[OpenAFS] OpenAFS installation messes up Windows 8 file access
control
Jeffrey Altman
jaltman@secure-endpoints.com
Mon, 16 Sep 2013 00:30:28 -0400
This is a cryptographically signed message in MIME format.
--------------ms040403020004030305090002
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Tim,
if you are experiencing undesirable behavior on paths located in the AFS
name space then the afs redirectorcan be involved. if the path is local
disk or CIFS then the redirector cannot b The Windows Multiple UNC
provider simply will not send those file system operations to the afs
file system.
i can certainly believe that the explorer shell has bugs that are
triggered by the mere existence of a non Microsoft file system. The
explorer shell has a lot of hard coded assumptions that require NTFS or
CIFS. this is part of the reason that their new ReFS file system is not
supported on client systems.
it is also possible that another file system filter installed on the
machine is altering the return code which prevents user account control
from be triggered. however, it sounds like the real problem is that
the explorer shell thinks the volume you are working on is readonly and
therefore decides to hide the UI controls.
this would be an explorer shell bug which must be addressed by Microsoft.=
Jeffrey Altman
On 9/15/2013 10:03 PM, Tim Adye wrote:
> Hi Jeffrey,
>=20
> Thanks for the information.
>=20
>> The only interaction between OpenAFS and the Explorer Shell is the "AF=
S
>> Shell Extension" which provides the "AFS Context Menu", the "AFS
>> Property Sheets", and "Mount Point and Symlink Overlay Icons". This i=
s
>> the functionality you would have disabled using "autoruns".
>=20
> Yes, I tried disabling all of those, but that didn't help.
>=20
> If, as you suggest, it isn't OpenAFS running, then there must be someth=
ing that the OpenAFS installer and uninstaller do to affect Windows Explo=
rer. I installed and uninstalled OpenAFS many times (often with no other =
action except for the reboot) and the problematic behaviour I described a=
ppeared if, and only if, OpenAFS was installed (whether running or not).
>=20
> Could there be some local policy or groups that are changed by the inst=
aller? I know that it adds the "AFS Client Admins" group, though that can=
't be it as the uninstaller doesn't remove the group.
>=20
> Thanks,
> Tim.
>=20
> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]=20
> Sent: 15 September 2013 23:35
> To: Adye, Tim (STFC,RAL,PPD)
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] OpenAFS installation messes up Windows 8 file ac=
cess control
>=20
> Tim,
>=20
> I'm sorry you are experiencing a problem but the reason you didn't find=
> any changes that were made by OpenAFS is because OpenAFS doesn't make
> any changes.
>=20
> The only interaction between OpenAFS and the Explorer Shell is the "AFS=
> Shell Extension" which provides the "AFS Context Menu", the "AFS
> Property Sheets", and "Mount Point and Symlink Overlay Icons". This is=
> the functionality you would have disabled using "autoruns".
>=20
> Jeffrey Altman
>=20
> On 9/15/2013 4:08 PM, Tim Adye wrote:
>> Hi,
>>
>> The OpenAFS client installation is doing something nasty to the file a=
ccess
>> control on my Windows 8 system. After installing OpenAFS, I can no lon=
ger
>> move, copy, or delete files with the File Explorer in local Windows fo=
lders
>> that require administrator privileges.=20
>>
>> What should happen, and happens again if I uninstall OpenAFS, is that =
I get
>> a pop-up message such as "File Access Denied: You'll need to provide
>> administrator permission to copy to this folder". I can then then sele=
ct
>> "Continue" (perhaps needing an admin password) to copy the file.
>>
>> When OpenAFS is installed, there is no pop-up message and the copy sil=
ently
>> fails. This occurs with drag-and-drop and Ctrl/C+X+V copy and move, an=
d
>> deleting with the "Delete" key or button. Oddly, the pop-up message do=
es
>> appear when creating or renaming a file or folder, so those operations=
still
>> work. It is also possible to delete files from the context menu (which=
show
>> the admin icon and don't normally require confirmation).
>>
>> This is a problem with Windows Explorer (now called File Explorer in W=
indows
>> 8) and seemingly nothing to do with OpenAFS, except that it occurs whe=
never
>> OpenAFS is installed. I can fix the problem by uninstalling OpenAFS, a=
nd the
>> problem comes back when I reinstall OpenAFS. I tried disabling all the=
>> OpenAFS components with "autoruns" (and restarting), but the problem
>> remained. So I guess it is some change made by the OpenAFS installatio=
n
>> program. What changes does it make to the Windows Account Control and
>> authorisation systems that might cause such an issue? I tried comparin=
g
>> registry dumps before and after uninstalling OpenAFS, but didn't see
>> anything obvious.
>>
>> I used the standard OpenAFS IFS install and all the default options (a=
ll
>> enabled, except integrated login), but it didn't help to disable the r=
est.
>>
>> I am using 64-bit Windows 8 Standard Edition (so I can't check for use=
r or
>> group policy changes, since that control panel requires Windows 8 Pro)=
=2E I
>> installed 64-bit OpenAFS 1.7.2600, but had the same problem with an ol=
der
>> version, 1.7.0800, that does not give me this problem on a Windows 7 P=
ro
>> system. So, it could be Windows 8 (vs 7) or Standard Edition (vs Pro).=
>>
>> Does anyone have any ideas? I would be very grateful for any fix or
>> work-around. With OpenAFS installed, it is extremely cumbersome to mak=
e any
>> program file changes on my system. The only way I have to copy or move=
>> program files in Windows Explorer is by taking ownership and changing =
the
>> permissions on all directories and files involved, making the move, an=
d
>> restoring the original permissions - a cumbersome and risky operation.=
Or
>> else to do everything from the command-line from an Admin account.
>>
>> Thanks,
>> Tim.
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D cut here =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> Tim Adye T.J.Adye@rl.ac.uk http://hepunx.rl.ac.uk/~adye
>> ATLAS Group, Particle Physics Dept, Rutherford Appleton Lab
>>
>>
>=20
>=20
--------------ms040403020004030305090002
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINITCC
BkIwggUqoAMCAQICEDirAC//rpa3Vv85Wvtd5xswDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNV
BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0
aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMSBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTExMDkwMTAwMDAwMFoXDTIx
MDgzMTIzNTk1OVowgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3Jh
dGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29u
YSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwg
U3Vic2NyaWJlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxuwn
/R1j9DsdisHTHMjIgoa2uEqGkqqBXHLKMA0vnkEiVzAhJZCao/SsKsaIF4ZhchN2LuwDyyeb
jyCAN+DkitpVplAP/LlcI2mJQqG6H6/vDvmkyQrx+DeyxtmSSq5937hEH5u6P4wG/tgjT0hR
I2pghKjuJy9g35byGiqMPI8AzE/L+iCOvDX24fCatgXz/B0/xhR7DtryBeTTgwKmxWlwtKnk
VunbHVz0pjbia7UeKi3cvrvuOgSwMAitX2hsxr0GloiE5+apZC28ODC7iCbDZ2ZmtLR3+cCh
xw5y72bi5bnK4POFdzWY3tQcsP5mceI4y258T0BV65fZqBge7QIDAQABo4ICRDCCAkAwOAYI
KwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vcGtpLW9jc3AudmVyaXNpZ24uY29t
MBIGA1UdEwEB/wQIMAYBAf8CAQAwbAYDVR0gBGUwYzBhBgtghkgBhvhFAQcXATBSMCYGCCsG
AQUFBwIBFhpodHRwOi8vd3d3LnN5bWF1dGguY29tL2NwczAoBggrBgEFBQcCAjAcGhpodHRw
Oi8vd3d3LnN5bWF1dGguY29tL3JwYTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnZl
cmlzaWduLmNvbS9wY2ExLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwx
GjAYBgNVBAMTEVZlcmlTaWduTVBLSS0yLTk3MB0GA1UdDgQWBBSt+cOTci21uShh5KTXYNXE
Cl4aATCB8QYDVR0jBIHpMIHmoYHQpIHNMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVy
aVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsT
MShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBD
BgNVBAMTPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgLSBHM4IRAItbdVaEVIULAM+vOEjOsaQwDQYJKoZIhvcNAQEFBQADggEBANaP
wdqbiPKzbE0fWC+6AVFddMFG6MO4e5/WQPHv/zK6iWvADjRDn6SZ5qTwXUgzYoWFYf4jiCKM
YJsrnGVJlMSiOCRIpVylUEto6WIip5PomSJuPVu7EEIOH0x1RzRWCY/4vYw881y70pZwVHBi
Te/REL6dSCxe7IZrB4LwPeElJygs4BZ2HrP95WKW0oo9Xyuu+1zCE7dlY8s0dkOf1oeZq26t
lcEAP0Yngf813iMOQ9wUXzL5yinvwlIw9ZnduYH4OiUgjYJo8rkhhXRmBOGGORYy8i3WKqjJ
3tkAAk/jGCDFpYFWtpXe04Kt+HslvmR8LqC6cCz4+XXidE0HbYQwggbXMIIFv6ADAgECAhBD
9g0v0uWUgU7fsq2qabM8MA0GCSqGSIb3DQEBBQUAMIGmMQswCQYDVQQGEwJVUzEdMBsGA1UE
ChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdv
cmsxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMg
Q2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNDAeFw0xMzAxMTUwMDAwMDBa
Fw0xNDAxMTYyMzU5NTlaMIHOMS4wLAYDVQQDDCVQZXJzb25hIE5vdCBWYWxpZGF0ZWQgLSAx
MzU4Mjc1NTk5Njg2MSswKQYJKoZIhvcNAQkBFhxqYWx0bWFuQHNlY3VyZS1lbmRwb2ludHMu
Y29tMQ8wDQYDVQQLDAZTL01JTUUxHjAcBgNVBAsMFVBlcnNvbmEgTm90IFZhbGlkYXRlZDEf
MB0GA1UECwwWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEdMBsGA1UECgwUU3ltYW50ZWMgQ29y
cG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDGK4TaaHgHBkEIqx9
xgS06g4a1HdPcm5Lspe5OkYgSdxRiX84qp6msq+DWu1yQqmAxoS0a70Ctp99UgojGzKn2F8g
nIEEFe0bOMbye736C4LWashMhB8iRXbNmfQHJU5mrLoeghHUnTsmRZsFOagpwZgHAC4ZKITq
87yJvVGGfIAS77EuoZx3PlQCTeq6xdmas4BzLxb+DF3vYkRvtLOnh3ixsEu1Js1QjIcrBIA8
bZp0fU9SZWTU1MSHheYykKhBDBNurQpYEJ1VkJGvgITfcRUUfifxe7HbMlyDHJQtzn9mpocE
xiF1Vtzthcw6BhdqDhw4IvhWin+CY1Q6XOoHAgMBAAGjggLVMIIC0TAMBgNVHRMBAf8EAjAA
MA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwHQYD
VR0OBBYEFLNBzIZb/xB6K+oeDwfBVLaB3qbUMCcGA1UdEQQgMB6BHGphbHRtYW5Ac2VjdXJl
LWVuZHBvaW50cy5jb20wHwYDVR0jBBgwFoAUrfnDk3IttbkoYeSk12DVxApeGgEwggErBggr
BgEFBQcBAQSCAR0wggEZMIIBFQYIKwYBBQUHMAKGggEHbGRhcDovL2RpcmVjdG9yeS52ZXJp
c2lnbi5jb20vQ04lMjAlM0QlMjBTeW1hbnRlYyUyMENsYXNzJTIwMSUyMEluZGl2aWR1YWwl
MjBTdWJzY3JpYmVyJTIwQ0ElMjAtJTIwRzQlMkMlMjBPVSUyMCUzRCUyMFBlcnNvbmElMjBO
b3QlMjBWYWxpZGF0ZWQlMkMlMjBPVSUyMCUzRCUyMFN5bWFudGVjJTIwVHJ1c3QlMjBOZXR3
b3JrJTJDJTIwTyUyMCUzRCUyMFN5bWFudGVjJTIwQ29ycG9yYXRpb24lMkMlMjBDJTIwJTNE
JTIwVVM/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnkwXQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL3Br
aS1jcmwuc3ltYXV0aC5jb20vY2FfNTYxYzEwMzY5MGM5N2E2OTI0N2EwZWYwNzFhYzgxYWYv
TGF0ZXN0Q1JMLmNybDBsBgNVHSAEZTBjMGEGC2CGSAGG+EUBBxcBMFIwJgYIKwYBBQUHAgEW
Gmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cu
c3ltYXV0aC5jb20vcnBhMCoGCmCGSAGG+EUBEAMEHDAaBhFghkgBhvhFARABAgIEAYazFxYF
MTA5MjIwDQYJKoZIhvcNAQEFBQADggEBAHgy34Smu5krf/eRWcjkEwnLYWZSXqo8T6/FBeSS
TUE/E7DB6k27NUate7u5keQnrWmohWErxU/ona1WVHIdvSmK1Ow4IbUM9Pl4TKsDmBezDd8U
eQU6q7KtkQuooeO/OgaJ49NXq/UgqoTXi72sAVpiPtOqgRJ4m+oO6Hv9OF5co49z5zMRFI6A
SHEVi/41s8iYxlv++2ghtDDIA6vLS3MhGogh0wXFszn/dcWeluOkQZR9glfLr7Y853v3OBoh
u1k40Q3NpnTl9ZgODP6Gh/hD08fXmBka0/p9rFRhR1NQBQg0WQbwS0ScFiECviWt9TbN2k/e
GLwmOQD4a4Md7uoxggRSMIIETgIBATCBuzCBpjELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5
bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMR4w
HAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlN5bWFudGVjIENsYXNz
IDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzQCEEP2DS/S5ZSBTt+yrappszwwCQYF
Kw4DAhoFAKCCAmswGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTMwOTE2MDQzMDI4WjAjBgkqhkiG9w0BCQQxFgQUhloDzrmyidjiWeTSurjRMxLYqoEwbAYJ
KoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4G
CCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCB
zAYJKwYBBAGCNxAEMYG+MIG7MIGmMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMg
Q29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHjAcBgNVBAsT
FVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMgQ2xhc3MgMSBJbmRp
dmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNAIQQ/YNL9LllIFO37KtqmmzPDCBzgYLKoZIhvcN
AQkQAgsxgb6ggbswgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3Jh
dGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29u
YSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwg
U3Vic2NyaWJlciBDQSAtIEc0AhBD9g0v0uWUgU7fsq2qabM8MA0GCSqGSIb3DQEBAQUABIIB
ALL5suKq2sKjnwVdOU7qsBnXrjHTewwDKOcGbSDpBBWfc2GE/m2+p6mOCywS5JMk721Wt0nQ
+oMDo5vXcqugrekAsEKlWyCCZIWx828vlkTnsOVR96eSxCss1wvsFR7h8z+UIn6qPoVLe+0V
VhP7+tTBfshgUxX5Z15aFtFtSurkQ9+KNgqhKcukgvpQ3bL6T+0F5IU2EmKkHbH2NVX73wl7
foDzB2L6lDYeKCM9FbMUQQnpwsf3MGuBkfyq/Et49p3pEFvOgY2OsEQdGlf/8BvAblMaqkql
glrS2f+QeRdI1lMjxkBEJhc0tc+kthsL0VjxX390kgj1ODQW6Nu404gAAAAAAAA=
--------------ms040403020004030305090002--