[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Anders Magnusson ragge@ltu.se
Thu, 08 Oct 2009 08:26:22 +0200


No opinions about the stuff below, but from a support perspective it is
really nice with the padlock down right.  When people have trouble with
file accesses, the two questions:

- Do you have a padlock down right?
- Is there a red cross over the padlock?

are quite valuable.

-- Ragge

Jeffrey Altman wrote:
> Ever since the release of Windows Vista I have been worried about the
> continued shipment of afscreds.exe (AFS Authentication Tool) and
> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
> installers.
>
> The Problem:
>
> Beginning with Windows Vista, Microsoft implemented a security barrier
> referred to as User Account Control which tightens the noose on normal
> user accounts and prevents them from being used to perform a variety of
> operations such as starting and stopping services or writing to the
> local machine registry hive which they were able to do in previous
> Windows releases.   In addition, user accounts that are members of the
> "Administrators" group always log on to the machine as normal users.  In
> order for a process to be started with the extra special Administrators
> bits an explicit click through approval is required by the user.  A
> process that is started as an Administrative process shares the desktop
> but is effectively in a separate logon session.
>
> afscreds.exe and afs_config.exe perform some functionality that must be
> executed in the standard logon session and other functions that must be
> performed as an administrative process.  A process cannot be both.  As a
> result, depending on the user account type used and the mode the process
> is started with, different function sets will misbehave.  If the process
> is started with Administrative bits, the process is unable to:
>
>  * access the MIT Kerberos v5 credential caches to obtain tokens
>
>  * create drive mappings
>
> If the process is started without the Administrative bits, the process:
>
>  * silently discards configuration changes that are saved in the registry
>
>  * is unable to start or stop the afsd service
>
> Based upon feedback received at the European AFS Workshop the shipment
> and installation of these tools are creating a significant support burden. 
>
>
> The Proposal:
>
> I propose that beginning with 1.5.66 (whenever that is) the
> afscreds.exe and afs_config.exe tools not be installed at all on any
> Windows version Vista or beyond and that on 2000, XP and 2003 that these
> tools not be installed as part of the default configuration.
>
>
> The Impact:
>
> The afscreds tool provides three sets of functionality:
>
>  * token acquisition (and renewal if MIT KFW is present)
>
>  * drive mapping
>
>  * start/stop the afsd service
>
> Network Identity Manager has long been available as a replacement for
> the token acquisition functionality and it is available on any system on
> which MIT KFW is present.  The only systems that wouldn't have it are
> clients of cells that are still using kaserver.  
>
> The drive mapping functionality has been documented as deprecated since
> the addition of the loopback installation permitted the use of a
> standard \\AFS UNC server name.  The recommended method for a user to
> create a drive mapping is the Windows Drive Mapping user interface
> provided as part of "[My] Computer" and the Explorer Shell.
>
> Starting and stopping the afsd service is an administration function
> that can be performed using the Windows Service MMC.
>
> The afs_config.exe tool provides:
>
>  * configuration management including cell name, server preferences,
>    cellservdb editing, cache size, and advanced tuning parameters
>
>  * start/stop functionality
>
>  * drive mapping
>
> While it is not ready for general purpose use, Brant Gurganus has made
> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
> tool has the potential to perform the first two functions in a more
> complete manner than the afs_config tool ever did.  As for the drive
> mapping, the Explorer Shell interface can be used.  As soon as this tool
> is deemed ready for incorporation in the distribution it will be added.
>
>
> Please Provide Feedback:
>
> If you are a Windows user or a system administrator that has a large
> number of Windows users, please comment on whether or not you agree with
> the proposed action.
>
> Thank you.
>
> Jeffrey Altman
>
>
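
A support-side check for the two process contexts described in the quoted message, as an added example that is not part of the original thread or of OpenAFS: it reads the current process token's elevation type and logon session ID, so running it once from a normal console and once from an elevated one shows the two separate logon sessions. The names `UacToken` and `Get-UacContext` are hypothetical.

```powershell
# Added example: UacToken and Get-UacContext are hypothetical names.
Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class UacToken {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_STATISTICS {
        public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
        public int TokenType; public int ImpersonationLevel; public uint DynamicCharged;
        public uint DynamicAvailable; public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId;
    }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out TOKEN_STATISTICS info, int length, out int returned);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);
    // TokenStatistics (class 10): AuthenticationId is the logon session LUID.
    public static string LogonSession(IntPtr token) {
        TOKEN_STATISTICS s; int n;
        if (!GetTokenInformation(token, 10, out s, Marshal.SizeOf(typeof(TOKEN_STATISTICS)), out n))
            throw new Win32Exception();
        return String.Format("0x{0:x}:0x{1:x}", s.AuthenticationId.High, s.AuthenticationId.Low);
    }
    // TokenElevationType (class 18): 1 = default, 2 = full, 3 = limited.
    public static int ElevationType(IntPtr token) {
        int e, n;
        if (!GetTokenInformation(token, 18, out e, sizeof(int), out n))
            throw new Win32Exception();
        return e;
    }
}
"@
function Get-UacContext {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = [UacToken]::ElevationType($id.Token)
    # Failure modes are the ones listed in the quoted message.
    $info = switch ($type) {
        2 { 'Full (elevated)', 'Kerberos credential cache access, drive mappings' }
        3 { 'Limited (filtered admin)', 'registry configuration saves, afsd start/stop' }
        default { 'Default (no split token)', 'depends on account rights' }
    }
    New-Object psobject -Property @{
        User = $id.Name; ElevationType = $info[0]; ExpectedToFail = $info[1]
        LogonSession = [UacToken]::LogonSession($id.Token)
    }
}
Get-UacContext | Format-List
```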