[OpenAFS] Roaming Windows Profiles
Rodney M Dyer
rmdyer@uncc.edu
Thu, 06 Feb 2003 13:48:08 -0500
At 05:34 PM 2/5/2003 -0500, you wrote:
> Pardon my ignorance since I am not an expert in Windows, but how
>do you setup folder redirection from the local machine back into
>AFS in the profile?
Dj,
Folder redirection is simple to do "in-theory", but because AFS and
Kerberos V are in the mix at our site, things get a little more
complex. We run a active directory server for grouping all of our XP
machines into a single administrative/security domain. The active
directory group policy editor allows folder redirection to be setup. This
worked fine, we just opened up the group policy editor on the AD server and
changed the neccessary options to enable folder redirection. But after we
did this, expecting folder redirection to work, it didn't (of course not).
There were a couple of things that were going on at the time that allowed
us to fix the folder redirection problems as well as others. First, we
were working out a way to get the system a user token at logon using
Kerberos V so that the profile could be downloaded out of AFS
space. Second, even after we had the user's token we found that the system
had trouble with folder redirection.
Here's what happens when our user's logon...
1. User presses Ctrl+Alt+Del and logs on using the standard Windows logon
dialog. We don't use any special GINA replacements since that would
violate my principle of touching Microsoft's technologies as little as
possible. I would rather prefer to work "out-of-the-box" with Microsoft stuff.
2. Since AFS is already installed on the workstation and "logon
authentication" is enabled, the Windows logon process calls upon the AFS
authenticator "afslogon.dll" to get the user a token into their ticket
cache. (standard afs operating condition out-of-the-box) Unfortunately
this is not done for the system (note user SYSTEM), so the profile can't
load out of AFS space and folder redirection doesn't work.
How we fixed the problem...
1. We downloaded the source for OpenAFS and found the C code for
"afslogon.dll" called appropriately enough "afslogon.c". We modified this
code so that a command shell could be executed to perform our own
authentication. This was extremely simple to do. All I did was remark out
a couple of the traditional routines and replace them with a system call.
2. Now at logon, the "afslogon.dll" executes a child process that runs a
command shell script. In that command shell script we can do anything we
want. In my script I do the following...
2a. Call kinit to get the system a Kerberos V TGT of the user.
2b. Call aklog to get the SYSTEM a user token.
2c. Call aklog again with a different option* to create a token
for the user from the Kerberos TGT.
* Note: We made a small change to the aklog code to allow this
operation. I'll tell you about it if you want to know.
2d. Validate system AFS token is good.
2e. Get user's AFS/UNIX home directory path.
2f. Check for the existance of the users home directory.
2g. Check the quota on the home directory.
2h. Create a U: drive using "subst" that points to the user's
home directory.
Note: The "n:" drive points to the top of our AFS filesystem tree
and is mounted globally by the system at workstation boot by the startup
script option of group policy. So the "u:" drive points to the user's home
directory such as...
n:\uncc\usr\a\trng01
u:\ -> n:\uncc\usr\a\trng01\.
(u stands for unix home)
(n stands for network drive)
2i. Check for existance and create if neccessary the following
directories for folder redirection and profile creation/download...
"u:\xp_profile"
"u:\pc"
"u:\pc\win_data"
"u:\pc\win_data\Desktop"
"u:\pc\win_data\Application Data"
"u:\pc\win_data\My Documents"
"u:\pc\win_data\My Music"
"u:\pc\win_data\My Pictures"
These directories must already exist in order for folder
redirection to work correctly so we create them here. We found in early
testing that the XP machine has trouble creating them in AFS if they don't
exist. Don't know why since doing it here is just a fix.
2j. We throw away the token obtained for the system because we no
longer need it.
2k. The command script is completed.
3. The "afslogon.dll" returns control back to the windows logon process.
4. XP downloads the user's profile.
5. XP sets up folder redirection.
6. XP starts the user's shell.
7. The user is logged on with a token that was obtained using Kerb V.
I know this seems rather complex, but using this method has solved almost
every issue we've encountered. And, because we can change our
"afslogon.dll" child process script any way we want, we can change things
at a moments notice without having to modify and recompile any code.
Someday soon I'm going to document all this and put it up on a web
site... Don't hold your breath.
Rodney
Rodney M. Dyer
x86 Systems Programmer
College of Engineering Computing Services
University of North Carolina at Charlotte
Email rmdyer@uncc.edu
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office 267 Smith Building