[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Chaz Chandler clc31@inbox.com
Wed, 30 Sep 2009 18:27:09 -0400

Jeffrey Altman wrote:
> Chaz:
> FYI, your response was sent to =22openafs-info-admin=40openafs.org=22
> which is not the mailing list.  You might want to be aware of it
> for the future.

Will do, thanks.

> ...

Thanks, as always, for taking the time to compose a thorough reply=21  I
appreciate it, and will take these ideas into consideration in the future.

However, my point was that afscreds solves a problem for me which
netidmgr does not, so I wanted to chalk one up for =22those who find
some benefit in using afscreds=22.  The caveat, of course, is that the
newest version of windows we have to worry about is XP and there are no
plans to move to anything newer.  So, afscreds is my 90% solution.  If
it's optional, I'll install it.  Creating a 100% solution based on
comments above, diagnosis, and/or bug reports may be possible, but is
not currently feasible given the time I have to devote to it and the
cost/benefit trade off.


> Jeffrey Altman
> Chaz Chandler wrote:
>> Perhaps it's just my setup, but I have on numerous occasions been able
>> to get tokens only through afscreds.  netidmgr does work for this, but
>> occasionally not.  I especially see issues when trying to get afs tokens
>> for non-=22default=22 pts users and/or switching between two users (like
>> going back and forth between =22user=22 and =22user/admin=22 over the =
course of
>> the workday).  afscreds consistently gets the tokens even when netitmgr
>> does not.  Anyone else with this problem?
>> Jeffrey Altman wrote:
>>> Ever since the release of Windows Vista I have been worried about the
>>> continued shipment of afscred.exe (AFS Authentication Tool) and
>>> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
>>> installers.
>>> The Problem:
>>> Beginning with Windows Vista, Microsoft implemented a security barrier
>>> referred to as User Account Control which tightens the noose on normal
>>> user accounts and prevents them from being used to perform a variety of
>>> operations such as starting and stopping services or writing to the
>>> local machine registry hive which they were able to do in previous
>>> Windows releases.   In addition, user accounts that are members of the
>>> =22Administrators=22 group always log on to the machine as normal =
users.  In
>>> order for a process to be started with the extra special Administrators
>>> bits and explicit click through approval is required by the user.  A
>>> process that is started as an Administrative process shares the desktop
>>> but is effectively in a separate logon session.
>>> afscreds.exe and afs_config.exe perform some functionality that must be
>>> executed in the standard logon session and other functions that must be
>>> performed as an administrative process.  A process cannot be both.  As a
>>> result, depending on the user account type used and the mode the process
>>> is started with different function sets will misbehave.  If the process
>>> is started with Administrative bits, the process is unable to:
>>>  * access the MIT Kerberos v5 credential caches to obtain tokens
>>>  * create drive mappings
>>> If the process is started without the Administrative bits, the process:
>>>  * silently discards configuration changes that are saved in the =
>>>  * is unable to start or stop the afsd service
>>> Based upon feedback received at the European AFS Workshop the shipment
>>> and installation of these tools are creating a significant support =
>>> The Proposal:
>>> I propose that beginning with 1.5.66 (whenever that is) that the
>>> afscreds.exe and afs_config.exe tools not be installed at all on any
>>> Windows version Vista or beyond and that on 2000, XP and 2003 that these
>>> tools not be installed as part of the default configuration.
>>> The Impact:
>>> The afscreds tool provides three sets of functionality:
>>>  * token acquisition (and renewal if MIT KFW is present)
>>>  * drive mapping
>>>  * start/stop the afsd service
>>> Network Identity Manager has long been available as a replacement for
>>> the token acquisition functionality and it is available on any system on
>>> which MIT KFW is present.  The only systems that wouldn't have it are
>>> clients of cells that are still using kaserver. =20
>>> The drive mapping functionality has been documented as deprecated since
>>> the addition of the loopback installation permitted the use of a
>>> standard =5C=5CAFS UNC server name.  The recommended method for a user =
>>> create a drive mapping is the Windows Drive Mapping user interface
>>> provided as part of =22=5BMy=5D Computer=22 and the Explorer Shell.
>>> Starting and stopping the afsd service is an administration function
>>> that can be performed using the Windows Service MMC.
>>> The afs_config.exe tool provides:
>>>  * configuration management including cell name, server preferences,
>>> cellservdb editing,
>>>    cache size, and advanced tuning parameters
>>>  * start/stop functionality
>>>  * drive mapping
>>> While it is not ready for general purpose use, Brant Gurganus has made
>>> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
>>> tool has the potential to perform the first two functions in a more
>>> complete manner than the afs_config tool ever did.  As for the drive
>>> mapping, the Explorer Shell interface can be used.  As soon as this tool
>>> is deemed ready for incorporation in the distribution it will be added.
>>> Please Provide Feedback:
>>> If you are a Windows user or a system administrator that has a large
>>> number of Windows users, please comment on whether or not you agree with
>>> the proposed action.
>>> Thank you.
>>> Jeffrey Altman

GET FREE 5GB EMAIL - Check out spam free email with many cool features=21
Visit http://www.inbox.com/email to find out more=21