[OpenAFS] OpenAFS on windows - profile in AFS, who uses it?

Rodney M. Dyer rmdyer@uncc.edu
Mon, 11 Feb 2008 12:19:21 -0500


At 06:23 AM 2/11/2008, Lars Schimmer wrote:
>Ok, sorry, needed to snip that text out, seems to be more or less the same
>like the PDF on best practice workshop 2005 (or 2006?).

I believe the information you are referring to is from "AFS on Windows",
2004 workshop.

>As far as I know, with Windows XP SP2, OpenAFS for Windows >1.5.28 and
>OpenAFS fileservers 1.4.6 I don't need most of that stuff.  Oh, Compatible 
>RUPSecurity set active, right.

Sorry, I forgot that small registry setting.  Yes, if the XP client you are 
logging into will be downloading a profile from AFS, AND that client is a 
member of an Active Directory that is in a cross-realm trust relationship 
with another K5 KDC, then you will need this registry key...

    "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"
    "AllowX-ForestPolicy-and-RUP" REG_DWORD 0x1

This setting was needed beginning with SP2.

>I was told, it is ok, to set the path of user profile in Windows AD2003 
>Server to  \afs\cgv.tugraz.at\home\user\win.profile and it works.

True.  That is a UNC path and it should work with roaming profiles.  It is 
when we use UNC paths with "Folder Redirection" that small problems show 
up.  If the user's Desktop for example has been redirected to AFS, then a
file stored on the desktop might not immediately be displayed.  This is 
some sort of signaling problem with the Explorer shell that apparently 
(correct me here if I'm wrong) fails to work properly with AFS because, as 
stated elsewhere, AFS doesn't currently support UNICODE CIFS.

>  Yes, we don't use freelance mode and our cell is in distributed 
> cellservDB.  Config of OpenAFS msi is to set default cell to ours and use
> automatic logon to obtain ticket/tokens while login into AD.
>
>So far it works with our users.
>
>Maybe I miss some big point or your information is just kinda outdated?

Sorry, in my email I got a bit overzealous in describing the profile and 
folder redirection problems/solutions that I used when I set up our
environment initially.  It isn't exactly outdated as much as it simply 
describes multiple ways of doing things, and the problems you might have 
related to the solutions.

>Although the redirected folder option indeed looks nice. Need to test this.

Yes, this is the one thing I was trying to concentrate on.  I did not make 
it clear that, in my opinion, your profiles are just too large.  Profiles 
should not be much greater than 10 to 20 meg.  But you are apparently not 
using "Folder Redirection", and you probably don't use the AD group policy 
setting to remove the local profile when your users log out.  You probably
also have only a single user at each client, and they don't move to other 
clients that often.

The reason I'm guessing about how you've got things set up is because if the
profile is removed at logout, then that would mean that every time a user 
logs on then 400 meg of data would need to be downloaded to the local 
machine.  I just can't imagine that.  Even if your network is fast, that's 
going to take some time regardless of what cache size AFS uses.  This is 
assuming of course that we are talking about different users, who all 
have > 100 MB profiles using the machine.  If only one person ever uses the 
machine daily then I suppose a large AFS cache would work fine.  However I
tend to not trust caches for permanent daily data.  I like to think of 
caches only for the purpose of storing transactional information, to speed 
it up.  Even the callbacks of AFS time out after 4 hours.

I would strongly urge you to set up "Folder Redirection" to help reduce your
profile sizes.

Rodney
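
An added example, not part of the original message or of OpenAFS: a PowerShell check, run on the client, for the registry value quoted above and for local profiles larger than the 20 meg guideline. The profile root, the list of directories treated as non-roaming, and the function names are assumptions.

```powershell
# Added example; not from the original message.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName   = 'AllowX-ForestPolicy-and-RUP'
$ProfileRoot = 'C:\Documents and Settings'   # assumption: XP default (C:\Users on later Windows)
$LimitMB     = 20                            # upper guideline quoted in the message
# Assumption: directories that do not roam by default, so they are not counted.
$NonRoaming  = @('Local Settings', 'AppData\Local', 'AppData\LocalLow')

function Test-CrossForestRup {
    # True only when the policy value exists and equals 1.
    $p = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.$ValueName -eq 1)
}

function Get-RoamingSizeMB([string]$ProfilePath) {
    # Sum file sizes under the profile, skipping the non-roaming directories.
    $skip  = $NonRoaming | ForEach-Object { (Join-Path $ProfilePath $_) + '\' }
    $bytes = 0
    Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $full = $_.FullName
            $excluded = $skip | Where-Object {
                $full.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $excluded) { $bytes += $_.Length }
        }
    return [math]::Round($bytes / 1MB, 1)
}

if (Test-CrossForestRup) {
    "$ValueName is set to 1"
} else {
    "$ValueName is missing or not 1"
}

# One row per local profile directory, largest first.
Get-ChildItem -LiteralPath $ProfileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $mb = Get-RoamingSizeMB $_.FullName
        New-Object PSObject -Property @{
            Profile   = $_.Name
            SizeMB    = $mb
            OverLimit = ($mb -gt $LimitMB)
        }
    } |
    Sort-Object SizeMB -Descending |
    Format-Table Profile, SizeMB, OverLimit -AutoSize
```

Run it from an account that can read the other users' profile directories; unreadable paths are skipped silently, so sizes for those profiles will be under-reported.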