[OpenAFS] The removal of afscreds.exe and afs_config.exe on Windows Vista and Windows 7: Seeking Opinions

Wed, 30 Sep 2009 23:34:06 +0200

This is a cryptographically signed message in MIME format.

--------------ms080105000908010402090102
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Chaz:

FYI, your response was sent to "openafs-info-admin@openafs.org"
which is not the mailing list.  You might want to be aware of it
for the future.

user@REALM and user/admin@REALM are two different users.  NetIdMgr
explicitly permits you to maintain TGTs and AFS tokens for more than
one user at a time.  If you are using both user@REALM and user/admin@REALM
at the same time and configuring both to obtain tokens for the same
cell, then only one of the tokens can be active at a time.   There are
no PAGs on Windows and the cache manager can only associate one token
with a cell at a time.

Since this is a conflict, the AFS provider requires that you explicitly
approve the conflict when you add the same cell to multiple configurations
at the same time.   However, you need to be aware that you need to destroy
your credentials for one identity before using the second identity if you
wish to have consistent behavior. 

The difference between afscreds and netidmgr in this case is that when
using afscreds the identity is defined by the cell name and not the
Kerberos identity.   Therefore, even though you continue to have a TGT
for user@REALM after obtaining user/admin@REALM afscreds doesn't attempt
to renew them for you.  Whereas NetIdMgr will continue to renew all of
your identities that are currently active.  [Assuming of course that
you have configured NetIdMgr to perform auto-renewal which is on by
default.]

As someone who is often juggling multiple credentials including normal
and admin what I do is kick off a new command line session as a secondary
Windows user account intended for admin purposes and then obtain the
afs admin token under that account.  It ensures that I never mix my
regular user operations and my admin operations in the cells that I am
working on.

If you believe that you have found a bug even if you are not sure,
please file a report at openafs-bugs@openafs.org.  If we aren't told
there is a problem there is no method for us to address it.

Jeffrey Altman

Chaz Chandler wrote:
> Perhaps it's just my setup, but I have on numerous occasions been able
> to get tokens only through afscreds.  netidmgr does work for this, but
> occasionally not.  I especially see issues when trying to get afs tokens
> for non-"default" pts users and/or switching between two users (like
> going back and forth between "user" and "user/admin" over the course of
> the workday).  afscreds consistently gets the tokens even when netitmgr
> does not.  Anyone else with this problem?
>
> Jeffrey Altman wrote:
>> Ever since the release of Windows Vista I have been worried about the
>> continued shipment of afscred.exe (AFS Authentication Tool) and
>> afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
>> installers.
>>
>> The Problem:
>>
>> Beginning with Windows Vista, Microsoft implemented a security barrier
>> referred to as User Account Control which tightens the noose on normal
>> user accounts and prevents them from being used to perform a variety of
>> operations such as starting and stopping services or writing to the
>> local machine registry hive which they were able to do in previous
>> Windows releases.   In addition, user accounts that are members of the
>> "Administrators" group always log on to the machine as normal users.  In
>> order for a process to be started with the extra special Administrators
>> bits and explicit click through approval is required by the user.  A
>> process that is started as an Administrative process shares the desktop
>> but is effectively in a separate logon session.
>>
>> afscreds.exe and afs_config.exe perform some functionality that must be
>> executed in the standard logon session and other functions that must be
>> performed as an administrative process.  A process cannot be both.  As a
>> result, depending on the user account type used and the mode the process
>> is started with different function sets will misbehave.  If the process
>> is started with Administrative bits, the process is unable to:
>>
>>  * access the MIT Kerberos v5 credential caches to obtain tokens
>>
>>  * create drive mappings
>>
>> If the process is started without the Administrative bits, the process:
>>
>>  * silently discards configuration changes that are saved in the registry
>>
>>  * is unable to start or stop the afsd service
>>
>> Based upon feedback received at the European AFS Workshop the shipment
>> and installation of these tools are creating a significant support burden. 
>>
>>
>> The Proposal:
>>
>> I propose that beginning with 1.5.66 (whenever that is) that the
>> afscreds.exe and afs_config.exe tools not be installed at all on any
>> Windows version Vista or beyond and that on 2000, XP and 2003 that these
>> tools not be installed as part of the default configuration.
>>
>>
>> The Impact:
>>
>> The afscreds tool provides three sets of functionality:
>>
>>  * token acquisition (and renewal if MIT KFW is present)
>>
>>  * drive mapping
>>
>>  * start/stop the afsd service
>>
>> Network Identity Manager has long been available as a replacement for
>> the token acquisition functionality and it is available on any system on
>> which MIT KFW is present.  The only systems that wouldn't have it are
>> clients of cells that are still using kaserver.  
>>
>> The drive mapping functionality has been documented as deprecated since
>> the addition of the loopback installation permitted the use of a
>> standard \\AFS UNC server name.  The recommended method for a user to
>> create a drive mapping is the Windows Drive Mapping user interface
>> provided as part of "[My] Computer" and the Explorer Shell.
>>
>> Starting and stopping the afsd service is an administration function
>> that can be performed using the Windows Service MMC.
>>
>> The afs_config.exe tool provides:
>>
>>  * configuration management including cell name, server preferences,
>> cellservdb editing,
>>    cache size, and advanced tuning parameters
>>
>>  * start/stop functionality
>>
>>  * drive mapping
>>
>> While it is not ready for general purpose use, Brant Gurganus has made
>> significant progress on his OpenAFS Cache Manager MMC snap-in.  This
>> tool has the potential to perform the first two functions in a more
>> complete manner than the afs_config tool ever did.  As for the drive
>> mapping, the Explorer Shell interface can be used.  As soon as this tool
>> is deemed ready for incorporation in the distribution it will be added.
>>
>>
>> Please Provide Feedback:
>>
>> If you are a Windows user or a system administrator that has a large
>> number of Windows users, please comment on whether or not you agree with
>> the proposed action.
>>
>> Thank you.
>>
>> Jeffrey Altman
>>

--------------ms080105000908010402090102
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJeTCC
AxcwggKAoAMCAQICEAMF9RTCGOz151fTpHLih+cwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDgyODA0MDExOVoX
DTEwMDgyODA0MDExOVowczEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVy
aWMxHDAaBgNVBAMTE0plZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDZNscYIvF6xzGSAfa/QUIqiElyn0EUxL2b86eKiYqe91bj0gLr/MJoErLnb+OmokxqSAH6
y0zlFqSbiFwgNM8m69K6m/6YO+x3+5zBc+u6snwTWMEWygnhx3rQ/lMhoQOgArraL+/k9aWL
kNdaXQKk6EZVW9pfV2A4Lk4DoZGFjY8tJRWWDLlFkYnxDuIEpLYwJpwakv3QHOaq/G8KW0iE
jVhVzPobuZzwD2tuepY/bsClwqxz/gfAEpUvAn/lYTqnoT7RYljZlCIdbrgcG/HSYMxAy1Zp
Yh8Fx+9cqsG8O4nqo26SVfYZvrYhh8m6OqW8Vakdt7vBLCTa/QhIdJ4hAgMBAAGjOTA3MCcG
A1UdEQQgMB6BHGphbHRtYW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQUFAAOBgQBvbvJNXUJ4atv1CExIe0J38jZqoEUTttkXOfCDT9e3mSmVboOK
ifHDyLZQC4qSsCUfP7vdwAXjKtjak22HbfX2sEKCUgtnOkxRqXMM2V/NW/ESNVQZF0TO7L/Z
cW3icObO9FIZCSmgFMt2Al7VPfMQmaJNlqu9SLmXSwbRFJ5b4zCCAxcwggKAoAMCAQICEAMF
9RTCGOz151fTpHLih+cwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT
HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h
bCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA5MDgyODA0MDExOVoXDTEwMDgyODA0MDExOVow
czEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVyaWMxHDAaBgNVBAMTE0pl
ZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRtYW5Ac2VjdXJlLWVuZHBv
aW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZNscYIvF6xzGSAfa/
QUIqiElyn0EUxL2b86eKiYqe91bj0gLr/MJoErLnb+OmokxqSAH6y0zlFqSbiFwgNM8m69K6
m/6YO+x3+5zBc+u6snwTWMEWygnhx3rQ/lMhoQOgArraL+/k9aWLkNdaXQKk6EZVW9pfV2A4
Lk4DoZGFjY8tJRWWDLlFkYnxDuIEpLYwJpwakv3QHOaq/G8KW0iEjVhVzPobuZzwD2tuepY/
bsClwqxz/gfAEpUvAn/lYTqnoT7RYljZlCIdbrgcG/HSYMxAy1ZpYh8Fx+9cqsG8O4nqo26S
VfYZvrYhh8m6OqW8Vakdt7vBLCTa/QhIdJ4hAgMBAAGjOTA3MCcGA1UdEQQgMB6BHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOB
gQBvbvJNXUJ4atv1CExIe0J38jZqoEUTttkXOfCDT9e3mSmVboOKifHDyLZQC4qSsCUfP7vd
wAXjKtjak22HbfX2sEKCUgtnOkxRqXMM2V/NW/ESNVQZF0TO7L/ZcW3icObO9FIZCSmgFMt2
Al7VPfMQmaJNlqu9SLmXSwbRFJ5b4zCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAw
gdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFp
bCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0w
MzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxU
aGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg
RnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfAr
hVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8
MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWls
Q0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxh
YmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/
TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amc
OY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNxMIID
bQIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5
KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQ
AwX1FMIY7PXnV9OkcuKH5zAJBgUrDgMCGgUAoIIB0DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0wOTA5MzAyMTM0MDZaMCMGCSqGSIb3DQEJBDEWBBTdLvO4
+uoRkKvdpLmlyqt3Nd8u5jBfBgkqhkiG9w0BCQ8xUjBQMAsGCWCGSAFlAwQBAjAKBggqhkiG
9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcN
AwICASgwgYUGCSsGAQQBgjcQBDF4MHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0
ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVl
bWFpbCBJc3N1aW5nIENBAhADBfUUwhjs9edX06Ry4ofnMIGHBgsqhkiG9w0BCRACCzF4oHYw
YjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4x
LDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAhADBfUUwhjs
9edX06Ry4ofnMA0GCSqGSIb3DQEBAQUABIIBAAICcgmTSoDlaw2YpIgmg+EyWt9NH1zQ2XzD
0MX51+/QnC1H2DPFT9Vh5ZWvppAL15MkL1Yc8E0nUeYT/ZOUnVKC+SDnuXPqtYT5LPrH8L4A
EeHlM7r6BGMKR+k4rvlh6cjWxP1TdAOQ5DLwJcep4qHLsFHidinsBCItDeh3xrQ83b/18j06
XE95Nwvi3+Pv4+dhQJECqUy2kZ9AYI/FohP0YU9RHnle3UKzRExjLNEv5lwQEp/Doxq1JO+C
6/4F5H4/votLSH2DMIfwfXaT653HPCDuP7wD0mbuO4wlMifPM+XYZCXe5hYsjIlthQQ2NhVX
vQ+92945SsgCQ0eMlecAAAAAAAA=
--------------ms080105000908010402090102--