! The AFS configuration panel for each Kerberos 5 identity is used to configure which cells credentials should be obtained for and how they should be obtained. If the cell to realm mapping cannot be automatically determined, it can be explicitly ! specified. If the cell does not support ! Kerberos 5 tickets as tokens, then a krb524 service can be configured.
The AFS configuration panel for each Kerberos v5 identity is used to configure which cells credentials should be obtained for and how they should be obtained. If the cell to realm mapping cannot be automatically determined, it can be explicitly ! specified. If the cell does not support Kerberos ! v5 tickets as tokens, then a krb524 service can be configured.
The AFS plug-in configuration panel provider can be used to
check the status of the AFS Client Service and its version. An optional checkbox is provided that will
prevent the AFS System Tray Tool from being started by Windows after
--- 954,960 ----
The OpenAFS Provider configuration panel can be used to check the status of the AFS Client Service and its version. An optional checkbox is provided that will prevent the AFS System Tray Tool from being started by Windows after *************** *** 965,974 ****
By itself the OpenAFS Client Service does not provide robust behavior in a plug-n-play network environment. Changes to the number of network adapters or their assigned IP addresses will cause the service to ! terminate unexpectedly. To avoid this behavior OpenAFS for Windows installs ! a single instance of the Microsoft Loopback Adapter (MLA) on the machine. ! With the MLA installed, the OpenAFS Client Service will not be affected by the ! configuration changes of other network adapters installed on the system.
The MLA is installed with a name of "AFS" and a pre-assigned IP address in the 10.x.x.x range. The MLA is bound to the --- 970,980 ----
By itself the OpenAFS Client Service does not provide robust behavior in a plug-n-play network environment. Changes to the number of network adapters or their assigned IP addresses will cause the service to ! terminate unexpectedly. To avoid this behavior OpenAFS for Windows ! installs a single instance of the Microsoft Loopback Adapter (MLA) on the ! machine. With the MLA installed, the OpenAFS Client Service will not be ! affected by the configuration changes of other network adapters installed on ! the system.
The MLA is installed with a name of "AFS" and a pre-assigned IP address in the 10.x.x.x range. The MLA is bound to the *************** *** 1041,1052 **** modified as cells are accessed. When the fake "root.afs" volume is initially constructed it will only contain two mount points: a regular path and read-write path mount point used to access the ! "root.cell" volume of the default AFS cell. Any attempt to ! access a valid cell name will result in a new mount point being created in the ! fake "root.afs" volume. If the cellname begins with a ! "." the mount point will be a read-write path; otherwise the ! mount point will be a regular path. These mount points are ! preserved in the registry at key:
HKLM\SOFTWARE\OpenAFS\Client\Freelance
--- 1047,1058 ---- modified as cells are accessed. When the fake "root.afs" volume is initially constructed it will only contain two mount points: a regular path and read-write path mount point used to access the ! "root.cell" volume of the default AFS cell. Any attempt to access ! a valid cell name will result in a new mount point being created in the fake ! "root.afs" volume. If the cellname begins with a "." ! the mount point will be a read-write path; otherwise the mount point ! will be a regular path. These mount points are preserved in the ! registry at key:HKLM\SOFTWARE\OpenAFS\Client\Freelance
*************** *** 1107,1116 **** provide Single Sign-On functionality (aka Integrated Logon.) Integrated Logon can be used when the Windows username and password match the username and password associated with the default cell's Kerberos realm. For example, ! if the Windows username is "jaltman" and the default cell is "athena.mit.edu", ! then Integrated Logon can be successfully used if the windows password matches ! the password assigned to the Kerberos principal "jaltman@ATHENA.MIT.EDU". The realm “ATHENA.MIT.EDU” is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers. --- 1113,1122 ---- provide Single Sign-On functionality (aka Integrated Logon.) Integrated Logon can be used when the Windows username and password match the username and password associated with the default cell's Kerberos realm. For example, ! if the Windows username is "jaltman" and the default cell is ! "athena.mit.edu", then Integrated Logon can be successfully used if ! the windows password matches the password assigned to the Kerberos principal ! "jaltman@ATHENA.MIT.EDU". The realm “ATHENA.MIT.EDU” is obtained by performing a domain name to realm mapping on the hostname of one of the cell's Volume Database servers. *************** *** 1120,1129 **** passwords.When KFW is configured, Integrated Logon will use it to ! obtain tokens. Use of KFW for Integrated Logon can be ! disabled via the EnableKFW registry ! value. Use of the krb524 service can be ! configured via the Use524 registry value.
Integrated Logon will not preserve the Kerberos v5 tickets. KFW 3.1 and above implements that functionality.
--- 1126,1135 ---- passwords.When KFW is configured, Integrated Logon will use it to ! obtain tokens. Use of KFW for Integrated Logon can be disabled via the EnableKFW registry value. Use of the krb524 service can be configured ! via the Use524 registry value.
Integrated Logon will not preserve the Kerberos v5 tickets. KFW 3.1 and above implements that functionality.
*************** *** 1143,1148 **** --- 1149,1159 ---- style='mso-bookmark:_Toc152605047'>3.6. AFS System Tray Command Line Options +The AFS System Tray Tool
+ (afscreds.exe) has been deprecated in favor of Network Identity Manager. afscreds.exe will be removed from the OpenAFS
+ in a future release.
The AFS System Tray tool (afscreds.exe) supports several command line options:
*************** *** 1175,1182 **** tokens when afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored in the MSLSA credentials cache; any existing CCAPI credentials cache; and finally display an Obtain Tokens dialog to the user. When used ! in combination with IP address change detection, afscreds.exe will attempt to ! acquire AFS tokens whenever the IP address list changes and the Kerberos KDC is accessible.The renew drive maps option is used to ensure that the user --- 1186,1193 ---- tokens when afscreds.exe is started. afscreds.exe will attempt to utilize tickets stored in the MSLSA credentials cache; any existing CCAPI credentials cache; and finally display an Obtain Tokens dialog to the user. When used ! in combination with IP address change detection, afscreds.exe will attempt to acquire ! AFS tokens whenever the IP address list changes and the Kerberos KDC is accessible.
The renew drive maps option is used to ensure that the user *************** *** 1254,1262 **** style='font-size:9.0pt;font-family:Symbol'>· minidump
!The creation or removal of mount points and symlinks in the ! Freelance “root.afs” volume are also restricted to members of the “AFS Client ! Admins” group.
The initial membership of the "AFS Client Admins" group when created by the installer is equivalent to the local --- 1265,1273 ---- style='font-size:9.0pt;font-family:Symbol'>· minidump
!The creation or removal of mount points and symlinks in the Freelance ! “root.afs” volume are also restricted to members of the “AFS Client Admins” ! group.
The initial membership of the "AFS Client Admins" group when created by the installer is equivalent to the local *************** *** 1264,1271 **** "Administrators" group after the creation of the "AFS Client Admin" group, that user will not be an AFS Client Administrator. Only users that are members of the "AFS Client Admins" group are AFS ! Client Administrators. The local "SYSTEM" account is an ! implicit member of the "AFS Client Admins" group.
Setting the default sysname for a machine should be done via the registry and not via "fs --- 1275,1282 ---- "Administrators" group after the creation of the "AFS Client Admin" group, that user will not be an AFS Client Administrator. Only users that are members of the "AFS Client Admins" group are AFS ! Client Administrators. The local "SYSTEM" account is an implicit ! member of the "AFS Client Admins" group.
Setting the default sysname for a machine should be done via the registry and not via "fs *************** *** 1300,1310 **** name="_Toc115416115">3.9. ! OpenAFS includes aklog.exe
The OpenAFS Client ships with its own version of aklog.exe which should be used in preference to those obtained by other sources. ! The OpenAFS aklog.exe supports Kerberos 5 as well as the ability to auto-generate AFS IDs within foreign PTS databases.
Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
--- 1311,1321 ---- name="_Toc115416115">3.9. ! aklog.exeThe OpenAFS Client ships with its own version of aklog.exe which should be used in preference to those obtained by other sources. ! The OpenAFS aklog.exe supports Kerberos v5 as well as the ability to auto-generate AFS IDs within foreign PTS databases.
Usage: aklog [-d] [[-cell | -c] cell [-k krb_realm]]
*************** *** 1357,1373 **** style='mso-spacerun:yes'> The TransarcAFSServer service will auto-start the traditional AFS bos server. The former AFS Server Configuration wizard makes assumptions that no longer hold ! true. As a result, the installation ! process will fail. However, following ! the instructions for installing the AFS Servers on UNIX it is possible to ! properly configure the AFS Servers on Microsoft Windows. The AFS Server binaries, configuration files, ! and log files are installed under %Program Files%\OpenAFS\Server. kaserver is deprecated and its ! use is strongly discouraged. ! Instead, Active Directory or some other Kerberos 5 KDC should be used in ! its place.3.10.2. Using the AFS Client Service when the Server is installed
--- 1368,1383 ---- style='mso-spacerun:yes'> The TransarcAFSServer service will auto-start the traditional AFS bos server. The former AFS Server Configuration wizard makes assumptions that no longer hold ! true and it has therefore been disabled. ! However, following the instructions for installing the AFS Servers on ! UNIX it is possible to properly configure the AFS Servers on Microsoft ! Windows. The AFS Server binaries, ! configuration files, and log files are installed under %Program ! Files%\OpenAFS\Server. kaserver has been deprecated and its use is strongly ! discouraged. Instead, ! Active Directory or some other Kerberos v5 KDC should be used in its place.3.10.2. Using the AFS Client Service when the Server is installed
*************** *** 1379,1386 **** style='font-size:9.0pt;font-family:Symbol'>· Freelance mode should be disabled when the AFS Client Service is installed on the same ! machine as the AFS Server,. Otherwise, you will be unable to manipulate the ! contents of the root.afs volume for the hosted cell without constructing an explicit mountpoint to the root.afs volume from another volume.· Freelance mode should be disabled when the AFS Client Service is installed on the same ! machine as the AFS Server,. Otherwise, you will be unable to manipulate ! the contents of the root.afs volume for the hosted cell without constructing an explicit mountpoint to the root.afs volume from another volume.
MIT Kerberos for Windows should not be installed or must be disabled via the EnableKFW registry value.
MIT Kerberos for Windows should not be installed or must be disabled via the EnableKFW registry value. ! !
· The AFS ! Servers are not aware of power management events nor are they aware of network ! configuration changes. It is strongly ! advised that the AFS servers be installed only on systems that will not be ! shutdown or suspended unexpectedly. An inadvertent ! shutdown will corrupt volume data.
3.13. ! Encrypted AFS File Access
The OpenAFS for Windows installer by default activates a weak form of encrypted data transfer between the AFS client and the AFS --- 1460,1466 ---- name="_Toc115416119">3.13. ! Encrypted AFS Network Communication
The OpenAFS for Windows installer by default activates a weak form of encrypted data transfer between the AFS client and the AFS *************** *** 1458,1469 **** Authenticated Access to the OpenAFS Client Service
OpenAFS authenticates SMB connections using either NTLM or ! GSS SPNEGO (NTLM). In previous versions of OpenAFS, the SMB connections were ! unauthenticated which opened the door for several attacks which could be used ! to obtain access to another user's tokens on shared machines. !
!When GSS SPNEGO attempts a Kerberos 5 authentication, the Windows SMB client will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not being --- 1476,1487 ---- Authenticated Access to the OpenAFS Client Service
OpenAFS authenticates SMB connections using either NTLM or ! GSS SPNEGO (NTLM). In previous versions of OpenAFS, the SMB connections ! were unauthenticated which opened the door for several attacks which could be ! used to obtain access to another user's tokens on shared ! machines.
!When GSS SPNEGO attempts a Kerberos v5 authentication, the Windows SMB client will attempt to retrieve service tickets for "cifs/afs@REALM" (if the loopback adapter is in use) or "cifs/machine-afs@REALM" (if the loopback adapter is not being *************** *** 1501,1510 ****
The OpenAFS Client is compatible with the Internet Connection Firewall that debuted with Windows XP SP2 and Windows 2003 ! SP1. The Internet Connection Firewall will be automatically adjusted to allow ! the receipt of incoming callback messages from the AFS file server. In ! addition, the appropriate Back Connection registry entries are added to ! allow SMB authentication to be performed across the Microsoft Loopback Adapter.
The OpenAFS Client is compatible with the Internet
Connection Firewall that debuted with Windows XP SP2 and Windows 2003
! SP1. The Internet Connection Firewall will be automatically adjusted to
! allow the receipt of incoming callback messages from the AFS file server.
! In addition, the appropriate Back Connection registry entries are added
! to allow SMB authentication to be performed across the Microsoft Loopback
! Adapter.
Many applications on Windows (e.g. Microsoft Office) require
the use of byte range locks applied to a file either to protect against
! simultaneous file access or as a signaling mechanism. OpenAFS for
! Windows release 1.5 (or greater) implements byte range locking within the
! CIFS-AFS gateway server. This support for byte range locking
! obtains AFS’ advisory file server locks to simulate Microsoft Windows mandatory
locks. When an application opens a file, a lock will be obtained
from AFS indicating that the file is in use. If the lock is a write lock,
access to the file will be restricted to other applications running on the same
--- 1545,1554 ----
Many applications on Windows (e.g. Microsoft Office) require
the use of byte range locks applied to a file either to protect against
! simultaneous file access or as a signaling mechanism. OpenAFS for Windows
! release 1.5 (or greater) implements byte range locking within the CIFS-AFS
! gateway server. This support for byte range locking obtains AFS’
! advisory file server locks to simulate Microsoft Windows mandatory
locks. When an application opens a file, a lock will be obtained
from AFS indicating that the file is in use. If the lock is a write lock,
access to the file will be restricted to other applications running on the same
***************
*** 1547,1559 ****
lock semantics on top of AFS lock semantics it is important to understand how
AFS file locks work. In Windows there are no special privileges
associated with obtaining file locks. If you can read or execute a file,
! then you can obtain shared and exclusive locks. In general, a Windows shared
! lock equates to an AFS read lock and a Windows exclusive lock equates to an AFS
! write lock. In AFS if you can write to a file, then you
! can obtain a write lock. However, in AFS if you can read a file it does
! not mean that you can obtain a read lock on it. The ability to
! obtain read locks is granted only if you have the lock (or ‘k’) privilege.
! This behavior is required in order to allow anonymous users to read files while
preventing them from being able to deny access to the files to other
users. OpenAFS 1.4.0 and earlier as well as all IBM AFS file servers
have an implementation bug that prevents users with write privileges from being
--- 1566,1578 ----
lock semantics on top of AFS lock semantics it is important to understand how
AFS file locks work. In Windows there are no special privileges
associated with obtaining file locks. If you can read or execute a file,
! then you can obtain shared and exclusive locks. In general, a Windows
! shared lock equates to an AFS read lock and a Windows exclusive lock equates to
! an AFS write lock. In AFS if you can write to a file, then you can obtain
! a write lock. However, in AFS if you can read a file it does not mean
! that you can obtain a read lock on it. The ability to obtain read
! locks is granted only if you have the lock (or ‘k’) privilege. This
! behavior is required in order to allow anonymous users to read files while
preventing them from being able to deny access to the files to other
users. OpenAFS 1.4.0 and earlier as well as all IBM AFS file servers
have an implementation bug that prevents users with write privileges from being
***************
*** 1567,1613 ****
inconvenience on end users.
! - If
the file is located on a read-only volume and the application requests a
! shared lock, the CIFS-AFS server will grant the lock request without asking
! the AFS file server.
! - If
! the file is located on a read-only volume and the application opens the
! file with write access and requests an exclusive lock, the CIFS-AFS server
will refuse the lock request and return a read only error.
! - If
! the file is located on a read-only volume and the application opens the
! file with only read access and requests an exclusive lock, the CIFS-AFS server
! will fulfill the lock request with a read lock.
! - If
the file is located on a read-write volume and the application requests an
! exclusive lock, the CIFS-AFS server will request a write lock from the AFS file
! server. If granted by the file server, then the CIFS-AFS server will
! grant the lock request.
!
! If the request is denied due to an access denied error and the user has the
! lookup, read and lock privileges and the file was opened for read only access,
! then the CIFS-AFS server will request a read lock from the file server.
!
! If the request is denied due to an access denied error and the user has the
! lookup and read privileges but not the lock privilege, then the CIFS-AFS
! server will grant the request even though the AFS file server said ‘no’.
! If the user does not have at least those permissions, the CIFS-AFS server
! will deny the request.
! - If
the file is located on a read-write volume and the application requests a
! shared lock, the CIFS-AFS server will request a read lock from the AFS file
! server. If granted by the file server, then the CIFS-AFS server
grants the lock request. If the request is denied due to an access
denied error and the user has the lookup and read privileges but not the
lock privilege, then the CIFS-AFS server will grant the request even
though the AFS file server said ‘no’. If the user does not have at
least those permissions, the CIFS-AFS server will deny the request.
! - If
multiple processes on the same machine attempt to access the same file
simultaneously, the CIFS-AFS server will locally manage the granted locks
and all processes will share a single lock on the AFS file server.
! - If
the CIFS-AFS server is unable to renew the AFS file server locks, then it
will invalidate the associated file handles. This is the same
behavior that an application will experience if it was using a Windows
--- 1586,1630 ----
inconvenience on end users.
! - If
the file is located on a read-only volume and the application requests a
! shared lock, the CIFS-AFS server will grant the lock request without
! asking the AFS file server.
! - If
! the file is located on a read-only volume and the application opens the
! file with write access and requests an exclusive lock, the CIFS-AFS server
will refuse the lock request and return a read only error.
! - If
! the file is located on a read-only volume and the application opens the
! file with only read access and requests an exclusive lock, the CIFS-AFS
! server will fulfill the lock request with a read lock.
! - If
the file is located on a read-write volume and the application requests an
! exclusive lock, the CIFS-AFS server will request a write lock from the AFS
! file server. If granted by the file server, then the CIFS-AFS server
! will grant the lock request. If the request is denied due to an
! access denied error and the user has the lookup, read and lock privileges
! and the file was opened for read only access, then the CIFS-AFS server
! will request a read lock from the file server. If the request is
! denied due to an access denied error and the user has the lookup and read
! privileges but not the lock privilege, then the CIFS-AFS server will grant
! the request even though the AFS file server said ‘no’. If the user
! does not have at least those permissions, the CIFS-AFS server will deny
! the request.
! - If
the file is located on a read-write volume and the application requests a
! shared lock, the CIFS-AFS server will request a read lock from the AFS
! file server. If granted by the file server, then the CIFS-AFS server
grants the lock request. If the request is denied due to an access
denied error and the user has the lookup and read privileges but not the
lock privilege, then the CIFS-AFS server will grant the request even
though the AFS file server said ‘no’. If the user does not have at
least those permissions, the CIFS-AFS server will deny the request.
! - If
multiple processes on the same machine attempt to access the same file
simultaneously, the CIFS-AFS server will locally manage the granted locks
and all processes will share a single lock on the AFS file server.
! - If
the CIFS-AFS server is unable to renew the AFS file server locks, then it
will invalidate the associated file handles. This is the same
behavior that an application will experience if it was using a Windows
***************
*** 1740,1753 ****
Filename Character Sets
OpenAFS for Windows implements an SMB server which is used
! as a gateway to the AFS filesystem. Because of limitations of the SMB implementation,
! Windows stores all files into AFS using OEM code pages such as CP437 (United
! States) or CP850 (Western Europe). These code pages are incompatible with
! the ISO Latin-1 character set typically used as the default on UNIX systems in
! both the United States and Western Europe . Filenames stored by OpenAFS for
! Windows are therefore unreadable on UNIX systems if they include any of the
! following characters:
Many applications on Windows (e.g. Microsoft Office) require the use of byte range locks applied to a file either to protect against ! simultaneous file access or as a signaling mechanism. OpenAFS for Windows ! release 1.5 (or greater) implements byte range locking within the CIFS-AFS ! gateway server. This support for byte range locking obtains AFS’ ! advisory file server locks to simulate Microsoft Windows mandatory locks. When an application opens a file, a lock will be obtained from AFS indicating that the file is in use. If the lock is a write lock, access to the file will be restricted to other applications running on the same *************** *** 1547,1559 **** lock semantics on top of AFS lock semantics it is important to understand how AFS file locks work. In Windows there are no special privileges associated with obtaining file locks. If you can read or execute a file, ! then you can obtain shared and exclusive locks. In general, a Windows shared ! lock equates to an AFS read lock and a Windows exclusive lock equates to an AFS ! write lock. In AFS if you can write to a file, then you ! can obtain a write lock. However, in AFS if you can read a file it does ! not mean that you can obtain a read lock on it. The ability to ! obtain read locks is granted only if you have the lock (or ‘k’) privilege. ! This behavior is required in order to allow anonymous users to read files while preventing them from being able to deny access to the files to other users. OpenAFS 1.4.0 and earlier as well as all IBM AFS file servers have an implementation bug that prevents users with write privileges from being --- 1566,1578 ---- lock semantics on top of AFS lock semantics it is important to understand how AFS file locks work. In Windows there are no special privileges associated with obtaining file locks. If you can read or execute a file, ! then you can obtain shared and exclusive locks. In general, a Windows ! shared lock equates to an AFS read lock and a Windows exclusive lock equates to ! an AFS write lock. In AFS if you can write to a file, then you can obtain ! a write lock. However, in AFS if you can read a file it does not mean ! that you can obtain a read lock on it. The ability to obtain read ! locks is granted only if you have the lock (or ‘k’) privilege. This ! behavior is required in order to allow anonymous users to read files while preventing them from being able to deny access to the files to other users. OpenAFS 1.4.0 and earlier as well as all IBM AFS file servers have an implementation bug that prevents users with write privileges from being *************** *** 1567,1613 **** inconvenience on end users.
-
!
- If the file is located on a read-only volume and the application requests a ! shared lock, the CIFS-AFS server will grant the lock request without asking ! the AFS file server. !
- If ! the file is located on a read-only volume and the application opens the ! file with write access and requests an exclusive lock, the CIFS-AFS server will refuse the lock request and return a read only error. !
- If ! the file is located on a read-only volume and the application opens the ! file with only read access and requests an exclusive lock, the CIFS-AFS server ! will fulfill the lock request with a read lock. !
- If the file is located on a read-write volume and the application requests an ! exclusive lock, the CIFS-AFS server will request a write lock from the AFS file ! server. If granted by the file server, then the CIFS-AFS server will ! grant the lock request. ! ! If the request is denied due to an access denied error and the user has the ! lookup, read and lock privileges and the file was opened for read only access, ! then the CIFS-AFS server will request a read lock from the file server. ! ! If the request is denied due to an access denied error and the user has the ! lookup and read privileges but not the lock privilege, then the CIFS-AFS ! server will grant the request even though the AFS file server said ‘no’. ! If the user does not have at least those permissions, the CIFS-AFS server ! will deny the request. !
- If the file is located on a read-write volume and the application requests a ! shared lock, the CIFS-AFS server will request a read lock from the AFS file ! server. If granted by the file server, then the CIFS-AFS server grants the lock request. If the request is denied due to an access denied error and the user has the lookup and read privileges but not the lock privilege, then the CIFS-AFS server will grant the request even though the AFS file server said ‘no’. If the user does not have at least those permissions, the CIFS-AFS server will deny the request. !
- If multiple processes on the same machine attempt to access the same file simultaneously, the CIFS-AFS server will locally manage the granted locks and all processes will share a single lock on the AFS file server. !
- If
the CIFS-AFS server is unable to renew the AFS file server locks, then it
will invalidate the associated file handles. This is the same
behavior that an application will experience if it was using a Windows
--- 1586,1630 ----
inconvenience on end users.
-
!
- If the file is located on a read-only volume and the application requests a ! shared lock, the CIFS-AFS server will grant the lock request without ! asking the AFS file server. !
- If ! the file is located on a read-only volume and the application opens the ! file with write access and requests an exclusive lock, the CIFS-AFS server will refuse the lock request and return a read only error. !
- If ! the file is located on a read-only volume and the application opens the ! file with only read access and requests an exclusive lock, the CIFS-AFS ! server will fulfill the lock request with a read lock. !
- If the file is located on a read-write volume and the application requests an ! exclusive lock, the CIFS-AFS server will request a write lock from the AFS ! file server. If granted by the file server, then the CIFS-AFS server ! will grant the lock request. If the request is denied due to an ! access denied error and the user has the lookup, read and lock privileges ! and the file was opened for read only access, then the CIFS-AFS server ! will request a read lock from the file server. If the request is ! denied due to an access denied error and the user has the lookup and read ! privileges but not the lock privilege, then the CIFS-AFS server will grant ! the request even though the AFS file server said ‘no’. If the user ! does not have at least those permissions, the CIFS-AFS server will deny ! the request. !
- If the file is located on a read-write volume and the application requests a ! shared lock, the CIFS-AFS server will request a read lock from the AFS ! file server. If granted by the file server, then the CIFS-AFS server grants the lock request. If the request is denied due to an access denied error and the user has the lookup and read privileges but not the lock privilege, then the CIFS-AFS server will grant the request even though the AFS file server said ‘no’. If the user does not have at least those permissions, the CIFS-AFS server will deny the request. !
- If multiple processes on the same machine attempt to access the same file simultaneously, the CIFS-AFS server will locally manage the granted locks and all processes will share a single lock on the AFS file server. !
- If the CIFS-AFS server is unable to renew the AFS file server locks, then it will invalidate the associated file handles. This is the same behavior that an application will experience if it was using a Windows *************** *** 1740,1753 **** Filename Character Sets
|
! [Ç] 128 ! 08/00 200 80 C cedilla ![ü] 129 ! 08/01 201 81 u diaeresis ![é] 130 ! 08/02 202 82 e acute ![â] 131 ! 08/03 203 83 a circumflex ![ä] 132 ! 08/04 204 84 a diaeresis ![à] 133 ! 08/05 205 85 a grave ![å] 134 ! 08/06 206 86 a ring ![ç] 135 ! 08/07 207 87 c cedilla ![ê] 136 08/08 ! 210 88 e circumflex ![ë] 137 ! 08/09 211 89 e diaeresis ![è] 138 ! 08/10 212 8A e grave ![ï] 139 ! 08/11 213 8B i diaeresis ![î] 140 ! 08/12 214 8C i circumflex ![ì] 141 ! 08/13 215 8D i grave ![Ä] 142 08/14 ! 216 8E A diaeresis ![Å] 143 ! 08/15 217 8F A ring ![É] 144 ! 09/00 220 90 E acute ![æ] 145 ! 09/01 221 91 ae diphthong ![Æ] 146 ! 09/02 222 92 AE diphthong ![ô] 147 ! 09/03 223 93 o circumflex ![ö] 148 ! 09/04 224 94 o diaeresis ![ò] 149 ! 09/05 225 95 o grave ![û] 150 ! 09/06 226 96 u circumflex ![ù] 151 ! 09/07 227 97 u grave ![ÿ] 152 ! 09/08 230 98 y diaeresis ![Ö] 153 ! 09/09 231 99 O diaeresis ![Ü] 154 ! 09/10 232 9A U diaeresis ![ø] 155 ! 09/11 233 9B o slash [£] 156 09/12 234 9C Pound sterling sign ![Ø] 157 ! 09/13 235 9D O slash ![×] 158 ! 09/14 236 9E Multiplication sign ! [ƒ] 159
! 09/15 237 9F |
[Ç] 128 08/00 200
! 80 C cedilla
! [ü] 129 08/01 201 81 u diaeresis
! [é] 130 08/02 202 82 e acute
! [â] 131 08/03 203 83 a circumflex
! [ä] 132 08/04 204 84 a diaeresis
! [à] 133 08/05 205 85 a grave
! [å] 134 08/06 206 86 a ring
! [ç] 135 08/07 207 87 c cedilla
! [ê] 136 08/08 210 88 e circumflex
! [ë] 137 08/09 211 89 e diaeresis
! [è] 138 08/10 212 8A e grave
! [ï] 139 08/11 213 8B i diaeresis
! [î] 140 08/12 214 8C i circumflex
! [ì] 141 08/13 215 8D i grave
! [Ä] 142 08/14 216 8E A diaeresis
! [Å] 143 08/15 217 8F A ring
! [É] 144 09/00 220 90 E acute
! [æ] 145 09/01 221 91 ae diphthong
! [Æ] 146 09/02 222 92 AE diphthong
! [ô] 147 09/03 223 93 o circumflex
! [ö] 148 09/04 224 94 o diaeresis
! [ò] 149 09/05 225 95 o grave
! [û] 150 09/06 226 96 u circumflex
! [ù] 151
! 09/07 227 97 u grave
! [ÿ] 152 09/08 230 98 y diaeresis
! [Ö] 153
! 09/09 231 99 O diaeresis
! [Ü] 154 09/10 232 9A U diaeresis
! [ø] 155 09/11 233 9B o slash
[£] 156 09/12 234 9C Pound sterling sign
! [Ø] 157 09/13 235
! 9D O slash
! [×] 158 09/14 236 9E Multiplication sign
! [ƒ] 159 09/15 237 9F
The performance of the AFS Client Service is significantly affected by the access times associated with the AFSCache paging ! file. When given the choice, the AFSCache file should be placed on ! a fast disk, preferably NTFS, the file should not be compressed and should consist of as few fragments as possible. Significant performance gains can be achieved by defragmenting the AFSCache file with Sysinternal's Contig utility while the AFS Client Service is stopped.
--- 1884,1891 ----The performance of the AFS Client Service is significantly affected by the access times associated with the AFSCache paging ! file. When given the choice, the AFSCache file should be placed on a ! fast disk, preferably NTFS, the file should not be compressed and should consist of as few fragments as possible. Significant performance gains can be achieved by defragmenting the AFSCache file with Sysinternal's Contig utility while the AFS Client Service is stopped.
*************** *** 2007,2014 ****HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"
!HKLM "SOFTWARE\Microsoft\RPC\ClientProtocols" ! "ncacn_http"
HKLM
"SOFTWARE\Microsoft\RPC\ClientProtocols" "ncadg_ip_udp"
! HKLM
! "SOFTWARE\Microsoft\RPC\ClientProtocols" "ncacn_http"
! 3.39. Delayed Write Errors with Microsoft
Office Applications
Microsoft Office makes heavy use of asynchronous
--- 2058,2066 ----
file. When cloning machines that have Windows AFS client installed,
the AFSCache files should be deleted as part of the cloning process.
! 3.39. Delayed Write Errors with Microsoft
Office Applications
Microsoft Office makes heavy use of asynchronous
***************
*** 2082,2090 ****
applications should be modified to use of \\AFS\<cellname>\<path>
instead of drive letters.
! 3.41. 64-bit Microsoft Windows Installations
Although 64-bit Windows platforms support both 64-bit and
32-bit applications, the OpenAFS Service installed on the machine must be
--- 2104,2112 ----
applications should be modified to use of \\AFS\<cellname>\<path>
instead of drive letters.
! 3.41. 64-bit Microsoft Windows Installations
Although 64-bit Windows platforms support both 64-bit and
32-bit applications, the OpenAFS Service installed on the machine must be
***************
*** 2138,2460 ****
Start and Stop Service features of the AFS System Tray tool and the AFS Control
Panel will not work unless they are “Run as Administrator”.
!
! The help files provided with OpenAFS are in .HLP format.
! Windows Vista does not include a help engine for this format. 4. How to Debug Problems with OpenAFS for Windows:
!
!
OpenAFS for Windows provides a wide range of tools to assist
! the developers in debugging problems. The techniques available are varied
! because of the wide range of issues that have been discovered over the
! years. When filing bug reports to the
! OpenAFS developers, please collect as much information as possible and forward
! it as part of the bug
!
! 4.1.
! pioctl debugging (IoctlDebug
! registry key)
!
! pioctl (path-based ioctl) calls are used by various tools to
! communicate with the AFS Client Service. Some of the operations performed
! include:
!
! · setting/querying
! tokens (tokens.exe, aklog.exe, afscreds.exe)
!
! · setting/querying
! ACLs
!
! · setting/querying
! cache parameters
!
! · flushing
! files or volumes
!
! · setting/querying
! server preferences
!
! · querying
! path location
!
! · checking
! the status of servers and volumes
!
! · setting/querying
! the sysname list
!
! pioctl calls are implemented by writing to a special UNC
! path that is processed by the AFS Client Service. If there is a
! failure to communicate with the AFS Client Service via SMB/CIFS, it will be
! impossible to perform any of the above operations.
!
! To assist in debugging these problems, the registry value:
!
! [HKLM\SOFTWARE\OpenAFS\Client]
!
! REG_DWORD: IoctlDebug = 0x01
!
! should be set. Then any of the commands that perform
! pioctl calls should be executed from the command prompt. With this key
! set the pioctl library will generate debugging output to stderr. The
! output will contain the Win32 API calls executed along with their most
! important parameters and their return code. The MSDN Library and
! the Microsoft KnowledgeBase can be used as a reference to help you determine
! the configuration probem with your system.
!
! 4.2.
! afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)
!
! Every time the AFS Client Service starts it appends data
! about its progress and configuration to a file. This file provides
! information crucial to determining why the service cannot start when there are
! problems. When the process terminates due to a panic condition it will
! write to this file the source code file and line number of the error. In
! many cases the panic condition is due to a misconfiguration of the
! machine. In other cases it might be due to a programming error in the
! software. A quick review of the location in the source code will quickly
! reveal the reason for the termination.
!
! The MaxLogSize
! registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log
! file. If the file is larger than this value when OpenAFS Client Service
! starts, the file will be reset to 0 bytes. If value is set to 0, the file
! will be allowed to grow indefinitely.
!
! 4.3.
! afsd_service debug logs (fs trace {-on, -off, -dump}
! ->%WinDir%\TEMP\afsd.log)
!
! When attempting to debug the behavior of the SMB/CIFS Server
! and the Cache Manager it is often useful to examine a log of the operations
! being performed. While running the AFS Client Service keeps an in memory
! log of many of its actions. The default number of actions preserved
! at any one time is 5000. This can be adjusted with the registry value:
!
!
! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
!
! REG_DWORD TraceBufferSize
!
! A restart of the service is necessary when adjusting this
! value. Execute "fs trace -on" to clear to the log and
! "fs trace -dump" to output the contents of the log to the file.
!
! 4.4.
! Using SysInternal’s DbgView and FileMon Tools
!
! An alternatve option to the use of "fs trace
! -dump" to capture internal OpenAFS Client Service events is to use a tool
! such as Sysinternal's DbgView to capture real-time debugging output. When
! the OpenAFS Client Service starts and Bit 2 of the TraceOption value in the registry is set, all
! trace log events are output using the Windows Debug Monitor interface
! (OutputDebugString).
!
!
! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
!
! REG_DWORD
! TraceOption = 0x04
!
! Use “fs trace –on” and “fs trace –off” to toggle the generation
! of log messages.
!
! Sysinternal’s
! FileMon utility can be use to monitor the file operations requested by
! applications and their success or failure. Use the Volumes menu to
! restrict FileMon monitor to Network volumes only in order to reduce the
! output to just the CIFS requests. Turn on the Advanced Output
! option in order to log with finer granularity.
!
! Turn on the Clock Time and Show Milliseconds
! options in both tools to make it easier to synchronize the application requests
! and the resulting OpenAFS Client Service operations. The captured
! data can be stored to files for inclusion in bug reports.
!
! 4.5. Microsoft MiniDumps
! (fs minidump -> %WinDir%\TEMP\afsd.dmp)
!
! If the AFS Client Service become unresponsive to any form of
! communication there may be a serious error that can only be debugged by someone
! with access to the source code and a debugger. The "fs
! minidump" command can be used to force the generation of a MiniDump file
! containing the state of all of the threads in the AFS Client Service process.
!
! 4.6.
! Single Sign-on (Integrated Logon) debugging
!
! If you are having trouble with the Integrated Logon
! operations it is often useful to be able to obtain a log of what it is
! attempting to do. Setting Bit 0 of the TraceOption registry value:
!
!
! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
!
! REG_DWORD TraceOption = 0x01
!
! will instruct the Integrated Logon Network Provider and
! Event Handlers to log information to the Windows Event Log: Application under
! the name “AFS Logon".
!
! 4.7.
! RX (AFS RPC) debugging (rxdebug)
!
! The rxdebug.exe tool can be used to query a variety of
! information about the AFS services installed on a given machine. The port
! for the AFS Cache Manager is 7001.
!
! Usage: rxdebug -servers <server machine> [-port
! <IP port>] [-nodally]
!
!
! [-allconnections] [-rxstats] [-onlyserver] [-onlyclient]
!
! [-onlyport
! <show only <port>>]
!
! [-onlyhost
! <show only <host>>]
!
! [-onlyauth
! <show only <auth level>>] [-version]
!
! [-noconns]
! [-peers] [-help]
!
! Where:
! -nodally don't show dallying
! conns
!
!
! -allconnections don't filter out uninteresting connections
!
!
! -rxstats show Rx statistics
!
!
! -onlyserver only show server conns
!
!
! -onlyclient only show client conns
!
!
! -version show AFS version id
!
!
! -noconns show no connections
!
!
! -peers show peers
!
! 4.8.
! Cache Manager debugging (cmdebug)
!
! The cmdebug.exe tool can be used to query the state of the
! AFS Cache Manager on a given machine.
!
! Usage: cmdebug -servers <server machine> [-port
! <IP port>] [-long]
!
! [-refcounts]
! [-callbacks] [-addrs] [-cache] [-help]
!
! Where: -long
! print all info
!
! -refcounts
! print only cache entries with positive reference counts
!
! -callbacks
! print only cache entries with callbacks
!
!
! -addrs print only host interfaces
!
!
! -cache print only cache configuration
!
! 4.9.
! Persistent Cache consistency check
!
! The persistent cache is stored in a Hidden System file at
! %WinDir%\TEMP\AFSCache. If there is a problem with the persistent cache
! that prevent the AFS Client Service from being able to start a validation check
! on the file can be performed.
!
! afsd_service.exe --validate-cache
! <cache-path>
!
!
3.39. Delayed Write Errors with Microsoft Office Applications
Microsoft Office makes heavy use of asynchronous --- 2058,2066 ---- file. When cloning machines that have Windows AFS client installed, the AFSCache files should be deleted as part of the cloning process.
!3.39. Delayed Write Errors with Microsoft Office Applications
Microsoft Office makes heavy use of asynchronous *************** *** 2082,2090 **** applications should be modified to use of \\AFS\<cellname>\<path> instead of drive letters.
!3.41. 64-bit Microsoft Windows Installations
Although 64-bit Windows platforms support both 64-bit and 32-bit applications, the OpenAFS Service installed on the machine must be --- 2104,2112 ---- applications should be modified to use of \\AFS\<cellname>\<path> instead of drive letters.
!3.41. 64-bit Microsoft Windows Installations
Although 64-bit Windows platforms support both 64-bit and 32-bit applications, the OpenAFS Service installed on the machine must be *************** *** 2138,2460 **** Start and Stop Service features of the AFS System Tray tool and the AFS Control Panel will not work unless they are “Run as Administrator”.
!! The help files provided with OpenAFS are in .HLP format. ! Windows Vista does not include a help engine for this format. 4. How to Debug Problems with OpenAFS for Windows: ! !
OpenAFS for Windows provides a wide range of tools to assist ! the developers in debugging problems. The techniques available are varied ! because of the wide range of issues that have been discovered over the ! years. When filing bug reports to the ! OpenAFS developers, please collect as much information as possible and forward ! it as part of the bug
! !4.1. ! pioctl debugging (IoctlDebug ! registry key)
! !pioctl (path-based ioctl) calls are used by various tools to ! communicate with the AFS Client Service. Some of the operations performed ! include:
! !· setting/querying ! tokens (tokens.exe, aklog.exe, afscreds.exe)
! !· setting/querying ! ACLs
! !· setting/querying ! cache parameters
! !· flushing ! files or volumes
! !· setting/querying ! server preferences
! !· querying ! path location
! !· checking ! the status of servers and volumes
! !· setting/querying ! the sysname list
! !pioctl calls are implemented by writing to a special UNC ! path that is processed by the AFS Client Service. If there is a ! failure to communicate with the AFS Client Service via SMB/CIFS, it will be ! impossible to perform any of the above operations.
! !To assist in debugging these problems, the registry value:
! ![HKLM\SOFTWARE\OpenAFS\Client]
! !REG_DWORD: IoctlDebug = 0x01
! !should be set. Then any of the commands that perform ! pioctl calls should be executed from the command prompt. With this key ! set the pioctl library will generate debugging output to stderr. The ! output will contain the Win32 API calls executed along with their most ! important parameters and their return code. The MSDN Library and ! the Microsoft KnowledgeBase can be used as a reference to help you determine ! the configuration probem with your system.
! !4.2. ! afsd_service initialization log (%WinDir%\TEMP\afsd_init.log)
! !Every time the AFS Client Service starts it appends data ! about its progress and configuration to a file. This file provides ! information crucial to determining why the service cannot start when there are ! problems. When the process terminates due to a panic condition it will ! write to this file the source code file and line number of the error. In ! many cases the panic condition is due to a misconfiguration of the ! machine. In other cases it might be due to a programming error in the ! software. A quick review of the location in the source code will quickly ! reveal the reason for the termination.
! !The MaxLogSize ! registry value determines the maximum size of the %WINDIR%\TEMP\afsd_init.log ! file. If the file is larger than this value when OpenAFS Client Service ! starts, the file will be reset to 0 bytes. If value is set to 0, the file ! will be allowed to grow indefinitely.
! !4.3. ! afsd_service debug logs (fs trace {-on, -off, -dump} ! ->%WinDir%\TEMP\afsd.log)
! !When attempting to debug the behavior of the SMB/CIFS Server ! and the Cache Manager it is often useful to examine a log of the operations ! being performed. While running the AFS Client Service keeps an in memory ! log of many of its actions. The default number of actions preserved ! at any one time is 5000. This can be adjusted with the registry value:
! !! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
! !REG_DWORD TraceBufferSize
! !A restart of the service is necessary when adjusting this ! value. Execute "fs trace -on" to clear to the log and ! "fs trace -dump" to output the contents of the log to the file.
! !4.4. ! Using SysInternal’s DbgView and FileMon Tools
! !An alternatve option to the use of "fs trace ! -dump" to capture internal OpenAFS Client Service events is to use a tool ! such as Sysinternal's DbgView to capture real-time debugging output. When ! the OpenAFS Client Service starts and Bit 2 of the TraceOption value in the registry is set, all ! trace log events are output using the Windows Debug Monitor interface ! (OutputDebugString).
! !! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
! !REG_DWORD ! TraceOption = 0x04
! !Use “fs trace –on” and “fs trace –off” to toggle the generation ! of log messages.
! !Sysinternal’s ! FileMon utility can be use to monitor the file operations requested by ! applications and their success or failure. Use the Volumes menu to ! restrict FileMon monitor to Network volumes only in order to reduce the ! output to just the CIFS requests. Turn on the Advanced Output ! option in order to log with finer granularity.
! !Turn on the Clock Time and Show Milliseconds ! options in both tools to make it easier to synchronize the application requests ! and the resulting OpenAFS Client Service operations. The captured ! data can be stored to files for inclusion in bug reports.
! !4.5. Microsoft MiniDumps
! (fs minidump -> %WinDir%\TEMP\afsd.dmp)
!
! If the AFS Client Service become unresponsive to any form of ! communication there may be a serious error that can only be debugged by someone ! with access to the source code and a debugger. The "fs ! minidump" command can be used to force the generation of a MiniDump file ! containing the state of all of the threads in the AFS Client Service process.
! !4.6. ! Single Sign-on (Integrated Logon) debugging
! !If you are having trouble with the Integrated Logon ! operations it is often useful to be able to obtain a log of what it is ! attempting to do. Setting Bit 0 of the TraceOption registry value:
! !! [HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]
! !REG_DWORD TraceOption = 0x01
! !will instruct the Integrated Logon Network Provider and ! Event Handlers to log information to the Windows Event Log: Application under ! the name “AFS Logon".
! !4.7. ! RX (AFS RPC) debugging (rxdebug)
! !The rxdebug.exe tool can be used to query a variety of ! information about the AFS services installed on a given machine. The port ! for the AFS Cache Manager is 7001.
! !Usage: rxdebug -servers <server machine> [-port ! <IP port>] [-nodally]
! !! [-allconnections] [-rxstats] [-onlyserver] [-onlyclient]
! ![-onlyport ! <show only <port>>]
! ![-onlyhost ! <show only <host>>]
! ![-onlyauth ! <show only <auth level>>] [-version]
! ![-noconns] ! [-peers] [-help]
! !Where: ! -nodally don't show dallying ! conns
! !! -allconnections don't filter out uninteresting connections
! !! -rxstats show Rx statistics
! !! -onlyserver only show server conns
! !! -onlyclient only show client conns
! !! -version show AFS version id
! !! -noconns show no connections
! !! -peers show peers
! !4.8. ! Cache Manager debugging (cmdebug)
! !The cmdebug.exe tool can be used to query the state of the ! AFS Cache Manager on a given machine.
! !Usage: cmdebug -servers <server machine> [-port ! <IP port>] [-long]
! ![-refcounts] ! [-callbacks] [-addrs] [-cache] [-help]
! !Where: -long ! print all info
! !-refcounts ! print only cache entries with positive reference counts
! !-callbacks ! print only cache entries with callbacks
! !! -addrs print only host interfaces
! !! -cache print only cache configuration
! !4.9. ! Persistent Cache consistency check
! !The persistent cache is stored in a Hidden System file at ! %WinDir%\TEMP\AFSCache. If there is a problem with the persistent cache ! that prevent the AFS Client Service from being able to start a validation check ! on the file can be performed.
! !afsd_service.exe --validate-cache ! <cache-path>
! !