From: Jeffrey Altman Date: Tue, 15 Mar 2005 00:55:56 +0000 (+0000) Subject: windows-notes-20050314 X-Git-Tag: openafs-devel-1_5_0~724 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=0949ca36faf493b235a4fde03b3b9a3eb3745d9c;p=packages%2Fo%2Fopenafs.git windows-notes-20050314 Update notes to describe fix for cross realm trusts to Windows multi-domain forests --- diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index f61977e17..ed248271f 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt 
@@ -1,4 +1,27 @@ Since 1.3.77: + * OpenAFS for Windows has failed to work at sites which are + utilizing a cross-realm trust between an MIT/Heimdal realm + and a multi-domain Windows forest when the workstation being + accessed is not located in the root domain. This is caused + by a bug in the workstation which was triggered after the + introduction of Windows 2003 Server. When the bug is triggered, + the workstation attempts to authenticate users to afsd_service.exe + by contacting the Domain Controller instead of using the + LSA loopback authentication mechanism. + + One of the reasons this bug occurs is because the workstation + does not have a reliable way of knowing that the service whose + netbios name is "AFS" is located on the workstation. This will + be fixed starting in Longhorn Beta 1 by Microsoft. The + "BackConnectionHostNames" registry value will be used to + indicate that the authentications to that service name should + be performed using the loopback authentication mechanism. + + In the meantime, when Logon Caching is enabled, we can force + afsd_service.exe to authenticate using the logon cache before + contacting the Domain Controller. This will work with both + password and smart card based logons. + * The allDown logic in cm_ConnByMServers() was wrong. The allDown flag should not be cleared if a volume's server reference is marked as "offline". In the case where all of the volume's diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 8349d31cf..c16187ca1 100644 --- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt 
@@ -543,7 +543,10 @@ Where: -long print all info -addrs print only host interfaces -cache print only cache configuration - +37. If you are a site which utilizes MIT/Heimdal Kerberos principals +to logon to Windows via a cross-realm relationship with a multi-domain +Windows forest, you must enable Windows logon caching unless the +workstation is Longhorn Beta 1 or later. ------------------------------------------------------------------------
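Review bot: In the afs-changes-since-1.2.txt hunk, the last added paragraph ("In the meantime, when Logon Caching is enabled, we can force afsd_service.exe to authenticate using the logon cache") does not say what happens when Logon Caching is disabled. A site that turns cached logons off by policy cannot tell from this text whether the failure described in the first paragraph still applies to it. Suggest adding a sentence that says explicitly whether workstations outside the root domain continue to fail in that configuration. The second paragraph also names the "BackConnectionHostNames" registry value without its key; giving the full path would let administrators locate it once they run a release that honors it.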
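Review bot: In the afs-install-notes.txt hunk, new item 37 states the requirement more broadly than the change note does. It addresses any site with a cross-realm relationship to a multi-domain Windows forest, while the entry added to afs-changes-since-1.2.txt limits the failure to workstations not located in the root domain. Suggest stating that condition here and saying how logon caching is enabled, since "you must enable Windows logon caching" on its own gives the administrator no setting to act on. The hunk also removes the blank line after the "-cache" option line, so item 37 runs straight on from the option list and directly into the "----" separator; keep a blank line on each side of the new item.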