From e5cbb7c53d91893850f4abcb45c5b478556281d6 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Fri, 21 Mar 2008 18:09:06 +0000 Subject: [PATCH] DEVEL15-windows-release-notes-20080321 LICENSE MIT final changes for 1.5.34 --- .../en_US/html/ReleaseNotes/relnotes.htm | 4882 ++++++++++------- 1 file changed, 2861 insertions(+), 2021 deletions(-) diff --git a/src/WINNT/doc/install/Documentation/en_US/html/ReleaseNotes/relnotes.htm b/src/WINNT/doc/install/Documentation/en_US/html/ReleaseNotes/relnotes.htm index 70e8a76c0..bb2fa70ed 100644 --- a/src/WINNT/doc/install/Documentation/en_US/html/ReleaseNotes/relnotes.htm +++ b/src/WINNT/doc/install/Documentation/en_US/html/ReleaseNotes/relnotes.htm @@ -10,6 +10,7 @@ xmlns="http://www.w3.org/TR/REC-html40"> + + - - -
@@ -1117,15 +1287,15 @@ Release Notes

The Andrew File System (AFS) is a location-independent file system that uses a local cache to increase its performance.  An AFS -client accesses files anonymously or via a Kerberos authentication.  The global -AFS is partitioned into cells.  The AFS cell is a collection of AFS +client accesses files anonymously or via a Kerberos authentication.  The +global AFS is partitioned into cells.  The AFS cell is a collection of AFS volumes that are administered by a common entity.   AFS cells can be administered by a department even when the Kerberos realm used for local authentication is managed by a much larger organization.  AFS clients and servers take advantage of Kerberos cross realm authentication to enable authenticated access by entities located outside the local realm.  -Authorization is enforced by the use of directory level access control lists -which can consist of individual or group identities. 

+Authorization is enforced by the use of directory level access control lists which +can consist of individual or group identities. 

The AFS volume is a tree of files and sub-directories.  AFS volumes are created by administrators and are joined @@ -1133,8 +1303,8 @@ to an AFS cell via the use of a mount point.   Once a volume is created, users can create files and directories as well as mount points and symlinks within the volume without regard for the physical location of the volume.  Administrators can move the volume to another server as necessary -without the need to notify users.   In fact, the volume move can -occur while files in the volume are in use. 

+without the need to notify users.   In fact, the volume move can occur +while files in the volume are in use. 

AFS volumes can be replicated to read-only copies.   When accessing files from a read-only replica, clients will @@ -1152,7 +1322,9 @@ solution by allowing credentials for a Kerberos principal to be obtained at logon and for that principal to be used to obtain AFS tokens for one or more cells.   Although OAFW is implemented as a locally installed SMB to AFS gateway, OAFW maintains the portability of file paths by its use of the \\AFS UNC server name.

+href="file:///\\AFS">\\AFS UNC server +name.

OpenAFS is the product of an open source development effort begun on October 31 2000.  OpenAFS is maintained and developed by a @@ -1160,45 +1332,89 @@ group of volunteers with the support of the user community.   If you use OpenAFS as part of your computing infrastructure please contribute to its continued growth.

-

1. Installer -Options. 1

- -

2. System -Requirements. 2

- -

3. -Operational Notes. 2

- -

4. How to -Debug Problems with OpenAFS for Windows 11

- -

5. Reporting -Bugs 13

- -

6. How to -Contribute to the Development of OpenAFS for Windows. 14

- -

7. MSI -Deployment Guide. 15

- -

Appendix A: -Registry Values. 26

- -

1. -Installer Options

+

1. +Installer Options. 1

+ +

2. System +Requirements. 2

+ +

3. +Operational Notes. 2

+ +

4. How to +Debug Problems with OpenAFS for Windows 11

+ +

5. +Reporting Bugs 13

+ +

6. How to +Contribute to the Development of OpenAFS for Windows. 14

+ +

7. MSI +Deployment Guide. 15

+ +

Appendix +A: Registry Values. 26

+ +

1. +Installer Options

It can be installed either as a new installation or an upgrade from previous versions of OpenAFS for Windows or IBM AFS for @@ -1213,22 +1429,27 @@ Installation System, or

style='font-size:9.0pt'>2.        a Windows Installer package (.msi) that is built using WiX and can be customized for organizations via the use of MSI Transforms (see MSI Deployment Guide)

- -

2. -System Requirements

+href="#_MSI_Deployment_Guide">MSI Deployment Guide)

+ +

2. +System Requirements

-

2.1 Supported Operating -Systems

+

2.1 +Supported Operating Systems

· font-family:"Times New Roman","serif"'>       Microsoft Windows 2008 Server (32-bit and 64-bit Intel)

-

2.1.1 -Unsupported Operating Systems2.1.1 +Unsupported Operating Systems

-

2.2 Disk Space

+

2.2 +Disk Space

Up to 60mb required for the OpenAFS binaries plus 100MB for the default AFSCache file.   (The size of the AFSCache file may be adjusted via the Registry after installation.)

-

2.3 Additional Software Packages2.3 +Additional Software Packages

-

MIT -Kerberos for Windows 2.6.x or 3.x.x if Kerberos v5 authentication support -is desired.  The recommended release is -version 3.2.2. 

- -

3. -Operational Notes

+

MIT Kerberos for Windows 2.6.x or 3.x.x +if Kerberos v5 authentication support is desired.  The recommended release is version +3.2.2. 

+ +

3. +Operational Notes

-

3.1. Requirements for -Kerberos v5 Authentication

+

3.1. +Requirements for Kerberos v5 Authentication

The Kerberos v4 infrastructure on which the OpenAFS 1.2 series is reliant is no longer secure.  Cross-realm Kerberos is very important in the AFS context and most sites have or are migrating to Kerberos v5 environments.  The OpenAFS 1.4 series (and later) integrates with MIT Kerberos for Windows 2.6.5 and -above to support Kerberos v5 authentication including automatic renewal of AFS -tokens and single sign-on via the Microsoft Windows Kerberos Logon -Service.  

+href="http://web.mit.edu/kerberos/">MIT Kerberos +for Windows 2.6.5 and above to support Kerberos v5 +authentication including automatic renewal of AFS tokens and single sign-on via +the Microsoft Windows Kerberos Logon Service.   +

The recommended version of MIT Kerberos for Windows is 3.2.2.  KFW 3.2.2 includes Network Identity Manager -1.3.1 which integrates with the AFS -Provider installed as part of OpenAFS for Windows. 

+href="http://web.mit.edu/kerberos/">MIT Kerberos +for Windows is 3.2.2.  +KFW 3.2.2 includes Network Identity Manager 1.3.1 which integrates with +the AFS Provider +installed as part of OpenAFS for Windows.  +

When KFW is installed, the OpenAFS for Windows client will obtain Kerberos v5 tickets and use them as tokens without modification.  The OpenAFS client requires that all of the AFS Servers with which it communicates support the use of Kerberos v5 tickets as tokens. If Kerberos v5 based tokens are presented to an AFS server that does not support them, the -server will be unable to communicate with the client when tokens are present. -Kerberos v5 based tokens are supported by OpenAFS release 1.2.8 or later.  IBM Transarc servers do not support Kerberos v5.

-

3.1.1. -Active Directory

+

3.1.1. +Active Directory

Microsoft Windows Active Directory can be used as a Kerberos v5 KDC in conjunction with OpenAFS.  @@ -1393,36 +1636,41 @@ Kerberos realm that issues the AFS service ticket.  First, the Kerberos v5 tickets issued by Active Directory can be quite large when compared to tickets issued by a traditional KDC due to the incorporation of authorization data (the Microsoft PAC).  If the issued tickets are larger than 344 bytes, the -OpenAFS 1.2 servers will be unable to process them and will issue a RXKADBADTICKET -error.  OpenAFS 1.4 (and beyond) servers -can support the largest tickets that Active Directory can issue.  Second, -the Kerberos v5 tickets issued by Windows 2003 Active Directory are encrypted -with the DES-CBC-MD5 encryption type (enctype).  OpenAFS 1.2 servers only -support the DES-CBC-CRC enctype.  As a -result, OpenAFS 1.2 servers cannot process the resulting Kerberos v5 -tokens.  Windows 2000 Active Directory -issues tickets with the DES-CBC-CRC enctype.

+OpenAFS 1.2 servers will be unable to process them and will issue a +RXKADBADTICKET error.  OpenAFS 1.4 (and +beyond) servers can support the largest tickets that Active Directory can +issue.  Second, the Kerberos v5 tickets issued by Windows 2003 Active +Directory are encrypted with the DES-CBC-MD5 encryption type (enctype).  +OpenAFS 1.2 servers only support the DES-CBC-CRC enctype.  As a result, OpenAFS 1.2 servers cannot +process the resulting Kerberos v5 tokens.  +Windows 2000 Active Directory issues tickets with the DES-CBC-CRC +enctype.

Microsoft has documented in Knowledge Base article 832572 -a new NO_AUTH_REQUIRED flag that can be set on the account mapped to the AFS -service principal.  When this flag is -set, the PAC authorization data will not be included in the ticket.  Setting this flag is recommended for all -accounts that are associated with non-Windows services and that do not -understand the authorization data stored in the PAC.Knowledge +Base article 832572 a new NO_AUTH_REQUIRED flag that can be +set on the account mapped to the AFS service principal.  When this flag is set, the PAC authorization +data will not be included in the ticket.  +Setting this flag is recommended for all accounts that are associated +with non-Windows services and that do not understand the authorization data +stored in the PAC.  This flag cannot be used if AFS service tickets are obtained via cross-realm using an Active Directory user principal.

Note that an Active Directory computer object cannot be used for the afs service principal.

-

3.1.2. -Using the krb524 service

+

3.1.2. +Using the krb524 service

Some organizations have AFS cell names and Kerberos realm names which differ by more then just lower and upper case and rely on a @@ -1446,33 +1694,43 @@ unable to authenticate.

is a win in all situations except when the cell name does not match the realm name and the principal names placed into the ACL’s are not the principal names from the Kerberos v5 ticket.  To support this transition, OpenAFS for -Windows 1.4 adds a new registry value, Use524, -to force the use of krb524d.  However, the availability of this option -should only be used by individuals until such time as their organizations can -provide a more permanent solution.

+Windows 1.4 adds a new registry value, Use524, to force the use of +krb524d.  However, the availability of this option should only be used by +individuals until such time as their organizations can provide a more permanent +solution.

Note that the OpenAFS 1.4.x servers permit the use of a secondary realm name that can be treated as equivalent to the cell name for authentication.

-

3.1.3. -Network Identity Manager Providerrovider

-

As of release 1.5.9, OpenAFS for Windows includes a Network Identity -Manager Provider for obtaining AFS tokens.  -This plug-in is a contribution from Secure Endpoints Inc.  Network Identity Manager is a multiple -identity credential management tool that ships with MIT Kerberos for Windows version 3.0 -and above.  The OpenAFS plug-in requires MIT Kerberos for Windows version 3.1 or -above.  Version 3.2.2 is recommended for -the best user experience.

+

As of release 1.5.9, OpenAFS for Windows includes a Network +Identity Manager Provider for obtaining AFS tokens.  This plug-in is a contribution from Secure +Endpoints Inc.  Network +Identity Manager is a multiple identity credential management tool that ships +with MIT Kerberos +for Windows version 3.0 and above.  The OpenAFS plug-in requires MIT Kerberos +for Windows version 3.1 or above.  Version 3.2.2 is recommended for the best +user experience.

netidmgr_main

+src="relnotes_files/image007.jpg" alt="netidmgr_main" v:shapes="Picture_x0020_1">

The Network Identity Manager replaces the former KFW ticket manager, Leash”, and when combined with the OpenAFS Provider, it is intended to be used as a replacement for the AFS System Tray Tool (afscreds.exe).  Unlike both Leash and the AFS System Tray -Tool, Network Identity Manager with the OpenAFS Provider can easily manage AFS -tokens for multiple cells from one or more Kerberos v5 identities.

+style='mso-spacerun:yes'>  Unlike both Leash and the AFS System Tray Tool, +Network Identity Manager with the OpenAFS Provider can easily manage AFS tokens +for multiple cells from one or more Kerberos v5 identities.

netidmgr_afs_opt

+src="relnotes_files/image008.jpg" alt="netidmgr_afs_opt" v:shapes="Picture_x0020_2">

The AFS configuration panel for each Kerberos v5 identity is used to configure which cells credentials should be obtained for and how they should be obtained.  If the cell to realm -mapping cannot be automatically determined, it can be explicitly -specified.  If the cell does not support -Kerberos v5 tickets as tokens, then a krb524 service can be configured.

+mapping cannot be automatically determined, it can be explicitly specified.  If the cell does not support Kerberos v5 +tickets as tokens, then a krb524 service can be configured.

netidmgr_afs_cfg

+src="relnotes_files/image009.jpg" alt="netidmgr_afs_cfg" v:shapes="Picture_x0020_3">

The OpenAFS Provider configuration panel can be used to check the status of the AFS Client Service and its version.  An optional checkbox is provided that will -prevent the AFS System Tray Tool from being started by Windows after login.   A shortcut to the OpenAFS Control Panel is -also provided.

- -

3.2. Use of the Microsoft -Loopback Adapter -by the AFS Client Service

+prevent the AFS System Tray Tool from being started by Windows after +login.   A shortcut to the OpenAFS +Control Panel is also provided.

+ +

3.2. +Use of the Microsoft Loopback Adapter by the AFS Client Service

By itself the OpenAFS Client Service does not provide robust behavior in a plug-n-play network environment.  Changes to the number of @@ -1603,12 +1863,13 @@ no longer required to be unique.  Instead the NETBIOS name associated with the AFS Client Service is simply "AFS" and portable UNC paths of the form \\AFS\cellname\path can now be used on all machines.

-

3.3. Using Freelance (Dynamic -Root) Mode to Improve Mobility3.3. +Using Freelance (Dynamic Root) Mode to Improve Mobility

Traditionally, when the OpenAFS Client Service starts it @@ -1639,7 +1900,11 @@ mount point will be a regular path.  These mount points are preserved in the registry at key:

HKLM\SOFTWARE\OpenAFS\Client\Freelance

+href="#_Regkey:_[HKLMSOFTWAREOpenAFSClie">HKLM\SOFTWARE\OpenAFS\Client\Freelance

Additional mount points may be manually created using the "fs mkmount" command.  Mount points may be removed using the @@ -1663,8 +1928,7 @@ volume.

>symlink make \\afs\link \\afs\athena.mit.edu\user\j\a\jaltman

-

      >symlink list -\\afs\link

+

      >symlink list \\afs\link

      '\\afs\link' is a symlink to 'athena.mit.edu\user\j\a\jaltman'

@@ -1674,29 +1938,35 @@ symlink to 'athena.mit.edu\user\j\a\jaltman'

The symlinks are stored in the registry at:

HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks 

- -

3.4. Locating AFS Volume -Database Servers -via DNS -

+href="#_Regkey:_[HKLMSOFTWAREOpenAFSClie_1">HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks 

+ +

3.4. +Locating AFS Volume Database Servers via DNS

The OpenAFS for Windows client will use DNS AFSDB records to discover the location of AFS Volume Database servers when entries for the cell -are not present in the client's CellServDB file -(\%PROGRAMFILES%\OpenAFS\Client\CellServDB).

- -

3.5. Obtaining AFS Tokens as -a Integrated Part of Windows Logon + +

3.5. +Obtaining AFS Tokens as a Integrated Part of Windows Logon

OpenAFS for Windows installs a WinLogon Network Provider to @@ -1706,7 +1976,8 @@ password associated with the default cell's Kerberos realm.  For example, if the Windows username is "jaltman" and the default cell is "athena.mit.edu", then Integrated Logon can be successfully used if the windows password matches the password assigned to the Kerberos principal -"jaltman@ATHENA.MIT.EDU".  +"jaltman@ATHENA.MIT.EDU".  The realm “ATHENA.MIT.EDU” is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers.

@@ -1717,9 +1988,12 @@ passwords.

When KFW is configured, Integrated Logon will use it to obtain tokens. Use of KFW for Integrated Logon can be disabled via the EnableKFW registry value.  Use of the krb524 service can be configured -via the Use524 registry value.

+href="#_Value:_EnableKFW">EnableKFW registry +value.  Use of the krb524 service can be +configured via the Use524 +registry value.

Integrated Logon will not transfer Kerberos v5 tickets into the user’s logon session credential cache. KFW 3.1 and above provides that @@ -1730,24 +2004,28 @@ user's username and password for the purpose of obtaining tokens if the Kerberos KDC is inaccessible at logon time.

Integrated Logon supports the ability to obtain tokens for -multiple cells.  For further information on how to configure this feature -read about the TheseCells value.

+multiple cells.  For further information on how to configure this feature read +about the TheseCells +value.

Integrated Logon can be configured based upon the domain of the Windows account used to login to the machine.  See A.2.1 Domain specific configuration keys for -the Network Provider.

- -

3.6. AFS System Tray Command -Line Options

+class=Heading1Char>A.2.1 +Domain specific configuration keys for the Network Provider.

+ +

3.6. +AFS System Tray Command Line Options

The AFS System Tray Tool (afscreds.exe) has been deprecated in favor of Network Identity Manager. installers to use “-A -N -M -Q” as startup options.  Currently, there is no user interface to change this selection after install time although these options may be altered via the registry on either per machine or per user -basis.  See AfscredsShortcutParams -in Appendix A.

- -

3.7. The “AFS Client Admins” -Authorization Group

+basis.  See AfscredsShortcutParams in Appendix A.

+ +

3.7. +The “AFS Client Admins” Authorization Group

The OpenAFS for Windows client supports a local Windows authorization group named "AFS Client Admins".  This group is @@ -1867,9 +2149,9 @@ font-family:"Times New Roman","serif"'>       ·       minidump

-

The creation or removal of mount points and symlinks in the Freelance -“root.afs” volume are also restricted to members of the “AFS Client Admins” -group.

+

The creation or removal of mount points and symlinks in the +Freelance “root.afs” volume are also restricted to members of the “AFS Client +Admins” group.

The initial membership of the "AFS Client Admins" group when created by the installer is equivalent to the local @@ -1877,20 +2159,22 @@ group when created by the installer is equivalent to the local "Administrators" group after the creation of the "AFS Client Admin" group, that user will not be an AFS Client Administrator.  Only users that are members of the "AFS Client Admins" group are AFS -Client Administrators.  The local "SYSTEM" account is an implicit -member of the "AFS Client Admins" group.

+Client Administrators.  The local "SYSTEM" account is an +implicit member of the "AFS Client Admins" group.

Setting the default sysname for a machine should be done via -the registry and not via "fs -sysname".

- -

3.8. OpenAFS support for UNC -paths -

+the registry +and not via "fs sysname".

+ +

3.8. +OpenAFS support for UNC paths

The OpenAFS client supports UNC paths everywhere.  UNC paths provide a canonical name for resources stored within AFS.  UNC paths @@ -1904,20 +2188,25 @@ processors.  Unlike cmd.exe, the JPSoftware shells fully support UNC paths as the current directory.  JPSoftware added special recognition for OpenAFS to its command shells, 4NT 7.0 and Take Command 7.0.  AFS paths can be entered in UNIX notation (e.g., /afs/openafs.org/software), space -utilization reports the output of the volume status for the specified path, and -many AFS specific functions and variables have been added to the command -language.

- -

JPSoftware's web site is http://www.jpsoft.com.

- -

3.9. aklog.exe

+href="file:///\\afs\openafs.org\software">/afs/openafs.org/software), +space utilization reports the output of the volume status for the specified +path, and many AFS specific functions and variables have been added to the +command language.

+ +

JPSoftware's web site is http://www.jpsoft.com.

+ +

3.9. +aklog.exe

The OpenAFS Client ships with its own version of aklog.exe which should be used in preference to those obtained by other sources.  @@ -1956,13 +2245,14 @@ Kerberos IV tickets

   -m = use krb524d to convert Kerberos V tickets to Kerberos IV

-

3.10. OpenAFS Servers on -Windows are Unsupported

+

3.10. +OpenAFS Servers on Windows are Unsupported

The AFS Server functionality provided as part of the OpenAFS install package might work but should be considered highly experimental.  @@ -1970,11 +2260,13 @@ It has not been thoroughly tested.  Any data which would cause pain if lost should not be stored in an OpenAFS Server on Windows.

Known issues include lack of support for power management -and dynamic network configuration.  -Salvager is also known to crash.

+and dynamic network configuration.  Salvager +is also known to crash.

-

3.10.1. -OpenAFS Server Installation3.10.1. +OpenAFS Server Installation

When the OpenAFS Server is installed, the TransarcAFSServer @@ -1984,17 +2276,21 @@ the traditional AFS bos server. former AFS Server Configuration wizard makes assumptions that no longer hold true and it has therefore been disabled.  However, following the instructions for installing the AFS Servers on -UNIX it is possible to properly configure the AFS Servers on Microsoft Windows.  The AFS Server binaries, configuration files, -and log files are installed under %Program Files%\OpenAFS\Server.   kaserver -has been deprecated and its use is strongly discouraged.  Instead, Active Directory or some other -Kerberos v5 KDC should be used in its place.

- -

3.10.2. -Using the AFS Client Service when the Server is installed  The AFS Server binaries, +configuration files, and log files are installed under %Program +Files%\OpenAFS\Server.   kaserver has been deprecated and its use is strongly +discouraged.  +Instead, Active Directory or some other Kerberos v5 KDC should be used +in its place.

+ +

3.10.2. +Using the AFS Client Service when the Server is installed

A few notes on the usage of the AFS Client Service if it is @@ -2012,9 +2308,12 @@ explicit mountpoint to the root.afs volume from another volume.

style='font-size:9.0pt;font-family:Symbol'>·       The AFS Server and related tools only support the built in kaserver (Kerberos -IV).  If kaserver is being used, MIT -Kerberos for Windows should not be installed or must be disabled via the EnableKFW registry value.

+IV).  If kaserver is being used, MIT Kerberos for Windows should not be +installed or must be disabled via the EnableKFW registry value.

·   An inadvertent shutdown will corrupt volume data.

-

3.11. OpenAFS Debugging -Symbol files

+

3.11. +OpenAFS Debugging Symbol files

-

The OpenAFS for Windows installers include Debugging Symbol -files which should be installed if you are experiencing problems and need to send +

The OpenAFS for Windows installers include Debugging Symbol files +which should be installed if you are experiencing problems and need to send crash reports.  This is true for both the release and the debug versions of the installers.  The difference between the release and debug versions are:

@@ -2062,27 +2362,31 @@ font-family:"Times New Roman","serif"'>       -

3.12. Large File (64-bit) Support

+style='mso-bookmark:_Toc115416118'>3.12. +Large +File (64-bit) Support

As of release 1.5.3, OpenAFS for Windows supports files larger than 2GB.  The maximum file size is now 16777216 terabytes when the AFS File Server supports large files.   If the AFS File Server does not support 64-bit file sizes, then the maximum file size remains 2GB.

-

3.13. Encrypted AFS Network -Communication

+

3.13. +Encrypted AFS Network Communication

The OpenAFS for Windows installer by default activates a weak form of encrypted data transfer between the AFS client and the AFS @@ -2091,13 +2395,14 @@ Encrypted data transfer can be turned on or off with the command.  Transitions between “crypt” and “non-crypt” modes are logged to the Windows Application Event Log.

-

3.14. Authenticated Access to -the OpenAFS Client Service

+

3.14. +Authenticated Access to the OpenAFS Client Service

OpenAFS authenticates SMB connections using either NTLM or GSS SPNEGO (NTLM).  In previous versions of OpenAFS, the SMB connections @@ -2107,28 +2412,34 @@ machines.   

When GSS SPNEGO attempts a Kerberos v5 authentication, the Windows SMB client will attempt to retrieve service tickets for -"cifs/afs@REALM" (if the loopback adapter is in use) or "cifs/machine-afs@REALM" -(if the loopback adapter is not being used).  It is extremely important -that this service principal not exist in the KDC database as the Kerberos -authentication must fail allowing automatic fallback to NTLM.  When NTLM -is used a special local authentication mode will be used that does not require -access to the user's password.  Instead, Windows will internally recognize -the request as coming from a local logon session.

- -

3.15. No More INI Files + +

3.15. +No More INI Files

Previous AFS clients for Windows stored configuration data in Windows .INI files.   The OpenAFS client does not use Windows .INI files for the storage of configuration data.   All settings are -stored in the registry (see Appendix A).  -The CellServDB file is now stored in either the %ALLUSERSPROFILE%\Application -Data\OpenAFS\Client directory or the %PROGRAMFILES%\OpenAFS\Client -directory.   The CellServDBDir +stored in the registry (see Appendix A).  The CellServDB file +is now stored in either the %ALLUSERSPROFILE%\Application Data\OpenAFS\Client +directory or the %PROGRAMFILES%\OpenAFS\Client directory.   The CellServDBDir registry value or the AFSCONF environment variable can be used to specify an alternative location.

@@ -2138,13 +2449,14 @@ the new CellServDB file.  OpenAFS will also import the contents of the “afs_freelance.ini” file to the Windows registry.   OpenAFS will not process the contents of the “afsddbmt.ini”.

-

3.16. Microsoft Windows -Internet Connection Firewall

+

3.16. +Microsoft Windows Internet Connection Firewall

The OpenAFS Client is compatible with the Internet Connection Firewall that debuted with Windows XP SP2 and Windows 2003 @@ -2154,35 +2466,38 @@ In addition, the appropriate Back Connection registry entries are added to allow SMB authentication to be performed across the Microsoft Loopback Adapter.

-

3.17. Browsing AFS from the -Explorer Shell and Office

+

3.17. +Browsing AFS from the Explorer Shell and Office

The OpenAFS Client Service implements the CIFS Remote Admin Protocol which allows Explorer to browse server and share information. This significantly enhances the interoperability of AFS volumes within the Explorer Shell and Microsoft Office applications.

-

3.18. Byte3.18. +Byte Range Locking Locking

Many applications on Windows (e.g. Microsoft Office) require the use of byte range locks applied to a file either to protect against simultaneous file access or as a signaling mechanism.   OpenAFS for Windows release 1.5 (or greater) implements byte range locking within the -CIFS-AFS gateway server.   This support for byte range locking obtains -AFS’ advisory file server locks to simulate Microsoft Windows mandatory +CIFS-AFS gateway server.   This support for byte range locking +obtains AFS’ advisory file server locks to simulate Microsoft Windows mandatory locks.   When an application opens a file, a lock will be obtained from AFS indicating that the file is in use.  If the lock is a write lock, access to the file will be restricted to other applications running on the same @@ -2268,15 +2583,18 @@ inconvenience on end users. 

If you wish to disable the acquisition of locks from the file server, this can be performed using the EnableServerLocks registry value.

- -

3.19. Automatic Discarding of -AFS Tokens at Logoff

+href="#_Value:_EnableServerLocks">EnableServerLocks +registry value.

+ +

3.19. +Automatic Discarding of AFS Tokens at Logoff

The OpenAFS Client will automatically forget a user's tokens upon Logoff unless the user's profile was loaded from an AFS volume.  In @@ -2287,16 +2605,20 @@ from the registry can be determined for Local Accounts, Active Directory accounts and NT4 accounts.

If there is a need to disable this functionality, the LogoffPreserveTokens registry value -can be used. (see Appendix A.)

- -

3.20. Windows Terminal Server -installations

+href="#_Value_:_LogoffPreserveTokens">LogoffPreserveTokens +registry value can be used. (see Appendix A.)

+ +

3.20. +Windows Terminal Server installations

When installing the NSIS (.exe) installer under Terminal Server, you must execute it from within the Add/Remove Programs Control @@ -2304,11 +2626,13 @@ Panel.  Failure to do so will result in AFS not running properly.  The AFS Server should not be installed on a machine with Terminal Server installed.

-

3.21. Hidden Dot Files3.21. +Hidden Dot Files

AFS is a UNIX native file system.  The OpenAFS client @@ -2316,13 +2640,17 @@ attempts to treat the files stored in AFS as they would be on UNIX.  File and directory names beginning with a "." are automatically given the Hidden attribute so they will not normally be displayed.  This behavior can be altered via the HideDotFiles registry value.

- -

3.22. Status Cache LimitsHideDotFiles +registry value.

+ +

3.22. +Status Cache Limits

The Status Cache (AFS Configuration Control Panel: Advanced @@ -2331,23 +2659,26 @@ represents a single file or directory entry accessed within the AFS file system.  When the maximum number of entries are allocated, entries will begin to be reused according to a least recently used (LRU) algorithm.  If the number of files or directories being accessed repeatedly by your -applications is greater then the maximum number of entries, your host will -begin to experience thrashing of the Status Cache and all requests will result -in network operations.

+applications is greater then the maximum number of entries, your host will begin +to experience thrashing of the Status Cache and all requests will result in +network operations.

If you are experiencing poor performance try increasing the maximum number of Status Cache entries.  Each entry requires approximately 1.2K.  The default number of Status Cache entries is 10,000.  This can be adjusted using the Stats registry value.

- -

3.23. NETBIOS over TCP/IP -must be enabled

+href="#_Value:_Stats">Stats registry +value.

+ +

3.23. +NETBIOS over TCP/IP must be enabled

"Netbios over TCP/IP" must be active on the machine in order for communication with the AFS Client Service to @@ -2356,13 +2687,14 @@ then communication with the AFS Client Service will be impossible.  If you are using the Microsoft Loopback Adapter, configure the “Netbios over TCP/IP” setting for the adapter.

-

3.24. OpenAFS binaries are -digitally signed

+

3.24. +OpenAFS binaries are digitally signed

The OpenAFS Client Service and related binaries distributed by OpenAFS.org are digitally signed by "Secure Endpoints Inc.".  @@ -2374,33 +2706,42 @@ on a machine at the same time.  Many hours of support time have been wasted tracking down problems caused by the mixture of files from different releases. 

-

Appendix A -documents the "VerifyServiceSignature" +

Appendix A documents the +"VerifyServiceSignature" registry value which can be used to disable the signature check.  The file version check cannot be disabled.

-

3.25. Maximum Size of the -AFSCache File

+

3.25. +Maximum Size of the AFSCache File

The maximum cache size on 32-bit Windows is approximately 1.3GB.  This is the largest contiguous block of memory in the 2GB process address space which can be used for constructing a memory mapped file.  -Due to fragmentation of the process space caused by the loading of libraries -required by the digital signature verification code, any attempt to specify a -cache size greater then 700MB will result in the automatic disabling of the -signature check.  Significantly larger -cache sizes can be used on 64-bit Windows.

- -

3.26. Filename Character Sets  Significantly larger cache sizes +can be used on 64-bit Windows.

+ +

3.26. +Filename Character Sets

OpenAFS for Windows implements an SMB server which is used @@ -2495,20 +2836,22 @@ any of the following characters:

 

The OpenAFS Client provides an optional registry value, StoreAnsiFilenames, that can be -set to instruct OpenAFS to store filenames using the ANSI Code Page instead of -the OEM Code Page.  The ANSI Code Page is a compatible superset of -Latin-1.  This setting is not the default setting because making this +href="#_Value___:_StoreAnsiFilenames">StoreAnsiFilenames, +that can be set to instruct OpenAFS to store filenames using the ANSI Code Page +instead of the OEM Code Page.  The ANSI Code Page is a compatible superset +of Latin-1.  This setting is not the default setting because making this change would prevent OpenAFS for Windows from being able to access filenames containing the above characters which were created without this setting.

-

3.27. Known Character Set -Issues with Roaming Profiles

+

3.27. +Known Character Set Issues with Roaming Profiles

There is a known issue with storing Windows Roaming Profiles when the profile contains either directories or files with names which cannot @@ -2519,11 +2862,13 @@ UNICODE.  To avoid this problem some sites run custom logoff scripts (assigned by group policy) which rename all files to use only the supported characters for the locale.

-

3.28. The AFSCache File3.28. +The AFSCache File

The AFS Cache file is stored by default at %TEMP%\AFSCache @@ -2540,12 +2885,13 @@ consist of as few fragments as possible.   Significant performance gains can be achieved by defragmenting the AFSCache file with Sysinternal's Contig utility while the AFS Client Service is stopped.

-

3.29. Restricting OpenAFS -Client Service Start and Stop3.29. +Restricting OpenAFS Client Service Start and Stop

A new command line tool, afsdacl.exe, can be used to @@ -2571,33 +2917,39 @@ afsd service by any ordinary user.

          -show  : Show current DACL (SDSF)

-

3.30. The @sys Name List3.30. +The @sys Name List

The default @sys name list in the OpenAFS Client is set to "x86_win32 i386_w2k i386_nt40" for 32-bit x86 systems.  The default is "amd64_win64" for amd 64-bit versions of Windows.

-

3.31. Symlinks to AFS UNC -paths

+

3.31. +Symlinks to AFS UNC paths

In OpenAFS, symlinks to AFS UNC paths, \\AFS[\all]\..., are -treated the same as symlinks to /afs/...  However, please use /afs/... as -the Windows UNC form will not work on UNIX client.

- -

3.32. Cache Manager Debugging + +

3.32. +Cache Manager Debugging

The OpenAFS Client implements the Cache Manager Debugging @@ -2618,15 +2970,16 @@ style='mso-spacerun:yes'> entries with positive reference counts

       --callbacks   print only cache -entries with callbacks

+-callbacks   print only cache entries +with callbacks

       -ctime       print human readable expiration time

-

       -addrs       print only host interfaces

+

       +-addrs       print only host +interfaces

       -cache       print only cache @@ -2636,39 +2989,45 @@ configuration

-cellservdb  print only cellservdb info

-

3.33. Windows Logon Caching -vs. Kerberos Logons

+

3.33. +Windows Logon Caching vs. Kerberos Logons

If you are a site which utilizes MIT/Heimdal Kerberos principals to logon to Windows via a cross-realm relationship with a multi-domain Windows forest, you must enable Windows logon caching unless the workstation is Windows Vista.

-

3.34. Initial Server -Preferences

+

3.34. +Initial Server Preferences

VLDB and File Server Preferences can now be provided initial values using registry keys.  This is useful for managed machines in a Windows domain which are centrally located (e.g., in a computing lab.)  -See Appendix A for details on the -"Server Preferences" -keys.

- -

3.35. File TimestampsAppendix A +for details on the "Server Preferences" keys.

+ +

3.35. +File Timestamps

The OpenAFS Client reports timestamps on files stored in AFS @@ -2689,13 +3048,14 @@ are used to being able to compare the timestamp in an UNIX shell with the timestamp from the Windows explorer.  During DST, these two times will no longer agree even though they are in fact representing the same moment in time.

-

3.36. Windows RPC client -support must be installed

+

3.36. +Windows RPC client support must be installed

If the installer refuses to install and complains about an RPC configuration error, check to ensure that the following registry entries @@ -2707,19 +3067,20 @@ are present and that they refer to the dll "rpcrt4.dll":

   HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_ip_tcp"

-

   HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" -"ncadg_ip_udp"

+

   HKLM +"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"

   HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"

-

3.37. Generating Minidumps of -the OpenAFS Client Service

+

3.37. +Generating Minidumps of the OpenAFS Client Service

OpenAFS 1.4 added a new command, "fs minidump".  This command can be used at any time to generate a mini @@ -2727,23 +3088,24 @@ dump file containing the current stack of the afsd_service.exe process.   This output can be very helpful when debugging the AFS Client Service when it is unresponsive to SMB/CIFS requests.

-

3.38. AFS Client Universally -Unique Identifiers (UUIDs) vs. System Cloning3.38. +AFS Client Universally Unique Identifiers (UUIDs) vs. System Cloning

The OpenAFS Client implements Universally Unique Identifiers -(UUIDs).  They are used to provide the AFS file server with a method of -identifying the client that is independent of IP address.  This permits -the AFS file server to track mobile clients or those behind Network Address -Translators when they move from address to address or port to port. Tracking -the client improves client performance by permitting callback state to be maintained -across location changes. The UUID is generated when the AFSCache file is -created and is maintained as long as the contents of the AFSCache file are -valid.  The UUID is stored in the AFSCache file. 

+(UUIDs).  They are used to provide the AFS file server with a method of identifying +the client that is independent of IP address.  This permits the AFS file +server to track mobile clients or those behind Network Address Translators when +they move from address to address or port to port. Tracking the client improves +client performance by permitting callback state to be maintained across +location changes. The UUID is generated when the AFSCache file is created and +is maintained as long as the contents of the AFSCache file are valid.  The +UUID is stored in the AFSCache file. 

When cloning machines that have Windows AFS client installed it is necessary to generate a new UUID for each client. This will be done @@ -2755,9 +3117,10 @@ only result in horrible AFS client performance and cache inconsistencies, but they will also put a tremendous strain on the AFS file servers.

For lab environments that wish to erase all cached data on -each restart, the NonPersistentCaching option will -disable the use of the persistent cache file. As a side effect, a new UUID will -be generated for the AFS client service on each restart.

+each restart, the NonPersistentCaching +option will disable the use of the persistent cache file. As a side effect, a +new UUID will be generated for the AFS client service on each restart.

When a Windows system is cloned, the Microsoft Loopback Adapter will be disabled in the cloned system.  @@ -2769,10 +3132,12 @@ style='mso-spacerun:yes'> installer by performing an administrative install via msiexec.exe /a.

-

3.39. -Delayed Write Errors with Microsoft Office Applications3.39. Delayed Write Errors +with Microsoft Office Applications

Microsoft Office makes heavy use of asynchronous @@ -2790,45 +3155,60 @@ first to a local disk and subsequently copy the file to AFS as copying a file with the explorer shell does not use asynchronous i/o.

The CIFS session timeout defaults to 45 seconds and can be -increased by modifying the registry.

+increased by modifying the registry.

Beginning with the 1.5.33 release, the performance characteristics of SMB Write Data operations can be adjusted.  In prior releases all writes were performed -using a restricted asynchronous store model in which only one asynchronous -store operation per file can be performed at a time.  The reason for this restriction is limit the -amount of data the cache manager will accept without it having been written to -the file server.  If too much unwritten -data is accepted, the file close operation will block until all of the -unwritten data is output and this could trigger a CIFS client disconnect. 

- -

Prior to 1.5.33 the size of the asynchronous store was always -equal to the chunk size which was often too large for low bandwidth connections.  The asynchronous store size now defaults to -32KB and is configurable using the SMBAsyncStoreSize -registry value.  Asynchronous store -operations can also be disabled using the EnableSMBAsyncStore -registry value in which case all writes received by the cache manager block -until the Rx StoreData operation completes.

- -

3.40. -Global Drives (aka Service - Drive Letters) are no longer supported by Microsoft  In prior releases all writes were performed using +a restricted asynchronous store model in which only one asynchronous store +operation per file can be performed at a time.  +The reason for this restriction is limit the amount of data the cache +manager will accept without it having been written to the file server.  If too much unwritten data is accepted, the +file close operation will block until all of the unwritten data is output and +this could trigger a CIFS client disconnect.  +

+ +

Prior to 1.5.33 the size of the asynchronous store was +always equal to the chunk size which was often too large for low bandwidth +connections.  The asynchronous store size +now defaults to 32KB and is configurable using the SMBAsyncStoreSize +registry value.  Asynchronous store operations +can also be disabled using the EnableSMBAsyncStore registry value in +which case all writes received by the cache manager block until the Rx +StoreData operation completes.

+ +

3.40. Global Drives (aka Service + Drive Letters) are no longer +supported by Microsoft

The Global DriveAuto-mount feature has been deprecated due to the following Microsoft KB article.

http://msdn.microsoft.com/library/en-us/dllproc/base/services_and_redirected_drives.asp

+href="http://msdn.microsoft.com/library/en-us/dllproc/base/services_and_redirected_drives.asp">http://msdn.microsoft.com/library/en-us/dllproc/base/services_and_redirected_drives.asp

It says that services mounting drive letters are no longer supported by Microsoft and may act unpredictably.  The experience other @@ -2840,10 +3220,12 @@ re-established until the machine is rebooted.

applications should be modified to use of \\AFS\<cellname>\<path> instead of drive letters.

-

3.41. -64-bit Microsoft Windows Installations3.41. 64-bit Microsoft +Windows Installations

Although 64-bit Windows platforms support both 64-bit and @@ -2859,12 +3241,15 @@ for Windows can be used with the 32-bit OpenAFS Tools to manage AFS tokens.

Without this restriction the AFS Cache File can become arbitrarily large limited only by available disk space.

-

3.42. -Known Issues with Microsoft Windows 3.42. Known Issues with +Microsoft Windows VistaVista

OpenAFS for Windows works with Microsoft Windows Vista @@ -2886,36 +3271,41 @@ and the AFS file space to become available. other tools will report that the AFS Client Service may not have been started.

Windows Vista implements User -Account Control (UAC), a new security feature that implements least user -privilege.  With UAC, applications only -run with the minimum required privileges.  -Even Administrator accounts run applications without the “Administrator” -access control credentials.  One side -effect of this is that existing applications that mix user and system -configuration capabilities must be re-written to separate those functions that -require “Administrator” privileges into a separate process space.  Future updates to OpenAFS will incorporate -the necessary privilege separation, until that time some functions such as the -Start and Stop Service features of the AFS System Tray tool and the AFS Control -Panel will not work unless they are “Run as Administrator”.  When a Vista -user account that is a member of the “Administrators” group is used to access -the AFS Control Panel (afs_config.exe), the process must be “Run as Administrator”.User Account Control (UAC), a new +security feature that implements least user privilege.  With UAC, applications only run with the +minimum required privileges.  Even +Administrator accounts run applications without the “Administrator” access +control credentials.  One side effect of +this is that existing applications that mix user and system configuration +capabilities must be re-written to separate those functions that require “Administrator” +privileges into a separate process space.  +Future updates to OpenAFS will incorporate the necessary privilege +separation, until that time some functions such as the Start and Stop Service +features of the AFS System Tray tool and the AFS Control Panel will not work +unless they are “Run as Administrator”.  +When a Vista user account that is a +member of the “Administrators” group is used to access the AFS Control Panel +(afs_config.exe), the process must be “Run as Administrator”.   Otherwise, attempts to modify the OpenAFS configuration will appear to succeed but in reality will have failed due to Vista’s system file and registry virtualization feature.

The help files provided with OpenAFS are in .HLP format. Windows Vista does not include a -help engine for this format.

- -

3.43. New AFS Share Name -Syntax Provides Direct Access to Volumes

+href="http://support.microsoft.com/kb/917607">Windows Vista +does not include a help engine for this format.

+ +

3.43. New AFS Share Name Syntax Provides Direct Access to +Volumes

Starting with the 1.5.21 release of OpenAFS for Windows, the following syntax can be used to @@ -2941,10 +3331,11 @@ style='mso-tab-count:1'>

            \\AFS\athena.mit.edu# 537235559\

-

3.44. Differences between -Windows and UNIX “fs examine”

+

3.44. Differences between Windows and UNIX “fs examine”

The OpenAFS for Windows version of “fs examine” provide two additional lines of output when @@ -2964,476 +3355,599 @@ style='mso-bookmark:_Toc115416145'>The partition has 151945877 blocks available style='mso-bookmark:_Toc115416145'>Volume is online -

3.45. Literal evaluation of -AFS objects via fs commands

+

3.45. Literal evaluation of AFS objects via fs commands

-

Beginning with -the 1.5.31 release, the fs commands examine, -flush, Beginning with the 1.5.31 release, the fs +commands examine, flush, whereis, and whichcell provide a new command-line parameter, -literal.  When specified, if the evaluated object is a symlink or a mountpoint the resulting output will describe the specified object and not the object that is the target of the symlink or mountpoint.

-

3.46. Out of Quota errors3.46. Out of Quota errors

-

Prior to the -1.5.31 release, out of quota errors were reported to the calling application as -an out of space error.  As of 1.5.31, an -out of space error will indicate that the partition on which the volume is -located is in fact out of space.  Whereas -an out of quota error indicates that the user does not have permission to -allocate additional space.

- -

4. How to Debug Problems with -OpenAFS for Windows

- -

OpenAFS for Windows provides a wide range of tools to assist -you in debugging problems.  The techniques available to you are varied -because of the wide range of issues that have been discovered over the years.

- -

4.1. -pioctl debugging (IoctlDebug registry key)

+

Prior to the 1.5.31 release, out of quota +errors were reported to the calling application as an out of space error.  As of 1.5.31, an out of space error will +indicate that the partition on which the volume is located is in fact out of +space.  Whereas an out of quota error +indicates that the user does not have permission to allocate additional space.

+ +

4. +How to Debug Problems with OpenAFS for Windows

-

pioctl (path-based ioctl) calls are used by various tools to -communicate with the AFS Client Service.  Some of the operations performed -include:

+

OpenAFS +for Windows provides a wide range of tools to assist you in debugging +problems.  The techniques available to you are varied because of the wide +range of issues that have been discovered over the years.

+ +

4.1. +pioctl debugging (IoctlDebug +registry key)

-

pioctl +(path-based ioctl) calls are used by various tools to communicate with the AFS +Client Service.  Some of the operations performed include:

+ +

·       setting/querying tokens  (tokens.exe, aklog.exe, afscreds.exe)

-

·       setting/querying ACLs

-

·       setting/querying cache parameters

-

·       flushing files or volumes

-

·       setting/querying server preferences

-

·       querying path location

-

·       checking the status of servers and volumes

-

·       setting/querying the sysname list

-

pioctl calls are implemented by writing to a special UNC -path that is processed by the AFS Client Service.   If there is a failure -to communicate with the AFS Client Service via SMB/CIFS, it will be impossible -to perform any of the above operations.  

- -

To assist in debugging these problems, the registry value:

- -

  [HKLM\SOFTWARE\OpenAFS\Client]

- -

  REG_DWORD:  IoctlDebug   = 0x01

- -

should be set.  Then any of the commands that perform -pioctl calls should be executed from the command prompt.  With this key -set the pioctl library will generate debugging output to stderr.  The -output will contain the Win32 API calls executed along with their most -important parameters and their return code.   The MSDN Library and -the Microsoft KnowledgeBase can be used as a reference to help you determine -the configuration probem with your system.

- -

4.2. -afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)pioctl +calls are implemented by writing to a special UNC path that is processed by the +AFS Client Service.   If there is a failure to communicate with the +AFS Client Service via SMB/CIFS, it will be impossible to perform any of the +above operations.  

+ +

To +assist in debugging these problems, the registry value:

+ +

  +[HKLM\SOFTWARE\OpenAFS\Client]

+ +

  +REG_DWORD:  IoctlDebug   = 0x01

+ +

should +be set.  Then any of the commands that perform pioctl calls should be +executed from the command prompt.  With this key set the pioctl library +will generate debugging output to stderr.  The output will contain the +Win32 API calls executed along with their most important parameters and their return +code.   The MSDN Library and the Microsoft KnowledgeBase can be used +as a reference to help you determine the configuration probem with your system.

+ +

4.2. +afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)

-

Every time the AFS Client Service starts it appends data -about its progress and configuration to a file.  This file provides -information crucial to determining why the service cannot start when there are -problems.  When the process terminates due to a panic condition it will -write to this file the source code file and line number of the error.  In -many cases the panic condition is due to a misconfiguration of the -machine.  In other cases it might be due to a programming error in the software.  -A quick review of the location in the source code will quickly reveal the -reason for the termination.

- -

The MaxLogSize +

Every +time the AFS Client Service starts it appends data about its progress and +configuration to a file.  This file provides information crucial to +determining why the service cannot start when there are problems.  When +the process terminates due to a panic condition it will write to this file the +source code file and line number of the error.  In many cases the panic +condition is due to a misconfiguration of the machine.  In other cases it +might be due to a programming error in the software.  A quick review of +the location in the source code will quickly reveal the reason for the +termination.

+ +

The +MaxLogSize registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log file.  If the file is larger than this value when OpenAFS Client Service starts, the file will be reset to 0 bytes.  If value is set to 0, the file will be allowed to grow indefinitely.

-

4.3. +

4.3. afsd_service debug logs (fs trace {-on, -off, -dump} -->%WinDir%\TEMP\afsd.log)

-

When attempting to debug the behavior of the SMB/CIFS Server -and the Cache Manager it is often useful to examine a log of the operations -being performed.  While running the AFS Client Service keeps an in memory -log of many of its actions.   The default number of actions preserved -at any one time is 5000.  This can be adjusted with the registry value:

+

When +attempting to debug the behavior of the SMB/CIFS Server and the Cache Manager +it is often useful to examine a log of the operations being performed.  +While running the AFS Client Service keeps an in memory log of many of its +actions.   The default number of actions preserved at any one time is +5000.  This can be adjusted with the registry value:

-

  +

  [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

-

  REG_DWORD  TraceBufferSize

+

  +REG_DWORD  TraceBufferSize

-

A restart of the service is necessary when adjusting this -value.   Execute "fs trace -on" to clear to the log and -"fs trace -dump" to output the contents of the log to the file.

+

A +restart of the service is necessary when adjusting this value.   Execute +"fs trace -on" to clear to the log and "fs trace -dump" to +output the contents of the log to the file.

-

4.4. -Using SysInternal’s Debug Viewer, Process Monitor and Process Explorer Tools4.4. +Using SysInternal’s Debug Viewer, Process Monitor and Process Explorer Tools

-

An alternatve option to the use of "fs trace --dump" to capture internal OpenAFS Client Service events is to use a tool -such as Sysinternal's -Debug Viewer to capture real-time debugging output.  When -the OpenAFS Client Service starts and Bit 2 of the TraceOption value in the registry is set, all -trace log events are output using the Windows Debug Monitor interface -(OutputDebugString). 

- -

  +

An +alternatve option to the use of "fs trace -dump" to capture internal +OpenAFS Client Service events is to use a tool such as Sysinternal's Debug Viewer to capture real-time +debugging output.  When the OpenAFS Client Service starts and Bit 2 of the +TraceOption +value in the registry is set, all trace log events are output using the Windows +Debug Monitor interface (OutputDebugString). 

+ +

  [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

-

REG_DWORD   +

REG_DWORD   TraceOption = 0x04

-

Use “fs trace –on” and “fs trace –off” to toggle the -generation of log messages.

- -

Sysinternal’s -Process Monitor can be use to monitor the file operations +

Use +“fs trace –on” and “fs trace –off” to toggle the generation of log messages.

+ +

Sysinternal’s Process +Monitor can be use to monitor the file operations requested by applications and their success or failure.  

-

In Process Monitor, set a filter to include only events on file -paths that refer to the AFS name space. Be sure to include both the UNC path as -well as any drive letters mapped to AFS.

- -

Turn on the Clock Time and Show Milliseconds -options in both tools to make it easier to synchronize the application requests -and the resulting OpenAFS Client Service operations.   The captured -data can be stored to files for inclusion in bug -reports.

-

Sysinternal's -Process -Explorer is a replacement for the Windows Task Manager and so much more.  -Process Explorer can be configured to use the DbgHelp.dll from "Microsoft -Debugging Tools for Windows" as well as the debug symbols shipped as an -optional component of the OpenAFS for Windows installer.  -(Options->Configure Symbols)   Once configured the "Threads" tab of -the process properties dialog will permit the viewing of a fully documented -stack for each displayed thread.  Hint: If there is a deadlock in the cache -manager, two or more of the threads will be stuck in a call to osi_TWait().

- -

4.5. -Microsoft MiniDumps
-(fs minidump -> %WinDir%\TEMP\afsd.dmp)

+

In +Process Monitor, set a filter to include only events on file paths that refer +to the AFS name space. Be sure to include both the UNC path as well as any +drive letters mapped to AFS.

+ +

Turn +on the Clock Time and Show Milliseconds options in both tools to +make it easier to synchronize the application requests and the resulting +OpenAFS Client Service operations.   The captured data can be stored +to files for inclusion in bug reports.

+ +

Sysinternal's +Process Explorer is a replacement for +the Windows Task Manager and so much more.  Process Explorer can be +configured to use the DbgHelp.dll from "Microsoft Debugging Tools for Windows" +as well as the debug symbols shipped as an optional component of the OpenAFS +for Windows installer.  (Options->Configure Symbols)   Once +configured the "Threads" tab of the process properties dialog will +permit the viewing of a fully documented stack for each displayed thread.  +Hint: If there is a deadlock in the cache manager, two or more of the threads +will be stuck in a call to osi_TWait().

+ +

4.5. Microsoft MiniDumps
+(fs minidump -> %WinDir%\TEMP\afsd.dmp)

-

If the AFS Client Service become unresponsive to any form of -communication there may be a serious error that can only be debugged by someone -with access to the source code and a debugger.   The "fs -minidump" command can be used to force the generation of a MiniDump file -containing the state of all of the threads in the AFS Client Service process.  -The most accurate MiniDump files will be produced after installing "Microsoft -Debugging Tools for Windows".

- -

The MiniDumpType registry value -can be used to adjust the scope of the process information included within the -dump file.  By default the MiniDump only contains the stacks of all threads -and the values of all global variables.  A much more useful MiniDump is one -that contains the contents of the heap.  Be warned, a MiniDump with heap -will be as large as the cache file.  In addition, it will include all of -the data stored within the cache.  If there are privacy concerns, do not -produce a MiniDump with heap.

- -

4.6. -Single Sign-on (Integrated Logon) debuggingIf +the AFS Client Service become unresponsive to any form of communication there +may be a serious error that can only be debugged by someone with access to the +source code and a debugger.   The "fs minidump" command can +be used to force the generation of a MiniDump file containing the state of all +of the threads in the AFS Client Service process.  The most accurate +MiniDump files will be produced after installing "Microsoft Debugging Tools for Windows".

+ +

The +MiniDumpType +registry value can be used to adjust the scope of the process information +included within the dump file.  By default the MiniDump only contains the +stacks of all threads and the values of all global variables.  A much more +useful MiniDump is one that contains the contents of the heap.  Be warned, +a MiniDump with heap will be as large as the cache file.  In addition, it +will include all of the data stored within the cache.  If there are +privacy concerns, do not produce a MiniDump with heap.

+ +

4.6. +Single Sign-on (Integrated Logon) debugging

-

If you are having trouble with the Integrated Logon -operations it is often useful to be able to obtain a log of what it is -attempting to do.   Setting Bit 0 of the TraceOption registry value:

+

If +you are having trouble with the Integrated Logon operations it is often useful +to be able to obtain a log of what it is attempting to do.   Setting +Bit 0 of the TraceOption +registry value:

-

  [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

+

  +[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

-

  REG_DWORD   TraceOption = 0x01

+

  +REG_DWORD   TraceOption = 0x01

-

will instruct the Integrated Logon Network Provider and -Event Handlers to log information to the Windows Event Log: Application under -the name “AFS Logon".

+

will +instruct the Integrated Logon Network Provider and Event Handlers to log +information to the Windows Event Log: Application under the name “AFS +Logon".

-

4.7. RX -(AFS RPC) debugging (rxdebug)

+

4.7. +RX (AFS RPC) debugging (rxdebug)

-

The rxdebug.exe tool can be used to query a variety of -information about the AFS services installed on a given machine.  The port -for the AFS Cache Manager is 7001. 

+

The +rxdebug.exe tool can be used to query a variety of information about the AFS +services installed on a given machine.  The port for the AFS Cache Manager +is 7001. 

-

Usage: rxdebug -servers <server machine> [-port -<IP port>] [-nodally]

+

Usage: +rxdebug -servers <server machine> [-port <IP port>] [-nodally]

-

   +

   [-allconnections] [-rxstats] [-onlyserver] [-onlyclient]

-

   [-onlyport -<show only <port>>]

+

   +[-onlyport <show only <port>>]

-

   [-onlyhost -<show only <host>>]

+

   +[-onlyhost <show only <host>>]

-

   [-onlyauth -<show only <auth level>>] [-version]

+

   +[-onlyauth <show only <auth level>>] [-version]

-

   [-noconns] -[-peers] [-help]

+

   +[-noconns] [-peers] [-help]

-

Where: +

Where: -nodally         don't show dallying conns

-

       +

       -allconnections  don't filter out uninteresting connections

-

       +

       -rxstats         show Rx statistics

-

       +

       -onlyserver      only show server conns

-

       +

       -onlyclient      only show client conns

-

       +

       -version         show AFS version id

-

       +

       -noconns         show no connections

-

       +

       -peers           show peers

-

4.8. -Cache Manager debugging (cmdebug)

+

4.8. +Cache Manager debugging (cmdebug)

-

The cmdebug.exe tool can be used to query the state of the -AFS Cache Manager on a given machine.

+

The +cmdebug.exe tool can be used to query the state of the AFS Cache Manager on a +given machine.

-

Usage: cmdebug -servers <server machine> [-port -<IP port>] [-long] [-refcounts]

+

Usage: +cmdebug -servers <server machine> [-port <IP port>] [-long] +[-refcounts]

-

       -[-callbacks] [-ctime] [-addrs] [-cache] [-cellservdb] [-help]

+

       [-callbacks] [-ctime] [-addrs] [-cache] +[-cellservdb] [-help]

-

Where: -long        -print all info

+

Where: +-long        print all info

-

       --refcounts   print only cache -entries with positive reference counts

- -

       --callbacks   print only cache -entries with callbacks

- -

       --ctime       print human readable -expiration time

+

       -refcounts   print only cache entries with positive +reference counts

-

       --addrs       print only host -interfaces

+

       -callbacks   print only cache entries with callbacks

-

       --cache       print only cache -configuration

+

       -ctime       print human readable expiration time

-

       -cellservdb  print only cellservdb info

+

       -addrs       print only host interfaces

-

4.9. -Persistent Cache consistency check

+

       -cache       print only cache configuration

+ +

       -cellservdb  print only cellservdb +info

+ +

4.9. +Persistent Cache consistency check

-

The persistent cache is stored in a Hidden System file at +

The +persistent cache is stored in a Hidden System file at %WinDir%\TEMP\AFSCache.  If there is a problem with the persistent cache that prevent the AFS Client Service from being able to start a validation check on the file can be performed.

-

  afsd_service.exe --validate-cache -<cache-path>

- -

4.10. -Token Acquisition Debugging

- -

If you are having trouble obtaining tokens with the Network -Identity Manager AFS credential provider, it is recommended that you verify -your ability to obtain tokens using the command-line tools klog.exe (if you are using kaserver) or kinit.exe and aklog.exe -(if you are using Kerberos v5.)  The -aklog.exe –d option will be quite -helpful in diagnosing Kerberos v5 related problems.

- -

5. Reporting Bugs

+

  +afsd_service.exe --validate-cache <cache-path>

+ +

4.10. Token Acquisition +Debugging

+ +

If +you are having trouble obtaining tokens with the Network Identity Manager AFS +credential provider, it is recommended that you verify your ability to obtain +tokens using the command-line tools klog.exe +(if you are using kaserver) or kinit.exe +and aklog.exe (if you are using +Kerberos v5.)  The aklog.exe –d option will be quite helpful in +diagnosing Kerberos v5 related problems.

+ +

5. +Reporting Bugs

-

Bug reports should be sent to openafs-bugs@openafs.org.  -Please include as much information as possible about the issue.  If you -are reporting a crash, please install the debugging symbols by re-running the +

Bug +reports should be sent to openafs-bugs@openafs.org.  Please +include as much information as possible about the issue.  If you are +reporting a crash, please install the debugging symbols by re-running the installer.  If a dump file is available for the problem, %WINDIR%\TEMP\afsd.dmp, include it along with the AFS Client Trace file  %WINDIR%\TEMP\afsd.log.  The AFS Client startup log is %WINDIR%\TEMP\afsd_init.log.  Send the last continuous block of  log information from this file.

-

Configuring DrWatson to generate dump files for crashes:

+

Configuring +DrWatson to generate dump files for crashes:

-

·       Run drwtsn32.exe to configure or to identify where the log and the crash dump files are created:

-

·       click Start > Run... 

-

·       type drwtsn32 <enter>.

-

·       Select either a Crash Dump Type: Mini or Full.

-

·       Clear Dump Symbol Table

-

·       Clear Append to Existing Log file.

-

·       Check Dump All Thread Contexts.

-

·       Check Create Crash Dump File

-

·       Next run the monitoring module of Dr. Watson:

-

·       click Start > Run...

-

·       type drwatson <enter>.

-

·       Once a crash happens, Dr. Watson generates a dump file and a report in the log file, including the address of the crash and the stack dump.

-

Once you have the Dr. Watson's logfile and minidump, zip -them and attach them to your e-mail.

- -

When reporting a error, please be sure to include the -version of OpenAFS.

- -

6. How -to Contribute to the Development of OpenAFS for WindowsOnce +you have the Dr. Watson's logfile and minidump, zip them and attach them to +your e-mail.

+ +

When +reporting a error, please be sure to include the version of OpenAFS.

+ +

6. How to Contribute to the +Development of OpenAFS for Windows

-

Contributions to the development of OpenAFS for Windows are -continuously needed.  Contributions may take many forms including cash -donations, support contracts, donated developer time, and even donated tech -writer time.

- -

6.1. The USENIX OpenAFS FundContributions +to the development of OpenAFS for Windows are continuously needed.  +Contributions may take many forms including cash donations, support contracts, +donated developer time, and even donated tech writer time.

+ +

6.1. The +USENIX OpenAFS Fund

-

USENIX, a 501c3 +

USENIX, a 501c3 non-profit corporation, has formed the USENIX OpenAFS Fund in order to accept tax deductible donations on behalf of the OpenAFS Elders. The donated funds will be allocated by the OpenAFS Elders to fund OpenAFS development, @@ -3459,276 +3973,359 @@ documentation, project management, and maintaining openafs.org.

-

Donations can be made by sending a check, drawn on a U.S. -bank, made out to the USENIX OpenAFS Fund or by making a donation online.

- -

6.2. -Secure Endpoints Inc.

- -

Secure -Endpoints Inc. provides development and support services for OpenAFS for -Windows and MIT Kerberos for Windows. - Donations provided to Secure Endpoints Inc. for the development of -OpenAFS are used to cover the OpenAFS gatekeeper responsibilities; providing -support to the OpenAFS community via the OpenAFS mailing lists; and furthering -development of desired features that are either too small to be financed by -development contracts.

- -

Secure Endpoints Inc. accepts software development -agreements from organizations who wish to fund a well-defined set of bug fixes -or new features.

- -

Secure Endpoints Inc. provides contract based support for -the OpenAFS for Windows and the MIT -Kerberos for Windows products.

- -

6.3. -Direct contributions of code and/or documentationDonations +can be made by sending a check, drawn on a U.S. bank, made out to the USENIX +OpenAFS Fund or by making a donation online.

+ +

6.2. Secure Endpoints Inc.

-

Organizations that use OpenAFS in house and have -development staffs are encouraged to contribute any code modifications they -make to OpenAFS.org via openafs-bugs@openafs.org. - Contributions of documentation are highly desired.

+

Secure +Endpoints Inc. provides +development and support services for OpenAFS for Windows and MIT Kerberos +for Windows.  Donations provided to Secure Endpoints +Inc. for the development of OpenAFS are used to cover the OpenAFS gatekeeper +responsibilities; providing support to the OpenAFS community via the OpenAFS +mailing lists; and furthering development of desired features that are either +too small to be financed by development contracts.

+ +

Secure +Endpoints Inc. accepts software development agreements from organizations who +wish to fund a well-defined set of bug fixes or new features.

+ +

Secure +Endpoints Inc. provides contract based support for the OpenAFS for Windows and +the MIT Kerberos +for Windows products.

+ +

6.3. +Direct contributions of code and/or documentation

-

6.4. -OpenAFS for Windows Mailing Lists

+

Organizations +that use OpenAFS in house and have development staffs are encouraged to +contribute any code modifications they make to OpenAFS.org via openafs-bugs@openafs.org.  Contributions of +documentation are highly desired.

+ +

6.4. OpenAFS for Windows Mailing +Lists

-

If you wish to participate in OpenAFS for Windows -development please join the openafs-win32-devel@openafs.org +

If +you wish to participate in OpenAFS for Windows development please join the openafs-win32-devel@openafs.org mailing list.

-

https://lists.openafs.org/mailman/listinfo/openafs-win32-devel

- -

User questions should be sent to the openafs-info@openafs.org -mailing list. 

- -

https://lists.openafs.org/mailman/listinfo/openafs-info

- -

You must join the mailing lists if you wish to post to the -list without incurring a moderation delay.

- -

7. -MSI Deployment Guide

+

https://lists.openafs.org/mailman/listinfo/openafs-win32-devel

+ +

User +questions should be sent to the openafs-info@openafs.org mailing +list. 

+ +

https://lists.openafs.org/mailman/listinfo/openafs-info

+ +

You +must join the mailing lists if you wish to post to the list without incurring a +moderation delay.

+ +

7. MSI Deployment Guide

-
- - -

7.1. Introduction

- -

A MSI installer option is available for those who wish to -use Windows Installer for installing OpenAFS and for organizations that wish to -deploy OpenAFS through Group Policy.  The first version of OpenAFS for -Windows available as an MSI was 1.3.65.

- -

This document provides a guide for authoring transforms used -to customize the MSI package for a particular organization.  Although many -settings can be deployed via transforms, in an Active Directory environment it -is advisable to deploy registry settings    and configuration -files through group policy and/or startup scripts so that machines where -OpenAFS for Windows is already installed will pick up these customizations.

- -

7.1.1 -Requirements

- -

The information in this document applies to MSI packages -distributed with OpenAFS for Windows releases from 1.3.65 and onwards or MSI -packages built from corresponding source releases.  Not all releases -support all the configuration options documented here.

- -

Authoring a "Windows Installer" transform requires -additional software for editing the MSI database tables and generating the -transform from the modified MSI package.  ORCA.EXE and MSITRAN.EXE which -are included in the Windows Platform SDK ("Windows Installer" SDK) -can be used for this purpose.

- -

For reference, the schema for the MSI package is based on -SCHEMA.MSI distributed with the Platform SDK.

- -

For general information about "Windows Installer", -refer to:

- -

    http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp

- -

For general information about authoring MSI transforms, -refer to:

- -

    http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp

- -

The remainder of this document assumes some familiarity with -authoring transforms.  While the MSDN documentation for Windows Installer -is a bit dense, the guide on MSI transforms found at the second link above is recommended -reading.  MSDN also includes a step-by-step example for creating a -transform at:

+ + +

7.1. +Introduction

-

    http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp

+

A +MSI installer option is available for those who wish to use Windows Installer +for installing OpenAFS and for organizations that wish to deploy OpenAFS +through Group Policy.  The first version of OpenAFS for Windows available +as an MSI was 1.3.65.

+ +

This +document provides a guide for authoring transforms used to customize the MSI +package for a particular organization.  Although many settings can be +deployed via transforms, in an Active Directory environment it is advisable to +deploy registry settings    and configuration files through +group policy and/or startup scripts so that machines where OpenAFS for Windows +is already installed will pick up these customizations.

+ +

7.1.1 Requirements

-

7.1.2 -Authoring a Transform

+

The +information in this document applies to MSI packages distributed with OpenAFS +for Windows releases from 1.3.65 and onwards or MSI packages built from +corresponding source releases.  Not all releases support all the +configuration options documented here.

+ +

Authoring +a "Windows Installer" transform requires additional software for +editing the MSI database tables and generating the transform from the modified +MSI package.  ORCA.EXE and MSITRAN.EXE which are included in the Windows +Platform SDK ("Windows Installer" SDK) can be used for this purpose.

+ +

For +reference, the schema for the MSI package is based on SCHEMA.MSI distributed +with the Platform SDK.

+ +

For +general information about "Windows Installer", refer to:

+ +

    +http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp

+ +

For +general information about authoring MSI transforms, refer to:

+ +

    +http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp

+ +

The +remainder of this document assumes some familiarity with authoring +transforms.  While the MSDN documentation for Windows Installer is a bit +dense, the guide on MSI transforms found at the second link above is +recommended reading.  MSDN also includes a step-by-step example for +creating a transform at:

+ +

    +http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp

+ +

7.1.2 Authoring a Transform

-

Transforms describe a set of modifications to be performed -on an existing MSI for the purpose of customizing it.  This is ordinarily -done by making a copy of the MSI to be customized, modifying the copy and then -using the old and the new MSI to generate a transform.  For example:

+

Transforms +describe a set of modifications to be performed on an existing MSI for the +purpose of customizing it.  This is ordinarily done by making a copy of +the MSI to be customized, modifying the copy and then using the old and the new +MSI to generate a transform.  For example:

-

1.1.    copy openafs.msi openafs-modified.msi

-

2.2.    (edit the openafs-modified.msi to include the necessary changes)

-

3.3.    msitran -g openafs.msi openafs-modified.msi openafs-transform.mst

-

4.4.    (generates openafs-transform.mst, which is the transform)

-

Transforms have an extension of .mst.  'msitran' is a -tool distributed as part of the "Windows Installer" SDK (part of the -Windows Platform SDK).

+

Transforms +have an extension of .mst.  'msitran' is a tool distributed as part of the +"Windows Installer" SDK (part of the Windows Platform SDK).

-

You can test a transform by:

+

You +can test a transform by:

-

1.1.    copy openafs.msi openafs-test.msi

-

2.2.    msitran -a openafs-transform.mst openafs-test.msi

-

and then checking the resulting openafs-test.msi to see if -all changes you have made above to openafs-modified.msi is present in -openafs-test.msi.  'msitran' will complain if some modification in the -transform can not be successfully applied.

- -

As mentioned above, you can use a tool like ORCA.EXE to edit -the MSI databases directly when editing openafs-modified.msi.  More -details are given below.

- -

7.2. Configuration Optionsand +then checking the resulting openafs-test.msi to see if all changes you have +made above to openafs-modified.msi is present in openafs-test.msi.  +'msitran' will complain if some modification in the transform can not be +successfully applied.

+ +

As +mentioned above, you can use a tool like ORCA.EXE to edit the MSI databases +directly when editing openafs-modified.msi.  More details are given below.

+ +

7.2. +Configuration Options

-

The logic necessary to implement many of the settings -described in Appendix A are present -in the MSI.  Most of these can be controlled by setting the corresponding -properties to the desired value.  Some settings may require modifying -existing registry entries (though not recommended) or adding new resources -(like files or registry keys).  Instructions for performing these tasks -are below.

- -

7.2.1 -Configurable Properties

+

The +logic necessary to implement many of the settings described in Appendix A +are present in the MSI.  Most of these can be controlled by setting the +corresponding properties to the desired value.  Some settings may require +modifying existing registry entries (though not recommended) or adding new +resources (like files or registry keys).  Instructions for performing +these tasks are below.

+ +

7.2.1 Configurable Properties

-

Most configurable properties correspond to registry keys or -values.  Due to the logic invoked based on the existence of these registry -keys or values, they are only set if the associated property is defined to have -a non null value.  If the associated property is not defined in the MSI, -the registry key or value will not be touched.  By default, the MSI does -not contain these properties and hence will not set the registry keys.  -You will need to add properties as needed to the MSI.

- -

When one of the configurable properties is set, the -installer will use the property value to set the corresponding setting in the -HKEY_LOCAL_MACHINE registry hive.  The HKEY_CURRENT_USER hive is not -touched by the installer.

- -

For each property, the associated registry setting is -referenced by the same text used in Appendix -A.

- -

Strings are quoted using single quotes (e.g. 'a string'). An -empty string is denoted as ''.  Note that you can't author null values -into the 'Property' table.

- -

Numeric values should be authored as decimal strings.

- -

7.2.1.1 +

Most +configurable properties correspond to registry keys or values.  Due to the +logic invoked based on the existence of these registry keys or values, they are +only set if the associated property is defined to have a non null value.  +If the associated property is not defined in the MSI, the registry key or value +will not be touched.  By default, the MSI does not contain these +properties and hence will not set the registry keys.  You will need to add +properties as needed to the MSI.

+ +

When +one of the configurable properties is set, the installer will use the property +value to set the corresponding setting in the HKEY_LOCAL_MACHINE registry +hive.  The HKEY_CURRENT_USER hive is not touched by the installer.

+ +

For +each property, the associated registry setting is referenced by the same text +used in Appendix A.

+ +

Strings +are quoted using single quotes (e.g. 'a string'). An empty string is denoted as +''.  Note that you can't author null values into the 'Property' table.

+ +

Numeric +values should be authored as decimal strings.

+ +

7.2.1.1 Setting Properties

-

In order to set a property,

+

In +order to set a property,

1.        +margin-left:.25in;text-indent:-.25in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.        Open the MSI in ORCA.EXE

2.        +margin-left:.25in;text-indent:-.25in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>2.        Select the 'Property' table from the list of tables on the left.

3.        -Find the property in the list of properties on the right, double click -the value and type the new value.

+margin-left:.25in;text-indent:-.25in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>3.        +Find the property in the list of properties on the right, double click the +value and type the new value.

4.        +margin-left:.25in;text-indent:-.25in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>4.        If the property does not exist in the property list, right click the list and select 'Add Row', type the property name and the desired value.

-

7.2.1.2 +

7.2.1.2 OpenAFS for Windows Properties

@@ -3737,154 +4334,187 @@ style='mso-fareast-font-family:"Times New Roman"'>

(Service parameters):
+ name="_Toc139993158">(Service + parameters):

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

(Network provider):
+ name="_Toc139993159">(Network + provider):

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

(OpenAFS Client):
+ name="_Toc139993160">(OpenAFS + Client):

[HKLM\SOFTWARE\OpenAFS\Client]

-
7.2.1.2.1 +
7.2.1.2.1 Registry Properties
-

These properties are used to set the values of registry -entries associated with OpenAFS for Windows.

+

These +properties are used to set the values of registry entries associated with +OpenAFS for Windows.

@@ -3892,104 +4522,129 @@ entries associated with OpenAFS for Windows.

AFSCACHEPATH

Registry key    : (Service parameters)

-

Registry value : CachePath

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : CachePath

Valid values    : string .
AFSCACHESIZE

Registry key    : (Service parameters)

-

Registry value : CacheSize

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : CacheSize

Valid values    : numeric
AFSCELLNAME

Registry key    : (Service parameters)

-

Registry value : Cell

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : Cell

Valid values    : string
FREELANCEMODE

Registry key    : (Service parameters)

-

Registry value : FreelanceClient

+ href="#_(Service_parameters):">(Service parameters)

+

Registry value : FreelanceClient

Valid values    : '1' or '0'
HIDEDOTFILES

Registry key    : (Service parameters)

-

Registry value : HideDotFiles

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : HideDotFiles

Valid values    : '1' or '0'
LOGONOPTIONS

Registry key    : (Network provider)

-

Registry value : LogonOptions

+ href="#_(Network_provider):">(Network provider)

+

Registry value : LogonOptions

Valid values    : '0', '1' or '3'

-

See Appendix A - section 2.1 (Domain specific - configuration keys for Network Provider) for more details.

+

See Appendix A section 2.1 + (Domain specific configuration keys for Network Provider) + for more details.
MOUNTROOT

Registry key    : (Service parameters)

-

Registry value : Mountroot

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : Mountroot

Valid values    : string
NETBIOSNAME

Registry key    : (Service parameters)

-

Registry value : NetbiosName

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : NetbiosName

Valid values    : string (at most 15 characters)
NOFINDLANABYNAME

Registry key    : (Service parameters)

-

Registry value : NoFindLanaByName

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : NoFindLanaByName

Valid values    : '1' or '0'
RXMAXMTU

Registry key    : (Service parameters)

-

Registry value : RxMaxMTU

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : RxMaxMTU

Valid values    : numeric
SECURITYLEVEL

Registry key    : (Service parameters)

-

Registry value : SecurityLevel

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : SecurityLevel

Valid values    : '1' or '0'
SMBAUTHTYPE

Registry key    : (Service parameters)

-

Registry value : SMBAuthType

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : SMBAuthType

Valid values    : '0','1' or '2'
STOREANSIFILENAMES

Registry key    : (OpenAFS Client)

-

Registry value : StoreAnsiFilenames

+ href="#_(OpenAFS_Client):">(OpenAFS Client)

+

Registry value : StoreAnsiFilenames

Valid values    : '0' or '1'
USEDNS

Registry key    : (Service parameters)

-

Registry value : UseDNS

+ href="#_(Service_parameters):">(Service + parameters)

+

Registry value : UseDNS

Valid values    : '1' or '0'
-
7.2.1.2.2 AFSCreds.exe Properties
-

These properties are combined to add a command line option -to the shortcut that will be created in the Start:Programs:OpenAFS and -Start:Programs:Startup folders (see CREDSSTARTUP).  The method of -specifying the option was chosen for easy integration with the Windows -Installer user interface.  Although other methods can be used to specify -options to AFSCREDS.EXE, it is advised that they be avoided as transforms -including such options may not apply to future releases of OpenAFS.

+

These +properties are combined to add a command line option to the shortcut that will +be created in the Start:Programs:OpenAFS and Start:Programs:Startup folders +(see CREDSSTARTUP).  The method of specifying the option was chosen for +easy integration with the Windows Installer user interface.  Although other +methods can be used to specify options to AFSCREDS.EXE, it is advised that they +be avoided as transforms including such options may not apply to future +releases of OpenAFS.

CREDSSTARTUP
@@ -4003,7 +4658,7 @@ including such options may not apply to future releases of OpenAFS.

CREDSAUTOINIT
@@ -4014,7 +4669,7 @@ including such options may not apply to future releases of OpenAFS.

CREDSIPCHDET
@@ -4025,7 +4680,7 @@ including such options may not apply to future releases of OpenAFS.

CREDSQUIET
@@ -4036,7 +4691,7 @@ including such options may not apply to future releases of OpenAFS.

CREDSRENEWDRMAP
@@ -4047,7 +4702,7 @@ including such options may not apply to future releases of OpenAFS.

CREDSSHOW
@@ -4058,86 +4713,100 @@ including such options may not apply to future releases of OpenAFS.

-

7.2.2 -Existing Registry Entries7.2.2 Existing Registry +Entries

-

You can change existing registry values subject to the -restrictions mentioned in the Windows Platform SDK.  Pay special attention -to component key paths and try to only change the 'Value' column in the -'Registry' table.  If you want to add additional registry keys please -refer to section 3 (Additional resources).

- -

7.2.3 -Replacing Configuration Files

+

You +can change existing registry values subject to the restrictions mentioned in +the Windows Platform SDK.  Pay special attention to component key paths +and try to only change the 'Value' column in the 'Registry' table.  If you +want to add additional registry keys please refer to section 3 (Additional +resources).

+ +

7.2.3 Replacing Configuration +Files

-

The OpenAFS configuration files (CellServDB) can be replaced -by your own configuration files.  These files are contained in separate -MSI components so that you can disable them individually.

+

The +OpenAFS configuration files (CellServDB) can be replaced by your own +configuration files.  These files are contained in separate MSI components +so that you can disable them individually.

-

The recommended method for replacing these files is to first -disable the components containing the configuration files that you want to -replace, and then add new components for the replacement files.  This is -outlined below (assuming you are using ORCA.EXE to author the transform).

+

The +recommended method for replacing these files is to first disable the components +containing the configuration files that you want to replace, and then add new +components for the replacement files.  This is outlined below (assuming +you are using ORCA.EXE to author the transform).

-

Note that transforms are not a good way to add a new file as -an embedded stream.  The method outlined here places the file in the same -directory as the MSI for deployment.

+

Note +that transforms are not a good way to add a new file as an embedded +stream.  The method outlined here places the file in the same directory as +the MSI for deployment.

-

The walkthrough below is to add a custom 'CellServDB' file.

+

The +walkthrough below is to add a custom 'CellServDB' file.

1.      Disable -the component that contains the configuration file that you want to replace.

+margin-left:.25in;text-indent:-.25in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.      +Disable the component that contains the configuration file that you want +to replace.

1.1.   Locate and select -the 'Component' table in the 'Tables' list.

+margin-left:.55in;text-indent:-.3in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.1.   Locate +and select the 'Component' table in the 'Tables' list.

1.2.   In the Component -table, locate the component you need to change ( Ctrl-F invokes the 'Find' -dialog).  The component names are listed below in section 7.2.3.1.  For this -example, the component name is 'elf_CellServDB'.

+margin-left:.55in;text-indent:-.3in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.2.   In +the Component table, locate the component you need to change ( Ctrl-F invokes +the 'Find' dialog).  The component names are listed below in section 7.2.3.1.  +For this example, the component name is 'elf_CellServDB'.

1.3.   Go to the -'Condition' column of the component.

+margin-left:.55in;text-indent:-.3in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.3.   Go +to the 'Condition' column of the component.

1.4.   Enter a condition -that evaluates to false. I.e. 'DONOTINSTALL'. (Note that an undefined property -always evaluates to false).

+margin-left:.55in;text-indent:-.3in;tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>1.4.   Enter +a condition that evaluates to false. I.e. 'DONOTINSTALL'. (Note that an +undefined property always evaluates to false).

-

Note that you can also use this step to disable other -configuration files without providing replacements.

+

Note +that you can also use this step to disable other configuration files without +providing replacements.

-

2.2.      Add a new component containing the new configuration file.

-

2.1.2.1.   Select the 'Component' table in the 'Tables' list.

-

2.2.2.2.   Select 'Tables'->'Add Row' (Ctrl-R).

-

2.3.2.3.   Enter the following :

@@ -4211,29 +4880,29 @@ the following :

-

Note that the ComponentId is an -uppercase GUID.  You can generate one using GUIDGEN.EXE or UUIDGEN.EXE, -both of which are included in the Platform SDK.

+

Note +that the ComponentId is an uppercase GUID.  You can generate one using +GUIDGEN.EXE or UUIDGEN.EXE, both of which are included in the Platform SDK.

-

The Attributes value of 144 is a -sum of msidbComponentAttributesPermanent (16) and +

The +Attributes value of 144 is a sum of msidbComponentAttributesPermanent (16) and msidbComponentAttributesNeverOverwrite (128).  This ensures that local modifications are not overwritten or lost during an installation or -uninstallation.  These are the same settings used on the default configuration -files.

+uninstallation.  These are the same settings used on the default +configuration files.

-

            +

            'fil_my_CellServDB' is a key into the 'File' table which we will fill later.

-

3.3.      Add a new feature to hold the new component.

-

3.1.3.1.   Select the 'Feature' table.

-

3.2.3.2.   Add a new row (Ctrl-R or 'Tables'->'Add Row') with the following values:

@@ -4329,29 +4998,30 @@ a new row (Ctrl-R or 'Tables'->'Add Row') with the following values:

-

It is important to create the -new feature under the 'feaClient' feature, which will ensure that the -configuration file will be installed when the client binaries are installed.

+

It +is important to create the new feature under the 'feaClient' feature, which +will ensure that the configuration file will be installed when the client +binaries are installed.

-

Setting 'Display' to 0 will hide -this feature from the feature selection dialog during an interactive -installation.  A value of 30 for 'Level' allows this feature to be -installed by default (on a 'Typical' installation).

+

Setting +'Display' to 0 will hide this feature from the feature selection dialog during +an interactive installation.  A value of 30 for 'Level' allows this +feature to be installed by default (on a 'Typical' installation).

-

The 'Attributes' value is -msidbFeatureAttributesDisallowAdvertise (8), which is set on all features in -the OpenAFS MSI.  The OpenAFS MSI is not designed for an advertised -installation.

+

The +'Attributes' value is msidbFeatureAttributesDisallowAdvertise (8), which is set +on all features in the OpenAFS MSI.  The OpenAFS MSI is not designed for +an advertised installation.

-

4.4.      Join the component and the feature.

-

4.1.4.1.   Select the 'FeatureComponents' table.

-

4.2.4.2.   Add a new row with the following values:

@@ -4381,15 +5051,15 @@ a new row with the following values:

-

5.5.      Add an entry to the 'File' table.

-

5.1.5.1.   Select the 'File' table.

-

5.2.5.2.   Add a new row with the following values:

@@ -4463,28 +5133,28 @@ a new row with the following values:

-

            +

                (leave other fields blank)

-

The 'Attributes' value is -msidbFileAttributesNonCompressed (8192).  This is because we will be placing -this file in the same directory as the MSI instead of embedding the file in -it.  Transforms do not support updating compressed sources or adding new -cabinet streams.

+

The +'Attributes' value is msidbFileAttributesNonCompressed (8192).  This is +because we will be placing this file in the same directory as the MSI instead +of embedding the file in it.  Transforms do not support updating +compressed sources or adding new cabinet streams.

-

Finally, the 'Sequence' value of -1000 will be used later to distinguish the file as being in a separate source -location than the other files in the MSI.

+

Finally, +the 'Sequence' value of 1000 will be used later to distinguish the file as +being in a separate source location than the other files in the MSI.

-

6.6.      Set a media source for the file.

-

6.1.6.1.   Select the 'Media' table.

-

6.2.6.2.   Add a row with the following values :

@@ -4514,41 +5184,47 @@ a row with the following values :

-

            +

                (leave other fields blank)

-

The sequence number of 1000 -designates this as the media source for the newly added file.

+

The +sequence number of 1000 designates this as the media source for the newly added +file.

-

7.2.3.1 Components for Configuration Files

-

CellServDB: +

CellServDB: 'cpf_CellServDB' (ID {D5BA4C15-DBEC-4292-91FC-B54C30F24F2A})

-

7.2.4 -Adding Domain Specific Registry Keys

+

7.2.4 Adding Domain Specific +Registry Keys

-

Following is an example for adding domain specific registry -keys.

+

Following +is an example for adding domain specific registry keys.

-

    Refer to Appendix A section 2.1 for more -information.

+

    +Refer to Appendix A +section 2.1 for more information.

-

    Columns that are unspecified should be -left empty.

+

    +Columns that are unspecified should be left empty.

-

    We create a new feature and component to -hold the new registry keys.

+

    +We create a new feature and component to hold the new registry keys.

@@ -4568,7 +5244,8 @@ hold the new registry keys.

Parent : 'feaClient'
            Display           : 0
-             Level               +             + Level               : 30
            Attributes        : 10

@@ -4589,8 +5266,8 @@ hold the new registry keys.

ComponentId  : '{4E3FCBF4-8BE7-40B2-A108-C47CF743C627}'
            Directory         : 'TARGETDIR'
-             - Attributes        : 4
+             Attributes        + : 4
            KeyPath          : 'reg_domkey0'

@@ -4630,8 +5307,8 @@ hold the new registry keys.

Key                 : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
-             Component     - : 'rcm_DomainKeys'

+             + Component     : 'rcm_DomainKeys'

@@ -4648,7 +5325,8 @@ hold the new registry keys.

Key                 : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain'
-             Name              +             + Name              : '*'
            Component     : 'rcm_DomainKeys'

@@ -4666,7 +5344,8 @@ hold the new registry keys.

: 2
            Key                 - : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
+ : + 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
            Name              : '*'
@@ -4681,12 +5360,12 @@ hold the new registry keys.

            Registry          : 'reg_domkey3'
-             Root                +             + Root                : 2
            Key                 - : - 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
+ : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\ATHENA.MIT.EDU'
            Name              : 'LogonOptions'
@@ -4730,7 +5409,8 @@ hold the new registry keys.

: 2
            Key                 - : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
+ : + 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
            Name              : 'LogonOptions'
@@ -4748,12 +5428,12 @@ hold the new registry keys.

            Registry          : 'reg_domkey6'
-             Root                +             + Root                : 2
            Key                 - : - 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
+ : 'SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST'
            Name              : 'FailLoginsSilently'
@@ -4766,28 +5446,31 @@ hold the new registry keys.

-

 

+

 

-

The example adds domain specific keys for 'ATHENA.MIT.EDU' -(enable integrated logon) and 'LOCALHOST' (disable integrated logon and fail -logins silently).

+

The +example adds domain specific keys for 'ATHENA.MIT.EDU' (enable integrated +logon) and 'LOCALHOST' (disable integrated logon and fail logins silently).

-

7.2.5 -Adding Site Specific Freelance Registry Keys7.2.5 Adding Site Specific +Freelance Registry Keys

-

Following is an example for adding site specific Freelance -registry keys to pre-populate the Mountpoints and Symlinks in the fake root.afs -volume.

+

Following +is an example for adding site specific Freelance registry keys to pre-populate +the Mountpoints and Symlinks in the fake root.afs volume.

-

    Columns that are unspecified should be -left empty.

+

    +Columns that are unspecified should be left empty.

-

    We create a new feature and component to -hold the new registry keys.

+

    +We create a new feature and component to hold the new registry keys.

@@ -4801,8 +5484,7 @@ hold the new registry keys.

            (new row)
            - Feature            : - 'feaFreelanceKeys'
+ Feature            : 'feaFreelanceKeys'
            Feature Parent : 'feaClient'
            @@ -4843,8 +5525,8 @@ hold the new registry keys.

@@ -4967,7 +5648,8 @@ hold the new registry keys.

            Registry          : 'reg_freekey5'
-             Root                +             + Root                : 2
            Key                 @@ -4984,127 +5666,148 @@ hold the new registry keys.

-

    -         (new row)
+

            + (new row)
            Feature            : 'feaFreelanceKeys'
@@ -4902,8 +5584,7 @@ hold the new registry keys.

            (new row)
            - Registry          : - 'reg_freekey2'
+ Registry          : 'reg_freekey2'
            Root                : 2
@@ -4954,8 +5635,8 @@ hold the new registry keys.

Name              : '0'
            - Value           -    : 'athena:athena.mit.edu.'
+ Value              + : 'athena:athena.mit.edu.'
            Component     : 'rcm_FreelanceKeys'
-

The example adds a read-only mountpoint to the -athena.mit.edu cell's root.afs volume as well as a read-write mountpoint.  -Aliases are also provided using symlinks.

+

The +example adds a read-only mountpoint to the athena.mit.edu cell's root.afs +volume as well as a read-write mountpoint.  Aliases are also provided +using symlinks.

+ +

7.3 +Additional Resources

-

7.3 -Additional ResourcesIf +you want to add registry keys or files you need to create new components and +features for those.  Refer to the Windows Platform SDK for details.

+ +

It +is beyond the scope of this document to provide a comprehensive overview of how +to add new resources through a transform.  Please refer to the +"Windows Installer" documentation for details.  The relevant +section is at :

+ +

http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp

+ +

A +sample walkthrough of adding a new configuration file is in section 2.3.

+ +

Add +new features under the 'feaClient' or 'feaServer' as appropriate and set the +'Level' column for those features to equal the 'Level' for their parent +features for consistency.  Note that none of the features in the OpenAFS +for Windows MSI package are designed to be installed to run from 'source' or +'advertised'.  It is recommended that you set 'msidbFeatureAttributesFavorLocal' +(0), 'msidbFeatureAttributesFollowParent' (2) and +'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new features.

+ +

If +you are creating new components, retain the same component GUID when creating +new transforms against new releases of the OpenAFS MSI package.

+ +

After +making the adjustments to the MSI database using ORCA.EXE you can generate a +transform with MSITRAN.EXE as follows :

+ +

(Modified +MSI package is 'openafs-en_US_new.msi' and the original MSI package is +'openafs-en_US.msi'.  Generates transform 'openafs-transform.mst')

+ +

    +> msitran.exe -g openafs-en_US.msi openafs-en_US_new.msi +openafs-transform.mst

+ +

See +the Platform SDK documentation for information on command line options for +MSITRAN.EXE.

+ +

7.4. +Upgrades

-

If you want to add registry keys or files you need to create -new components and features for those.  Refer to the Windows Platform SDK -for details.

- -

It is beyond the scope of this document to provide a -comprehensive overview of how to add new resources through a transform.  -Please refer to the "Windows Installer" documentation for details.  -The relevant section is at :

- -

http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp

- -

A sample walkthrough of adding a new configuration file is -in section 2.3.

- -

Add new features under the 'feaClient' or 'feaServer' as appropriate -and set the 'Level' column for those features to equal the 'Level' for their -parent features for consistency.  Note that none of the features in the -OpenAFS for Windows MSI package are designed to be installed to run from -'source' or 'advertised'.  It is recommended that you set -'msidbFeatureAttributesFavorLocal' (0), 'msidbFeatureAttributesFollowParent' -(2) and 'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new -features.

- -

If you are creating new components, retain the same -component GUID when creating new transforms against new releases of the OpenAFS -MSI package.

+

The +MSI package is designed to uninstall previous versions of OpenAFS for Windows +during installation.  Note that it doesn't directly upgrade an existing +installation.  This is intentional and ensures that development releases +which do not have strictly increasing version numbers are properly upgraded.

-

After making the adjustments to the MSI database using -ORCA.EXE you can generate a transform with MSITRAN.EXE as follows :

+

Versions +of OpenAFS that are upgraded by the MSI package are:

-

(Modified MSI package is 'openafs-en_US_new.msi' and the -original MSI package is 'openafs-en_US.msi'.  Generates transform -'openafs-transform.mst')

- -

    > msitran.exe -g openafs-en_US.msi -openafs-en_US_new.msi openafs-transform.mst

- -

See the Platform SDK documentation for information on command -line options for MSITRAN.EXE.

- -

7.4. Upgrades

- -

The MSI package is designed to uninstall previous versions -of OpenAFS for Windows during installation.  Note that it doesn't directly -upgrade an existing installation.  This is intentional and ensures that -development releases which do not have strictly increasing version numbers are -properly upgraded.

- -

Versions of OpenAFS that are upgraded by the MSI package -are:

- -

1)1)      OpenAFS MSI package
Upgrade code {6823EEDD-84FC-4204-ABB3-A80D25779833}
Up to current release

-

2)2)      MIT's Transarc AFS MSI package
Upgrade code {5332B94F-DE38-4927-9EAB-51F4A64193A7}
Up to version 3.6.2

-

3)3)      OpenAFS NSIS package
All versions

-

Note that versions of the OpenAFS NSIS package prior to -1.3.65 had a bug where it couldn't be uninstalled properly in unattended -mode.  Therefore the MSI package will not try to uninstall an OpenAFS NSIS -package if running unattended.  This means that group policy based -deployments will fail on machines that have the OpenAFS NSIS package installed.

- -

If you have used a different MSI package to install OpenAFS -and wish to upgrade it you can author rows into the 'Upgrade' table as -described in the Platform SDK.

- -

When performing an upgrade with msiexec.exe execute the MSI -with the repair options "vomus".

- -

Appendix -A: Registry Values

+

Note +that versions of the OpenAFS NSIS package prior to 1.3.65 had a bug where it +couldn't be uninstalled properly in unattended mode.  Therefore the MSI +package will not try to uninstall an OpenAFS NSIS package if running +unattended.  This means that group policy based deployments will fail on +machines that have the OpenAFS NSIS package installed.

+ +

If +you have used a different MSI package to install OpenAFS and wish to upgrade it +you can author rows into the 'Upgrade' table as described in the Platform SDK.

+ +

When +performing an upgrade with msiexec.exe execute the MSI with the repair options +"vomus".

+ +

Appendix A: Registry Values

-

A.1. Service parametersA.1. +Service parameters

-

The service parameters primarily affect the behavior of -the AFS client service (afsd_service.exe).

+

The +service parameters primarily affect the behavior of the AFS client service +(afsd_service.exe).

-

Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]Regkey:
+[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

- + + + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + Variable: rx_enable_peer_stats

+

When set to 1, + the Rx library collects peer statistics.

+

 

+ + - + + Variable: rx_extra_process_stats

+

When set to 1, + the Rx library collects process statistics.

+

 

+ + - + + - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
Value: LANadapter
Value: CacheSize
+ name="_Toc139993194">Value: + CacheSize

Type: DWORD
Default: 98304 (CM_CONFIGDEFAULT_CACHESIZE)
Variable: cm_initParams.cacheSize

@@ -5149,7 +5851,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
Value: ChunkSize
Value: Daemons
@@ -5180,7 +5882,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
Value: ServerThreads
Value: Stats
@@ -5207,15 +5909,38 @@ style='mso-fareast-font-family:"Times New Roman"'>

Cache configuration.
+
Value: Volumes
+

Type: DWORD
+ Default:  3333 (CM_CONFIGDEFAULT_STATS/3)
+ Variable: cm_initParams.nVolumes

+
Cache + configuration.
+
+
Value: Cells
+

Type: DWORD
+ Default: 1024 (CM_CONFIGDEFAULT_CELLS)
+ Variable: cm_initParams.nCells

+
Cache + configuration.
+
Value: LogoffPreserveTokens
+ name="_Toc139993199">Value: + LogoffPreserveTokens

Type: DWORD {1,0}
Default : 0

If enabled (set to 1), the Logoff Event handler will not @@ -5223,11 +5948,11 @@ style='mso-fareast-font-family:"Times New Roman"'> outside of AFS.
Value: RootVolume

Root volume name.
Value: MountRoot
+ name="_Toc139993201">Value: + MountRoot

Type: REG_SZ
Default: "/afs"
Variable: cm_mountRoot

@@ -5256,19 +5980,18 @@ style='mso-fareast-font-family:"Times New Roman"'> /afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is "/afs", then the path is interpreted as \\afs\all\athena.mit.edu\foo\bar\baz.  If a path does not start with with cm_mountRoot, the path is assumed to be - relative and suffixed to the reference directory (i.e. directory where the symlink - exists)

+ relative and suffixed to the reference directory (i.e. directory where the + symlink exists)
Value: CachePath
+ name="_Toc139993202">Value: + CachePath

Type: REG_SZ or REG_EXPAND_SZ
Default: "%TEMP%\AFSCache"
Variable: cm_CachePath

@@ -5277,11 +6000,11 @@ style='mso-fareast-font-family:"Times New Roman"'> are HIDDEN and SYSTEM.
Value: NonPersistentCaching
maintain a single UUID for the AFS client service across restarts.
Value: ValidateCache
2 - Validation is performed at shutdown
Value: TrapOnPanic
(breakpoint: _asm int 3).
Value: NetbiosName
+ name="_Toc139993206">Value: + NetbiosName

Type: REG_EXPAND_SZ
Default: "AFS"
Variable: cm_NetbiosName

@@ -5347,11 +6069,11 @@ style='mso-fareast-font-family:"Times New Roman"'> "%COMPUTERNAME%-AFS".
Value: IsGateway
the "NetbiosName" registry value.
Value: ReportSessionStartups
mappings or various error types to be logged.
Value: TraceBufferSize
+ name="_Toc139993209">Value: + TraceBufferSize

Type: DWORD
Default: 10000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
Variable: traceBufSize

Number of entries to keep in trace log.
Value: SysName
+ name="_Toc139993210">Value: + SysName

Type: REG_SZ
Default: "x86_win32 i386_w2k i386_nt40" (X86)
“amd64_win64 x86_win32 i386_w2k” (AMD64)
@@ -5419,59 +6140,59 @@ style='mso-fareast-font-family:"Times New Roman"'> for @sys in order of preference separated by whitespace.
Value: SecurityLevel
+ name="_Toc139993211">Value: + SecurityLevel

Type: DWORD {1,0}
Default: 0
Variable: cryptall

Enables encryption on RX calls.
Value: UseDNS

Type: DWORD {1,0}
Default: 1
Variable: cm_dnsEnabled

Enables resolving volservers using AFSDB DNS queries.

-

As of 1.3.60, this value is ignored as the DNS query support - utilizes the Win32 DNSQuery API which is available on Win2000 and above.

+

As of 1.3.60, this value is ignored as the DNS query + support utilizes the Win32 DNSQuery API which is available on Win2000 and + above.
Value: FreelanceClient
+ name="_Toc139993213">Value: + FreelanceClient

Type: DWORD {1,0}
Default: 0
Variable: cm_freelanceEnabled

Enables freelance client.
Value: HideDotFiles

Type: DWORD {1,0}
@@ -5482,11 +6203,11 @@ style='mso-fareast-font-family:"Times New Roman"'> (excluding "." and "..").
Value: MaxMpxRequests
made.
Value: MaxVCPerServer

Maximum number of SMB virtual circuits.
Value: Cell

Type: REG_SZ
@@ -5528,72 +6249,80 @@ style='mso-fareast-font-family:"Times New Roman"'> be mounted in \\afs\all).
-
- Value: - RxEnablePeerStats
-

Type: DWORD {0, 1}
+

Value: + RxEnablePeerStats
+

Type: DWORD {0, + 1}
Default: 1
- Variable: rx_enable_peer_stats

-

When set to 1, the Rx library collects peer statistics.

-

 
-
- Value: - RxEnableProcessStats
-

Type: DWORD {0, 1}
+

Value: RxEnableProcessStats
+

Type: DWORD {0, + 1}
Default: 1
- Variable: rx_extra_process_stats

-

When set to 1, the Rx library collects process - statistics.

-  
-
- Value: - RxExtraPackets
-

Type: DWORD
+

Value: RxExtraPackets
+

Type: DWORD
Default: 120
- Variable: rx_extraPackets

-

When set, this number of extra Rx packets are allocated - at startup.

+ Variable: rx_extraPackets

+

When set, this + number of extra Rx packets are allocated at startup.
-
Value: RxMaxMTU
-

Type: DWORD
+

Value: RxMaxMTU
+

Type: DWORD
Default: 0
- Variable: rx_mtu

-

If set to anything other than 0, that value is used as the - maximum send and receive MTU supported by the RX interface.

-

In order to enable OpenAFS to operate across releases of the Cisco - IPSec VPN client prior than 5.0, this value must be set to 1264 or smaller.

+ Variable: rx_mtu

+

If set to + anything other than 0, that value is used as the maximum send and receive MTU + supported by the RX interface.

+

In order to + enable OpenAFS to operate across releases of the Cisco IPSec VPN client prior + than 5.0, this value must be set to 1264 or smaller.
-
- Value: - RxNoJumbo
+ height:101.65pt'> +
Value: RxNoJumbo

Type: DWORD {0,1}
Default: 0
Variable: rx_nojumbo

@@ -5601,31 +6330,34 @@ style='mso-fareast-font-family:"Times New Roman"'> to send or receive RX jumbograms.
Value: ConnDeadTimeout
+ name="_Toc139993220">Value: + ConnDeadTimeout

Type: DWORD
Default: 60 (seconds)
Variable: ConnDeadtimeout

The Connection Dead Time is enforced to be at a minimum - 15 seconds longer than the minimum SMB timeout as specified by [HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters] + 15 seconds longer than the minimum SMB timeout as specified by + [HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters] SessTimeout

If the minimum SMB timeout is not specified the value is 45 seconds.  See http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp

+ href="http://support.microsoft.com/support/kb/articles/Q102/0/67.asp">http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp
Value: HardDeadTimeout
ConnDeadTimeout.  The provides an opportunity for at least one retry.
Value: TraceOption
+ name="_Toc139993222">Value: + TraceOption

Type: DWORD {0-15}
Default: 0

-

Enables logging of debug output to the Windows Event - Log.

+

Enables logging of debug output to the Windows Event Log.

Bit 0 enables logging of "Logon Events" processed by the Network Provider and Winlogon Event Notification Handler. 

@@ -5660,11 +6390,11 @@ style='mso-fareast-font-family:"Times New Roman"'>

Bit 3 enables "fs trace" logging on startup.
Value: AllSubmount
allows the read-write versions of root.afs to be hidden.
Value: NoFindLanaByName
+ name="_Toc139993224">Value: + NoFindLanaByName

Type: DWORD {0, 1}
Default: 0

Disables the attempt to identity the network adapter to use by looking for an adapter with a display name of "AFS".
Value: MaxCPUs
@@ -5708,48 +6438,46 @@ style='mso-fareast-font-family:"Times New Roman"'> greater number installed in the machine. 

Value: smbAuthType
+ name="_Toc139993226">Value: + smbAuthType

Type: DWORD {0..2}
Default: 2

-

If this value is specified, it defines the type of SMB authentication - which must be present in order for the Windows SMB client to connect to the - AFS Client Service's SMB server.  The values are:

+

If this value is specified, it defines the type of SMB + authentication which must be present in order for the Windows SMB client to + connect to the AFS Client Service's SMB server.  The values are:

0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication
Value: MaxLogSize
+ name="_Toc139993227">Value: + MaxLogSize

Type: DWORD {0 .. MAXDWORD}
Default: 100K

-

This entry determines the maximum size of the - %WINDIR%\TEMP\afsd_init.log file.  If the file is larger than this value - when afsd_service.exe starts the file will be reset to 0 bytes.  If this - value is 0, it means the file should be allowed to grow indefinitely.

+

This entry determines the maximum size of the %WINDIR%\TEMP\afsd_init.log + file.  If the file is larger than this value when afsd_service.exe + starts the file will be reset to 0 bytes.  If this value is 0, it means + the file should be allowed to grow indefinitely.
Value: FlushOnHibernate
hibernate or stand-by.
marked as “down”.
probes servers that are marked as “up”.
existing volume database information.
invalidation.
locks.
tokens.
Value: @@ -5857,7 +6585,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
determined to be busy have their state reset to online.
configured.
"Times New Roman"'>

Type: DWORD {0, 1, 2}
Default: 1

-

Determines whether or not the AFS file server is - contacted for

+

Determines whether or not the AFS file server is contacted + for

0: never obtain server locks

1: @@ -5893,7 +6621,7 @@ style='mso-fareast-font-family:"Times New Roman"'> always obtain server locks
Value: @@ -5910,7 +6638,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
without complaint.
Value: @@ -5925,7 +6653,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
style='mso-fareast-font-family:"Times New Roman"'>
Value: @@ -5940,7 +6668,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
fully cached prior to a machine losing its connection with the file server.
Value: @@ -5956,7 +6684,7 @@ style='mso-fareast-font-family:"Times New Roman"'>

1: treat offline .readonly content as valid
Value: @@ -5966,14 +6694,14 @@ style='mso-fareast-font-family:"Times New Roman"'>

Determines whether or not the AFS Cache Manager will give up all callbacks prior to the service being suspended or shutdown.  Doing so will have significant performance - benefits for the file servers.  However, - file servers older than 1.4.6 can become unstable if the GiveUpAllCallBacks - RPC is executed.

+ benefits for the file servers.  + However, file servers older than 1.4.6 can become unstable if the + GiveUpAllCallBacks RPC is executed.

0: do not perform GiveUpAllCallBacks RPCs

1: perform GiveUpAllCallBacks RPCs

Value: @@ -5991,11 +6719,14 @@ style='mso-fareast-font-family:"Times New Roman"'>
-

Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]Regkey:
+[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]

Value: <Drive Letter:> for example "G:"

Type: REG_SZ

-

Specifies the submount name to be mapped by afsd_service.exe - at startup to the provided drive letter.

+

Specifies the submount name to be mapped by + afsd_service.exe at startup to the provided drive letter.

This option is deprecated.
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client]

@@ -6164,26 +6899,31 @@ style='mso-fareast-font-family:"Times New Roman"'>

Type: REG_DWORD
Default: 0x0

This value can be used to force the AFS Client Service - to store filenames using the Windows system's ANSI character set instead of the - OEM Code Page character set which has traditionally been used by SMB file + to store filenames using the Windows system's ANSI character set instead of + the OEM Code Page character set which has traditionally been used by SMB file systems. 

-

Note: The use of ANSI - characters will render access to files with 8-bit OEM file names inaccessible - from Windows.  This option is of use primarily when you wish to allow - file names produced on Windows to be accessible from Latin-1 UNIX systems and - vice versa.

+

Note: The + use of ANSI characters will render access to files with 8-bit OEM file names + inaccessible from Windows.  This option is of use primarily when you + wish to allow file names produced on Windows to be accessible from Latin-1 + UNIX systems and vice versa.

Value: CellServDBDir
+ name="_Toc139993232">Value: + CellServDBDir

Type: REG_SZ
Default: <not defined>

Specifies the directory containing the CellServDB @@ -6049,31 +6782,31 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: + name="_Toc139993233">Value: VerifyServiceSignature

Type: REG_DWORD
Default: 0x1

-

This value can be used to disable the runtime verification - of the digital signatures applied to afsd_service.exe and the OpenAFS DLLs it - loads.  This test is performed to verify that   the DLLs which - are loaded by afsd_service.exe are from the same distribution as - afsd_service.exe.  This is to prevent random errors caused when DLLs - from one distribution of AFS are loaded by another one.  This is not a - security test.  The reason for disabling this test is to free up - additional memory which can be used for a large cache size.

+

This value can be used to disable the runtime + verification of the digital signatures applied to afsd_service.exe and the + OpenAFS DLLs it loads.  This test is performed to verify + that   the DLLs which are loaded by afsd_service.exe are from the + same distribution as afsd_service.exe.  This is to prevent random errors + caused when DLLs from one distribution of AFS are loaded by another + one.  This is not a security test.  The reason for disabling this + test is to free up additional memory which can be used for a large cache + size.
Value: IoctlDebug

Type: REG_DWORD
@@ -6089,7 +6822,7 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: MiniDumpType
initiated is dump file is generated with the "fs.exe minidump" command.

Valid values are dependent on the version of DbgHelp.dll - installed on the machine.  The best version to use is not the version - that comes with the operating system but the version that is included in the - most recent release of "Microsoft - Debugging Tools for Windows".  See the Microsoft Developer Library for - further information.

+ installed on the machine.  The best version to use is not the version + that comes with the operating system but the version that is included in the + most recent release of "Microsoft Debugging Tools for Windows".  + See the Microsoft Developer Library for further information.

MiniDumpNormal = 0x00000000,
MiniDumpWithDataSegs = 0x00000001,
MiniDumpWithFullMemory = 0x00000002,
@@ -6126,9 +6861,9 @@ style='mso-fareast-font-family:"Times New Roman"'>

-
Value: EnableSMBAsyncStore

Type: REG_DWORD
@@ -6144,14 +6879,14 @@ style='mso-fareast-font-family:"Times New Roman"'> style='mso-bookmark:_Toc191662239'>Value: SMBAsyncStoreSize

Type: REG_DWORD
- Default: 32

+ Default: 32

This value determines the size of SMB Asynchronous Store operations. This value can be used to increase the write performance on higher speed networks by increasing the value.  The value must be a multiple of the cache - buffer block size and cannot be larger than the cache manager chunk size.  The specified value will be adjusted to - enforce its compliance with these restrictions.

+ buffer block size and cannot be larger than the cache manager chunk + size.  The specified value will be + adjusted to enforce its compliance with these restrictions.
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]

Value: "smb/cifs share name"
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Freelance]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Freelance]

Value: "numeric value"
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]

Value: "numeric value"

Type: REG_SZ
Default: <none>

-

This key is used to store a dot terminated symlink strings - for use in constructing the fake root.afs volume when Freelance (dynamic - roots) mode is activated.

+

This key is used to store a dot terminated symlink + strings for use in constructing the fake root.afs volume when Freelance + (dynamic roots) mode is activated.

"linkname:destination-path."

"athena:athena.mit.edu."

"home:athena.mit.edu\user\j\a\jaltman."

@@ -6273,26 +7018,34 @@ style='mso-fareast-font-family:"Times New Roman"'>
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Realms]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Realms]

-

The Realms key is used to provide initialization data to -be used when new identities are added to the Network Identity Manager.The +Realms key is used to provide initialization data to be used when new +identities are added to the Network Identity Manager.  The AFS Provider will search for a subkey that matches the realm of the identity.  If such a key exists, its values will be used to populate the AFS configuration for the identity.

-

Regkey:
+

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Realms\”Realm -Name”]

+Name”]

-

In addition to the optional values, this key contains one -subkey for each cell that is to be added to the AFS Provider configuration.In +addition to the optional values, this key contains one subkey for each cell +that is to be added to the AFS Provider configuration. 

Value:
-

Regkey:
+

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Realms\”Realm -Name”\”Cell Name”]\”Cell Name”]

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Submounts]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Submounts]
Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\VLDB]
Value: "hostname or ip address"
-

Regkey:
-[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]Regkey:
+[HKLM\SOFTWARE\OpenAFS\Client\Server Preferences\File]

Value: "hostname or ip address"

This key is used to specify a default set of File server preferences. For each entry the value name will be either the IP address of a server or a fully qualified domain name.  The value will be the - ranking.  The ranking will be adjusted by a random value between 0 and 256 - prior to the preference being set.

+ ranking.  The ranking will be adjusted by a random value between 0 and + 256 prior to the preference being set.
-

A.2. Integrated Logon Network -provider parameters

- -

Affects the network provider (afslogon.dll).

+

A.2. +Integrated Logon Network provider parameters

-

Regkey: -[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]Affects +the network provider (afslogon.dll).

+ +

Regkey: +[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value: FailLoginsSilently
-

Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]Regkey:
+[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

Value: NoWarnings
Value: AuthentProviderPath
Value: Class
@@ -6559,7 +7332,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
Value: DependOnGroup
Value: DependOnService
Value: Name
@@ -6605,7 +7378,7 @@ style='mso-fareast-font-family:"Times New Roman"'>
Value: ProviderPath
-

A.2.1 Domain specific -configuration keys for the Network ProviderA.2.1 +Domain specific configuration keys for the Network Provider

-

The network provider can be configured to have different -behavior depending on the domain that the user logs into.  These settings -are only relevant when using integrated login.  A domain refers to an -Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the local -machine (i.e. local account logins).  The domain name that is used for -selecting the domain would be the domain that is passed into the NPLogonNotify -function of the network provider.

- -

Domain specific registry keys are:

- -

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]The +network provider can be configured to have different behavior depending on the +domain that the user logs into.  These settings are only relevant when +using integrated login.  A domain refers to an Active Directory (AD) +domain, a trusted Kerberos (non-AD) realm or the local machine (i.e. local +account logins).  The domain name that is used for selecting the domain +would be the domain that is passed into the NPLogonNotify function of the +network provider.

+ +

Domain +specific registry keys are:

+ +

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

-

  (NP key)

+

  +(NP key)

-

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain][HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]

-

  (Domains key)

- -

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain -name"]  +(Domains key)

+ +

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain +name"]

-

  (Specific domain key. One per domain.)

+

  +(Specific domain key. One per domain.)

-

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST][HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

-

  (Localhost key)

+

  +(Localhost key)

-

Example:Example:

-

 HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider

+

 HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider

-

  |

+

  +|

-

  +- Domain

+

  ++- Domain

-

     +-AD1.EXAMPLE.COM

+

     ++-AD1.EXAMPLE.COM

-

     +-AD2.EXAMPLE.NET

+

     ++-AD2.EXAMPLE.NET

-

     +-LOCALHOST

+

     ++-LOCALHOST

-

Each of the domain specific keys can have the set of -values described in 2.1.1.  The effective values are chosen as described -in 2.1.2.

+

Each +of the domain specific keys can have the set of values described in +2.1.1.  The effective values are chosen as described in 2.1.2.

-

A.2.1.1 -Domain specific configuration valuesA.2.1.1 Domain specific +configuration values

-

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
+

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
@@ -6713,11 +7518,10 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: LogonOptions
+ name="_Toc139993268">Value: + LogonOptions

Type: DWORD
Default: 0x01

NSIS/WiX: depends on user configuration

@@ -6737,7 +7541,7 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: FailLoginsSilentl
Value: LogonScript
Value: LoginRetryInterval
Value: LoginSleepInterval
NSIS: <not set>

When Kerberos v5 is being used, Realm specifies the Kerberos v5 realm that should be appended to the first component of the - Domain logon username to construct the Kerberos v5 principal for which AFS - tokens should be obtained.

+ Domain logon username to construct the Kerberos v5 principal for which AFS tokens + should be obtained.

Value: TheseCells
+ name="_Toc139993273">Value: + TheseCells

Type: REG_MULTI_SZ
NSIS: <not set>

When Kerberos v5 is being used, TheseCells provides a @@ -6835,95 +7638,113 @@ style='mso-fareast-font-family:"Times New Roman"'>

-

A.2.1.2 -Selection of effective values for domain specific configurationA.2.1.2 Selection of +effective values for domain specific configuration

-

During login to domain X, where X is the domain passed -into NPLogonNotify as lpAuthentInfo->LogonDomainName or the string -'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the -computer, the following keys will be looked up.

+

During +login to domain X, where X is the domain passed into NPLogonNotify as +lpAuthentInfo->LogonDomainName or the string 'LOCALHOST' if +lpAuthentInfo->LogonDomainName equals the name of the computer, the +following keys will be looked up.

-

1.1.      NP key. ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")

-

2.2.      Domains key. (NP key\"Domain")

-

3.3.      Specific domain key. (Domains key\X)

-

If the specific domain key does not exist, then the domains -key will be ignored.  All the configuration information in this case will -come from the NP key.

- -

If the specific domain key exists, then for each of the -values metioned in (2), they will be looked up in the specific domain key, -domains key and the NP key successively until the value is found. The first -instance of the value found this way will be the effective for the login -session.  If no such instance can be found, the default will be -used.  To re-iterate, a value in a more specific key supercedes a value in -a less specific key.  The exceptions to this rule are stated below.

- -

A.2.1.3 -Exceptions to A.2.1.2

+

If +the specific domain key does not exist, then the domains key will be +ignored.  All the configuration information in this case will come from +the NP key.

+ +

If +the specific domain key exists, then for each of the values metioned in (2), +they will be looked up in the specific domain key, domains key and the NP key +successively until the value is found. The first instance of the value found +this way will be the effective for the login session.  If no such instance +can be found, the default will be used.  To re-iterate, a value in a more +specific key supercedes a value in a less specific key.  The exceptions to +this rule are stated below.

+ +

A.2.1.3 Exceptions to A.2.1.2

-

To retain backwards compatibility, the following -exceptions are made to 2.1.2.

+

To +retain backwards compatibility, the following exceptions are made to 2.1.2.

-

2.1.3.1 +

2.1.3.1 'FailLoginsSilently'

-

Historically, the 'FailLoginsSilently' value was in +

Historically, +the 'FailLoginsSilently' value was in HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters key and not in the NP key.  Therefore, for backwards compatibility, the value in the Parameters key will supercede all instances of this value in other keys.  In the absence of this value in the Parameters key, normal scope rules apply.

-

2.1.3.2 +

2.1.3.2 'LogonScript'

-

If a 'LogonScript' is not specified in the specific domain -key nor in the domains key, the value in the NP key will only be checked if the -effective 'LogonOptions' specify a high security integrated login.  If a -logon script is specified in the specific domain key or the domains key, it -will be used regardless of the high security setting.  Please be aware of -this when setting this value.

- -

A.3. AFS Credentials System -Tray Tool parameters

+

If +a 'LogonScript' is not specified in the specific domain key nor in the domains +key, the value in the NP key will only be checked if the effective +'LogonOptions' specify a high security integrated login.  If a logon +script is specified in the specific domain key or the domains key, it will be +used regardless of the high security setting.  Please be aware of this +when setting this value.

+ +

A.3. AFS +Credentials System Tray Tool parameters

-

Affects the behavior of afscreds.exe

+

Affects +the behavior of afscreds.exe

-

Regkey:
-[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]Regkey:
+[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value: Gateway
@@ -6947,25 +7768,28 @@ style='mso-fareast-font-family:"Times New Roman"'>
Value: Cell

Type: REG_SZ
Default: <none>
Variable: IsServiceConfigured()

-

The value Cell is used to determine if the AFS Client - Service has been properly configured or not.

+

The value Cell is used to determine if the AFS Client Service + has been properly configured or not.
-

Regkey:
+

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client]
-[HKCU\SOFTWARE\OpenAFS\Client]

Value: ShowTrayIcon

Type: DWORD {0, 1}
Default: 1
Function: InitApp(), Main_OnCheckTerminate()

-

This value is used to determine whether or not a shortcut - should be maintained in the user's Start Menu->Programs->Startup - folder.

+

This value is used to determine whether or not a + shortcut should be maintained in the user's Start + Menu->Programs->Startup folder.

This value used to be stored at [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

The current user value is checked first; if it does not @@ -6995,8 +7819,8 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: EnableKFW
Kerberos v4 names by the AFS servers before they can be looked up in the Protection database.  The mapping algorithm used permits collisions to occur.  Both of the Kerberos v5 names, "user.admin@REALM" and "user/admin@REALM" are interpreted as - the same user identity within the cell.  To enable both names to be sent - to the server by AFSCreds or Integrated Logon, set this value to 1.

+ href="mailto:user.admin@REALM">user.admin@REALM" + and "user/admin@REALM" + are interpreted as the same user identity within the cell.  To enable + both names to be sent to the server by AFSCreds or Integrated Logon, set this + value to 1.
-
Value: Use524

Type: DWORD {0, 1}
@@ -7052,10 +7879,9 @@ style='mso-fareast-font-family:"Times New Roman"'>

Value: + name="_Toc139993286">Value: AfscredsShortcutParams

Type: REG_SZ
@@ -7064,10 +7890,10 @@ style='mso-fareast-font-family:"Times New Roman"'>

This value specifies the command line options which should be set as part of the shortcut to afscreds.exe.  afscreds.exe rewrites the shortcut each time it exits so as to ensure that the shortcut - points to the latest version of the program.  This value is used to determine - which values should be used for command line parameters.  The current - user value is checked first; if it does not exist the local machine value is - checked.

+ points to the latest version of the program.  This value is used to + determine which values should be used for command line parameters.  The + current user value is checked first; if it does not exist the local machine + value is checked.

The following subset of the command line options is appropriate for use in this registry setting:

-A = autoinit
@@ -7081,11 +7907,14 @@ style='mso-fareast-font-family:"Times New Roman"'>

-

Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client]Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client]

Value: Authentication Cell
-

Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Reminders]Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client\Reminders]

Value: "afs cell name"
-

Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]

Value: "upper case drive letter"
-

Regkey:
-[HKCU\SOFTWARE\OpenAFS\Client\Mappings]Regkey:
+[HKCU\SOFTWARE\OpenAFS\Client\Mappings]

Value: "upper case drive letter"
-

A.4 OpenAFS Client Service Environment VariablesA.4 OpenAFS Client Service Environment Variables

@@ -7209,7 +8049,7 @@ FR'>

Variable: AFS_RPC_ENCRYPT
Variable: AFS_RPC_PROTSEQ
-

 

+

 

-- 2.39.5