[OpenAFS] Weird Windows folder redirection problem

Rodney M Dyer rmdyer@uncc.edu
Thu, 03 Feb 2005 18:28:15 -0500


Stephen,

At 05:00 PM 2/3/05, you wrote:
>We've got a weird problem here...

...snipped for brevity...


>Our users have roaming profiles and we're redirecting Desktop, My 
>Documents, and Application Data into AFS via a mapped drive 
>(U:\windows\username\...).  The U: drive is mapped with a windows startup 
>script (other scripts map other drives at startup and logon).

A few items of interest...

I also use a U: drive mount for folder redirection.  However our U: drive 
is mounted during a AFSLogonShell script that runs before folder 
redirection is performed by Windows.  When I was first investigating folder 
redirection, a drive mounted during a user logon script wouldn't work, 
because that was done after folder redirection had been setup by 
Windows.  That being said, there were some complications with this 
method.  Since the AFSLogonShell runs as user SYSTEM, the U: drive will be 
mounted with that account.  We don't want the U: drive to remain mounted as 
the SYSTEM account once the user profile is downloaded and folders have 
been redirected.  So, what we do is unmount the U: drive temporarily, after 
the folder redirection is in place, in the user logon script, and remount 
it as the user.  We can only do this because we have a special service that 
allows unpriviledged user accounts to execute specific scripts as 
SYSTEM.  The service simply listens for strings sent to a global named pipe 
and compares them to a registered list before executing them.  With that 
service I unmount the U: drive.  Then, back inside the user logon script, I 
remount the U: drive as the user.  Yes, I know this seem cumbersome, and it 
is, but it works...for now.

Essentially here is the process sequence described above:

1.  Windows authentication.
2.  OpenAFS integrated logon authentication (afslogon.dll)
      a.  AFSLogonShell (child of afslogon.dll, running as SYSTEM)
           1.  Obtain user home path from UNIX passwd file.
                set afs_homedir=/afs/uncc/usr/a/anyone
           2.  Create AFS submount share name.
                afsshare %UserName% %afs_homedir%
           3.  Disable AFS client side caching.
                fs cscpolicy all -disable
                fs cscpolicy %UserName% -disable
           4.  Mount U: drive for user.
                net use u: \\afs\%username%
           5.  Make sure all folders for redirection already exist.
           6.  Set registry "DisableFRAdminPin".  (see below)
3.  Windows profile download (I have no control).
4.  Windows folder redirection (I have no control).
5.  Group policy user logon script.
      a.  Unmount system U: drive (SYSTEM execution via service).
      b.  Remount U: as user.

Now that the OpenAFS Windows client fully supports UNC paths I'm trying to 
find time to switch my folder redirection group policy setup to use 
"\\AFS\username" instead of the U: drive mount.  However this will still be 
somewhat cumbersome because I create an AFS submount name for the user 
inside of the AFSLogonShell.  I don't want to have to pre-create and manage 
thousands of submount entries in the registry.  I simply want to create the 
submount share for the user at logon time.  The AFS logon authenticator 
afslogon.dll doesn't currently do this.

As far as your problem is concerned, it sounds just like a problem I had 
last year when I was messing about with 1.3.71.  Here are a few suggestions.

Make sure you are using 1.3.73 or above.

We also disable client side caching on all our AFS drives/directories.

         fs cscpolicy all -disable

You will also find the following registry option useful.  This registry 
option will prevent folder syncronization occuring on your AFS drive that 
is used for redirection...

      "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache" 
"DisableFRAdminPin" REG_DWORD 0x01

See...
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q304624

Rodney

Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer@uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office:  267 Smith Building