jimzah/openafs
1
0
Fork 0
mirror of https://git.openafs.org/openafs.git synced 2025-01-21 08:20:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4586c298ae
openafs/doc/txt/winnotes/afs-install-notes.txt
Jeffrey Altman 4586c298ae windows-install-notes-20040624 
A first cut at installation notes for windows.
2004-06-24 19:24:14 +00:00

227 lines
10 KiB
Plaintext
Raw Blame History

OpenAFS for Windows 1.3.65 Installation Notes
---------------------------------------------
The OpenAFS for Windows product was very poorly maintained throughout the
1.2.x release cycle. While the Unix version was being enhanced and its
quality was improving the Windows version stagnated. The IBM AFS 3.6 product
was not designed for the Windows 2000/XP/2003 operating system nor was it
constructed with highly disconnected environments in mind.
The 1.3.x series of releases not only fixes a large number of bugs in the 1.2
series but also attempts to enhance the functionality of the product to better
fit the usage model of today's users. Several items standout.
1. The Kerberos 4 infrastructure on which the 1.2 series is reliant is no
longer secure. Cross-realm Kerberos is very important in the AFS context and
most sites have or are migrating to Kerberos 5 environments. The 1.3 series
integrates with the MIT Kerberos for Windows 2.6.x product to provide Kerberos
5 functionality including the ability to auto-renew credentials and obtain
single sign-on capabilities with the Microsoft Windows Kerberos Logon Service.
The 1.3.65 OpenAFS client will directly use Kerberos 5 tickets as tokens if
KFW is installed. It requires that all of the AFS Servers which it
communicates support Kerberos 5 tickets. For OpenAFS this is any release 1.2.8
or higher.
When using a Microsoft Windows Active Directory as your KDC for the AFS cell
extremely large tickets may be issued. If this is your situation you either
must modify your 1.2.x servers to support tokens larger than a few hundred
bytes; or install the 1.3.64 or higher release on your servers.
2. The AFS Client Service does not provide robust behavior in an environment
with a plug-n-play network environment. Changes to the number of network
adapters or the assigned IP addresses will cause the client to panic. The
recommended work around for this problem is to install on the machine the
Microsoft Loopback Adapter. When the MLA is installed with a static IP
address the AFS Client Service will bind only to the loopback and not be
affected by changes to state of other network adapters installed on the
system.
Starting in the 1.3.65 release the installers provided by OpenAFS.org will
install the Microsoft Loopback Adapter for you with a name of "AFS" and a
pre-assigned IP address in the 10.x.x.x range.
One of the benefits of using the MLA is that the NETBIOS names used for the
AFS Client's SMB server do not have to be published on any adapter other than
the MLA. This means that the names no longer need to be unique. When the MLA
is in use, the NETBIOS name associated with the AFS Client Service is simply
"AFS". When the MLA is not in use the NETBIOS name is "MACHINE-AFS".
With the MLA installed, UNC paths of the form \\AFS\cellname\path may be used.
3. When the AFS Client Service starts it must be able to contact the root.afs
volume of the default cell. If the root.afs volume is not accessible when the
client service is started, the service will panic. Since many users now use
laptops or otherwise operate in disconnected environments in which a VPN may
be needed to access the cell's servers, it is often the case that the root.afs
volume for the default cell will not be reachable and the client service
cannot successfully start.
In the 1.3.65 release there is support for a fake root.afs volume which is
dynamically constructed when the afs client service starts. This is called
Freelance mode. Freelance mode is turned on by default in the OpenAFS.org
installers.
A couple of notes about Freelance mode. First, since the fake root.afs volume
is constructed on the fly, when it is first used there will be no entries in
the volume. Do not be concerned. Any attempt to access a valid cell name will
automatically result in a new read-only mount point being created in the fake
root.afs volume. These mount points are preserved between service starts in
the %WINDIR%\afs_freelance.ini file.
Unfortunately, at the current time it is not possible to create read-write
mount points in the fake root.afs cell. This is a limitation which will be
addressed in a future release.
4. The OpenAFS for Windows client will make use of AFSDB DNS records to
discover cell information when it is not located in the local CellServDB file
(%WINDIR%\afsdcell.ini).
5. OpenAFS for Windows 1.3.65 only supports Windows 2000, Windows XP, and
Windows 2003. Windows NT 4.0 and the entire Windows 9x/Me line are not
supported. If OpenAFS for Windows runs on those platforms it is by sheer
luck.
6. OpenAFS for Windows installs a Network Provider for use in supporting an
Integrated Logon (Single Sign-on) functionality. Integrated Logon can be used
when the Windows username and password match the username and password
associated with the default cell's Kerberos realm. For example, if the
windows username is "jaltman" and the default cell is "athena.mit.edu", then
Integrated Logon can be successfully used if the windows password matches the
password used for the Kerberos principal "jaltman@ATHENA.MIT.EDU".
Integrated Logon is required if you desire the ability to store roaming user
profiles within the AFS file system. OpenAFS does not provide tools for
synchronizing the Windows and Kerberos user accounts and passwords.
If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
tokens. Otherwise, Kerberos 4 is used.
There is a High Security mode for use with Integrated Logon when multiple
users will share a single machine. There are known problems with this mode.
In particular, if you are using this mode it is crucial that new AFS tokens
not be obtained after the logon session starts except via the AFS Systray tool
as started by the AFS Network Provider. If the AFS Systray tool is stopped
you must log off to obtain new tokens. Do not use external tools such as
"aklog.exe" if High Security mode is turned on.
7. The AFS Systray tool (afscreds.exe) supports several new command line
options:
-A = autoinit
-M = renew drive maps
-N = ip address change detection
-Z = unmap drives
autoinit will result in automated attempts to acquire AFS tokens when
afscreds.exe is started. When used in combination with ip address change
detection, afscreds.exe will attempt to acquire AFS tokens whenever a new IP
address is added to the system.
The renew drive maps option is used to ensure that the user drive maps
constructs via the AFS tools (not NET USE) are re-constructed at afscreds.exe
start time.
By default afscreds.exe is configured by the OpenAFS.org installers to use -A
-N -M as startup options. Currently, there is no UI to change this selection
after install time although these options may be set via the registry either
per machine or per user.
8. Some attempts in the 1.3.65 release have been made to restrict the behavior
of users with regards to their ability to alter the state of the AFS Client
Service. For example, the following fs.exe commands are now restricted to
Administrator:
- checkservers with a non-zero timer value
- setcachesize
- newcell
- sysname with a new sysname list
- exportafs
- setcell
- setserverprefs
- storebehind
- setcrypt
- cscpolicy
- trace
setting the default sysname for a machine should be done via the registry and
not via "fs sysname".
Some of the AFS Client Configuration Control Panel options are also restricted
to use by the "Administrator" account.
9. As of 1.3.65, the AFS Client should support UNC paths everywhere.
10. The AFS Client ships with its own version of aklog.exe which should be
used in preference to those obtained by third party sources.
Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
[[-p | -path] pathname]
[-noprdb] [-force]
[-5 | -4]
-d gives debugging information.
krb_realm is the kerberos realm of a cell.
pathname is the name of a directory to which you wish to authenticate.
-noprdb means don't try to determine AFS ID.
-5 or -4 selects whether to use Kerberos V or Kerberos IV.
(default is Kerberos V)
No commandline arguments means authenticate to the local cell.
11. The AFS Server functionality provided with OpenAFS 1.3.65 does work but
should be considered experimental. It has not been thoroughly tested.
12. The OpenAFS for Windows installers now include Symbol information which
should be installed if you are experiencing problems and need to send crash
reports.
13. OpenAFS for Windows does not support files larger than 2GB.
14. There are documented problems running the AFS Client on Hyperthreaded
Pentium 4 machines. At the current time it is recommended that hyper-
threading be disabled in the machine configuration.
15. OpenAFS for Windows currently requires the use of TCP based RPC. If the
machine is restricted to Local RPC only, you will be unable to store tokens.
16. OpenAFS for Windows does not automatically open ports in the Windows
Internet Connection Firewall. You must manually open port 7001 to allow for
incoming callback messages to be received by AFS file servers.
17. The OpenAFS for Windows installer by default activates a weak form of
encrypted data transfer between the AFS client and the AFS servers. This
is often referred to as "crypt" mode.
------------------------------------------------------------------------
Reporting Bugs:
Bug reports should be sent to openafs-bugs@openafs.org. Please include as
much information as possible about the issue. If you are reporting a crash,
please install the debugging symbols by re-running the installer. If a dump
file is available for the problem include it along with the AFS Client Trace
file %WINDIR%\TEMP\afsd.log. The AFS Client startup log is
%WINDIR%\TEMP\afsd_init.log. Send the last continuous block of log
information from this file.
------------------------------------------------------------------------
How to Contribute to the Development of OpenAFS for Windows:
Contributions to the development of OpenAFS for Windows are needed.
Contributions may take many forms including cash donations, support contracts,
donated developer time, and even donated tech writer time.
If you wish to be involved in OpenAFS for Windows development please join the
openafs-win32-devel@openafs.org mailing list.
https://lists.openafs.org/mailman/listinfo/openafs-win32-devel
User questions should be sent to the openafs-info@openafs.org mailing list.
https://lists.openafs.org/mailman/listinfo/openafs-info
You must join mailing lists if you wish to post to the list without incurring
a moderation delay.
Reference in New Issue View Git Blame Copy Permalink