+++ /dev/null
-OpenAFS for Windows 1.5.0000 Installation Notes
------------------------------------------------
-
-OpenAFS for Windows 1.5.0000 is an unstable development client available for
-Microsoft Windows operating systems. It can be installed either as
-a new installation or an upgrade from previous versions of OpenAFS
-for Windows or IBM AFS for Windows. Installers are provided in two
-forms:
-
- * an executable (.exe) that is based upon the Nullsoft Scriptable
- Installation System, or
-
- * a Windows Installer package (.msi) that is built using WiX and
- can be customized for organizations via the use of MSI Transforms
- (see msi-deployment-guide.txt)
-
-System Requirements:
-
-Operating System: Windows 2000, 2000 Server, XP Home, XP Pro, 2003 Server.
-64-bit versions of Windows and Windows Vista are not supported in this
-release.
-
-Disk Space: up to 60mb required for the OpenAFS binaries plus 100MB
-for the default AFSCache file. (The size of the AFSCache file may
-be adjusted via the Registry after installation.)
-
-Additional Softare: MIT Kerberos for Windows 2.6.x if Kerberos 5
-authentication support is desired.
-
-1. The Kerberos 4 infrastructure on which the 1.2 series is reliant is no
-longer secure. Cross-realm Kerberos is very important in the AFS context and
-most sites have or are migrating to Kerberos 5 environments. The 1.3 series
-integrates with the MIT Kerberos for Windows 2.6.x product to provide Kerberos
-5 functionality including the ability to auto-renew credentials and obtain
-single sign-on capabilities with the Microsoft Windows Kerberos Logon Service.
-
-As of 1.3.65, the OpenAFS client will directly use Kerberos 5 tickets as
-tokens if KFW is installed. The client requires that all of the AFS Servers
-with which it communicates support the use of Kerberos 5 tickets as tokens
-(aka 2b tokens). This means that all of the AFS servers must be running
-OpenAFS release 1.2.8 or higher. Transarc servers do not support Kerberos 5
-tickets as tokens.
-
-When using a Microsoft Windows Active Directory as the KDC which issues the
-service ticket for the AFS cell there are two things to consider. First, the
-Kerberos 5 tickets issued by Active Directory can be quite large when compared
-to tickets issued by a traditional KDC due to the incorporation of
-authorization data in the PAC. If this is your situation you either must
-modify your 1.2.x servers to support tokens larger than a few hundred bytes;
-or install the 1.3.64 or higher release on your servers. Second, Windows 2003
-Active Directory will issue service tickets utilizing the DES-CBC-MD5 enctype.
-OpenAFS releases older than 1.3.64 will not properly support this enctype.
-
-
-2. The AFS Client Service does not provide robust behavior in an environment
-with a plug-n-play network environment. Changes to the number of network
-adapters or the assigned IP addresses will cause the service to panic. The
-recommended work around for this problem is to install the Microsoft Loopback
-Adapter on the machine. When the MLA is installed with a static IP address
-the AFS Client Service will bind only to the loopback and not be affected by
-changes to state of other network adapters installed on the system.
-
-Starting in the 1.3.65 release the installers provided by OpenAFS.org will
-install the Microsoft Loopback Adapter for you with a name of "AFS" and a
-pre-assigned IP address in the 10.x.x.x range.
-
-One of the benefits of using the MLA is that the NETBIOS names used for the
-AFS Client's SMB server do not have to be published on any adapter other than
-the MLA. This means that the names no longer need to be unique. When the MLA
-is in use, the NETBIOS name associated with the AFS Client Service is simply
-"AFS". When the MLA is not in use the NETBIOS name is "MACHINE-AFS".
-
-When the MLA is installed, UNC paths of the form \\AFS\cellname\path may be
-used.
-
-The MLA is installed with a binding to "Client for Microsoft Networks" but not
-to "File and Printer Sharing for Microsoft Networks". If you fail to bind
-"Client Microsoft Networks" you will not be able to access the AFS Client
-Service when the machine is disconnected from the network. If you bind "File
-and Printer Sharing ..." there will be a service type collision between the
-name "AFS" and the name of the machine on the published IP Address. This will
-result in a failure to be able to access files in AFS. The "NET VIEW" command
-will return a "System Error 52" message when this conflict exists. To correct
-the problem:
-
- * stop the AFS Client Service
- * bind the "Client for Microsoft Networks" to the MLA
- * unbind "File and Printer Sharing for Microsoft Networks" from the MLA
- * Disable and then Enable the MLA
- * start the AFS Client Service
-
-
-3. Traditionally, when the AFS Client Service starts it must be able to access
-the "root.afs" volume of the default cell. The "root.afs" volume contains a
-set of read-only and read-write mount points to the "root.cell" volumes of
-various cells the administrator of the default cell believes should be
-accessible. If the "root.afs" volume is inaccessible when the client service
-is started, the service will panic. Since many users now use laptops or
-otherwise operate in disconnected environments in which a VPN may be needed to
-access the cell's servers, it is often the case that the "root.afs" volume for
-the default cell is not reachable and the AFS Client Service will not
-successfully start.
-
-The OpenAFS Client Service now supports a fake "root.afs" volume which is
-dynamically constructed when the service starts. This mode is called
-Freelance mode. Freelance mode is turned on by default.
-
-The contents of the fake "root.afs" volume are constructed dynamically as
-cells are accessed. When the fake "root.afs" volume is constructed it will
-only contain two mount points: a read-only and read-write mount point used to
-access the "root.cell" volume of the default AFS cell. Any attempt to access
-a valid cell name will automatically result in a new mount point being created
-in the fake "root.afs" volume. If the cellname begins with a "." the mount
-point will be read-write; otherwise the mount point will be read-only. These
-mount points are preserved in the registry at key:
-
- HKLM\SOFTWARE\OpenAFS\Client\Freelance
-
-Additional mount points may be manually created using the "fs mkmount"
-command. Mount points may be removed using the "fs rmmount" command.
-
- >fs mkmount \\AFS\all\athena.mit.edu root.cell athena.mit.edu
- >fs mkmount \\AFS\all\.athena.mit.edu root.cell athena.mit.edu -rw
- >fs rmmount \\AFS\all\athena.mit.edu
- >fs rmmount \\AFS\all\.athena.mit.edu
-
-Beginning in 1.3.74, the Freelance fake root.afs volume will support the
-creation of symlinks.
-
- >symlink make \\afs\all\link \\afs\all\athena.mit.edu\user\j\a\jaltman
-
- >symlink list \\afs\all\link
- '\\afs\all\link' is a symlink to 'athena.mit.edu\user\j\a\jaltman'
-
- >symlink rm \\afs\all\link
-
-The symlinks are stored in the registry at:
-
- HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks
-
-
-4. The OpenAFS for Windows client will use AFSDB DNS records to discover cell
-information when it is not located in the local CellServDB file
-(\%PROGRAMFILES%\OpenAFS\Client\CellServDB).
-
-
-5. OpenAFS for Windows 1.3.72 only supports Windows 2000, Windows XP, and
-Windows 2003. Windows NT 4.0 and the entire Windows 9x/Me line are no longer
-supported. Older releases of OpenAFS are available for download if those
-operating systems must be supported. The last version with support for Win9x
-is 1.2.2b. The last version with support for Windows NT 4.0 is 1.2.10.
-
-
-6. OpenAFS for Windows installs a WinLogon Network Provider to provide
-Integrated Logon (Single Sign-on) functionality. Integrated Logon can be used
-when the Windows username and password match the username and password
-associated with the default cell's Kerberos realm. For example, if the
-windows username is "jaltman" and the default cell is "athena.mit.edu", then
-Integrated Logon can be successfully used if the windows password matches the
-password used for the Kerberos principal "jaltman@ATHENA.MIT.EDU".
-
-Integrated Logon is required if you desire the ability to store roaming user
-profiles within the AFS file system. OpenAFS does not provide tools for
-synchronizing the Windows and Kerberos user accounts and passwords.
-
-If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
-tokens. Otherwise, Kerberos 4 is used.
-
-There is a High Security mode for use with Integrated Logon when multiple
-users will share a single machine. There are known problems with this mode.
-In particular, if you are using this mode it is crucial that new AFS tokens
-not be obtained after the logon session starts except via the AFS Systray tool
-as started by the AFS Network Provider. If the AFS Systray tool is stopped
-you must log off to obtain new tokens. Do not use external tools such as
-"aklog.exe" if High Security mode is turned on. As of 1.3.70, OpenAFS supports
-Authenticated SMB connections which removes the need for High Security mode.
-DO NOT USE IT!!!!!
-
-Starting in 1.3.83, when Integrated Logon is used in conjunction with KFW, the
-Kerberos 5 tickets obtained during the process of generating AFS tokens are
-preserved and stored into the default ccache within the user logon session.
-
-What Integrated Logon does not do:
- (a) Integrated Logon does not have the ability to cache the user's
- username and password for the purpose of obtaining tokens if the
- Kerberos KDC is inaccessible at logon time.
-
-
-7. The AFS Systray tool (afscreds.exe) supports several command line
-options:
-
- -A = autoinit
- -E = force existing afscreds to exit
- -I = install startup shortcut
- -M = renew drive maps
- -N = IP address change detection
- -Q = quiet mode. do not display start service dialog
- if afsd_service is not already running
- -S = show tokens dialog on startup
- -U = uninstall startup shortcut
- -X = test and do map share
- -Z = unmap drives
- -: = magic parameter for high security mode
-
-autoinit will result in automated attempts to acquire AFS tokens when
-afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored
-in the MSLSA credentials cache; any existing CCAPI credentials cache; and
-finally display an Obtain Tokens dialog to the user. When used in combination
-with IP address change detection, afscreds.exe will attempt to acquire AFS
-tokens whenever the IP address list changes and the Kerberos KDC is
-accessible.
-
-The renew drive maps option is used to ensure that the user drive maps
-constructed via the AFS tools (not NET USE) are re-constructed each time
-afscreds.exe is started.
-
-By default afscreds.exe is configured by the OpenAFS.org installers to use -A
--N -M -Q as startup options. Currently, there is no UI to change this
-selection after install time although these options may be altered via the
-registry either per machine or per user. See AfscredsShortcutParams in
-registry.txt.
-
-
-8. As of 1.3.71, the OpenAFS for Windows client supports a local Windows
-authorization group called "AFS Client Admins". This group is used in place
-of the "Administrators" group to determine which users are allowed to modify
-the AFS Client Service configuration via either afs_config.exe or fs.exe. For
-example, the following fs.exe commands are now restricted to members of the
-"AFS Client Admins" group:
-
- - checkservers with a non-zero timer value
- - setcachesize
- - newcell
- - sysname with a new sysname list
- - exportafs
- - setcell
- - setserverprefs
- - storebehind
- - setcrypt
- - cscpolicy
- - trace
-
-Setting the default sysname for a machine should be done via the registry and
-not via "fs sysname".
-
-The local "SYSTEM" account is always a member of the "AFS Client Admins"
-group.
-
-The initial membership of the "AFS Client Admins" group when created by the
-installer is equivalent to the local "Administrators" group. If a user is
-added to the "Administrators" group after the creation of the "AFS Client
-Admin" group, that user will not be an AFS Client Administrator. Only users
-that are members of the "AFS Client Admins" group are AFS Client
-Administrators.
-
-
-9. The AFS Client should support UNC paths everywhere. Power users that make
-extensive use of the command line shell, cmd.exe, might want to consider using
-JP Software's 4NT command processor. Unlike cmd.exe, 4NT does fully support
-UNC paths and can use a UNC path as the default device.
-
-
-10. The AFS Client ships with its own version of aklog.exe which should be
-used in preference to those obtained by third party sources. The OpenAFS
-aklog.exe supports Kerberos 5 as well as the ability to auto-generate pts IDs
-for user's obtaining tokens to foreign cells.
-
-Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
- [[-p | -path] pathname]
- [-noprdb] [-force]
- [-5 | -4]
-
- -d gives debugging information.
- krb_realm is the kerberos realm of a cell.
- pathname is the name of a directory to which you wish to authenticate.
- -noprdb means don't try to determine AFS ID.
- -5 or -4 selects whether to use Kerberos V or Kerberos IV.
- (default is Kerberos V)
- No commandline arguments means authenticate to the local cell.
-
-
-11. The AFS Server functionality provided with OpenAFS 1.3.72 might work but
-should be considered highly experimental. It has not been thoroughly tested.
-Any data which would cause pain if lost should not be stored in an OpenAFS
-Server on Windows.
-
-A few notes on the usage of the AFS Client Service if it is going to be
-used with the OpenAFS AFS Server:
-
-(a) When the AFS Server is installed Freelance mode must be turned off.
-
-(b) The AFS Server and related tools only support the built in kaserver
-(Kerberos IV). If the AFS Server is being used, MIT Kerberos for Windows
-should not be used.
-
-
-12. The OpenAFS for Windows installers now include Symbol information which
-should be installed if you are experiencing problems and need to send crash
-reports. This is true in both the release and the debug versions of the
-installers. The differences between the release and debug versions are
-whether or not the binaries were compiled with optimization; whether the debug
-symbols are installed by default; and whether additional debug statements were
-compiled into the binaries.
-
-
-13. OpenAFS for Windows does not support files larger than 2GB. This is due
-to the lack of support for the Unicode version of the SMB/CIFS protocol.
-
-
-14. Local RPC is used as the default RPC mechanism for setting tokens. TCP
-RPC is required to be installed and is used for debugging and other functions.
-
-
-15. The OpenAFS for Windows installer by default activates a weak form of
-encrypted data transfer between the AFS client and the AFS servers. This is
-often referred to as "fcrypt" mode.
-
-
-16. OpenAFS 1.3.71 adds support for authenticated SMB connections using either
-NTLM or GSS SPNEGO (NTLM, Kerberos 5, ...). In previous versions of OpenAFS
-the SMB connections were unauthenticated which left open the door for several
-security holes which could be used to obtain access to other user's tokens on
-shared machines. With the introduction of authenticated SMB connections the
-so called High Security mode should no longer be used.
-
-When GSS SPNEGO results in a Kerberos 5 authentication, the Windows SMB client
-will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback
-adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not
-being used). It is extremely important that this service principal not exist
-in the KDC database. If the request for this ticket fails, a subsequent
-request for "cifs/HOST$@REALM" will be issued. This service principal should
-exist in the KDC database. The key associated with this service principal
-must match the key assigned to "host/machine@REALM". If the local machine is
-part of a Windows Domain this will all be taken care of for you. If the local
-machine is using a non-MS KDC for authentication, then your KDC administrator
-will have to add these service principals to the list of principals to be
-maintained for each host.
-
-
-17. As of 1.3.70, INI files are no longer used for the storage of AFS
-configuration data. No longer are there any AFS related files stored in the
-%WINDIR% directory. The CellServDB file is no longer called "afsdsbmt.ini"
-and it is stored in the OpenAFS\Client directory. The afs_freelance.ini and
-afsdsbmt.ini file data has been moved to the registry.
-
-IMPORTANT: while the CellServDB file location and freelance mountpoint data
-will be automatically migrated; there is no mechanism for automatic migration
-of Submounts, Drive Mappings, Active Maps, and CSCPolicy data.
-
-
-18. As of 1.3.70, the OpenAFS Client is compatible with Windows XP SP2 and
-Windows 2003 SP1. The Internet Connection Firewall will be automatically
-adjusted to allow the receipt of incoming callback messages from the AFS file
-server. In addition, the appropriate Back Connection entries are added to the
-registry to allow SMB authentication to be performed across the loopback
-connection.
-
-
-19. As of 1.3.70, the OpenAFS Client Service supports the CIFS Remote Admin
-Protocol which provides browsing of server and share information. This
-significantly enhances the interoperability of AFS volumes within the Explorer
-Shell and Microsoft Office applications.
-
-
-20. OpenAFS will now automatically forget a user's tokens upon Logoff unless
-the user's profile was loaded from an AFS volume. In this situation there is
-no mechanism to determine when the profile has been successfully written back
-to the network. It is therefore unsafe to release the user's tokens. Whether
-or not the profile has been loaded from the registry can be determined for
-Local Accounts, Active Directory accounts and NT4 accounts.
-
-If there is a need to disable this functionality, the LogoffPreserveTokens
-registry value (see registry.txt) can be used.
-
-
-21. Terminal Server installations.
-When installing the NSIS (.exe) installer under Terminal Server, you must
-execute it from within the Add/Remove Programs Control Panel. Failure to do
-so will result in AFS not running properly. The AFS Server should not be
-installed on a machine with Terminal Server installed.
-
-
-22. AFS is a Unix native file system. As such the OpenAFS client attempts to
-treat the files stored in AFS as they would be on Unix. File and directory
-names beginning with a "." are automatically given the Hidden attribute so
-they will not normally be displayed.
-
-
-23. Some organizations which have AFS cell names and Kerberos realm names
-which differ by more then just lower and upper case rely on a modification to
-krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4 ticket
-in realm BAR. This allows user@FOO to appear to be user@bar for the purposes
-of accessing the AFS cell. As of OpenAFS 1.2.8, support was added to allow
-the immediate use of Kerberos 5 tickets as AFS (2b) tokens. This is the first
-building block necessary to break away from the limitations of Kerberos 4 with
-AFS. By using Kerberos 5 directly we avoid the security holes inherent in
-Kerberos 4 cross-realm. We also gain access to cryptographically stronger
-algorithms for authentication and encryption.
-
-Another reason for using Kerberos 5 directly is because the krb524 service
-runs on a port (4444) which has become increasingly blocked by ISPs. The port
-was used to spread a worm which attacked Microsoft Windows in the summer of
-2003. When the port is blocked users find that they are unable to
-authenticate.
-
-Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all
-situations except when the cell name does not match the realm name and the
-principal names placed into the ACLs are not the principal names from the
-Kerberos 5 ticket. To support this transition, OpenAFS for Windows in 1.3.72
-adds a new registry value to force the use of krb524d. However, the
-availability of this option should only be used by individuals until such time
-as their organizations can provide a more permanent solution.
-
-
-24. The Status Cache (AFS Config Control Panel: Advanced Page) is defined to
-have a maximum number of entries. Each entry represents a single file or
-directory entry accessed within the AFS file system. When the maximum number
-of entries are allocated, entries will begin to be reused according to a least
-recently used (LRU) algorithm. If the number of files or directories being
-accessed repeatedly by your applications is greater then the maximum number of
-entries, your host will begin to experience thrashing of the Status Cache and
-all requests will result in network operations.
-
-If you are experiencing poor performance you might want to increase the
-maximum number of Status Cache entries. Each entry requires approximately
-1.2K. Note that the default number of Status Cache entries was increased to
-10,000 starting in 1.3.80.
-
-
-25. "Netbios over TCP/IP" must be active on the machine in order for
-communication with the AFS Client Service to succeed. If "Netbios over
-TCP/IP" is disabled on the machine, then communication with the AFS Client
-Service will be impossible.
-
-
-26. The AFS Client Service and related binaries are digitally signed by
-"Secure Endpoints Inc." beginning with the 1.3.7400 release of OpenAFS for
-Windows. Starting in the 1.3.7500 release, the AFS Client Service will
-perform a run-time verification check to ensure that all AFS related DLLs
-loaded by the service match the same file version number and were signed by
-the same entity. This check has been added to prevent the stability problems
-caused by more then one version of AFS being installed on a machine at the
-same time. Many hours of support time have been wasted tracking down problems
-caused by the mixture of files from different releases.
-
-The registry.txt file documents the "VerifyServiceSignature" registry value
-which can be used to disable the signature check. The file version check
-cannot be disabled.
-
-
-27. The maximum cache size is approximately 1.3GB. This is the largest
-contiguous block of memory in the 2GB process address space which can be used
-for the memory mapped file. Due to fragmentation of the process spaced caused
-by the digital signature verification code, any attempt to specify a cache
-size greater then 700MB will result in the automatic disabling of the
-signature check.
-
-
-28. OpenAFS for Windows implements an SMB server which is used as a gateway to
-the AFS filesystem. Because of the use of SMB, Windows stores all files into
-AFS using the OEM code pages such as CP437 (United States) or CP850 (Western
-Europe). These code pages are incompatible with the ISO Latin-1 character set
-typically used as a default on Unix systems in both the United States and
-Western Europe. Filenames stored by OpenAFS for Windows are therefore
-unreadable on Unix systems if they include any of the following characters:
-
- [Ç] 128 08/00 200 80 C cedilla
- [ü] 129 08/01 201 81 u diaeresis
- [é] 130 08/02 202 82 e acute
- [â] 131 08/03 203 83 a circumflex
- [ä] 132 08/04 204 84 a diaeresis
- [Ã ] 133 08/05 205 85 a grave
- [Ã¥] 134 08/06 206 86 a ring
- [ç] 135 08/07 207 87 c cedilla
- [ê] 136 08/08 210 88 e circumflex
- [ë] 137 08/09 211 89 e diaeresis
- [è] 138 08/10 212 8A e grave
- [ï] 139 08/11 213 8B i diaeresis
- [î] 140 08/12 214 8C i circumflex
- [ì] 141 08/13 215 8D i grave
- [Ä] 142 08/14 216 8E A diaeresis
- [Ã…] 143 08/15 217 8F A ring
- [É] 144 09/00 220 90 E acute
- [æ] 145 09/01 221 91 ae diphthong
- [Æ] 146 09/02 222 92 AE diphthong
- [ô] 147 09/03 223 93 o circumflex
- [ö] 148 09/04 224 94 o diaeresis
- [ò] 149 09/05 225 95 o grave
- [û] 150 09/06 226 96 u circumflex
- [ù] 151 09/07 227 97 u grave
- [ÿ] 152 09/08 230 98 y diaeresis
- [Ö] 153 09/09 231 99 O diaeresis
- [Ü] 154 09/10 232 9A U diaeresis
- [ø] 155 09/11 233 9B o slash
- [£] 156 09/12 234 9C Pound sterling sign
- [Ø] 157 09/13 235 9D O slash
- [×] 158 09/14 236 9E Multiplication sign
- [\83] 159 09/15 237 9F Florin sign
-
-As of 1.3.75, a new registry value, HKLM\SOFTWARE\OpenAFS\Client
-"StoreAnsiFilenames" can be set to instruct OpenAFS for Windows to store
-filenames using the ANSI Code Page instead of the OEM Code Page. The ANSI
-Code Page is a compatible superset of Latin-1. This setting is not the
-default setting because making this change would prevent OpenAFS for Windows
-from being able to access filenames containing the above characters which were
-created without this setting.
-
-
-29. There is a known issue with storing Windows Roaming Profiles when the
-profile contains either directories or files with names which cannot be
-represented in the local OEM character set. In this case, attempts to write
-the profile back to AFS will fail. OpenAFS for Windows does not currently
-support UNICODE. To avoid this problem some sites run logoff scripts
-(assigned by group policy) which rename all files to use only the supported
-characters for the locale.
-
-
-30. As of 1.3.80 the AFS Cache file is stored by default at %TEMP%\AFSCache in
-a persistent file marked with the Hidden and System attributes. The
-persistent nature of the data stored in the cache file improves the
-performance of OpenAFS by reducing the number of times data must be read from
-the AFS file servers.
-
-
-31. Integrated Login (as of 1.3.80) supports the ability to obtain tokens for
-multiple cells. See the "TheseCells" value in registry.txt.
-
-
-32. New command line tool:
-
- afsdacl : Set or reset the DACL to allow starting or stopping
- the afsd service by any ordinary user.
-
- Usage : afsdacl [-set | -reset] [-show]
- -set : Sets the DACL
- -reset : Reset the DACL
- -show : Show current DACL (SDSF)
-
-33. As of 1.3.80, the default @sys name list has been changed to "x86_win32
-i386_w2k i386_nt40" for 32-bit x86 systems. The default for itanium will be
-"ia64_win64" and "amd64_win64" for amd 64-bit processors.
-
-
-34. As of 1.3.80, symlinks to \\AFS[\all]\... will now be treated the same as
-symlinks to /afs/... However, please use /afs/... as the Windows UNC form
-will not work on Unix.
-
-
-35. As of 1.3.80, OpenAFS for Windows implements the Cache Manager Debugging
-RPC Interface. The CM debugger can be queried with cmdebug.exe.
-
-Usage: cmdebug -servers <server machine> [-port <IP port>] [-long]
- [-addrs] [-cache] [-help]
-Where: -long print all info
- -addrs print only host interfaces
- -cache print only cache configuration
-
-
-36. If you are a site which utilizes MIT/Heimdal Kerberos principals to logon
-to Windows via a cross-realm relationship with a multi-domain Windows forest,
-you must enable Windows logon caching unless the workstation is Longhorn Beta
-1 or later.
-
-
-37. VLDB and File Server Preferences can now be provided initial values using
-registry keys. This is useful for managed machines in a Windows domain which
-are centrally located (e.g., in a computing lab.) See registry.txt for
-details on the "Server Preferences" keys.
-
-
-38. As of 1.3.81, timestamps on files stored in AFS are reported to Windows in
-UTC all year round. Previously, in locales with daylight savings time, the
-time reported by AFS to Windows when DST is active was UTC+1. This was done
-to preserve the relative local time for the user. A file stored at 11:00am
-EST in January would be reported as having been stored at 11:00am EDT in June.
- Unfortunately, this has the negative side effect of changing the reported
-timestamp from 16:00UTC to 15:00UTC. Since Windows treats all file times in
-UTC, data synchronization applications which rely on the timestamp would
-believe that all files stored in AFS had changed. This will no longer be the
-case.
-
-It should be noted that Unix based operating systems (such as Solaris) do not
-appear to report file times to applications in UTC. They do preserve the
-relative local time. This may confuse some users who are used to being able
-to compare the timestamp in an Unix shell with the timestamp from the Windows
-explorer. During DST, these two times will no longer agree even though they
-are in fact describing the same time.
-
-
-39. If the installer refuses to install and complains about an RPC
-configuration error, check to ensure that the following registry entries are
-present and that they refer to the dll "rpcrt4.dll":
-
- HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_np"
- HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp"
- HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"
- HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"
-
-
-40. 1.3.83 adds a new command, "fs minidump". This command can be used at any
-time to generate a mini dump file containing the current stack of the
-afsd_service.exe process. This output can be very helpful when debugging the
-AFS Client Service when it is unresponsive to SMB/CIFS requests.
-
-
-41. The Windows AFS client implements Universally Unique Identifiers (UUIDs).
-They are used to provide the server with a method of identifying the client
-that is independent of IP address. The UUID is generated when the AFSCache
-file is created and is maintained as long as the contents of the AFSCache
-file are kept intact. The UUID is stored in the AFSCache file. When
-cloning machines that have Windows AFS client installed, the AFSCache files
-must be deleted as part of the cloning process.
-
-
-42. The performance of the AFS Client Service is significantly affected by
-the access times associated with the AFSCache paging file. When given the
-choice, the AFSCache file should be placed on a fast disk, preferably NTFS,
-the file should not be compressed and should consist of as few fragments as
-possible. Significant performance gains can be achieved by defragmenting
-the AFSCache file with Sysinternal's Contig utility.
-
-------------------------------------------------------------------------
-
-How to Debug Problems with OpenAFS for Windows:
-
-OpenAFS for Windows provides a wide range of tools to assist you in debugging
-problems. The techniques available to you are varied because of the wide
-range of issues that have been discovered over the years.
-
-* pioctl debugging (IoctlDebug registry key)
-
- pioctl (path-based ioctl) calls are used by various tools to
- communicate with the AFS Client Service. Some of the operations performed
- include:
-
- - setting/querying tokens (tokens.exe, aklog.exe, afscreds.exe)
- - setting/querying ACLs
- - setting/querying cache parameters
- - flushing files or volumes
- - setting/querying server preferences
- - querying path location
- - checking the status of servers and volumes
- - setting/querying the sysname list
-
- pioctl calls are implemented by writing to a special UNC path that
- is processed by the AFS Client Service. If there is a failure to
- communicate with the AFS Client Service via SMB/CIFS, it will be
- impossible to perform any of the above operations.
-
- To assist in debugging these problems, the registry value:
-
- [HKLM\SOFTWARE\OpenAFS\Client]
- REG_DWORD: IoctlDebug = 0x01
-
- should be set. Then any of the commands that perform pioctl calls should
- be executed from the command prompt. With this key set the pioctl library
- will generate debugging output to stderr. The output will contain the
- Win32 API calls executed along with their most important parameters and
- their return code. The MSDN Library and the Microsoft KnowledgeBase can
- be used as a reference to help you determine the configuration probem with
- your system.
-
-* afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)
-
- Every time the AFS Client Service starts it appends data about its progress
- and configuration to a file. This file provides information crucial to
- determining why the service cannot start when there are problems. When
- the process terminates due to a panic condition it will write to this
- file the source code file and line number of the error. In many cases
- the panic condition is due to a misconfiguration of the machine. In other
- cases it might be due to a programming error in the software.
- A quick review of the location in the source code will quickly reveal
- the reason for the termination.
-
-
-* afsd_service debug logs (fs trace {-on, -off, -dump} ->
- %WinDir%\TEMP\afsd.log)
-
- When attempting to debug the behavior of the SMB/CIFS Server and the
- Cache Manager it is often useful to examine a log of the operations
- being performed. While running the AFS Client Service keeps an in memory
- log of many of its actions. The default number of actions preserved
- at any one time is 5000. This can be adjusted with the registry value:
-
- [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
- REG_DWORD TraceBufferSize
-
- A restart of the service is necessary when adjusting this value.
- Execute "fs trace -on" to clear to the log and "fs trace -dump" to
- output the contents of the log to the file.
-
- An alternatve option to the use of "fs trace" is to use a tool such as
- Sysinternal's DbgView to capture real-time debugging output. Set Bit 2
- of the TraceOption value in the registry to activate.
-
- [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
- REG_DWORD TraceOption = 0x04
-
-
-* Microsoft MiniDumps (fs minidump -> %WinDir%\TEMP\afsd.dmp)
-
- If the AFS Client Service become unresponsive to any form of communication
- there may be a serious error that can only be debugged by someone with
- access to the source code and a debugger. The "fs minidump" command can
- be used to force the generation of a MiniDump file containing the state
- of all of the threads in the AFS Client Service process.
-
-
-* Integrated Logon debugging (TraceOption registry key)
-
- If you are having trouble with the Integrated Logon operations
- it is often useful to be able to obtain a log of what it is attempting
- to do. Setting Bit 0 of the registry value:
-
- [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
- REG_DWORD TraceOption = 0x01
-
- will instruct the Integrated Logon Network Provider and Event Handlers
- to log information to the Windows Event Log: Application under the name
- "AFS Logon".
-
-
-* RX (AFS RPC) debugging (rxdebug)
-
- The rxdebug.exe tool can be used to query a variety of information
- about the AFS services installed on a given machine. The port for
- the AFS Cache Manager is 7001.
-
-
-* Cache Manager debugging (cmdebug)
-
- The cmdebug.exe tool can be used to query the state of the AFS Cache
- Manager on a given machine.
-
-
-* Persistent Cache consistency check
-
- The persistent cache is stored in a Hidden System file at
- %WinDir%\TEMP\AFSCache. If there is a problem with the persistent
- cache that prevent the AFS Client Service from being able to start
- a validation check on the file can be performed.
-
- afsd_service.exe --validate-cache <cache-path>
-
-
-------------------------------------------------------------------------
-
-Reporting Bugs:
-
-Bug reports should be sent to openafs-bugs@openafs.org. Please include as
-much information as possible about the issue. If you are reporting a crash,
-please install the debugging symbols by re-running the installer. If a dump
-file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along
-with the AFS Client Trace file %WINDIR%\TEMP\afsd.log. The AFS Client
-startup log is %WINDIR%\TEMP\afsd_init.log. Send the last continuous block of
-log information from this file.
-
-Configuring DrWatson to generate dump files for crashes:
-
- * Run drwtsn32.exe to configure or to identify where the log and the crash dump
- files are created:
- - click Start > Run...
- - type drwtsn32 <enter>.
- - Select either a Crash Dump Type: Mini or Full.
- - Clear Dump Symbol Table
- - Clear Append to Existing Log file.
- - Check Dump All Thread Contexts.
- - Check Create Crash Dump File
- * Next run the monitoring module of Dr. Watson:
- - click Start > Run...
- - type drwatson <enter>.
- - Once a crash happens, Dr. Watson generates a dump file and a report in the
- log file, including the address of the crash and the stack dump.
-
-Once you have the Dr. Watson's logfile and minidump, zip them and send them as
-attachments with your e-mail to openafs-bugs@openafs.org.
-
-When reporting a error, please be sure to include the version of OpenAFS.
-
-
-------------------------------------------------------------------------
-
-How to Contribute to the Development of OpenAFS for Windows:
-
-Contributions to the development of OpenAFS for Windows are needed.
-Contributions may take many forms including cash donations, support contracts,
-donated developer time, and even donated tech writer time.
-
-If you wish to be involved in OpenAFS for Windows development please join the
-openafs-win32-devel@openafs.org mailing list.
-
- https://lists.openafs.org/mailman/listinfo/openafs-win32-devel
-
-User questions should be sent to the openafs-info@openafs.org mailing list.
-
- https://lists.openafs.org/mailman/listinfo/openafs-info
-
-You must join the mailing lists if you wish to post to the list without
-incurring a moderation delay.
-
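Review bot: In the debugging section removed here, the two TraceOption examples ("REG_DWORD TraceOption = 0x04" for DbgView output and "REG_DWORD TraceOption = 0x01" for Integrated Logon logging) are written as whole-value assignments, although the text describes them as Bit 2 and Bit 0 of one value under the same Parameters key. A reader who applies the second example as written turns the first one off. If this material is carried into whatever replaces the file, say that the bits are combined (0x05 for both). Separately, "Reporting Bugs" asks for %WINDIR%\TEMP\afsd.dmp by e-mail, while the MiniDump entry says that file holds the state of all threads in the AFS Client Service process, the same service the pioctl list shows handling tokens. The replacement text should state that, so a reporter can decide what to attach. Nothing in the visible lines shows where these instructions go after the deletion; please point to the new location in the commit message.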
+++ /dev/null
-
-OpenAFS for Windows
- MSI Deployment Guide
-----------------------------------------------------------------------
-
- Contents
-
- 1. Introduction
- 1.1 Requirements
-
- 2. Configuration options
- 2.1 Configurable properties
- 2.2 Existing registry values
- 2.3 Replacing Configuration Files
- 2.4 Adding Domain Specific Registry Keys
- 2.5 Adding Site Specific Freelance Registry Keys
-
- 3. Additional resources
-
- 4. Upgrades
-
- 5. FAQ
-
-
-----------------------------------------------------------------------
-
-1. Introduction
-
- Beginning with OpenAFS for Windows version 1.3.65 a MSI installer
- option is available for those who wish to use Windows
- Installer for installing OpenAFS and for organizations that wish
- to deploy OpenAFS through Group Policy.
-
- This document provides a guide for authoring transforms used to
- customize the MSI package for a particular organization. Although
- many settings can be deployed via transforms, in an Active
- Directory environment it is advisable to deploy registry settings
- and configuration files through group policy and/or startup
- scripts so that machines where OpenAFS for Windows is already
- installed will pick up these customizations.
-
-1.1 Requirements
-
- The information in this document applies to MSI packages
- distributed with OpenAFS for Windows releases from 1.3.65 and
- onwards or MSI packages built from corresponding source
- releases. Not all releases support all the configuration options
- documented here.
-
- Authoring a "Windows Installer" transform requires additional
- software for editing the MSI database tables and generating the
- transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE
- which are included in the Windows Platform SDK ("Windows Installer"
- SDK) can be used for this purpose.
-
- For reference, the schema for the MSI package is based on
- SCHEMA.MSI distributed with the Platform SDK.
-
- For general information about "Windows Installer", refer to :
-
- http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp
-
- For general information about authoring MSI transforms, refer to :
-
- http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp
-
- The remainder of this document assumes some familiarity with
- authoring transforms. While the MSDN documentation for Windows
- Installer is a bit dense, it is recommended that you read through
- the guide on MSI transforms found at the second link above. Also
- MSDN includes a step-by-step example for creating a transform at:
-
- http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp
-
-1.2 Authoring a Transform
-
- Transforms describe a set of modifications to be performed on an
- existing MSI for the purpose of customizing it. This is
- ordinarily done by making a copy of the MSI to be customized,
- modifying the copy and then using the old and the new MSI to
- generate a transform.
-
- E.g:
- > copy openafs.msi openafs-modified.msi
-
- (edit the openafs-modified.msi to include the necessary changes)
-
- > msitran -g openafs.msi openafs-modified.msi openafs-transform.mst
-
- (generates openafs-transform.mst, which is the transform)
-
- Transforms have an extension of .mst. 'msitran' is a tool
- distributed as part of the "Windows Installer" SDK (which in turn is
- a part of the Windows Platform SDK).
-
- You can test a transform by :
-
- > copy openafs.msi openafs-test.msi
- > msitran -a openafs-transform.mst openafs-test.msi
-
- and then checking the resulting openafs-test.msi to see if all the
- changes you have made above to openafs-modified.msi is present in
- openafs-test.msi. 'msitran' will complain if some modification in the
- transform can not be successfully applied.
-
- As mentioned above, you can use a tool like ORCA.EXE to edit the
- MSI databases directly when editing openafs-modified.msi. More
- details are given below.
-
-----------------------------------------------------------------------
-
-2. Configuration Options
-
- The logic necessary to implement many of the settings described in
- the registry.txt file are present in the MSI. Most of these can be
- controlled by setting the corresponding properties to the desired
- value. Some settings may require modifying existing registry
- entries (though not recommended) or adding new resources (like
- files or registry keys). Instructions for performing these tasks
- are below.
-
-2.1 Configurable Properties
-
- Most configurable properties correspond to registry keys or
- values. Please refer to the release notes for more information
- about how these registry settings are used.
-
- Due to the logic invoked based on the existence of these registry
- keys or values, they are only set if the associated property is
- defined to have a non null value. If the associated property is
- not defined in the MSI, the registry key or value will not be
- touched. By default, the MSI does not contain these properties
- and hence will not set the registry keys. You will need to add
- properties as needed to the MSI.
-
- When one of the configurable properties is set, the installer will
- use the property value to set the corresponding setting in the
- HKEY_LOCAL_MACHINE registry hive. HKEY_CURRENT_USER hive is not
- touched by the installer.
-
- For each property, the associated registry setting is referenced
- by the same text used in the registry.txt file.
-
- Strings are quoted using single quotes (e.g. 'a string'). An empty
- string is denoted as ''. Note that you can't author null values
- into the 'Property' table.
-
- Numeric values should be authored as decimal strings.
-
-2.1.1 Setting Properties
-
- In order to set a property,
-
- a. Open the MSI in ORCA.EXE
-
- b. Select the 'Property' table from the list of tables on the left.
-
- c. Find the property in the list of properties on the right,
- double click the value and type the new value.
-
- d. If the property does not exist in the property list, right
- click the list and select 'Add Row', type the property name
- and the desired value.
-
-
-2.1.2 OpenAFS for Windows properties
-
- (Service parameters):
- [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
-
- (Network provider):
- [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
-
- (OpenAFS Client):
- [HKLM\SOFTWARE\OpenAFS\Client]
-
- The configurable properties are as follows:
-
- AFSCACHEPATH
- Registry key : (Service parameters)
- Registry value : CachePath
- Valid values : string
-
- AFSCACHESIZE
- Registry key : (Service parameters)
- Registry value : CacheSize
- Valid values : numeric
-
- AFSCELLNAME
-
- Registry key : (Service parameters)
- Registry value : Cell
- Valid values : string
-
- CREDSAUTOINIT
- Valid values : '-a' or ''
-
- Option for AFSCREDS.EXE. Enables automatic initialization.
- (see below)
-
- CREDSIPCHDET
- Valid values : '-n' or ''
-
- Option for AFSCREDS.EXE. Enables IP address change detection.
- (see below)
-
- CREDSQUIET
- Valid values : '-q' or ''
-
- Option for AFSCREDS.EXE. Enables quiet mode.
- (see below)
-
- CREDSRENEWDRMAP
- Valid values : '-m' or ''
-
- Option for AFSCREDS.EXE. Enables renewing drive map at
- startup.
- (see below)
-
- CREDSSHOW
- Valid values : '-s' or ''
-
- Option for AFSCREDS.EXE. Enables displaying the credential
- manager window when AFSCREDS starts up.
-
- The five properties above determine the behavior of the AFS
- credential manager ( AFSCREDS.EXE ). Each property adds a
- command line option to the shortcut that will be created in
- the Program Menu, both under 'OpenAFS' and 'Startup' folders
- (see CREDSSTARTUP).
-
- The way in which the options are specified was chosen for easy
- integration with the Windows Installer user interface.
- Although you can come up with creative ways to provide other
- options to AFSCREDS.EXE, we advise against it because such
- transforms may not apply to future releases of OpenAFS.
-
- CREDSSTARTUP
- Valid values : '1' or '0'
-
- Controls whether AFSCREDS.EXE starts up automatically when a
- user logs on. When CREDSSTARTUP is '1' a shortcut is added
- to the 'Startup' folder in the 'Program menu' which starts
- AFSCREDS.EXE with the options that are determined by the
- other CREDS* properties.
-
- FREELANCEMODE
-
- Registry key : (Service parameters)
- Registry value : FreelanceClient
- Valid values : '1' or '0'
-
- HIDEDOTFILES
-
- Registry key : (Service parameters)
- Registry value : HideDotFiles
- Valid values : '1' or '0'
-
- LOGONOPTIONS
-
- Registry key : (Network provider)
- Registry value : LogonOptions
- Valid values : '0','1' or '3'
-
- See section 2.1 of registry.txt (Domain specific configuration
- keys for Network Provider) and section [filler] of this
- document (filler) for more details.
-
- MOUNTROOT
-
- Registry key : (Service parameters)
- Registry value : Mountroot
- Valid values : string
-
- NETBIOSNAME
-
- Registry key : (Service parameters)
- Registry value : NetbiosName
- Valid values : string (at most 15 characters)
-
- NOFINDLANABYNAME
-
- Registry key : (Service parameters)
- Registry value : NoFindLanaByName
- Valid values : '1' or '0'
-
- RXMAXMTU
-
- Registry key : (Service parameters)
- Registry value : RxMaxMTU
- Valid values : numeric
-
- SECURITYLEVEL
-
- Registry key : (Service parameters)
- Registry value : SecurityLevel
- Valid values : '1' or '0'
-
- SMBAUTHTYPE
-
- Registry key : (Service parameters)
- Registry value : SMBAuthType
- Valid values : '0','1' or '2'
-
- STOREANSIFILENAMES
-
- Registry key : (OpenAFS Client)
- Registry value : StoreAnsiFilenames
- Valid values : '0' or '1'
-
- USEDNS
-
- Registry key : (Service parameters)
- Registry value : UseDNS
- Valid values : '1' or '0'
-
-
-2.2 Existing Registry Entries
-
- You can change existing registry values subject to the
- restrictions mentioned in the Windows Platform SDK. Pay special
- attention to component keypaths and try to only change the 'Value'
- column in the 'Registry' table. If you want to add additional
- registry keys please refer to section 3 (Additional Resources).
-
-2.3 Replacing Configuration Files
-
- The OpenAFS configuration files (CellServDB)
- can be replaced by your own configuration files. These files are
- contained in separate MSI components so that you can disable them
- individually.
-
- The recommended method for replacing these files is to first
- disable the components containing the configuration files that you
- want to replace, and then add new components for the replacement
- files. This is outlined below (assuming you are using ORCA.EXE to
- author the transform).
-
- Note that transforms are not a good way to add a new file as an
- embedded stream. The method outlined here places the file in the
- same directory as the MSI for deployment.
-
- The walkthrough below is to add a custom 'CellServDB' file.
-
- 1) Disable the component that contains the configuration file that
- you want to replace.
-
- 1.1) Locate and select the 'Component' table in the 'Tables'
- list.
-
- 1.2) In the Component table, locate the component you need to
- change ( Ctrl-F invokes the 'Find' dialog). The component
- names are listed below in section 2.3.1. For this
- example, the component name is 'elf_CellServDB'.
-
- 1.3) Go to the 'Condition' column of the component.
-
- 1.4) Enter a condition that evaluates to
- false. I.e. 'DONOTINSTALL'. (Note that an undefined
- property always evaluates to false).
-
- Note that you can also use this step to disable other
- configuration files without providing replacements.
-
- 2) Add a new component containing the new configuration file.
-
- 2.1) Select the 'Component' table in the 'Tables' list.
-
- 2.2) Select 'Tables'->'Add Row' (Ctrl-R).
-
- 2.3) Enter the following :
-
- Component : cmf_my_CellServDB
- ComponentId : {7019836F-BB2C-4AF6-9463-0D6EC9035CF1}
- Directory_ : dirClient
- Attributes : 144
- Condition :
- KeyPath : fil_my_CellServDB
-
- Note that the ComponentId is an uppercase GUID. You can
- generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of
- which are included in the Platform SDK.
-
- The Attributes value of 144 is a sum of
- msidbComponentAttributesPermanent (16) and
- msidbComponentAttributesNeverOverwrite (128). This
- ensures that local modifications are not overwritten or
- lost during an installation or uninstallation. These are
- the same settings used on the default configuration files.
-
- 'fil_my_CellServDB' is a key into the 'File' table which we
- will fill later.
-
- 3) Add a new feature to hold the new component.
-
- 3.1) Select the 'Feature' table.
-
- 3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the
- following values:
-
- Feature : fea_my_CellServDB
- Feature_Parent: feaClient
- Title :
- Description :
- Display : 0
- Level : 30
- Directory_ :
- Attributes : 8
-
- It is important to create the new feature under the
- 'feaClient' feature, which will ensure that the
- configuration file will be installed when the client
- binaries are installed.
-
- Setting 'Display' to 0 will hide this feature from the
- feature selection dialog during an interactive
- installation. A value of 30 for 'Level' allows this
- feature to be installed by default (on a 'Typical'
- installation).
-
- The 'Attributes' value is
- msidbFeatureAttributesDisallowAdvertise (8), which is set
- on all features in the OpenAFS MSI. The OpenAFS MSI is not
- designed for an advertised installation.
-
- 4) Join the component and the feature.
-
- 4.1) Select the 'FeatureComponents' table.
-
- 4.2) Add a new row with the following values:
-
- Feature : fea_my_CellServDB
- Component : cmf_my_CellServDB
-
- 5) Add an entry to the 'File' table.
-
- 5.1) Select the 'File' table.
-
- 5.2) Add a new row with the following values:
-
- File : fil_my_CellServDB
- Component_ : cmf_my_CellServDB
- FileName : CellServDB
- FileSize : (enter file size here)
- ...
- Attributes : 8192
- Sequence : 1000
- (leave other fields blank)
-
- The 'Attributes' value is msidbFileAttributesNonCompressed
- (8192). This is because we will be placing this file in
- the same directory as the MSI instead of embedding the
- file in it. Transforms do not support updating compressed
- sources or adding new cabinet streams.
-
- Finally, the 'Sequence' value of 1000 will be used later
- to distinguish the file as being in a separate source
- location than the other files in the MSI.
-
- 6) Set a media source for the file.
-
- 6.1) Select the 'Media' table.
-
- 6.2) Add a row with the following values :
-
- DiskId : 2
- LastSequence : 1000
- ...
- (leave other fields blank)
-
- The sequence number of 1000 designates this as the media
- source for the newly added file.
-
-2.3.1 Components for Configuration Files
-
- CellServDB : 'cpf_CellServDB' (ID {D5BA4C15-DBEC-4292-91FC-B54C30F24F2A})
-
-2.4 Adding Domain Specific Registry Keys
-
- Following is an example for adding domain specific registry keys.
- Refer to section 2.1 in REGISTRY.TXT for more information.
-
- Columns that are unspecified should be left empty.
-
- We create a new feature and component to hold the new registry keys.
-
- 'Feature' table:
-
- (new row)
- Feature : 'feaDomainKeys'
- Feature Parent : 'feaClient'
- Display : 0
- Level : 30
- Attributes : 10
-
- 'Component' table:
-
- (new row)
- Component : 'rcm_DomainKeys'
- ComponentId : '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}'
- Directory : 'TARGETDIR'
- Attributes : 4
- KeyPath : 'reg_domkey0'
-
- 'FeatureComponents' table:
-
- (new row)
- Feature : 'feaDomainKeys'
- Component : 'rcm_DomainKeys'
-
- 'Registry' table:
-
- (new row)
- Registry : 'reg_domkey0'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey1'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
- Name : '*'
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey2'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
- Name : '*'
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey3'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
- Name : 'LogonOptions'
- Value : 1
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey4'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
- Name : '*'
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey5'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
- Name : 'LogonOptions'
- Value : 0
- Component : 'rcm_DomainKeys'
-
- (new row)
- Registry : 'reg_domkey6'
- Root : 2
- Key : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
- Name : 'FailLoginsSilently'
- Value : 1
- Component : 'rcm_DomainKeys'
-
- The example adds domain specific keys for 'ATHENA.MIT.EDU' (enable
- integrated logon) and 'LOCALHOST' (disable integrated logon and
- fail logins silently).
-
-2.5 Adding Site Specific Freelance Registry Keys
-
- Following is an example for adding site specific Freelance registry keys
- to pre-populate the Mountpoints and Symlinks in the fake root.afs volume.
-
- Columns that are unspecified should be left empty.
-
- We create a new feature and component to hold the new registry keys.
-
- 'Feature' table:
-
- (new row)
- Feature : 'feaFreelanceKeys'
- Feature Parent : 'feaClient'
- Display : 0
- Level : 30
- Attributes : 10
-
- 'Component' table:
-
- (new row)
- Component : 'rcm_FreelanceKeys'
- ComponentId : '{4E3B3CBF4-9AE7-40C3-7B09-C48CF842C583}'
- Directory : 'TARGETDIR'
- Attributes : 4
- KeyPath : 'reg_freekey0'
-
- 'FeatureComponents' table:
-
- (new row)
- Feature : 'feaFreelanceKeys'
- Component : 'rcm_FreelanceKeys'
-
- 'Registry' table:
-
- (new row)
- Registry : 'reg_freekey0'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance'
- Component : 'rcm_FreelanceKeys'
-
- (new row)
- Registry : 'reg_freekey1'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance'
- Name : '0'
- Value : 'athena.mit.edu#athena.mit.edu:root.cell.'
- Component : 'rcm_FreelanceKeys'
-
- (new row)
- Registry : 'reg_freekey2'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance'
- Name : '1'
- Value : '.athena.mit.edu%athena.mit.edu:root.cell.'
- Component : 'rcm_FreelanceKeys'
-
- (new row)
- Registry : 'reg_freekey3'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
- Component : 'rcm_FreelanceKeys'
-
- (new row)
- Registry : 'reg_freekey4'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
- Name : '0'
- Value : 'athena:athena.mit.edu.'
- Component : 'rcm_FreelanceKeys'
-
- (new row)
- Registry : 'reg_freekey5'
- Root : 2
- Key : 'SOFTWARE\OpenAFS\Client\Freelance\Symlinks'
- Name : '1'
- Value : '.athena:.athena.mit.edu.'
- Component : 'rcm_FreelanceKeys'
-
- The example adds a read-only mountpoint to the athena.mit.edu
- cell's root.afs volume as well as a read-write mountpoint. Aliases
- are also provided using symlinks.
-
-----------------------------------------------------------------------
-
-3 Additional Resources
-
- If you want to add registry keys or files you need to create new
- components and features for those. Refer to the Windows Platform
- SDK for details.
-
- It is beyond the scope of this document to provide a comprehensive
- overview of how to add new resources through a transform. Please
- refer to the "Windows Installer" documentation for details. The
- relevant section is at :
-
- http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp
-
- A sample walkthrough of adding a new configuration file is in
- section 2.3.
-
- Add new features under the 'feaClient' or 'feaServer' as
- appropriate and set the 'Level' column for those features to equal
- the 'Level' for their parent features for consistency. Note that
- none of the features in the OpenAFS for Windows MSI package are
- designed to be installed to run from 'source' or 'advertised'. It
- is recommended that you set 'msidbFeatureAttributesFavorLocal' (0),
- 'msidbFeatureAttributesFollowParent' (2) and
- 'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new
- features.
-
- If you are creating new components, retain the same component GUID
- when creating new transforms against new releases of the OpenAFS
- MSI package.
-
- After making the adjustments to the MSI database using ORCA.EXE
- you can generate a transform with MSITRAN.EXE as follows :
-
- (Modified MSI package is 'openafs-en_US_new.msi' and the original
- MSI package is 'openafs-en_US.msi'. Generates transform
- 'openafs-transform.mst')
-
- > msitran.exe -g openafs-en_US.msi openafs-en_US_new.msi openafs-transform.mst
-
- See the Platform SDK documentation for information on command line
- options for MSITRAN.EXE.
-
-----------------------------------------------------------------------
-
-4. Upgrades
-
- The MSI package is designed to uninstall previous versions of
- OpenAFS for Windows during installation. Note that it doesn't
- directly upgrade an existing installation. This is intentional
- and ensures that development releases which do not have strictly
- increasing version numbers are properly upgraded.
-
- Versions of OpenAFS that are upgraded by the MSI package are :
-
- 1) OpenAFS MSI package
- Upgrade code {6823EEDD-84FC-4204-ABB3-A80D25779833}
- Upto current release
-
- 2) MIT's Transarc AFS MSI package
- Upgrade code {5332B94F-DE38-4927-9EAB-51F4A64193A7}
- Upto version 3.6.2
-
- 3) OpenAFS NSIS package
- All versions
-
- Note that versions of the OpenAFS NSIS package prior to 1.3.65
- had a bug where it couldn't be uninstalled properly in
- unattended mode. Therefore the MSI package will not try to
- uninstall an OpenAFS NSIS package if running unattended. This
- means that group policy based deployments will fail on machines
- that have the OpenAFS NSIS package installed.
-
- If you have used a different MSI package to install OpenAFS and
- wish to upgrade it you can author rows into the 'Upgrade' table as
- described in the Platform SDK.
-
- When performing an upgrade with msiexec.exe execute the MSI with
- the repair options "vomus".
-
-----------------------------------------------------------------------
-
-5. FAQ
-
- (Q/A's will be added here as needed)
-
-----------------------------------------------------------------------
-$Id$
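Review bot: The CellServDB walkthrough in section 2.3 names the component to disable as 'elf_CellServDB' (step 1.2), but section 2.3.1, which that step refers to, lists it as 'cpf_CellServDB'. Only one of these can match the Component table, and a transform authored with the wrong name leaves the stock file enabled alongside the replacement. Two more defects in the removed text are worth correcting if the guide is moved rather than dropped: the ComponentId in section 2.5, '{4E3B3CBF4-9AE7-40C3-7B09-C48CF842C583}', has nine hex digits in its first group and so is not a valid GUID, and the LOGONOPTIONS entry still reads "section [filler] of this document (filler)". The Contents list also omits section 1.2 (Authoring a Transform), which the body contains.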
+++ /dev/null
-Registry keys and Environment Variables used in the Windows AFS Client
-as of release 1.5.0000
-======================================================================
-
-REGISTRY KEYS:
-
-1. Service parameters
----------------------
-
-The service parameters primarily affect the behavior of the AFS client
-service (afsd_service.exe).
-
-Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
-
-Value : LANadapter
-Type : DWORD
-Default : -1
-Variable: LANadapter
-
- LAN adapter number to use. This is the lana number of the LAN
- adapter that the SMB server should bind to. If unspecified or set
- to -1, a LAN adapter with named 'AFS' or a loopback adapter will be
- selected. If neither are present, then all available adapters will
- be bound to. When binding to a non-loopback adapter, the NetBIOS
- name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS
- name of the host truncated to 11 characters). Otherwise, the NetBIOS
- name will be 'AFS'.
-
-Value : CacheSize
-Type : DWORD
-Default : 98304 (CM_CONFIGDEFAULT_CACHESIZE)
-Variable: cm_initParams.cacheSize
-
- Size of the AFS cache in 1k blocks.
-
-Value : ChunkSize
-Type : DWORD
-Default : 17 (CM_CONFIGDEFAULT_CHUNKSIZE)
-Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize)
-
- Size of chunk for reading and writing. Actual chunk size is 2^cm_logChunkSize.
-
-Value : Daemons
-Type : DWORD
-Default : 2 (CM_CONFIGDEFAULT_DAEMONS)
-Variable: numBkgD
-
- Number of background daemons (number of threads of
- cm_BkgDaemon). (see cm_BkgDaemon in cm_daemon.c)
-
-Value : ServerThreads
-Type : DWORD
-Default : 25 (CM_CONFIGDEFAULT_SVTHREADS)
-Variable: numSvThreads
-
- Number of SMB server threads (number of threads of smb_Server). (see
- smb_Server in smb.c).
-
-Value : Stats
-Type : DWORD
-Default : 10000 (CM_CONFIGDEFAULT_STATS)
-Variable: cm_initParams.nStatCaches
-
- Cache configuration.
-
-Value : LogoffPreserveTokens
-Type : DWORD {1,0}
-Default : 0
-
- If enabled (set to 1), the Logoff Event handler will not attempt
- to delete the user's tokens if the user's profile is stored outside
- of AFS.
-
-Value : RootVolume
-Type : REG_SZ
-Default : "root.afs"
-Variable: cm_rootVolumeName
-
- Root volume name.
-
-Value : Mountroot
-Type : REG_SZ
-Default : "/afs"
-Variable: cm_mountRoot
-
- Name of root mount point. In symlinks, if a path starts with
- cm_mountRoot, it is assumed that the path is absolute (as opposed to
- relative) and is adjusted accordingly. Eg: if a path is specified as
- /afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the
- path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz. If a
- path does not start with with cm_mountRoot, the path is assumed to
- be relative and suffixed to the reference directory (i.e. directory
- where the symlink exists)
-
-
-Value : CachePath
-Type : REG_SZ or REG_EXPAND_SZ
-Default : "%TEMP%\AFSCache"
-Variable: cm_CachePath
-
- Location of on-disk cache file. The default is the SYSTEM account's
- TEMP directory. The attributes assigned to the file are HIDDEN and
- SYSTEM.
-
-
-Value : NonPersistentCaching
-Type : DWORD [0..1]
-Default : 0
-Variable: buf_CacheType
-
- When this registry value is set to a non-zero value, the CachePath
- value is ignored and the cache data is stored in the windows paging
- file. This prevents the use of persistent caching (when available)
- as well as the ability to alter the size of the cache at runtime
- using the "fs setcachesize" command.
-
-
-Value : ValidateCache
-Type : DWORD [0..2]
-Default : 1
-Variable: buf_CacheType
-
- This value determines if and when persistent cache validation is
- performed.
- 0 - Validation is disabled
- 1 - Validation is performed at startup
- 2 - Validation is performed at shutdown
-
-
-Value : TrapOnPanic
-Type : DWORD {1,0}
-Default : 0
-Variable: traceOnPanic
-
- Issues a breakpoint in the event of a panic. (breakpoint: _asm int 3).
-
-Value : NetbiosName
-Type : REG_EXPAND_SZ
-Default : "AFS"
-Variable: cm_NetbiosName
-
- Specifies the NetBIOS name to be used when binding to a Loopback
- adapter. To provide the old behavior specify a value of
- "%COMPUTERNAME%-AFS"
-
-Value : IsGateway
-Type : DWORD {1,0}
-Default : 0
-Variable: isGateway
-
- Select whether or not this AFS client should act as a gateway. If
- set and the NetBIOS name hostname-AFS is bound to a physical NIC,
- other machines in the subnet can access AFS via SMB connections to
- hostname-AFS.
-
- When IsGateway is non-zero, the LAN adapter detection code will
- avoid binding to a loopback adapter. This will ensure that the
- NetBIOS name will be of the form hostname-AFS instead of the value
- set by the "NetbiosName" registry value.
-
-Value : ReportSessionStartups
-Type : DWORD {1,0}
-Default : 0
-Variable: reportSessionStartups
-
- If enabled, all SMB sessions created are recorded in the Application
- event log. This also enables other events such as drive mappings
- or various error types to be logged.
-
-Value : TraceBufferSize
-Type : DWORD
-Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
-Variable: traceBufSize
-
- Number of entries to keep in trace log.
-
-Value : SysName
-Type : REG_SZ
-Default : "i386_nt40"
-Variable: cm_sysName
-
- Provides an initial value for "fs sysname". The string can contain
- one or more replacement values for @sys in order of preference separated
- by whitespace.
-
-Value : SecurityLevel
-Type : DWORD {1,0}
-Default : 0
-Variable: cryptall
-
- Enables encryption on RX calls.
-
-Value : UseDNS
-Type : DWORD {1,0}
-Default : 1
-Variable: cm_dnsEnabled
-
- Enables resolving volservers using AFSDB DNS queries. (see
- afsdb-freelance-notes).
-
- As of 1.3.60, this value is ignored as the DNS query support
- utilizes the Win32 DNSQuery API which is available on Win2000
- and above.
-
-Value : FreelanceClient
-Type : DWORD {1,0}
-Default : 0
-Variable: cm_freelanceEnabled
-
- Enables freelance client. (see afsdb-freelance-notes)
-
-Value : HideDotFiles
-Type : DWORD {1,0}
-Default : 1
-Variable: smb_hideDotFiles
-
- Enables marking dotfiles with the hidden attribute. Dot files are
- files whose name starts with a period (excluding "." and "..").
-
-Value : MaxMpxRequests
-Type : DWORD
-Default : 50
-Variable: smb_maxMpxRequests
-
- Maximum number of multiplexed SMB requests that can be made.
-
-Value : MaxVCPerServer
-Type : DWORD
-Default : 100
-Variable: smb_maxVCPerServer
-
- Maximum number of SMB virtual circuits.
-
-Value : Cell
-Type : REG_SZ
-Default : <none>
-Variable: rootCellName
-
- Name of root cell (the cell from which root.afs should be mounted in
- \\afs\all).
-
-Value : RxNoJumbo
-Type : DWORD {0,1}
-Default : 0
-Variable: rx_nojumbo
-
- If enabled, does not send or indicate that we are able to send or
- receive RX jumbograms.
-
-Value : RxMaxMTU
-Type : DWORD
-Default : -1
-Variable: rx_mtu
-
- If set to anything other than -1, uses that value as the maximum MTU
- supported by the RX interface.
-
- In order to enable OpenAFS to operate across the Cisco IPSec VPN
- client, this value must be set to 1264 or smaller.
-
-Value : ConnDeadTimeout
-Type : DWORD
-Default : 60 (seconds)
-Variable: ConnDeadtimeout
-
- The Connection Dead Time is enforced to be at a minimum 15 seconds
- longer than the minimum SMB timeout as specified by
-
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
- SessTimeout
-
- If the minimum SMB timeout is not specified the value is 45 seconds.
- See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp
-
-
-Value : HardDeadTimeout
-Type : DWORD
-Default : 120 (seconds)
-Variable: HardDeadtimeout
-
- The Hard Dead Time is enforced to be at least double the ConnDeadTimeout.
- The provides an opportunity for at least one retry.
-
-
-Value : TraceOption
-Type : DWORD {0-15}
-Default : 0
-
- Enables logging of debug output to the Windows Event Log.
- Bit 0 enables logging of "Logon Events" processed by the Network Provider
- and Winlogon Event Notification Handler.
- Bit 1 enables logging of events captured by the AFS Client Service.
- Bit 2 enables real-time viewing of "fs trace" logging with DbgView
- or similar tools.
- Bit 3 enables "fs trace" logging on startup.
-
-Value : AllSubmount
-Type : DWORD {0, 1}
-Default : 1
-Variable: allSubmount (smb.c)
-
- By setting this value to 0, the "\\NetbiosName\all" mount point
- will not be created. This allows the read-write versions of
- root.afs to be hidden.
-
-Value : NoFindLanaByName
-Type : DWORD {0, 1}
-Default : 0
-
- Disables the attempt to identity the network adapter to use by
- looking for an adapter with a display name of "AFS".
-
-Value : MaxCPUs
-Type : DWORD {1..32} or {1..64} depending on the architecture
-Default : <no default>
-
- If this value is specified, afsd_service.exe will restrict itself
- to executing on the specified number of CPUs if there are a greater
- number installed in the machine.
-
- NOTE: Setting this entry to "1" may be required on hyperthreaded
- systems to avoid crashes in the RX library.
-
-Value : smbAuthType
-Type : DWORD {0..2}
-Default : 2
-
- If this value is specified, it defines the type of SMB authentication
- which must be present in order for the Windows SMB client to connect
- to the AFS Client Service's SMB server. The values are:
- 0 = No authentication required
- 1 = NTLM authentication required
- 2 = Extended (GSS SPNEGO) authentication required
- The default is Extended authentication
-
-Value : MaxLogSize
-Type : DWORD {0 .. MAXDWORD}
-Default : 100K
-
- This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log
- file. If the file is larger than this value when afsd_service.exe starts
- the file will be reset to 0 bytes. If this value is 0, it means the file
- should be allowed to grow indefinitely.
-
-Value : FlushOnHibernate
-Type : DWORD {0,1}
-Default : 1
-
- If set, flushes all volumes before the machine goes on hibernate or
- stand-by.
-
-Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]
-
-Value : <Drive Letter:> for example "G:"
-Type : SZ
-
- Specifies the submount name to be mapped by afsd_service.exe at startup
- to the provided drive letter.
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client]
-
-Value : CellServDBDir
-Type : REG_SZ
-Default : <not defined>
-
- Specifies the directory containing the CellServDB file.
- When this value is not specified, the AFS Client install
- directory is used.
-
-
-Value : VerifyServiceSignature
-Type : REG_DWORD
-Default : 0x1
-
- This value can be used to disable the runtime verification of
- the digital signatures applied to afsd_service.exe and the
- OpenAFS DLLs it loads. This test is performed to verify that
- the DLLs which are loaded by afsd_service.exe are from the
- same distribution as afsd_service.exe. This is to prevent
- random errors caused when DLLs from one distribution of AFS
- are loaded by another one. This is not a security test. The
- reason for disabling this test is to free up additional memory
- which can be used for a large cache size.
-
-
-Value : IoctlDebug
-Type : REG_DWORD
-Default : 0x0
-
- This value can be used to debug the cause of pioctl() failures.
- Set a non-zero value and the pioctl() library will output status
- information to stdout. Executing command line tools such as
- tokens.exe, fs.exe, etc can then be used to determine why the
- pioctl() call is failing.
-
-
-Value : MiniDumpType
-Type : REG_DWORD
-Default : 0x0 (MiniDumpNormal)
-
- This value is used to specify the type of minidump generated by
- afsd_service.exe either when the process crashes or when a user
- initiated is dump file is generated with the "fs.exe minidump"
- command.
-
- Valid values are dependent on the version of DbgHelp.dll installed
- on the machine. See the Microsoft Developer Library for further
- information.
-
- MiniDumpNormal = 0x00000000,
- MiniDumpWithDataSegs = 0x00000001,
- MiniDumpWithFullMemory = 0x00000002,
- MiniDumpWithHandleData = 0x00000004,
- MiniDumpFilterMemory = 0x00000008,
- MiniDumpScanMemory = 0x00000010,
- MiniDumpWithUnloadedModules = 0x00000020,
- MiniDumpWithIndirectlyReferencedMemory = 0x00000040,
- MiniDumpFilterModulePaths = 0x00000080,
- MiniDumpWithProcessThreadData = 0x00000100,
- MiniDumpWithPrivateReadWriteMemory = 0x00000200,
- MiniDumpWithoutOptionalData = 0x00000400,
- MiniDumpWithFullMemoryInfo = 0x00000800,
- MiniDumpWithThreadInfo = 0x00001000,
- MiniDumpWithCodeSegs = 0x00002000
-
-
-Value : StoreAnsiFilenames
-Type : REG_DWORD
-Default : 0x0
-
- This value can be used to force the AFS Client Service to
- store filenames using the Windows system's ANSI character set
- instead of the OEM Code Page character set which has traditionally
- been used by SMB file systems.
-
- Note: The use of ANSI characters will render access to files
- with 8-bit OEM file names unaccessible from Windows. This option
- is of use primarily when you wish to allow file names produced
- on Windows to be accessible from Latin-1 Unix systems and vice
- versa.
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
-
-Value : "smb/cifs share name"
-Type : REG_SZ
-Default : <none>
-
- This key is used to map SMB/CIFS shares to Client Side Caching
- (off-line access) policies. For each share one of the following
- policies may be used: "manual", "programs", "documents", "disable"
-
- These values used to be stored in afsdsbmt.ini
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Freelance]
-
-Value : "numeric value"
-Type : REG_SZ
-Default : <none>
-
- This key is used to store dot terminated mount point strings
- for use in constructing the fake root.afs volume when Freelance
- (dynamic roots) mode is activated.
-
- "athena.mit.edu#athena.mit.edu:root.cell."
- ".athena.mit.edu%athena.mit.edu:root.cell."
-
- These values used to be stored in afs_freelance.ini
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]
-
-Value : "numeric value"
-Type : REG_SZ
-Default : <none>
-
- This key is used to store a dot terminated symlink strings
- for use in constructing the fake root.afs volume when Freelance
- (dynamic roots) mode is activated.
-
- "linkname:destination-path."
- "athena:athena.mit.edu."
- "home:athena.mit.edu\user\j\a\jaltman."
- "filename:path\file."
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Submounts]
-
-Value : "submount name"
-Type : REG_EXPAND_SZ
-Default : <none>
-
- This key is used to store mappings of unix style AFS paths
- to submount names which can be referenced as UNC paths.
- For example the submount string "/athena.mit.edu/user/j/a/jaltman"
- can be associated with the submount name "jaltman.home".
- This can then be referenced as the UNC path \\AFS\jaltman.home.
-
- These values used to be stored in afsdsbmt.ini
-
- NOTE: Submounts should no longer be used with OpenAFS.
- Use the Windows Explorer to create drive mappings to AFS UNC
- paths instead of using the AFS Submount mechanism.
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]
-
-Value : "hostname or ip address"
-Type : REG_DWORD
-Default : <none>
-
- This key is used to specify a default set of VLDB server preferences.
- For each entry the value name will be either the IP address of a server
- or a fully qualified domain name. The value will be the ranking. The
- ranking will be adjusted by a random value between 0 and 256 prior to
- the preference being set.
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]
-
-Value : "hostname or ip address"
-Type : REG_DWORD
-Default : <none>
-
- This key is used to specify a default set of File server preferences.
- For each entry the value name will be either the IP address of a server
- or a fully qualified domain name. The value will be the ranking. The
- ranking will be adjusted by a random value between 0 and 256 prior to
- the preference being set.
-
-
-
-2. Network provider parameters
-------------------------------
-Affects the network provider (afslogon.dll).
-
-Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
-
-Value : FailLoginsSilently
-Type : DWORD
-Default : 0
-
- Do not display message boxes if the login fails.
-
-Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
-
-Value : NoWarnings
-Type : DWORD
-Default : 0
-
- Disables visible warnings during logon.
-
-Value : AuthentProviderPath
-Type : REG_SZ
-NSIS : %WINDIR%\SYSTEM32\afslogon.dll
-
- Specifies the install location of the authentication provider dll.
-
-Value : Class
-Type : DWORD
-NSIS : 0x02
-
- Specifies the class of network provider
-
-Value : DependOnGroup
-Type : REG_MULTI_SZ
-NSIS : PNP_TDI
-
- Specifies the service groups upon which the AFS Client Service
- depends. Windows should not attempt to start the AFS Client Service
- until all of the services within these groups have successfully
- started.
-
-Value : DependOnService
-Type : REG_MULTI_SZ
-NSIS : Tcpip NETBIOS RpcSs
-
- Specifies a list of services upon which the AFS Client Service
- depends. Windows should not attempt to start the AFS Client Service
- until all of the specified services have successfully started.
-
-Value : Name
-Type : REG_SZ
-NSIS : "OpenAFSDaemon"
-
- Specifies the display name of the AFS Client Service
-
-Value : ProviderPath
-Type : REG_SZ
-NSIS : %WINDIR%\SYSTEM32\afslogon.dll
-
- Specifies the DLL to use for the network provider
-
-
-2.1 Domain specific configuration keys for the Network Provider
----------------------------------------------------------------
-
-The network provider can be configured to have different behavior
-depending on the domain that the user logs into. These settings are
-only relevant when using integrated login. A domain refers to an
-Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
-local machine (i.e. local account logins). The domain name that is
-used for selecting the domain would be the domain that is passed into
-the NPLogonNotify function of the network provider.
-
-Domain specific registry keys are :
-
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
- (NP key)
-
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
- (Domains key)
-
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
- (Specific domain key. One per domain.)
-
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
- (Localhost key)
-
-eg:
- HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider
- |
- +- Domain
- +-AD1.EXAMPLE.COM
- +-AD2.EXAMPLE.NET
- +-LOCALHOST
-
-Each of the domain specific keys can have the set of values described
-in 2.1.1. The effective values are chosen as described in 2.1.2.
-
-2.1.1 Domain specific configuration values
--------------------------------------------
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
-
- Value : LogonOptions
- Type : DWORD
- Default : 0x01
- NSIS/WiX: depends on user configuration
-
- 0x00 - Integrated Logon is not used
- 0x01 - Integrated Logon is used
- 0x02 - High Security Mode is used
- 0x03 - Integrated Logon with High Security Mode is used
-
- High Security Mode generates random SMB names for the creation of
- Drive Mappings. This mode should not be used without Integrated Logon.
-
- As of 1.3.65 the SMB server supports SMB authentication. The High
- Security Mode should not be used when using SMB authentication
- (SMBAuthType setting is non zero).
-
- Value : FailLoginsSilently
- Type : DWORD (1|0)
- Default : 0
- NSIS/WiX: (not set)
-
- If true, does not display any visible warnings in the event of an
- error during the integrated login process.
-
- Value : LogonScript
- Type : REG_SZ or REG_EXPAND_SZ
- Default : (null)
- NSIS/WiX: (only value under NP key) <install path>\afscreds.exe -:%s -x -a -m -n -q
-
- A logon script that will be scheduled to be run after the profile
- load is complete. If using the REG_EXPAND_SZ type, you can use
- any system environment variable as "%varname%" which would be
- expanded at the time the network provider is run. Optionally
- using a "%s" in the value would result in it being expanded into
- the AFS SMB username for the session.
-
- Value : LoginRetryInterval
- Type : DWORD
- Default : 30
- NSIS/WiX: (not set)
-
- If the OpenAFS client service has not started yet, the network
- provider will wait for a maximum of "LoginRetryInterval" seconds
- while retrying every "LoginSleepInterval" seconds to check if the
- service is up.
-
- Value : LoginSleepInterval
- Type : DWORD
- Default : 5
- NSIS/WiX: (not set)
-
- See description of LoginRetryInterval.
-
- Value : TheseCells
- Type : REG_MULTI_SZ
- NSIS : <not set>
-
- When Kerberos 5 is being used, TheseCells provides a list of additional
- cells for which tokens should be obtained with the default Kerberos 5
- principal.
-
-
-2.1.2 Selection of effective values for domain specific configuration
-----------------------------------------------------------------------
-
- During login to domain X, where X is the domain passed into
- NPLogonNotify as lpAuthentInfo->LogonDomainName or the string
- 'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the
- computer, the following keys will be looked up.
-
- 1. NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")
- 2. Domains key. (NP key\"Domain")
- 3. Specific domain key. (Domains key\X)
-
- If the specific domain key does not exist, then the domains key will
- be ignored. All the configuration information in this case will
- come from the NP key.
-
- If the specific domain key exists, then for each of the values
- metioned in (2), they will be looked up in the specific domain key,
- domains key and the NP key successively until the value is found.
- The first instance of the value found this way will be the effective
- for the login session. If no such instance can be found, the
- default will be used. To re-iterate, a value in a more specific key
- supercedes a value in a less specific key. The exceptions to this
- rule are stated below.
-
-2.1.3 Exceptions to 2.1.2
---------------------------
-
- To retain backwards compatibility, the following exceptions are made
- to 2.1.2.
-
-2.1.3.1 'FailLoginsSilently'
-
- Historically, the 'FailLoginsSilently' value was in
- HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
- key and not in the NP key. Therefore, for backwards compatibility,
- the value in the Parameters key will supercede all instances of this
- value in other keys. In the absence of this value in the Parameters
- key, normal scope rules apply.
-
-2.1.3.2 'LogonScript'
-
- If a 'LogonScript' is not specified in the specific domain key nor
- in the domains key, the value in the NP key will only be checked if
- the effective 'LogonOptions' specify a high security integrated
- login. If a logon script is specified in the specific domain key or
- the domains key, it will be used regardless of the high security
- setting. Please be aware of this when setting this value.
-
-
-3. AFS Credentials System Tray Tool parameters
-----------------------------------------------
-Affects the behavior of afscreds.exe
-
-Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
-
-Value : Gateway
-Type : REG_SZ
-Default : ""
-Function: GetGatewayName()
-
- If the AFS client is utilizing a gateway to obtain AFS access,
- the name of the gateway is specified by this value.
-
-Value : Cell
-Type : REG_SZ
-Default : <none>
-Variable: IsServiceConfigured()
-
- The value Cell is used to determine if the AFS Client Service has
- been properly configured or not.
-
-
-Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client]
-[HKCU\SOFTWARE\OpenAFS\Client]
-
-Value : ShowTrayIcon
-Type : DWORD {0, 1}
-Default : 1
-Function: InitApp(), Main_OnCheckTerminate()
-
- This value is used to determine whether or not a shortcut should be
- maintained in the user's Start Menu->Programs->Startup folder.
-
- This value used to be stored at
- [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].
-
- The current user value is checked first; if it does not exist the local
- machine value is checked.
-
-
-Value : EnableKFW
-Type : DWORD {0, 1}
-Default : 1
-Function: KFW_is_available()
-
- When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
- to obtain AFS credentials. By setting this value to 0, the internal
- Kerberos 4 implementation will be used instead. The current user value
- is checked first; if it does not exist the local machine value is checked.
-
-Value : Use524
-Type : DWORD {0, 1}
-Default : 0
-Function: KFW_use_krb524()
-
- When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
- to obtain AFS credentials. By setting this value to 1, the Kerberos 5
- tickets will be converted to Kerberos 4 tokens via a call to the krb524
- daemon. The current user value is checked first; if it does not exist
- the local machine value is checked.
-
-Value : AfscredsShortcutParams
-Type : REG_SZ
-Default : "-A -M -N -Q"
-Function: Shortcut_FixStartup
-
- This value specifies the command line options which should be set
- as part of the shortcut to afscreds.exe. afscreds.exe rewrites the
- shortcut each time it exits so as to ensure that the shortcut points
- to the latest version of the program. This value is used to determine
- which values should be used for command line parameters. The current
- user value is checked first; if it does not exist the local machine
- value is checked.
-
- The following subset of the command line options are appropriate for
- use in this registry setting:
-
- -A = autoinit
- -M = renew drive maps
- -N = ip address change detection
- -Q = quiet mode. do not display start service dialog
- if afsd_service is not already running
- -S = show tokens dialog on startup
- -Z = unmap drives
-
-
-Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client]
-
-Value : Authentication Cell
-Type : REG_SZ
-Default : <none>
-Function: Afscreds.exe GetDefaultCell()
-
- This value allows the user to configure a different cell name to
- be used as the default cell when acquiring tokens in afscreds.exe
-
-
-Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Reminders]
-
-Value : "afs cell name"
-Type : DWORD {0, 1}
-Default : <none>
-Function: LoadRemind(), SaveRemind()
-
- These values are used to save and restore the state of the reminder
- flag for each cell for which the user has obtained tokens.
-
- This value used to be stored at
- [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].
-
-
-Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]
-
-Value : "upper case drive letter"
-Type : DWORD {0, 1}
-Default : <none>
-
- These values are used to store the persistence state of the AFS
- drive mappings as listed in the [...\Client\Mappings] key
-
- These values used to be stored in the afsdsbmt.ini file
-
-Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Mappings]
-
-Value : "upper case drive letter"
-Type : REG_SZ
-Default : <none>
-
- These values are used to store the AFS path in Unix notation
- to which the drive letter is to be mapped.
-
- These values used to be stored in the afsdsbmt.ini file.
-
-
-ENVIRONMENT VARIABLES:
-
-Variable: AFS_RPC_ENCRYPT
-Values: "OFF" disables the use of RPC encryption
- any other value allows RPC encryption to be used
-Default: RPC encryption is on
-
-
-Variable: AFS_RPC_PROTSEQ
-Values: "ncalrpc" - local RPC
- "ncacn_np" - named pipes
- "ncacn_ip_tcp" - tcp/ip
-Default: local RPC
-
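Review bot: the removed registry reference is the place where the security-relevant defaults are written down, namely SecurityLevel (default 0, "Enables encryption on RX calls"), smbAuthType (default 2, with 0 meaning no authentication required), LogonOptions with its High Security Mode caveats, and the AFS_RPC_ENCRYPT environment variable, and nothing in the visible lines shows where that text goes instead. Please name the document that now carries these entries, or keep this section, so administrators can still tell which settings leave RX traffic unencrypted or the SMB server unauthenticated. If the text is being moved rather than dropped, three slips are worth fixing on the way: the ValidateCache entry lists "Variable: buf_CacheType", the same variable as NonPersistentCaching, which looks like a copy-paste error; section 2.1.2 refers to the values "metioned in (2)" where 2.1.1 is meant; and the LogonOptions text names "SMBAuthType" while the value is defined as "smbAuthType".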