OpenAFS for Windows 1.5.20
+

OpenAFS for Windows 1.5.21
Release Notes

The Andrew File System (AFS) is a location-independent @@ -639,9 +646,9 @@ none;text-underline:none'>. 2

Operational Notes

4. How to Debug -Problems with OpenAFS for Windows: 11

4. How to +Debug Problems with OpenAFS for Windows: 11

5. Reporting Bugs: 13

Contribute to the Development of OpenAFS for Windows

7. MSI Deployment -Guide. 15

7. MSI +Deployment Guide. 15

Appendix A: Registry Values. 26

1. Installer Options

It can be installed either as a new installation or an @@ -671,24 +678,25 @@ Windows. Installers are provided in two forms:

1. -an executable (.exe) that is built using the Nullsoft Scriptable -Installation System, or

+an executable (.exe) that is built using the Nullsoft Scriptable Installation System, or

2. -a Windows Installer package (.msi) that is built using WiX and can be -customized for organizations via the use of MSI Transforms (see a Windows Installer package (.msi) that is built using WiX and +can be customized for organizations via the use of MSI Transforms (see MSI Deployment Guide)

2. System Requirements

2.1 Supported Operating Systems

@@ -732,9 +740,9 @@ style='font-size:9.0pt;font-family:Symbol'> font-family:"Times New Roman"'> Microsoft Windows Vista (32-bit and 64-bit Intel)

2.1.1 Unsupported Operating Systems

2.2 Disk Space

Up to 60mb required for the OpenAFS binaries plus 100MB for -the default AFSCache file. (The size of the AFSCache file may be -adjusted via the Registry after installation.)

+the default AFSCache file. (The size of +the AFSCache file may be adjusted via the Registry +after installation.)

2.3 Additional Software Packages

MIT -Kerberos for Windows 2.6.x or 3.1.x if Kerberos v5 authentication support -is desired.

+Kerberos for Windows 2.6.x or 3.1.x if Kerberos v5 authentication support is +desired.

3. Operational Notes

3.1. Requirements for Kerberos v5 Authentication

The Kerberos v4 infrastructure on which the OpenAFS 1.2 series is reliant is no longer secure. Cross-realm Kerberos is very -important in the AFS context and most sites have or are migrating to Kerberos v5 -environments. The OpenAFS 1.4 series (and later) integrates with MIT Kerberos for Windows 2.6.5 and above to support Kerberos v5 authentication including automatic renewal of AFS tokens and single sign-on via the Microsoft Windows Kerberos Logon -Service.

+Service.

The recommended version of MIT Kerberos for Windows is 3.2. KFW 3.2 includes Network Identity Manager 1.2 +href="http://web.mit.edu/kerberos/">MIT Kerberos for Windows is 3.2. KFW 3.2 includes Network Identity Manager 1.2 which integrates with the AFS Provider -installed as part of OpenAFS for Windows.

+installed as part of OpenAFS for Windows. +

When KFW is installed, the OpenAFS for Windows client will obtain Kerberos v5 tickets and use them as tokens without modification. @@ -822,12 +830,13 @@ The OpenAFS client requires that all of the AFS Servers with which it communicates support the use of Kerberos v5 tickets as tokens. If Kerberos v5 based tokens are presented to an AFS server that does not support them, the server will be unable to communicate with the client when tokens are present. -Kerberos v5 based tokens are supported by OpenAFS release 1.2.8 or later. IBM Transarc servers do not support Kerberos v5.

+Kerberos v5 based tokens are supported by OpenAFS release 1.2.8 or later. IBM Transarc +servers do not support Kerberos v5.

3.1.1. Active Directory

Microsoft Windows Active Directory can be used as a Kerberos @@ -838,14 +847,15 @@ tickets issued by Active Directory can be quite large when compared to tickets issued by a traditional KDC due to the incorporation of authorization data (the Microsoft PAC). If the issued tickets are larger than 344 bytes, the OpenAFS 1.2 servers will be unable to process them and will issue a -RXKADBADTICKET error. OpenAFS 1.4 (and beyond) -servers can support the largest tickets that Active Directory can issue. -Second, the Kerberos v5 tickets issued by Windows 2003 Active Directory are -encrypted with the DES-CBC-MD5 encryption type (enctype). OpenAFS 1.2 -servers only support the DES-CBC-CRC enctype. +RXKADBADTICKET error. OpenAFS 1.4 (and +beyond) servers can support the largest tickets that Active Directory can +issue. Second, the Kerberos v5 tickets issued by Windows 2003 Active +Directory are encrypted with the DES-CBC-MD5 encryption type (enctype). OpenAFS 1.2 servers only support the +DES-CBC-CRC enctype. As a result, OpenAFS 1.2 servers cannot process the resulting Kerberos v5 tokens. Windows 2000 Active Directory -issued tickets with the DES-CBC-CRC enctype.

+issued tickets with the DES-CBC-CRC enctype.

Microsoft has documented in Knowledge Base article 832572 @@ -856,21 +866,22 @@ style='mso-spacerun:yes'> accounts that are associated with non-Windows services and that do not understand the authorization data stored in the PAC.

3.1.2. Using the krb524 service

Some organizations which have AFS cell names and Kerberos realm names which differ by more then just lower and upper case rely on a -modification to krb524d which maps a Kerberos v5 ticket from realm FOO to a Kerberos -v4 ticket in realm BAR. This allows user@FOO to appear to be user@bar for -the purposes of accessing the AFS cell. As of OpenAFS 1.2.8, support was -added to allow the immediate use of Kerberos v5 tickets as AFS (2b) tokens. -This is the first building block necessary to break away from the limitations -of Kerberos v4 with AFS. By using Kerberos v5 directly we avoid the -security holes inherent in Kerberos v4 cross-realm. We also gain access -to cryptographically stronger algorithms for authentication and encryption.

+modification to krb524d which maps a Kerberos v5 ticket from realm FOO to a +Kerberos v4 ticket in realm BAR. This allows user@FOO +to appear to be user@bar for the purposes of +accessing the AFS cell. As of OpenAFS 1.2.8, support was added to allow +the immediate use of Kerberos v5 tickets as AFS (2b) tokens. This is the first +building block necessary to break away from the limitations of Kerberos v4 with +AFS. By using Kerberos v5 directly we avoid the security holes inherent +in Kerberos v4 cross-realm. We also gain access to cryptographically +stronger algorithms for authentication and encryption.

Another reason for using Kerberos v5 directly is because the krb524 service runs on a port (4444) which has become increasingly blocked by @@ -887,9 +898,9 @@ to force the use of krb524d. However, the availability of this option should only be used by individuals until such time as their organizations can provide a more permanent solution.

3.1.3. Network Identity Manager Provider

As of release 1.5.9, OpenAFS for Windows includes a Network Identity Manager Provider for obtaining AFS tokens.MIT Kerberos for Windows version 3.1 or above. Version 3.2 is required for the best user experience.

+src="relnotes_files/image002.jpg" v:shapes="_x0000_i1025">

The Network Identity Manager replaces the former KFW ticket manager, Leash, and when combined with the OpenAFS Provider, it is intended to @@ -937,23 +948,23 @@ Tool, Network Identity Manager with the OpenAFS Provider can easily manage AFS tokens for multiple cells from one or more Kerberos v5 identities.

+src="relnotes_files/image004.jpg" v:shapes="_x0000_i1026">

The AFS configuration panel for each Kerberos v5 identity is used to configure which cells credentials should be obtained for and how they should be obtained. If the cell to realm -mapping cannot be automatically determined, it can be explicitly -specified. If the cell does not support Kerberos -v5 tickets as tokens, then a krb524 service can be configured.

+mapping cannot be automatically determined, it can be explicitly specified. If the cell does not support Kerberos v5 +tickets as tokens, then a krb524 service can be configured.

+src="relnotes_files/image006.jpg" v:shapes="_x0000_i1027">

The OpenAFS Provider configuration panel can be used to check the status of the AFS Client Service and its version. A shortcut to the OpenAFS Control Panel is also provided.

3.2. Use of the Microsoft Loopback Adapter by the AFS Client Service

@@ -1022,99 +1033,107 @@ no longer required to be unique. Instead the NETBIOS name associated with the AFS Client Service is simply "AFS" and portable UNC paths of the form \\AFS\cellname\path can now be used on all machines.

3.3. Using Freelance (Dynamic Root) Mode to Improve Mobility

Traditionally, when the OpenAFS Client Service starts it -must be able to access the "root.afs" volume of the default -cell. The "root.afs" volume contains the set of mount points to -the "root.cell" volumes of various cells the administrator of the -default cell believes should be accessible. If the "root.afs" +must be able to access the "root.afs" +volume of the default cell. The "root.afs" +volume contains the set of mount points to the "root.cell" +volumes of various cells the administrator of the default cell believes should +be accessible. If the "root.afs" volume is inaccessible when the client service is started, the service will terminate unexpectedly. Since many users now use laptops or otherwise operate in disconnected environments in which a VPN may be required to access -the cell's servers, it is often the case that the "root.afs" volume -for the default cell is not reachable and the OpenAFS Client Service will not -successfully start.

+the cell's servers, it is often the case that the "root.afs" +volume for the default cell is not reachable and the OpenAFS Client Service +will not successfully start.

To allow the OpenAFS Client Service to operate in these -environments, Freelance mode dynamically constructs a fake "root.afs" -volume from mount points and symlinks stored in the local registry.

- -

The content of the fake root.afs volume is dynamically -modified as cells are accessed. When the fake "root.afs" volume -is initially constructed it will only contain two mount points: a regular -path and read-write path mount point used to access the -"root.cell" volume of the default AFS cell. Any attempt to access -a valid cell name will result in a new mount point being created in the fake -"root.afs" volume. If the cellname begins with a "." -the mount point will be a read-write path; otherwise the mount point -will be a regular path. These mount points are preserved in the -registry at key:

+environments, Freelance mode dynamically constructs a fake "root.afs" volume from mount points and symlinks stored +in the local registry.

+ +

The content of the fake root.afs +volume is dynamically modified as cells are accessed. When the fake +"root.afs" volume is initially constructed +it will only contain two mount points: a regular path and read-write +path mount point used to access the "root.cell" +volume of the default AFS cell. Any attempt to access a valid cell name +will result in a new mount point being created in the fake "root.afs" volume. If the cellname +begins with a "." the mount point will be a read-write path; +otherwise the mount point will be a regular path. These mount +points are preserved in the registry at key:

HKLM\SOFTWARE\OpenAFS\Client\Freelance

Additional mount points may be manually created using the -"fs mkmount" command. Mount points may be removed using the -"fs rmmount" command.

+"fs mkmount" +command. Mount points may be removed using the "fs +rmmount" command.

>fs mkmount -\\AFS\athena.mit.edu root.cell athena.mit.edu

>fs +mkmount \\AFS\athena.mit.edu root.cell +athena.mit.edu

>fs mkmount -\\AFS\.athena.mit.edu root.cell athena.mit.edu -rw

>fs +mkmount \\AFS\.athena.mit.edu root.cell +athena.mit.edu -rw

>fs rmmount -\\AFS\athena.mit.edu

>fs +rmmount \\AFS\athena.mit.edu

>fs rmmount -\\AFS\.athena.mit.edu

>fs +rmmount \\AFS\.athena.mit.edu

Symlinks may also be created within the Freelance root.afs -volume.

Symlinks may also be created within the Freelance root.afs volume.

>symlink make -\\afs\link \\afs\athena.mit.edu\user\j\a\jaltman

>symlink +make \\afs\link \\afs\athena.mit.edu\user\j\a\jaltman

>symlink list -\\afs\link

>symlink list \\afs\link

'\\afs\link' is a -symlink to 'athena.mit.edu\user\j\a\jaltman'

'\\afs\link' +is a symlink to 'athena.mit.edu\user\j\a\jaltman'

>symlink rm \\afs\link

>symlink +rm \\afs\link

The symlinks are stored in the registry at:

HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks

3.4. Locating AFS Volume Database Servers via DNS

The OpenAFS for Windows client will use DNS AFSDB records to discover the location of AFS Volume Database servers when entries for the cell -are not present in the client's CellServDB file -(\%PROGRAMFILES%\OpenAFS\Client\CellServDB).

+are not present in the client's CellServDB file +(\%PROGRAMFILES%\OpenAFS\Client\CellServDB).

3.5. Obtaining AFS Tokens as a Integrated Part of Windows Logon

OpenAFS for Windows installs a WinLogon Network Provider to -provide Single Sign-On functionality (aka Integrated Logon.) Integrated -Logon can be used when the Windows username and password match the username and -password associated with the default cell's Kerberos realm. For example, -if the Windows username is "jaltman" and the default cell is +

OpenAFS for Windows installs a WinLogon +Network Provider to provide Single Sign-On functionality (aka Integrated +Logon.) Integrated Logon can be used when the Windows username and +password match the username and password associated with the default cell's +Kerberos realm. For example, if the Windows username is "jaltman" and the default cell is "athena.mit.edu", then Integrated Logon can be successfully used if the windows password matches the password assigned to the Kerberos principal "jaltman@ATHENA.MIT.EDU". @@ -1128,9 +1147,9 @@ passwords.

When KFW is configured, Integrated Logon will use it to obtain tokens. Use of KFW for Integrated Logon can be disabled via the EnableKFW registry value. Use of the krb524 service can be configured -via the Use524 registry value.

+href="#_Value:_EnableKFW">EnableKFW registry +value. Use of the krb524 service can be +configured via the Use524 registry value.

Integrated Logon will not preserve the Kerberos v5 tickets. KFW 3.1 and above implements that functionality.

@@ -1141,27 +1160,28 @@ Kerberos KDC is inaccessible at logon time.

Integrated Login supports the ability to obtain tokens for multiple cells. For further information on how to configure this feature -read about the TheseCells +read about the TheseCells value.

3.6. AFS System Tray Command Line Options

The AFS System Tray Tool -(afscreds.exe) has been deprecated in favor of Network Identity Manager. afscreds.exe will be removed from the OpenAFS +(afscreds.exe) has been deprecated in favor of Network Identity Manager. afscreds.exe will be removed from the OpenAFS in a future release.

The AFS System Tray tool (afscreds.exe) supports several -command line options:

The AFS System Tray tool (afscreds.exe) supports several command +line options:

-A = autoinit

-A = autoinit +

-E = force existing afscreds to -exit

-E = force existing afscreds to exit

-I = install startup shortcut

@@ -1172,8 +1192,8 @@ exit

-Q = quiet mode. do not display start service dialog

if -afsd_service is not already running

if afsd_service is not already running

-S = show tokens dialog on startup

@@ -1181,15 +1201,16 @@ afsd_service is not already running

-X = test and do map share

-Z = unmap drives

-Z = unmap +drives

autoinit will result in automated attempts to acquire AFS -tokens when afscreds.exe is started. afscreds.exe will attempt to utilize -tickets stored in the MSLSA credentials cache; any existing CCAPI credentials -cache; and finally display an Obtain Tokens dialog to the user. When used -in combination with IP address change detection, afscreds.exe will attempt to acquire -AFS tokens whenever the IP address list changes and the Kerberos KDC is -accessible.

autoinit will result in automated +attempts to acquire AFS tokens when afscreds.exe is started. afscreds.exe +will attempt to utilize tickets stored in the MSLSA credentials cache; any +existing CCAPI credentials cache; and finally display an Obtain Tokens dialog +to the user. When used in combination with IP address change detection, +afscreds.exe will attempt to acquire AFS tokens whenever the IP address list +changes and the Kerberos KDC is accessible.

The renew drive maps option is used to ensure that the user drive maps constructed via the OpenAFS tools (not NET USE) are re-constructed @@ -1199,64 +1220,73 @@ each time afscreds.exe is started.

installers to use -A -N -M -Q as startup options. Currently, there is no user interface to change this selection after install time although these options may be altered via the registry on either per machine or per user -basis. See AfscredsShortcutParams -in Appendix A.

+basis. See AfscredsShortcutParams in Appendix A.

3.7. -The AFS Client Admins Authorization Group

+The AFS Client Admins Authorization Group

The OpenAFS for Windows client supports a local Windows -authorization group named "AFS Client Admins". This group is -used in place of the "Administrators" group to determine which users -are allowed to modify the AFS Client Service configuration via the AFS Control -Panel (afs_config.exe) or fs.exe command line tool. The following fs.exe -commands are now restricted to members of the "AFS Client Admins" -group:

+authorization group named "AFS Client Admins". +This group is used in place of the "Administrators" group to +determine which users are allowed to modify the AFS Client Service +configuration via the AFS Control Panel (afs_config.exe) or fs.exe command line +tool. The following fs.exe commands are now restricted to members of the +"AFS Client Admins" group:

· checkservers -with a non-zero timer value

+font-family:"Times New Roman"'> checkservers with a non-zero timer value

· setcachesize

+font-family:"Times New Roman"'> setcachesize

· newcell

+font-family:"Times New Roman"'> newcell

· sysname -with a new sysname list

+font-family:"Times New Roman"'> sysname with a new sysname list

· exportafs

+font-family:"Times New Roman"'> exportafs

· setcell

+font-family:"Times New Roman"'> setcell

· setserverprefs

+font-family:"Times New Roman"'> setserverprefs

· storebehind

+font-family:"Times New Roman"'> storebehind

· setcrypt

+font-family:"Times New Roman"'> setcrypt

· cscpolicy

+font-family:"Times New Roman"'> cscpolicy

· trace

· minidump

- -

The creation or removal of mount points and symlinks in the Freelance -root.afs volume are also restricted to members of the AFS Client Admins -group.

- -

The initial membership of the "AFS Client Admins" -group when created by the installer is equivalent to the local -"Administrators" group. If a user is added to the -"Administrators" group after the creation of the "AFS Client -Admin" group, that user will not be an AFS Client Administrator. -Only users that are members of the "AFS Client Admins" group are AFS -Client Administrators. The local "SYSTEM" account is an implicit -member of the "AFS Client Admins" group.

- -

Setting the default sysname for a machine should be done via -the registry and not via "fs -sysname".

- -

minidump
+ +
The creation or removal of mount points and symlinks in the +Freelance root.afs volume are also restricted to +members of the AFS Client Admins group.
+ +
The initial membership of the "AFS Client Admins" group when created by the installer is +equivalent to the local "Administrators" group. If a user is +added to the "Administrators" group after the creation of the +"AFS Client Admin" group, that user will not be an AFS Client +Administrator. Only users that are members of the "AFS Client Admins" group are AFS Client Administrators. The +local "SYSTEM" account is an implicit member of the "AFS Client Admins" group.
+ +
Setting the default sysname for a +machine should be done via the registry and not +via "fs sysname".
+ +

3.8. OpenAFS support for UNC paths

The OpenAFS client supports UNC paths everywhere. UNC paths provide a canonical name for resources stored within AFS. UNC paths should be used instead of drive letter mappings whenever possible. -This is especially true when specifying the location of roaming profiles and -redirected folders.

+This is especially true when specifying the location of roaming profiles and redirected +folders.

Power users that make extensive use of the command line -shell, cmd.exe, should consider using JP Software's 4NT or Take Command command -processors. Unlike cmd.exe, the JPSoftware shells fully support UNC paths -as the current directory. JPSoftware added special recognition for -OpenAFS to its command shells, 4NT 7.0 and Take Command 7.0. AFS paths -can be entered in UNIX notation (e.g., /afs/openafs.org/software), space -utilization reports the output of the volume status for the specified path, and -many AFS specific functions and variables have been added to the command -language.

- -

JPSoftware's web site is http://www.jpsoft.com.

- -

command processors. Unlike cmd.exe, the JPSoftware shells fully support UNC paths as the current +directory. JPSoftware added special recognition +for OpenAFS to its command shells, 4NT 7.0 and Take Command 7.0. AFS +paths can be entered in UNIX notation (e.g., /afs/openafs.org/software), +space utilization reports the output of the volume status for the specified +path, and many AFS specific functions and variables have been added to the +command language.
+ +
JPSoftware's web site is http://www.jpsoft.com.
+ +

3.9. aklog.exe

@@ -1319,13 +1353,14 @@ which should be used in preference to those obtained by other sources. The OpenAFS aklog.exe supports Kerberos v5 as well as the ability to auto-generate AFS IDs within foreign PTS databases.

Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]

Usage: aklog [-d] [[-cell | +-c] cell [-k krb_realm]]

[[-p | -path] pathname]

-[-noprdb] [-force]

+[-noprdb] [-force]

[-5 [-m]| -4]

@@ -1337,13 +1372,14 @@ auto-generate AFS IDs within foreign PTS databases.

cell = zero or more cells for which tokens will be obtained

krb_realm = the kerberos realm of the -cell.

krb_realm = +the kerberos realm of the cell.

pathname = the directory for which authentication is required

-noprdb = don't try to determine AFS ID.

-noprdb = +don't try to determine AFS ID.

-5 or -4 = use Kerberos V (default) or Kerberos IV tickets

@@ -1351,9 +1387,9 @@ Kerberos IV tickets

-m = use krb524d to convert Kerberos V tickets to Kerberos IV

3.10. OpenAFS Servers on Windows are Unsupported

@@ -1362,25 +1398,27 @@ install package might work but should be considered highly experimental. It has not been thoroughly tested. Any data which would cause pain if lost should not be stored in an OpenAFS Server on Windows.

3.10.1. OpenAFS Server Installation

- -

When the OpenAFS Server is installed, the TransarcAFSServer -service (bosctlsvc.exe) will be installed and configured. The TransarcAFSServer service will auto-start -the traditional AFS bos server. The -former AFS Server Configuration wizard makes assumptions that no longer hold -true and it has therefore been disabled. -However, following the instructions for installing the AFS Servers on -UNIX it is possible to properly configure the AFS Servers on Microsoft -Windows. The AFS Server binaries, -configuration files, and log files are installed under %Program -Files%\OpenAFS\Server. kaserver has been deprecated and its use is strongly -discouraged. Instead, -Active Directory or some other Kerberos v5 KDC should be used in its place.

- -

3.10.2. Using the AFS Client Service when the +
3.10.1. OpenAFS Server Installation
+ +
When the OpenAFS Server is installed, the TransarcAFSServer service (bosctlsvc.exe) will be installed +and configured. The TransarcAFSServer +service will auto-start the traditional AFS bos +server. The former AFS Server +Configuration wizard makes assumptions that no longer hold true and it has +therefore been disabled. However, +following the instructions for installing the AFS Servers on UNIX it is +possible to properly configure the AFS Servers on Microsoft Windows. The AFS Server binaries, configuration files, +and log files are installed under %Program Files%\OpenAFS\Server. kaserver has been deprecated and its use is strongly discouraged. Instead, Active Directory or some other +Kerberos v5 KDC should be used in its place.
+ +

3.10.2. Using the AFS Client Service when the Server is installed

A few notes on the usage of the AFS Client Service if it is @@ -1391,29 +1429,31 @@ style='font-size:9.0pt;font-family:Symbol'> font-family:"Times New Roman"'> Freelance mode should be disabled when the AFS Client Service is installed on the same machine as the AFS Server,. Otherwise, you will be unable to manipulate -the contents of the root.afs volume for the hosted cell without constructing an -explicit mountpoint to the root.afs volume from another volume.

+the contents of the root.afs volume for the hosted +cell without constructing an explicit mountpoint to +the root.afs volume from another volume.

· The -AFS Server and related tools only support the built in kaserver (Kerberos -IV). If kaserver is being used, MIT -Kerberos for Windows should not be installed or must be disabled via the EnableKFW registry value.

+AFS Server and related tools only support the built in kaserver +(Kerberos IV). If kaserver is being used, MIT Kerberos for Windows should not be +installed or must be disabled via the EnableKFW registry value.

· The AFS -Servers are not aware of power management events nor are they aware of network -configuration changes. It is strongly -advised that the AFS servers be installed only on systems that will not be -shutdown or suspended unexpectedly. An inadvertent -shutdown will corrupt volume data.

- -

       The +AFS Servers are not aware of power management events nor are they aware of +network configuration changes. It is +strongly advised that the AFS servers be installed only on systems that will +not be shutdown or suspended unexpectedly.   +An inadvertent shutdown will corrupt volume data.
+ +
3.11. OpenAFS Debugging Symbol files
@@ -1436,9 +1476,9 @@ or not the debug symbols are installed by default (release: no, debug: yes)

·       whether -or not fs trace logging is turned on -by default (release: no, debug: yes)
+or not fs trace logging is turned on by default +(release: no, debug: yes)

·       wheth or not additional debug statements were compiled into the binaries (release: no, debug: yes)
-

3.12. Large Files (64-bit) Supported

@@ -1457,22 +1497,22 @@ larger than 2GB. The maximum file size is now 16777216 terabytes when the AFS File Server supports large files. If the AFS File Server does not support large files, then the file size limit remains 2GB.

3.13. Encrypted AFS Network Communication

The OpenAFS for Windows installer by default activates a weak form of encrypted data transfer between the AFS client and the AFS -servers. This is often referred to as "fcrypt" mode. -Encrypted data transfer can be turned on or off with the fs crypt -command. Transitions between crypt and non-crypt modes are logged to -the Windows Application Event Log.

+servers. This is often referred to as "fcrypt" +mode. Encrypted data transfer can be turned on or off with the fs crypt command. Transitions between crypt and +non-crypt modes are logged to the Windows Application Event Log.

3.14. Authenticated Access to the OpenAFS Client Service

@@ -1483,19 +1523,19 @@ used to obtain access to another user's tokens on shared machines.

When GSS SPNEGO attempts a Kerberos v5 authentication, the -Windows SMB client will attempt to retrieve service tickets for -"cifs/afs@REALM" (if the loopback adapter is in use) or -"cifs/machine-afs@REALM" (if the loopback adapter is not being -used). It is extremely important that this service principal not exist in -the KDC database as the Kerberos authentication must fail allowing automatic -fallback to NTLM. When NTLM is used a special local authentication mode -will be used that does not require access to the user's password. -Instead, Windows will internally recognize the request as coming from a local -logon session.

- -

cifs/afs@REALM" (if the loopback adapter is in use) or +"cifs/machine-afs@REALM" (if the loopback +adapter is not being used). It is extremely important that this service +principal not exist in the KDC database as the Kerberos authentication must fail +allowing automatic fallback to NTLM. When NTLM is used a special local +authentication mode will be used that does not require access to the user's +password. Instead, Windows will internally recognize the request as +coming from a local logon session.
+ +
3.15. No More INI Files
@@ -1503,32 +1543,33 @@ No More INI Files

in Windows .INI files. The OpenAFS client does not use Windows .INI files for the storage of configuration data. All settings are stored in the registry (see Appendix A). -The CellServDB file is now stored in the %PROGRAMFILES%\OpenAFS\Client -directory. The CellServDBDir +The CellServDB file is now stored in the +%PROGRAMFILES%\OpenAFS\Client directory. The CellServDBDir registry value can be used to specify an alternative location.

OpenAFS will relocate the contents of the afsdcell.ini -file to the new CellServDB file. OpenAFS will also import the contents of -the afs_freelance.ini file to the Windows registry. OpenAFS will -not process the contents of the afsddbmt.ini.

+file to the new CellServDB file. OpenAFS will +also import the contents of the afs_freelance.ini file to the Windows +registry. OpenAFS will not process the contents of the +afsddbmt.ini.

3.16. Microsoft Windows Internet Connection Firewall

The OpenAFS Client is compatible with the Internet Connection Firewall that debuted with Windows XP SP2 and Windows 2003 -SP1. The Internet Connection Firewall will be automatically adjusted to -allow the receipt of incoming callback messages from the AFS file server. -In addition, the appropriate Back Connection registry entries are added -to allow SMB authentication to be performed across the Microsoft Loopback -Adapter.

+SP1. The Internet Connection Firewall will be automatically adjusted to allow +the receipt of incoming callback messages from the AFS file server. In +addition, the appropriate Back Connection registry entries are added to +allow SMB authentication to be performed across the Microsoft Loopback Adapter.

3.17. Browsing AFS from the Explorer Shell and Office

@@ -1537,19 +1578,19 @@ Protocol which allows Explorer to browse server and share information. This significantly enhances the interoperability of AFS volumes within the Explorer Shell and Microsoft Office applications.

3.18. Byte Range Locking

Many applications on Windows (e.g. Microsoft Office) require the use of byte range locks applied to a file either to protect against -simultaneous file access or as a signaling mechanism. OpenAFS for Windows -release 1.5 (or greater) implements byte range locking within the CIFS-AFS -gateway server. This support for byte range locking obtains AFS -advisory file server locks to simulate Microsoft Windows mandatory +simultaneous file access or as a signaling mechanism. OpenAFS for +Windows release 1.5 (or greater) implements byte range locking within the +CIFS-AFS gateway server. This support for byte range locking +obtains AFS advisory file server locks to simulate Microsoft Windows mandatory locks. When an application opens a file, a lock will be obtained from AFS indicating that the file is in use. If the lock is a write lock, access to the file will be restricted to other applications running on the same @@ -1587,19 +1628,19 @@ CIFS-AFS gateway implements the following semantics in order to reduce the inconvenience on end users.

If +
If the file is located on a read-only volume and the application requests a shared lock, the CIFS-AFS server will grant the lock request without asking the AFS file server.
If +
If the file is located on a read-only volume and the application opens the file with write access and requests an exclusive lock, the CIFS-AFS server will refuse the lock request and return a read only error.
If +
If the file is located on a read-only volume and the application opens the file with only read access and requests an exclusive lock, the CIFS-AFS server will fulfill the lock request with a read lock.
If +
If the file is located on a read-write volume and the application requests an exclusive lock, the CIFS-AFS server will request a write lock from the AFS file server. If granted by the file server, then the CIFS-AFS server @@ -1612,7 +1653,7 @@ inconvenience on end users.
the request even though the AFS file server said no. If the user does not have at least those permissions, the CIFS-AFS server will deny the request.
If +
If the file is located on a read-write volume and the application requests a shared lock, the CIFS-AFS server will request a read lock from the AFS file server. If granted by the file server, then the CIFS-AFS server @@ -1621,11 +1662,11 @@ inconvenience on end users.
lock privilege, then the CIFS-AFS server will grant the request even though the AFS file server said no. If the user does not have at least those permissions, the CIFS-AFS server will deny the request.
If +
If multiple processes on the same machine attempt to access the same file simultaneously, the CIFS-AFS server will locally manage the granted locks and all processes will share a single lock on the AFS file server.
If +

If the CIFS-AFS server is unable to renew the AFS file server locks, then it will invalidate the associated file handles. This is the same behavior that an application will experience if it was using a Windows @@ -1635,29 +1676,31 @@ inconvenience on end users.

If you wish to disable the acquisition of locks from the file server, this can be performed using the EnableServerLocks registry value.

+href="#_Value:_EnableServerLocks">EnableServerLocks +registry value.

3.19. Automatic Discarding of AFS Tokens at Logoff

The OpenAFS Client will automatically forget a user's tokens upon Logoff unless the user's profile was loaded from an AFS volume. In this situation there is no mechanism to determine when the profile has been -successfully written back to the network. It is therefore unsafe to release -the user's tokens. Whether or not the profile has been loaded from the -registry can be determined for Local Accounts, Active Directory accounts and -NT4 accounts.

+successfully written back to the network. It is therefore unsafe to +release the user's tokens. Whether or not the profile has been loaded +from the registry can be determined for Local Accounts, Active Directory +accounts and NT4 accounts.

If there is a need to disable this functionality, the LogoffPreserveTokens registry value -can be used. (see Appendix A.)

+href="#_Value_:_LogoffPreserveTokens">LogoffPreserveTokens +registry value can be used. (see Appendix A.)

3.20. Windows Terminal Server installations

@@ -1667,9 +1710,9 @@ Panel. Failure to do so will result in AFS not running properly. The AFS Server should not be installed on a machine with Terminal Server installed.

3.21. Hidden Dot Files

@@ -1678,11 +1721,12 @@ attempts to treat the files stored in AFS as they would be on UNIX. File and directory names beginning with a "." are automatically given the Hidden attribute so they will not normally be displayed. This behavior can be altered via the HideDotFiles registry value.

+href="#_Value:_HideDotFiles">HideDotFiles +registry value.

3.22. Status Cache Limits

@@ -1702,27 +1746,28 @@ maximum number of Status Cache entries. Each entry requires approximately style='mso-spacerun:yes'> This can be adjusted using the Stats registry value.

3.23. NETBIOS over TCP/IP must be enabled

"Netbios over TCP/IP" must be active on the -machine in order for communication with the AFS Client Service to -succeed. If "Netbios over TCP/IP" is disabled on the machine, -then communication with the AFS Client Service will be impossible. If you are using the Microsoft Loopback -Adapter, configure the Netbios over TCP/IP setting for the adapter.

"Netbios over TCP/IP" +must be active on the machine in order for communication with the AFS Client +Service to succeed. If "Netbios over +TCP/IP" is disabled on the machine, then communication with the AFS Client +Service will be impossible. If you are +using the Microsoft Loopback Adapter, configure the Netbios +over TCP/IP setting for the adapter.

3.24. OpenAFS binaries are digitally signed

The OpenAFS Client Service and related binaries distributed -by OpenAFS.org are digitally signed by "Secure Endpoints Inc.". +

The OpenAFS Client Service and related binaries distributed by +OpenAFS.org are digitally signed by "Secure Endpoints Inc.". The OpenAFS Client Service will perform a run-time verification check to ensure that all OpenAFS related DLLs loaded by the service match the same file version number and were signed by the same entity. This check has been added to @@ -1732,15 +1777,16 @@ wasted tracking down problems caused by the mixture of files from different releases.

Appendix A -documents the "VerifyServiceSignature" -registry value which can be used to disable the signature check. The file -version check cannot be disabled.

+documents the "VerifyServiceSignature" registry value which can +be used to disable the signature check. The file version check cannot be +disabled.

3.25. -Maximum Size of the AFSCache File

+Maximum Size of the AFSCache File

The maximum cache size on 32-bit Windows is approximately 1.3GB. This is the largest contiguous block of memory in the 2GB process @@ -1751,21 +1797,21 @@ cache size greater then 700MB will result in the automatic disabling of the signature check. Significantly larger cache sizes can be used on 64-bit Windows.

3.26. Filename Character Sets

OpenAFS for Windows implements an SMB server which is used -as a gateway to the AFS filesystem. Because of limitations of the SMB -implementation, Windows stores all files into AFS using OEM code pages such as -CP437 (United States) or CP850 (Western Europe). These code pages are -incompatible with the ISO Latin-1 character set typically used as the default -on UNIX systems in both the United States -and Western Europe. Filenames stored by -OpenAFS for Windows are therefore unreadable on UNIX systems if they include -any of the following characters:

+as a gateway to the AFS filesystem. Because of +limitations of the SMB implementation, Windows stores all files into AFS using +OEM code pages such as CP437 (United States) or CP850 (Western Europe). +These code pages are incompatible with the ISO Latin-1 character set typically +used as the default on UNIX systems in both the United + States and Western Europe. +Filenames stored by OpenAFS for Windows are therefore unreadable on UNIX +systems if they include any of the following characters:

@@ -1824,7 +1870,7 @@ any of the following characters:

[ù] 151 09/07 227 97 u grave

- [ÿ] 152 09/08 230 98 y diaeresis

+ [ÿ] 152 09/08 230 98 y diaeresis

[Ö] 153 09/09 231 99 O diaeresis

@@ -1849,16 +1895,17 @@ any of the following characters:

The OpenAFS Client provides an optional registry value, StoreAnsiFilenames, that can be -set to instruct OpenAFS to store filenames using the ANSI Code Page instead of -the OEM Code Page. The ANSI Code Page is a compatible superset of -Latin-1. This setting is not the default setting because making this -change would prevent OpenAFS for Windows from being able to access filenames -containing the above characters which were created without this setting.

- -

StoreAnsiFilenames, that can be set to instruct OpenAFS to store filenames +using the ANSI Code Page instead of the OEM Code Page. The ANSI Code Page +is a compatible superset of Latin-1. This setting is not the default +setting because making this change would prevent OpenAFS for Windows from being +able to access filenames containing the above characters which were created +without this setting.
+ +

3.27. Known Character Set Issues with Roaming Profiles

@@ -1871,45 +1918,47 @@ UNICODE. To avoid this problem some sites run custom logoff scripts (assigned by group policy) which rename all files to use only the supported characters for the locale.

3.28. -The AFSCache File

+The AFSCache File -

The AFS Cache file is stored by default at %TEMP%\AFSCache -in a persistent file marked with the Hidden and System attributes. The -persistent nature of the data stored in the cache file improves the performance -of OpenAFS by reducing the number of times data must be read from the AFS file -servers.

The AFS Cache file is stored by default at %TEMP%\AFSCache in a persistent file marked with the Hidden and +System attributes. The persistent nature of the data stored in the cache file +improves the performance of OpenAFS by reducing the number of times data must +be read from the AFS file servers.

The performance of the AFS Client Service is significantly -affected by the access times associated with the AFSCache paging -file. When given the choice, the AFSCache file should be placed on a -fast disk, preferably NTFS, the file should not be compressed and should -consist of as few fragments as possible. Significant performance -gains can be achieved by defragmenting the AFSCache file with Sysinternal's -Contig utility while the AFS Client Service is stopped.

- -

AFSCache +paging file.   When given the choice, the AFSCache +file should be placed on a fast disk, preferably NTFS, the file should not be +compressed and should consist of as few fragments as possible.   +Significant performance gains can be achieved by defragmenting +the AFSCache file with Sysinternal's +Contig utility while the AFS Client Service is +stopped.
+ +
3.29. Restricting OpenAFS Client Service Start and Stop

A new command line tool, afsdacl.exe, can be used to restrict the ability to start and stop the OpenAFS Client Service.
-
    afsdacl : Set or reset the DACL to -allow starting or stopping
+
    afsdacl +: Set or reset the DACL to allow starting or stopping
-
         the -afsd service by any ordinary user.
+
         the afsd service by any ordinary user.

-
    Usage : afsdacl [-set | -reset] -[-show]
+
    Usage : afsdacl +[-set | -reset] [-show]

          -set   : Sets the DACL
@@ -1920,52 +1969,54 @@ afsd service by any ordinary user.

          -show : Show current DACL (SDSF)
-

3.30. The @sys Name List

The default @sys name list in the OpenAFS Client is set to "x86_win32 i386_w2k i386_nt40" for 32-bit x86 systems. The -default is "amd64_win64" for amd 64-bit versions of Windows.

+default is "amd64_win64" for amd 64-bit +versions of Windows.

3.31. Symlinks to AFS UNC paths

In OpenAFS, symlinks to AFS UNC paths, \\AFS[\all]\..., are -treated the same as symlinks to /afs/... However, please use /afs/... as -the Windows UNC form will not work on UNIX client.

+treated the same as symlinks to /afs/... +However, please use /afs/... as the Windows UNC form +will not work on UNIX client.

3.32. Cache Manager Debugging Now Supported

The OpenAFS Client implements the Cache Manager Debugging RPC Interface. The CM debugger can be queried with cmdebug.exe.

Usage: cmdebug -servers <server machine> [-port -<IP port>] [-long]

Usage: cmdebug -servers +<server machine> [-port <IP port>] [-long]

-[-addrs] [-cache] [-help]

+[-addrs] [-cache] [-help]

Where: -long print all info

-addrs -print only host interfaces

-addrs print only host interfaces

-cache print only cache configuration

3.33. Windows Logon Caching vs. Kerberos Logons

@@ -1974,22 +2025,21 @@ principals to logon to Windows via a cross-realm relationship with a multi-domain Windows forest, you must enable Windows logon caching unless the workstation is Windows Vista.

3.34. Initial Server Preferences

VLDB and File Server Preferences can now be provided initial -values using registry keys. This is useful for managed machines in a -Windows domain which are centrally located (e.g., in a computing lab.) -See Appendix A for details on the -"Server Preferences" -keys.

+values using registry keys. This is useful for managed machines in a Windows +domain which are centrally located (e.g., in a computing lab.) See Appendix A for details on the "Server Preferences" keys.

3.35. File Timestamps

@@ -2011,57 +2061,60 @@ are used to being able to compare the timestamp in an UNIX shell with the timestamp from the Windows explorer. During DST, these two times will no longer agree even though they are in fact representing the same moment in time.

3.36. Windows RPC client support must be installed

If the installer refuses to install and complains about an RPC configuration error, check to ensure that the following registry entries -are present and that they refer to the dll "rpcrt4.dll":

+are present and that they refer to the dll +"rpcrt4.dll":

HKLM -"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_np"

HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_np"

HKLM -"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp"

HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp"

HKLM -"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"

HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"

HKLM -"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"

HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"

3.37. -Generating Minidumps of the OpenAFS Client Service

+Generating Minidumps of the OpenAFS Client Service -

OpenAFS 1.4 added a new command, "fs -minidump". This command can be used at any time to generate a mini -dump file containing the current stack of the afsd_service.exe -process. This output can be very helpful when debugging the AFS -Client Service when it is unresponsive to SMB/CIFS requests.

OpenAFS 1.4 added a new command, "fs +minidump". This command can be used at any +time to generate a mini dump file containing the current stack of the +afsd_service.exe process. This output can be very helpful when +debugging the AFS Client Service when it is unresponsive to SMB/CIFS requests.

3.38. AFS Client Universally Unique Identifiers

The OpenAFS Client implements Universally Unique Identifiers -(UUIDs). They are used to provide the server with a method of identifying -the client that is independent of IP address. The UUID is generated when -the AFSCache file is created and is maintained as long as the contents of the -AFSCache file are kept intact. The UUID is stored in the AFSCache -file. When cloning machines that have Windows AFS client installed, -the AFSCache files should be deleted as part of the cloning process.

- -

3.39. Delayed Write Errors with Microsoft +(UUIDs). They are used to provide the server +with a method of identifying the client that is independent of IP +address. The UUID is generated when the AFSCache +file is created and is maintained as long as the contents of the AFSCache file are kept intact. The UUID is stored in +the AFSCache file. When cloning machines +that have Windows AFS client installed, the AFSCache +files should be deleted as part of the cloning process.
+ +
3.39. Delayed Write Errors with Microsoft Office Applications

Microsoft Office makes heavy use of asynchronous @@ -2081,16 +2134,16 @@ with the explorer shell does not use asynchronous i/o.

The CIFS session timeout defaults to 45 seconds and can be increased by modifying the registry.
-

3.40. Global Drives (aka 3.40. Global Drives (aka Service Drive +style='mso-bookmark:_Toc170268864'> Letters) are no longer supported by Microsoft

The Global DriveAuto-mount feature has been deprecated due -to the following Microsoft KB article.

The Global DriveAuto-mount +feature has been deprecated due to the following Microsoft KB article.

http://msdn.microsoft.com/library/en-us/dllproc/base/services_and_redirected_drives.asp

@@ -2105,9 +2158,9 @@ re-established until the machine is rebooted.

applications should be modified to use of \\AFS\<cellname>\<path> instead of drive letters.

3.41. 64-bit Microsoft Windows Installations

Although 64-bit Windows platforms support both 64-bit and 32-bit applications, the OpenAFS Service installed on the machine must be @@ -2122,10 +2175,10 @@ for Windows can be used with the 32-bit OpenAFS Tools to manage AFS tokens.

Without this restriction the AFS Cache File can become arbitrarily large limited only by available disk space.

3.42. Known Issues with Microsoft Windows 3.42. Known Issues with Microsoft Windows Vista

OpenAFS for Windows works with Microsoft Windows Vista @@ -2133,8 +2186,7 @@ w:st="on"> When performing an upgrade from earlier versions of Microsoft Windows the Microsoft Loopback Adapter (MSLA) may be uninstalled. OpenAFS should be -re-installed after the Microsoft Vista installation to restore the MSLA -configuration.

+re-installed after the Microsoft Vista installation to restore the MSLA configuration.

Due to a feature change in Windows Vistas Plug-n-Play network stack, during a standby/hibernate operation the MSLA is disabled just @@ -2153,9 +2205,9 @@ privilege. run with the minimum required privileges. Even Administrator accounts run applications without the Administrator access control credentials. One side -effect of this is that existing applications that mix user and system -configuration capabilities must be re-written to separate those functions that -require Administrator privileges into a separate process space. Future updates to OpenAFS will incorporate the necessary privilege separation, until that time some functions such as the Start and Stop Service features of the AFS System Tray tool and the AFS Control @@ -2163,353 +2215,457 @@ Panel will not work unless they are

The help files provided with OpenAFS are in .HLP format. Windows Vista does not include a -help engine for this format. openafs-bugs@openafs.org. -Please include as much information as possible about the issue. If you -are reporting a crash, please install the debugging symbols by re-running the -installer. If a dump file is available for the problem, -%WINDIR%\TEMP\afsd.dmp, include it along with the AFS Client Trace file -%WINDIR%\TEMP\afsd.log. The AFS Client startup log is %WINDIR%\TEMP\afsd_init.log. -Send the last continuous block of log information from this file.

- -

4. How to Debug Problems with OpenAFS for Windows:

+help engine for this format.

+ +

3.43. +New AFS Share Name Syntax Provides Direct Access to Volumes

+ +

Starting with the +1.5.21 release of OpenAFS for Windows, the following syntax can be used to +access any volume in any cell without requiring the creation of a mount point.

+ +

\\AFS\<cell><mount +point type><volume>\

+ +

Where <cell> +can be either a full cell name or an unambiguous prefix, the <mount point +type> is # for a normal mount point or % to force the use of a +read-write volume, and <volume> is either a volume name or its ID number.

+ +

Examples include:

+ +

\\AFS\athena.mit.edu#user.jaltman\

+ +

\\AFS\athena%user.jaltman\

+ +

\\AFS\athena.mit.edu# 537235559\

+ +

3.44. +Differences between Windows and UNIX fs examine

+ +

The OpenAFS for +Windows version of fs examine provide two +additional lines of output when compared to the UNIX implementation. These lines include the owner and group +information for the file as well as the volume status.

+ +

[C:\]fs examine \\afs\athena#user.jaltman

File \\afs\athena#user.jaltman (537235559.1.1) contained in cell athena.mit.edu

Owner jaltman (28180) Group 0

Volume status for vid = 537235559 named user.jaltman is

Current disk quota is 1500000

Current blocks used are 1244184

The partition has 151945877 blocks available out of 511163724

Volume is online

+ +

4. How to +Debug Problems with OpenAFS for Windows:

OpenAFS for Windows provides a wide range of tools to assist -you in debugging problems. The techniques available to you are varied because -of the wide range of issues that have been discovered over the years.

+you in debugging problems. The techniques available to you are varied +because of the wide range of issues that have been discovered over the years.

4.1. -pioctl debugging (IoctlDebug -registry key)

4.1. pioctl +debugging (IoctlDebug registry key)

pioctl (path-based ioctl) calls are used by various tools to -communicate with the AFS Client Service. Some of the operations performed -include:

pioctl (path-based ioctl) calls are used by various tools to communicate with +the AFS Client Service. Some of the operations performed include:

· -setting/querying tokens (tokens.exe, aklog.exe, afscreds.exe)

+style='font-size:9.0pt;font-family:Symbol'>· setting/querying +tokens (tokens.exe, aklog.exe, afscreds.exe)

· -setting/querying ACLs

+style='font-size:9.0pt;font-family:Symbol'>· setting/querying +ACLs

· -setting/querying cache parameters

+style='font-size:9.0pt;font-family:Symbol'>· setting/querying +cache parameters

· -flushing files or volumes

+style='font-size:9.0pt;font-family:Symbol'>· flushing +files or volumes

· -setting/querying server preferences

+style='font-size:9.0pt;font-family:Symbol'>· setting/querying +server preferences

· -querying path location

+style='font-size:9.0pt;font-family:Symbol'>· querying +path location

· -checking the status of servers and volumes

+style='font-size:9.0pt;font-family:Symbol'>· checking +the status of servers and volumes

· -setting/querying the sysname list

+style='font-size:9.0pt;font-family:Symbol'>· setting/querying +the sysname list

pioctl calls are implemented by writing to a special UNC -path that is processed by the AFS Client Service. If there is a failure to -communicate with the AFS Client Service via SMB/CIFS, it will be impossible to -perform any of the above operations.

pioctl calls are implemented by +writing to a special UNC path that is processed by the AFS Client +Service. If there is a failure to communicate with the AFS Client Service +via SMB/CIFS, it will be impossible to perform any of the above +operations.

To assist in debugging these problems, the registry value:

[HKLM\SOFTWARE\OpenAFS\Client]

REG_DWORD: IoctlDebug = 0x01

REG_DWORD: IoctlDebug += 0x01

should be set. Then any of the commands that perform pioctl -calls should be executed from the command prompt. With this key set the pioctl -library will generate debugging output to stderr. The output will contain the -Win32 API calls executed along with their most important parameters and their -return code. The MSDN Library and the Microsoft KnowledgeBase can be used as -a reference to help you determine the configuration probem with your system.

should be set. Then any of the commands that perform pioctl calls should be executed from the command +prompt. With this key set the pioctl library +will generate debugging output to stderr. The +output will contain the Win32 API calls executed along with their most +important parameters and their return code. The MSDN Library and +the Microsoft KnowledgeBase can be used as a +reference to help you determine the configuration probem +with your system.

4.2. -afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)

4.2. afsd_service initialization log +(%WinDir%\TEMP\afsd_init.log)

Every time the AFS Client Service starts it appends data -about its progress and configuration to a file. This file provides information -crucial to determining why the service cannot start when there are problems. -When the process terminates due to a panic condition it will write to this file -the source code file and line number of the error. In many cases the panic -condition is due to a misconfiguration of the machine. In other cases it might -be due to a programming error in the software. A quick review of the location -in the source code will quickly reveal the reason for the termination.

- -

The MaxLogSize -registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log -file. If the file is larger than this value when OpenAFS Client Service -starts, the file will be reset to 0 bytes. If value is set to 0, the file will -be allowed to grow indefinitely.

- -

4.3. -afsd_service debug logs (fs trace {-on, -off, -dump} -->%WinDir%\TEMP\afsd.log)

+about its progress and configuration to a file. This file provides +information crucial to determining why the service cannot start when there are +problems. When the process terminates due to a panic condition it will write +to this file the source code file and line number of the error. In many +cases the panic condition is due to a misconfiguration +of the machine. In other cases it might be due to a programming error in +the software. A quick review of the location in the source code will +quickly reveal the reason for the termination.

+ +

The MaxLogSize +registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log file. If the file is larger than this +value when OpenAFS Client Service starts, the file will be reset to 0 +bytes. If value is set to 0, the file will be allowed to grow +indefinitely.

+ +

4.3. afsd_service debug logs (fs trace {-on, -off, -dump} ->%WinDir%\TEMP\afsd.log)

When attempting to debug the behavior of the SMB/CIFS Server and the Cache Manager it is often useful to examine a log of the operations -being performed. While running the AFS Client Service keeps an in memory log -of many of its actions. The default number of actions preserved at any one -time is 5000. This can be adjusted with the registry value:

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

REG_DWORD TraceBufferSize

- -

A restart of the service is necessary when adjusting this -value. Execute "fs trace -on" to clear to the log and "fs -trace -dump" to output the contents of the log to the file.

- -

4.4. -Using SysInternals DbgView and ProcMon or FileMon Tools

- -

An alternatve option to the use of "fs trace -dump" -to capture internal OpenAFS Client Service events is to use a tool such as -Sysinternal's DbgView to capture real-time debugging output. When the OpenAFS -Client Service starts and Bit 2 of the TraceOption -value in the registry is set, all trace log events are output using the Windows -Debug Monitor interface (OutputDebugString).

REG_DWORD TraceBufferSize +

A restart of the service is necessary when adjusting this value. +Execute "fs trace -on" to clear to the log +and "fs trace -dump" to output the contents +of the log to the file.

+ +

4.4. Using SysInternals DbgView and ProcMon or FileMon Tools

+ +

An alternatve option to the use of +"fs trace -dump" to capture internal +OpenAFS Client Service events is to use a tool such as Sysinternal's +DbgView to capture real-time debugging output. +When the OpenAFS Client Service starts and Bit 2 of the TraceOption value in +the registry is set, all trace log events are output using the Windows Debug +Monitor interface (OutputDebugString).

+ +

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

REG_DWORD TraceOption = -0x04

REG_DWORD TraceOption = 0x04

Use fs trace on and fs trace off to toggle the -generation of log messages.

Use fs trace on and fs trace off to toggle the generation of log messages.

Sysinternals ProcMon or FileMon utilities can be use to monitor the -file operations requested by applications and their success or failure. -

Sysinternals ProcMon or FileMon utilities can be use to monitor the file operations +requested by applications and their success or failure.

-In FileMon, use the Volumes menu to restrict monitoring to Network volumes only in -order to reduce the output to just the CIFS requests. Turn on the Advanced -Output option in order to log with finer granularity.

In FileMon, use the Volumes menu to restrict monitoring to Network +volumes only in order to reduce the output to just the CIFS requests. +Turn on the Advanced Output option in order to log with finer +granularity.

-In ProcMon, set a filter to include only events on file paths that refer to the AFS name -space. Be sure to include both the UNC path as well as any drive letters mapped to AFS. -

In ProcMon, set a filter to +include only events on file paths that refer to the AFS name space. Be sure to +include both the UNC path as well as any drive letters mapped to AFS.

Turn on the Clock Time and Show Milliseconds options in both tools to make it easier to synchronize the application requests -and the resulting OpenAFS Client Service operations. The captured data can be -stored to files for inclusion in bug -reports.

+and the resulting OpenAFS Client Service operations. The captured +data can be stored to files for inclusion in bug reports.

4.5. Microsoft -MiniDumps
-(fs minidump -> %WinDir%\TEMP\afsd.dmp)

4.5. Microsoft MiniDumps
+(fs minidump -> %WinDir%\TEMP\afsd.dmp)

If the AFS Client Service become unresponsive to any form of communication there may be a serious error that can only be debugged by someone -with access to the source code and a debugger. The "fs minidump" -command can be used to force the generation of a MiniDump file containing the -state of all of the threads in the AFS Client Service process.

+with access to the source code and a debugger. The "fsminidump" command can be +used to force the generation of a MiniDump file +containing the state of all of the threads in the AFS Client Service process.

4.6. -Single Sign-on (Integrated Logon) debugging

4.6. Single Sign-on (Integrated Logon) debugging

If you are having trouble with the Integrated Logon operations it is often useful to be able to obtain a log of what it is -attempting to do. Setting Bit 0 of the TraceOption registry -value:

+attempting to do. Setting Bit 0 of the TraceOption +registry value:

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

REG_DWORD TraceOption = 0x01

REG_DWORD TraceOption += 0x01

will instruct the Integrated Logon Network Provider and Event Handlers to log information to the Windows Event Log: Application under the name AFS Logon".

4.7. -RX (AFS RPC) debugging (rxdebug)

4.7. RX (AFS RPC) debugging (rxdebug)

The rxdebug.exe tool can be used to query a variety of -information about the AFS services installed on a given machine. The port for -the AFS Cache Manager is 7001.

+information about the AFS services installed on a given machine. The port +for the AFS Cache Manager is 7001.

Usage: rxdebug -servers <server machine> [-port -<IP port>] [-nodally]

Usage: rxdebug -servers +<server machine> [-port <IP port>] [-nodally] +

-[-allconnections] [-rxstats] [-onlyserver] [-onlyclient]

+[-allconnections] [-rxstats] +[-onlyserver] [-onlyclient] +

[-onlyport <show -only <port>>]

[-onlyport <show only <port>>]

[-onlyhost <show -only <host>>]

[-onlyhost <show only <host>>]

[-onlyauth <show -only <auth level>>] [-version]

[-onlyauth <show only <auth level>>] [-version]

[-noconns] [-peers] -[-help]

[-noconns] [-peers] [-help]

Where: -nodally don't show dallying conns

Where: -nodally +don't show dallying conns

-allconnections don't filter out -uninteresting connections

-allconnections don't filter out uninteresting +connections

-rxstats show Rx statistics

-rxstats +show Rx statistics

-onlyserver only show server conns

-onlyclient only show client conns

-version show AFS version id

+-version show AFS version id

-noconns show no connections

-noconns +show no connections

-peers show peers

+-peers show peers

4.8. -Cache Manager debugging (cmdebug)

4.8. Cache Manager debugging (cmdebug)

The cmdebug.exe tool can be used to query the state of the AFS Cache Manager on a given machine.

Usage: cmdebug -servers <server machine> [-port -<IP port>] [-long]

Usage: cmdebug -servers <server machine> [-port <IP +port>] [-long]

[-refcounts] -[-callbacks] [-addrs] [-cache] [-help]

[-refcounts] +[-callbacks] [-addrs] [-cache] [-help]

Where: -long print all info

Where: -long +print all info

-refcounts print only cache entries with -positive reference counts

-refcounts print only cache entries with positive +reference counts

-callbacks print only cache entries with -callbacks

-callbacks +print only cache entries with callbacks

-addrs print only host interfaces

-addrs print only host +interfaces

-cache print only cache configuration

+-cache print only cache configuration

4.9. -Persistent Cache consistency check

4.9. Persistent Cache consistency check

The persistent cache is stored in a Hidden System file at -%WinDir%\TEMP\AFSCache. If there is a problem with the persistent cache that -prevent the AFS Client Service from being able to start a validation check on -the file can be performed.

The persistent cache is stored in a Hidden System file at %WinDir%\TEMP\AFSCache. If there is a problem with the +persistent cache that prevent the AFS Client Service from being able to start a +validation check on the file can be performed.

afsd_service.exe --validate-cache +

afsd_service.exe --validate-cache <cache-path>

5. Reporting Bugs:

+name="_5._Reporting_Bugs:">5. +Reporting Bugs:

Bug reports should be sent to openafs-bugs@openafs.org. -Please include as much information as possible about the issue. If you are -reporting a crash, please install the debugging symbols by re-running the -installer. If a dump file is available for the problem, -%WINDIR%\TEMP\afsd.dmp, include it along with the AFS Client Trace file -%WINDIR%\TEMP\afsd.log. The AFS Client startup log is -%WINDIR%\TEMP\afsd_init.log. Send the last continuous block of log information -from this file.

+href="mailto:openafs-bugs@openafs.org?subject=Bug%20Report">openafs-bugs@openafs.org. +Please include as much information as possible about the issue. If you +are reporting a crash, please install the debugging symbols by re-running the +installer. If a dump file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along with the AFS Client Trace +file %WINDIR%\TEMP\afsd.log. The AFS +Client startup log is %WINDIR%\TEMP\afsd_init.log. +Send the last continuous block of log information from this file.

Configuring DrWatson to generate dump files for crashes:

Configuring DrWatson to generate +dump files for crashes:

· -Run drwtsn32.exe to configure or to identify where the log and -the crash dump files are created:

+style='font-size:9.0pt;font-family:Symbol'>· Run +drwtsn32.exe to configure or to identify where the log and the crash dump files +are created:

· -click Start > Run...

+style='font-size:9.0pt;font-family:Symbol'>· click +Start > Run...

· -type drwtsn32 <enter>.

+style='font-size:9.0pt;font-family:Symbol'>· type +drwtsn32 <enter>.

· -Select either a Crash Dump Type: Mini or Full.

+style='font-size:9.0pt;font-family:Symbol'>· Select +either a Crash Dump Type: Mini or Full.

· -Clear Dump Symbol Table

+style='font-size:9.0pt;font-family:Symbol'>· Clear +Dump Symbol Table

· -Clear Append to Existing Log file.

+style='font-size:9.0pt;font-family:Symbol'>· Clear +Append to Existing Log file.

· -Check Dump All Thread Contexts.

+style='font-size:9.0pt;font-family:Symbol'>· Check +Dump All Thread Contexts.

· -Check Create Crash Dump File

+style='font-size:9.0pt;font-family:Symbol'>· Check +Create Crash Dump File

· -Next run the monitoring module of Dr. Watson:

+style='font-size:9.0pt;font-family:Symbol'>· Next +run the monitoring module of Dr. Watson:

· -click Start > Run...

+style='font-size:9.0pt;font-family:Symbol'>· click +Start > Run...

· -type drwatson <enter>.

+style='font-size:9.0pt;font-family:Symbol'>· type +drwatson <enter>.

· -Once a crash happens, Dr. Watson generates a dump file and a -report in the log file, including the address of the crash and the stack dump.

+style='font-size:9.0pt;font-family:Symbol'>· Once +a crash happens, Dr. Watson generates a dump file and a report in the log file, +including the address of the crash and the stack dump.

Once you have the Dr. Watson's logfile and minidump, zip -them and attach them to your e-mail.

Once you have the Dr. Watson's logfile +and minidump, zip them and attach them to your +e-mail.

When reporting a error, please be sure to include the version of OpenAFS.

6. How to Contribute to the Development of OpenAFS for Windows

Contributions to the development of OpenAFS for Windows are @@ -2517,17 +2673,17 @@ continuously needed. Contributions may take many forms including cash donations, support contracts, donated developer time, and even donated tech writer time.

6.1. The USENIX OpenAFS Fund

USENIX, a 501c3 non-profit corporation, has formed the USENIX OpenAFS Fund in order to accept tax deductible donations on behalf of the OpenAFS Elders. The donated funds -will be allocated by the OpenAFS Elders to fund OpenAFS development, -documentation, project management, and maintaining openafs.org.

+will be allocated by the OpenAFS Elders to fund OpenAFS development, documentation, +project management, and maintaining openafs.org.

@@ -2549,24 +2705,24 @@ documentation, project management, and maintaining openafs.org.

Donations can be made by sending a check, drawn on a U.S. -bank, made out to the USENIX OpenAFS Fund or by making a Donations can be made by sending a check, drawn on a U.S. bank, +made out to the USENIX OpenAFS Fund or by making a donation online.

6.2. Secure Endpoints Inc.

Secure Endpoints Inc. provides development and support services for OpenAFS for Windows and MIT Kerberos for Windows. - Donations provided to Secure Endpoints Inc. for the development of OpenAFS -are used to cover the OpenAFS gatekeeper responsibilities; providing support to -the OpenAFS community via the OpenAFS mailing lists; and furthering development -of desired features that are either too small to be financed by development -contracts.

+ Donations provided to Secure Endpoints Inc. for the development of +OpenAFS are used to cover the OpenAFS gatekeeper responsibilities; providing +support to the OpenAFS community via the OpenAFS mailing lists; and furthering +development of desired features that are either too small to be financed by +development contracts.

Secure Endpoints Inc. accepts software development agreements from organizations who wish to fund a well-defined set of bug fixes @@ -2576,10 +2732,10 @@ or new features.

the OpenAFS for Windows and the MIT Kerberos for Windows products.

6.3. Direct contributions of code and/or documentation

@@ -2588,9 +2744,9 @@ development staffs are encouraged to contribute any code modifications they make to OpenAFS.org via openafs-bugs@openafs.org. Contributions of documentation are highly desired.

6.4. OpenAFS for Windows Mailing Lists

If you wish to participate in OpenAFS for Windows @@ -2609,21 +2765,21 @@ mailing list.

You must join the mailing lists if you wish to post to the list without incurring a moderation delay.

7. MSI Deployment Guide

-
- + -

7.1. Introduction

@@ -2639,9 +2795,9 @@ is advisable to deploy registry settings and configuration files through group policy and/or startup scripts so that machines where OpenAFS for Windows is already installed will pick up these customizations.

7.1.1 Requirements

The information in this document applies to MSI packages @@ -2672,16 +2828,16 @@ href="http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp">http://m

The remainder of this document assumes some familiarity with authoring transforms. While the MSDN documentation for Windows Installer -is a bit dense, the guide on MSI transforms found at the second link above is -recommended reading. MSDN also includes a step-by-step example for -creating a transform at:

+is a bit dense, the guide on MSI transforms found at the second link above is recommended +reading. MSDN also includes a step-by-step example for creating a +transform at:

http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp

7.1.2 Authoring a Transform

Transforms describe a set of modifications to be performed @@ -2691,60 +2847,64 @@ using the old and the new MSI to generate a transform. For example:

1. copy -openafs.msi openafs-modified.msi

+openafs.msiopenafs-modified.msi

2. (edit -the openafs-modified.msi to include the necessary changes)

+the openafs-modified.msi to include the necessary +changes)

3. msitran --g openafs.msi openafs-modified.msi openafs-transform.mst

+style='font-size:7.0pt;font-family:"Times New Roman"'> msitran -g openafs.msiopenafs-modified.msiopenafs-transform.mst

4. (generates -openafs-transform.mst, which is the transform)

+openafs-transform.mst, which is the transform)

Transforms have an extension of .mst. 'msitran' is a -tool distributed as part of the "Windows Installer" SDK (part of the -Windows Platform SDK).

Transforms have an extension of .mst. +'msitran' is a tool distributed as part of the +"Windows Installer" SDK (part of the Windows Platform SDK).

You can test a transform by:

1. copy -openafs.msi openafs-test.msi

+openafs.msiopenafs-test.msi

2. msitran --a openafs-transform.mst openafs-test.msi

- -

and then checking the resulting openafs-test.msi to see if -all changes you have made above to openafs-modified.msi is present in -openafs-test.msi. 'msitran' will complain if some modification in the +style='font-size:7.0pt;font-family:"Times New Roman"'> msitran -a openafs-transform.mst openafs-test.msi

+ +

and then checking the resulting openafs-test.msi +to see if all changes you have made above to openafs-modified.msi +is present in openafs-test.msi. 'msitran' will complain if some modification in the transform can not be successfully applied.

As mentioned above, you can use a tool like ORCA.EXE to edit -the MSI databases directly when editing openafs-modified.msi. More -details are given below.

+the MSI databases directly when editing openafs-modified.msi. +More details are given below.

7.2. Configuration Options

The logic necessary to implement many of the settings -described in Appendix A are present -in the MSI. Most of these can be controlled by setting the corresponding -properties to the desired value. Some settings may require modifying -existing registry entries (though not recommended) or adding new resources -(like files or registry keys). Instructions for performing these tasks -are below.

- -

Appendix A are present in the MSI. Most of these can be +controlled by setting the corresponding properties to the desired value. +Some settings may require modifying existing registry entries (though not +recommended) or adding new resources (like files or registry keys). +Instructions for performing these tasks are below.
+ +

7.2.1 Configurable Properties

Most configurable properties correspond to registry keys or @@ -2755,10 +2915,10 @@ the registry key or value will not be touched. By default, the MSI does not contain these properties and hence will not set the registry keys. You will need to add properties as needed to the MSI.

When one of the configurable properties is set, the -installer will use the property value to set the corresponding setting in the -HKEY_LOCAL_MACHINE registry hive. The HKEY_CURRENT_USER hive is not touched -by the installer.

When one of the configurable properties is set, the installer +will use the property value to set the corresponding setting in the +HKEY_LOCAL_MACHINE registry hive. The HKEY_CURRENT_USER hive is not +touched by the installer.

For each property, the associated registry setting is referenced by the same text used in Appendix @@ -2770,9 +2930,9 @@ into the 'Property' table.

Numeric values should be authored as decimal strings.

7.2.1.1 Setting Properties

In order to set a property,

@@ -2799,81 +2959,83 @@ style='font-size:7.0pt;font-family:"Times New Roman"'> &n If the property does not exist in the property list, right click the list and select 'Add Row', type the property name and the desired value.

7.2.1.2 OpenAFS for Windows Properties

(Service parameters):

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

(Network provider):

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

(OpenAFS Client):

[HKLM\SOFTWARE\OpenAFS\Client]

7.2.1.2.1 Registry Properties

These properties are used to set the values of registry entries -associated with OpenAFS for Windows.

These properties are used to set the values of registry +entries associated with OpenAFS for Windows.

AFSCACHEPATH

Registry key : (Service parameters)

Registry value : CachePath

Valid values : string .

AFSCACHESIZE

Registry key : (Service parameters)

Registry value : CacheSize

Valid values : numeric

AFSCELLNAME

Registry key : (Service parameters)

@@ -2883,37 +3045,40 @@ associated with OpenAFS for Windows.

FREELANCEMODE

Registry key : (Service parameters)

Registry value : FreelanceClient

Valid values : '1' or '0'

HIDEDOTFILES

Registry key : (Service parameters)

Registry value : HideDotFiles

Valid values : '1' or '0'

LOGONOPTIONS

Registry key : (Network provider)

Registry value : LogonOptions

Valid values : '0', '1' or '3'

See Appendix A section 2.1 (Domain specific @@ -2922,123 +3087,132 @@ associated with OpenAFS for Windows.

MOUNTROOT

Registry key : (Service parameters)

Registry value : Mountroot

Valid values : string

NETBIOSNAME

Registry key : (Service parameters)

Registry value : NetbiosName

Valid values : string (at most 15 characters)

NOFINDLANABYNAME

Registry key : (Service parameters)

Registry value : NoFindLanaByName

Valid values : '1' or '0'

RXMAXMTU

Registry key : (Service parameters)

Registry value : RxMaxMTU

Valid values : numeric

SECURITYLEVEL

Registry key : (Service parameters)

Registry value : SecurityLevel

Valid values : '1' or '0'

SMBAUTHTYPE

Registry key : (Service parameters)

Registry value : SMBAuthType

Valid values : '0','1' or '2'

STOREANSIFILENAMES

Registry key : (OpenAFS Client)

Registry value : StoreAnsiFilenames

Valid values : '0' or '1'

USEDNS

Registry key : (Service parameters)

Registry value : UseDNS

Valid values : '1' or '0'

7.2.1.2.2 AFSCreds.exe Properties

These properties are combined to add a command line option -to the shortcut that will be created in the Start:Programs:OpenAFS and Start:Programs:Startup -folders (see CREDSSTARTUP). The method of specifying the option was -chosen for easy integration with the Windows Installer user interface. -Although other methods can be used to specify options to AFSCREDS.EXE, it is -advised that they be avoided as transforms including such options may not apply -to future releases of OpenAFS.

+to the shortcut that will be created in the Start:Programs:OpenAFS +and Start:Programs:Startup folders (see +CREDSSTARTUP). The method of specifying the option was chosen for easy +integration with the Windows Installer user interface. Although other +methods can be used to specify options to AFSCREDS.EXE, it is advised that they +be avoided as transforms including such options may not apply to future +releases of OpenAFS.

CREDSSTARTUP

Valid values : '1' or '0'

Controls whether AFSCreds.exe starts up automatically when @@ -3049,9 +3223,9 @@ to future releases of OpenAFS.

CREDSAUTOINIT

Valid values : '-a' or ''

Enables automatic initialization.

@@ -3059,9 +3233,9 @@ to future releases of OpenAFS.

CREDSIPCHDET

Valid values : '-n' or ''

Enables IP address change detection.

@@ -3069,9 +3243,9 @@ to future releases of OpenAFS.

CREDSQUIET

Valid values : '-q' or ''

Enables quiet mode.

@@ -3079,9 +3253,9 @@ to future releases of OpenAFS.

CREDSRENEWDRMAP

Valid values : '-m' or '

Enables renewing drive map at startup.

@@ -3089,9 +3263,9 @@ to future releases of OpenAFS.

CREDSSHOW

Valid values : '-s' or ''

Enables displaying the credential manager window when @@ -3100,9 +3274,9 @@ to future releases of OpenAFS.

7.2.2 Existing Registry Entries

You can change existing registry values subject to the @@ -3111,14 +3285,14 @@ to component key paths and try to only change the 'Value' column in the 'Registry' table. If you want to add additional registry keys please refer to section 3 (Additional resources).

7.2.3 Replacing Configuration Files

The OpenAFS configuration files (CellServDB) can be replaced -by your own configuration files. These files are contained in separate -MSI components so that you can disable them individually.

The OpenAFS configuration files (CellServDB) +can be replaced by your own configuration files. These files are +contained in separate MSI components so that you can disable them individually.

The recommended method for replacing these files is to first disable the components containing the configuration files that you want to @@ -3129,7 +3303,8 @@ outlined below (assuming you are using ORCA.EXE to author the transform).

an embedded stream. The method outlined here places the file in the same directory as the MSI for deployment.

The walkthrough below is to add a custom 'CellServDB' file.

1. In the Component table, locate the component you need to change ( Ctrl-F invokes the 'Find' dialog). The component names are listed below in section 7.2.3.1. For this -example, the component name is 'elf_CellServDB'.

+example, the component name is 'elf_CellServDB'.

1.3.1.4. Enter a condition that evaluates -to false. I.e. 'DONOTINSTALL'. (Note that an undefined property always -evaluates to false).

+font-family:"Times New Roman"'> Enter a condition that +evaluates to false. I.e. 'DONOTINSTALL'. (Note that an undefined property +always evaluates to false).

Note that you can also use this step to disable other -configuration files without providing replacements.

Note that you can also use this step to disable other configuration +files without providing replacements.

2. @@ -3188,13 +3363,13 @@ the following :

cmf_my_CellServDB

ComponentID

dirClient

@@ -3238,29 +3413,31 @@ the following :

KeyPath

fil_my_CellServDB

Note that the ComponentId is an -uppercase GUID. You can generate one using GUIDGEN.EXE or UUIDGEN.EXE, -both of which are included in the Platform SDK.

Note that the ComponentId is an uppercase GUID. You can generate +one using GUIDGEN.EXE or UUIDGEN.EXE, both of which are included in the +Platform SDK.

The Attributes value of 144 is a -sum of msidbComponentAttributesPermanent (16) and -msidbComponentAttributesNeverOverwrite (128). This ensures that local -modifications are not overwritten or lost during an installation or -uninstallation. These are the same settings used on the default -configuration files.

+sum of msidbComponentAttributesPermanent (16) and msidbComponentAttributesNeverOverwrite (128). This +ensures that local modifications are not overwritten or lost during an +installation or uninstallation. These are the +same settings used on the default configuration files.

-'fil_my_CellServDB' is a key into the 'File' table which we will fill later.

+'fil_my_CellServDB' is a key into the 'File' table +which we will fill later.

3. @@ -3283,18 +3460,18 @@ new row (Ctrl-R or 'Tables'->'Add Row') with the following values:

fea_my_CellServDB

Feature_Parent

feaClient

@@ -3365,19 +3542,20 @@ new row (Ctrl-R or 'Tables'->'Add Row') with the following values:

It is important to create the new -feature under the 'feaClient' feature, which will ensure that the configuration -file will be installed when the client binaries are installed.

It is important to create the +new feature under the 'feaClient' feature, which will +ensure that the configuration file will be installed when the client binaries +are installed.

Setting 'Display' to 0 will hide -this feature from the feature selection dialog during an interactive installation. -A value of 30 for 'Level' allows this feature to be installed by default (on a -'Typical' installation).

+this feature from the feature selection dialog during an interactive +installation. A value of 30 for 'Level' allows this feature to be +installed by default (on a 'Typical' installation).

The 'Attributes' value is -msidbFeatureAttributesDisallowAdvertise (8), which is set on all features in -the OpenAFS MSI. The OpenAFS MSI is not designed for an advertised -installation.

The 'Attributes' value is msidbFeatureAttributesDisallowAdvertise (8), which is set +on all features in the OpenAFS MSI. The OpenAFS MSI is not designed for +an advertised installation.

4. @@ -3385,7 +3563,7 @@ style='font-size:7.0pt;font-family:"Times New Roman"'> &n

4.1. Select -the 'FeatureComponents' table.

+the 'FeatureComponents' table.

4.2. Add a @@ -3400,7 +3578,7 @@ new row with the following values:

fea_my_CellServDB

@@ -3411,7 +3589,7 @@ new row with the following values:

cmf_my_CellServDB

@@ -3437,7 +3615,7 @@ new row with the following values:

fil_my_CellServDB

@@ -3448,24 +3626,24 @@ new row with the following values:

cmf_my_CellServDB

FileName

CellServDB

FileSize

The 'Attributes' value is -msidbFileAttributesNonCompressed (8192). This is because we will be -placing this file in the same directory as the MSI instead of embedding the -file in it. Transforms do not support updating compressed sources or -adding new cabinet streams.

The 'Attributes' value is msidbFileAttributesNonCompressed (8192). This is +because we will be placing this file in the same directory as the MSI instead +of embedding the file in it. Transforms do not support updating +compressed sources or adding new cabinet streams.

Finally, the 'Sequence' value of 1000 will be used later to distinguish the file as being in a separate source @@ -3527,7 +3705,7 @@ row with the following values :

DiskId

@@ -3537,7 +3715,7 @@ row with the following values :

LastSequence

The sequence number of 1000 designates -this as the media source for the newly added file.

The sequence number of 1000 +designates this as the media source for the newly added file.

7.2.3.1 Components for Configuration Files

CellServDB: -'cpf_CellServDB' (ID {D5BA4C15-DBEC-4292-91FC-B54C30F24F2A})

CellServDB: +'cpf_CellServDB' (ID +{D5BA4C15-DBEC-4292-91FC-B54C30F24F2A})

7.2.4 Adding Domain Specific Registry Keys

Following is an example for adding domain specific registry keys.

Refer to Appendix A section 2.1 for more -information.

+href="#_Appendix_A:_Registry_Values">Appendix A +section 2.1 for more information.

Columns that are unspecified should be -left empty.

Columns that are unspecified should be left +empty.

We create a new feature and component to hold -the new registry keys.

We create a new feature and component to +hold the new registry keys.

@@ -3591,17 +3770,17 @@ the new registry keys.

            (new row)
            - Feature            : - 'feaDomainKeys'
+ Feature            : 'feaDomainKeys'
            Feature - Parent : 'feaClient'
+ Parent : 'feaClient'
            Display           : 0
            Level               : 30
-             Attributes        - : 10

+ + Attributes : 10

@@ -3614,20 +3793,23 @@ the new registry keys.

            (new row)
            - Component     : 'rcm_DomainKeys'
-             - ComponentId : '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}'
-             - Directory         : 'TARGETDIR'
+ Component     : 'rcm_DomainKeys'
+             ComponentId : + '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}'
+             Directory         + : 'TARGETDIR'
            Attributes        : 4
-             - KeyPath          : 'reg_domkey0'

+ KeyPath + : 'reg_domkey0'

@@ -3635,10 +3817,10 @@ the new registry keys.

            (new row)
            - Feature            : - 'feaDomainKeys'
+ Feature            : 'feaDomainKeys'
            - Component     : 'rcm_DomainKeys'