[OpenAFS] OpenAFS on windows - profile in AFS, who uses it?
Rodney M. Dyer
Mon, 11 Feb 2008 12:19:21 -0500
At 06:23 AM 2/11/2008, Lars Schimmer wrote:
>Ok, sorry, needed to snip that text out, seems to be more or less the same
>like the PDF on best practice workshop 2005 (or 2006?).
I believe the information you are referring to is from "AFS on Windows",
>As far as I know, with Windows XP SP2, OpenAFS for Windows >1.5.28 and
>OpenAFS fileservers 1.4.6 I don't need most of that stuff. Oh, Compatible
>RUPSecurity set active, right.
Sorry, I forgot that small registry setting. Yes, if the XP client you are
logging into will be downloading a profile from AFS, AND that client is a
member of an Active Directory that is in a cross-realm trust relationship
with another K5 KDC, then you will need this registry key...
"AllowX-ForestPolicy-and-RUP" REG_DWORD 0x1
This setting was needed beginning with SP2.
>I was told, it is ok, to set the path of user profile in Windows AD2003
>Server to \afs\cgv.tugraz.at\home\user\win.profile and it works.
True. That is a UNC path and it should work with roaming profiles. It is
when we use UNC paths with "Folder Redirection" that small problems show
up. If the user's Desktop for example has been redirected to AFS, then a
file stored on the desktop might not immediately be displayed. This is
some sort of signaling problem with the Explorer shell that apparently
(correct me here if I'm wrong) fails to work properly with AFS because, as
stated elsewhere, AFS doesn't currently support UNICODE CIFS.
> Yes, we don't use freelance mode and our cell is in distributed
> cellservDB. Config of OpenAFS msi is to set default cell to ours and use
> automatic logon to obtain ticket/tokens while login into AD.
>So far it works with our users.
>Maybe I miss some big point or your information is just kinda outdated?
Sorry, in my email I got a bit overzealous in describing the profile and
folder redirection problems/solutions that I used when I set up our
environment initially. It isn't exactly outdated as much as it simply
describes multiple ways of doing things, and the problems you might have
related to the solutions.
>Although the redirected folder option indeed looks nice. Need to test this.
Yes, this is the one thing I was trying to concentrate on. I did not make
it clear that, in my opinion, your profiles are just too large. Profiles
should not be much greater than 10 to 20 meg. But you are apparently not
using "Folder Redirection", and you probably don't use the AD group policy
setting to remove the local profile when your users log out. You probably
also have only a single user at each client, and they don't move to other
clients that often.
The reason I'm guessing about how you've got things set up is because if the
profile is removed at logout, then that would mean that every time a user
logs on then 400 meg of data would need to be downloaded to the local
machine. I just can't imagine that. Even if your network is fast, that's
going to take some time regardless of what cache size AFS uses. This is
assuming of course that we are talking about different users, who all
have > 100 MB profiles using the machine. If only one person ever uses the
machine daily then I suppose a large AFS cache would work fine. However I
tend to not trust caches for permanent daily data. I like to think of
caches only for the purpose of storing transactional information, to speed
it up. Even the callbacks of AFS time out after 4 hours.
I would strongly urge you to set up "Folder Redirection" to help reduce your