[OpenAFS] Weird Windows folder redirection problem
Rodney M Dyer
rmdyer@uncc.edu
Thu, 03 Feb 2005 18:28:15 -0500
Stephen,
At 05:00 PM 2/3/05, you wrote:
>We've got a weird problem here...
...snipped for brevity...
>Our users have roaming profiles and we're redirecting Desktop, My
>Documents, and Application Data into AFS via a mapped drive
>(U:\windows\username\...). The U: drive is mapped with a windows startup
>script (other scripts map other drives at startup and logon).
A few items of interest...
I also use a U: drive mount for folder redirection. However our U: drive
is mounted during an AFSLogonShell script that runs before folder
redirection is performed by Windows. When I was first investigating folder
redirection, a drive mounted during a user logon script wouldn't work,
because that was done after folder redirection had been set up by
Windows. That being said, there were some complications with this
method. Since the AFSLogonShell runs as user SYSTEM, the U: drive will be
mounted with that account. We don't want the U: drive to remain mounted as
the SYSTEM account once the user profile is downloaded and folders have
been redirected. So, what we do is unmount the U: drive temporarily, after
the folder redirection is in place, in the user logon script, and remount
it as the user. We can only do this because we have a special service that
allows unprivileged user accounts to execute specific scripts as
SYSTEM. The service simply listens for strings sent to a global named pipe
and compares them to a registered list before executing them. With that
service I unmount the U: drive. Then, back inside the user logon script, I
remount the U: drive as the user. Yes, I know this seems cumbersome, and it
is, but it works...for now.
Essentially here is the process sequence described above:
1. Windows authentication.
2. OpenAFS integrated logon authentication (afslogon.dll)
   a. AFSLogonShell (child of afslogon.dll, running as SYSTEM)
      1. Obtain user home path from UNIX passwd file.
           set afs_homedir=/afs/uncc/usr/a/anyone
      2. Create AFS submount share name.
           afsshare %UserName% %afs_homedir%
      3. Disable AFS client side caching.
           fs cscpolicy all -disable
           fs cscpolicy %UserName% -disable
      4. Mount U: drive for user.
           net use u: \\afs\%username%
      5. Make sure all folders for redirection already exist.
      6. Set registry "DisableFRAdminPin". (see below)
3. Windows profile download (I have no control).
4. Windows folder redirection (I have no control).
5. Group policy user logon script.
   a. Unmount system U: drive (SYSTEM execution via service).
   b. Remount U: as user.
Now that the OpenAFS Windows client fully supports UNC paths I'm trying to
find time to switch my folder redirection group policy setup to use
"\\AFS\username" instead of the U: drive mount. However this will still be
somewhat cumbersome because I create an AFS submount name for the user
inside of the AFSLogonShell. I don't want to have to pre-create and manage
thousands of submount entries in the registry. I simply want to create the
submount share for the user at logon time. The AFS logon authenticator
afslogon.dll doesn't currently do this.
As far as your problem is concerned, it sounds just like a problem I had
last year when I was messing about with 1.3.71. Here are a few suggestions.
Make sure you are using 1.3.73 or above.
We also disable client side caching on all our AFS drives/directories.
fs cscpolicy all -disable
You will also find the following registry option useful. This registry
option will prevent folder synchronization occurring on your AFS drive that
is used for redirection...
"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache"
"DisableFRAdminPin" REG_DWORD 0x01
See...
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q304624
Rodney
Rodney M. Dyer
Windows Systems Programmer
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer@uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office: 267 Smith Building
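
The message above describes a service that lets unprivileged accounts run specific scripts as SYSTEM by comparing strings received on a named pipe against a registered list. The following is an added sketch of that comparison step, not the service's own code; the request name `unmount-u`, the length limit and the function name are assumptions. It shows the check done as an exact match on a short name that maps to a fixed command line, so the caller never supplies arguments.

```python
import re

# Hypothetical registry: request name -> fixed argv the privileged side runs.
# The unprivileged caller sends only the name, never a command line.
REGISTERED = {
    "unmount-u": ["net", "use", "u:", "/delete"],
}

MAX_REQUEST_BYTES = 64          # assumed limit for one pipe message
NAME_PATTERN = r"[a-z0-9-]+"    # characters permitted in a request name


def resolve_request(raw: bytes):
    """Return (argv, reason); argv is None when the request is refused."""
    if len(raw) > MAX_REQUEST_BYTES:
        return None, "too long"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, "non-ascii"
    # Accept exactly one trailing line terminator from the client.
    if text.endswith("\r\n"):
        text = text[:-2]
    elif text.endswith("\n"):
        text = text[:-1]
    # Whole-string match: spaces, '&', quotes, extra newlines all fail here.
    if re.fullmatch(NAME_PATTERN, text) is None:
        return None, "bad characters"
    argv = REGISTERED.get(text)   # exact lookup, no prefix or substring match
    if argv is None:
        return None, "not registered"
    # Return a copy; the privileged side would run it without a shell,
    # e.g. subprocess.run(argv, shell=False).
    return list(argv), "ok"


if __name__ == "__main__":
    # Constructed sample pipe messages.
    samples = [b"unmount-u\n", b"unmount-u & echo x\n", b"UNMOUNT-U\n",
               b"remount-u\n", b"unmount-u\n\n", b"x" * 65]
    for msg in samples:
        argv, reason = resolve_request(msg)
        print(f"{msg[:24]!r:32} -> {reason:15} {argv}")
```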