process during the loopback
installation.
3. CoInitializeSecurity can be called only once per process. When running as a custom action DLL under the MSI process
we won't be able to successfully call this since the MSI process beats us to it.
====================
Compensate for difference in argument passing in MSI and RunDll32
1. We are packaging debug symbols for all builds. In a checked build the default is to install debug symbols while on a
free build debug symbols won't be installed unless asked to.
2. Change impersonation level for loopback installation.
3. Change UI to allow for ActionData messages during the long wait while the loopback is installed.
4. Add templates for displaying ActionData.
5. Parameterize language resources.
The afsloopback.dll will configure the LMHOSTS and HOSTS files for "AFS"
therefore it is safe to use the loopback adapter on win2000 even though
it does not support broadcasts
Construct a new afsloopback.dll which contains the routines
for installing, removing, and verifying the existence of
a loopback adapter. This dll will be used by both the NSIS
and the Wix installers.
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Update the wix installer to use the new version of instloop.exe
which uses the new afsloopback.dll