[OpenAFS] What you need to know about Windows 10

Jeffrey Altman jaltman@your-file-system.com
Tue, 28 Jul 2015 20:28:26 -0400


This is a cryptographically signed message in MIME format.

--------------ms070901020204030106020001
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Tomorrow is Wednesday July 29 and the day that Microsoft is going to
release Windows 10 to approximately 5 million users that have either
been a part of the Windows Insider program or pre-registered for a free
upgrade.  Windows 10 will be made available to volume license customers
on August 1.  Some vendors such as Dell and Lenovo will begin shipping
pre-loaded systems tomorrow and stores such as Best Buy have been
encouraged to upgrade current stock to Windows 10 before they let the
machines out the door.  The USB Flash Disk images will be shipping on
August 30.

There will not be a build of OpenAFS 1.7 targeted at Windows 10
available on the release day.   I am hoping to produce what will be my
last "OpenAFS" branded client with support for Windows 10 by the start
of the AFS and Kerberos Best Practices Workshop on August 17th.  After
that I will only be releasing AuriStor branded clients and I will
explain why at the end of this letter.

First, what do I know about the existing 1.7.32 build and Windows 10.

1. The 1.7.32 build does work (for the most part) on Windows 10 but

1a. the installation will be damaged during an upgrade from Windows 7 or
Windows 8.1 to Windows 10.  In particular, the network provider
registration will be lost.  End users should be encouraged to run
"Repair" on the OpenAFS components after the installation is complete.

1b. there are some changes to the method by which the afs redirector is
accessed that can under some circumstance result in a BSOD.

2. The infamous Explorer Shell caching bug that resulted in reports that
there are 0 bytes free when copying files to \\AFS has been fixed in
Windows 10.

3. As a result of the Explorer Shell bug being fixed the AFS redirector
needs to be modified to undo the hack that disabled the reporting of
read only volume state.

4. There is another known bug in shell32.dll that has not been fixed
that can result in a deadlock if a UNC path such as
\\afs\share-does-not-exist\ is entered into the explorer shell or into a
file open/save dialog box.   I have a workaround to implement in OpenAFS
but it is not ready.

5. There are known bugs in the AFS redirector or service that can

5a. prevent failover to alternative .readonly volume sites

5b. result in access to the wrong file object if two or more objects
exist with names that differ only by case in the same directory

6. The Netbios interface that the afsd_service relies for the SMB server
interface has been removed in Windows 10.   As a result the AFS SMB
interface must be permanently disabled when running on Windows 10.

7. Windows 10 supports UNC hardening for secure access to roaming
profiles and network based executables and configuration files.
Microsoft best practice states that UNC hardening should be turned on.
UNC hardening protects against man in the middle attacks that can result
in execution of untrusted code or the loading of untrusted user registry
hives by the system.  OpenAFS does not support UNC hardening and it must
remain disabled.

By the workshop I plan to have an OpenAFS based installer to distribute.
 This installer will not be signed by Microsoft but by the older
cross-signing certificate method.

By the workshop I also hope to demo the first AuriStor based client
which will:

1. support UNC hardening

2. support IPv6 connectivity

3. include a new kernel driver to process ICMP messages for faster
   failover and detection of IPv6 Path MTU sizes.

4. be compiled with Visual Studio 2015

5. be signed by Microsoft

This client will be the client that I am going to submit to Microsoft
for certification testing.  It is my hope that certification approvals
will be issued by October 16th which is expected to be the day that
production quality previews of Server 2016 will be released.  As I have
mentioned previously, only drivers that were signed by Microsoft and
include a certification attributed in the signature can be loaded on
forthcoming Windows Server releases.

Support for Server Nano will not be completed by October.  I am hoping
that can be completed by Spring 2016.

Jeffrey Altman


--------------ms070901020204030106020001
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DV0wggZCMIIFKqADAgECAhA4qwAv/66Wt1b/OVr7XecbMA0GCSqGSIb3DQEBBQUAMIHKMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWdu
IFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDEgUHVibGlj
IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzAeFw0xMTA5MDEwMDAwMDBa
Fw0yMTA4MzEyMzU5NTlaMIGmMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29y
cG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHjAcBgNVBAsTFVBl
cnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMgQ2xhc3MgMSBJbmRpdmlk
dWFsIFN1YnNjcmliZXIgQ0EgLSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AMbsJ/0dY/Q7HYrB0xzIyIKGtrhKhpKqgVxyyjANL55BIlcwISWQmqP0rCrGiBeGYXITdi7s
A8snm48ggDfg5IraVaZQD/y5XCNpiUKhuh+v7w75pMkK8fg3ssbZkkqufd+4RB+buj+MBv7Y
I09IUSNqYISo7icvYN+W8hoqjDyPAMxPy/ogjrw19uHwmrYF8/wdP8YUew7a8gXk04MCpsVp
cLSp5Fbp2x1c9KY24mu1Hiot3L677joEsDAIrV9obMa9BpaIhOfmqWQtvDgwu4gmw2dmZrS0
d/nAoccOcu9m4uW5yuDzhXc1mN7UHLD+ZnHiOMtufE9AVeuX2agYHu0CAwEAAaOCAkQwggJA
MDgGCCsGAQUFBwEBBCwwKjAoBggrBgEFBQcwAYYcaHR0cDovL3BraS1vY3NwLnZlcmlzaWdu
LmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMGwGA1UdIARlMGMwYQYLYIZIAYb4RQEHFwEwUjAm
BggrBgEFBQcCARYaaHR0cDovL3d3dy5zeW1hdXRoLmNvbS9jcHMwKAYIKwYBBQUHAgIwHBoa
aHR0cDovL3d3dy5zeW1hdXRoLmNvbS9ycGEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2Ny
bC52ZXJpc2lnbi5jb20vcGNhMS1nMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCkGA1UdEQQiMCCk
HjAcMRowGAYDVQQDExFWZXJpU2lnbk1QS0ktMi05NzAdBgNVHQ4EFgQUrfnDk3IttbkoYeSk
12DVxApeGgEwgfEGA1UdIwSB6TCB5qGB0KSBzTCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoT
DlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYD
VQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRp
b24gQXV0aG9yaXR5IC0gRzOCEQCLW3VWhFSFCwDPrzhIzrGkMA0GCSqGSIb3DQEBBQUAA4IB
AQDWj8Ham4jys2xNH1gvugFRXXTBRujDuHuf1kDx7/8yuolrwA40Q5+kmeak8F1IM2KFhWH+
I4gijGCbK5xlSZTEojgkSKVcpVBLaOliIqeT6Jkibj1buxBCDh9MdUc0VgmP+L2MPPNcu9KW
cFRwYk3v0RC+nUgsXuyGaweC8D3hJScoLOAWdh6z/eViltKKPV8rrvtcwhO3ZWPLNHZDn9aH
maturZXBAD9GJ4H/Nd4jDkPcFF8y+cop78JSMPWZ3bmB+DolII2CaPK5IYV0ZgThhjkWMvIt
1iqoyd7ZAAJP4xggxaWBVraV3tOCrfh7Jb5kfC6gunAs+Pl14nRNB22EMIIHEzCCBfugAwIB
AgIQFsQwSbigHCVWu2/kyYcLxDANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCVVMxHTAb
BgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBO
ZXR3b3JrMR4wHAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlN5bWFu
dGVjIENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzQwHhcNMTQxMjE4MDAw
MDAwWhcNMTUxMjE5MjM1OTU5WjCBzjEuMCwGA1UEAwwlUGVyc29uYSBOb3QgVmFsaWRhdGVk
IC0gMTQxODg4MjM4NjEwMjErMCkGCSqGSIb3DQEJARYcamFsdG1hbkB5b3VyLWZpbGUtc3lz
dGVtLmNvbTEPMA0GA1UECwwGUy9NSU1FMR4wHAYDVQQLDBVQZXJzb25hIE5vdCBWYWxpZGF0
ZWQxHzAdBgNVBAsMFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHTAbBgNVBAoMFFN5bWFudGVj
IENvcnBvcmF0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArXkxS27j5tr8
fOZR9mOix3TCKnCkDzfZuF2FU3tC/GbzL5ydWEO9tBE+dghdfEWHU3OLaPdvn33Zo1pQXnSu
GLS2pobbFJCeli95K8DVU2H3no9MIBfZFUNhSPF0zZ4MZydgkZEF+Gff9UyOME5EjXAMOU9G
NhyjPeKe8ACTnn5ft6D8MV599/MPE+y7H8EvRTgA2fLkSLb/ye0vASRD9F7Y2WZQaEsqkOKs
ZeT7SLsmx1XcKKNj5SvC8VOq/FXI3tfjl5nOVaAgZV4mA1h5f8Eg7WRFkeuN9f2s9WeOZ9QB
x23q9hviI29JxeES4ohTJMiZd6sfuOsKnKlq460cQwIDAQABo4IDETCCAw0wDAYDVR0TAQH/
BAIwADAOBgNVHQ8BAf8EBAMCBaAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC
MB0GA1UdDgQWBBQVJb//Y4s2c+LsGhbT88HV+hbKsDAnBgNVHREEIDAegRxqYWx0bWFuQHlv
dXItZmlsZS1zeXN0ZW0uY29tMB8GA1UdIwQYMBaAFK35w5NyLbW5KGHkpNdg1cQKXhoBMIIB
KwYIKwYBBQUHAQEEggEdMIIBGTCCARUGCCsGAQUFBzAChoIBB2xkYXA6Ly9kaXJlY3Rvcnku
dmVyaXNpZ24uY29tL0NOJTIwJTNEJTIwU3ltYW50ZWMlMjBDbGFzcyUyMDElMjBJbmRpdmlk
dWFsJTIwU3Vic2NyaWJlciUyMENBJTIwLSUyMEc0JTJDJTIwT1UlMjAlM0QlMjBQZXJzb25h
JTIwTm90JTIwVmFsaWRhdGVkJTJDJTIwT1UlMjAlM0QlMjBTeW1hbnRlYyUyMFRydXN0JTIw
TmV0d29yayUyQyUyME8lMjAlM0QlMjBTeW1hbnRlYyUyMENvcnBvcmF0aW9uJTJDJTIwQyUy
MCUzRCUyMFVTP2NBQ2VydGlmaWNhdGU7YmluYXJ5MF0GA1UdHwRWMFQwUqBQoE6GTGh0dHA6
Ly9wa2ktY3JsLnN5bWF1dGguY29tL2NhXzU2MWMxMDM2OTBjOTdhNjkyNDdhMGVmMDcxYWM4
MWFmL0xhdGVzdENSTC5jcmwwbAYDVR0gBGUwYzBhBgtghkgBhvhFAQcXATBSMCYGCCsGAQUF
BwIBFhpodHRwOi8vd3d3LnN5bWF1dGguY29tL2NwczAoBggrBgEFBQcCAjAcGhpodHRwOi8v
d3d3LnN5bWF1dGguY29tL3JwYTArBgpghkgBhvhFARADBB0wGwYSYIZIAYb4RQEQAQICBAGG
x85vFgUxMDkyMjA5BgpghkgBhvhFARAFBCswKQIBABYkYUhSMGNITTZMeTl3YTJrdGNtRXVj
M2x0WVhWMGFDNWpiMjA9MA0GCSqGSIb3DQEBBQUAA4IBAQCSL6DGrTOev0I2lQJRFG3lmTTj
5MLogoGmnpFiYtYd93wFX3Rflmaoe3ReIQTWpcj7sUXMmV+x8bj8gXN2owwqnsPTJZgidwpu
AqN32WIedDl+I53ptkZqR3imyVus1I2XABqlegzzJdOJIKyNsISV++9vR6EclD8GUuwmUkRW
TteO19vvyaIA2Cn32v/quQMIKx2L3RAh8XNyM/Spx0porfg4Vkvbfl8RNIB697Fu88HEPxmM
qyd7N1XVh04zPt4hhXkziNOodWgYBUf/vH05rmV2c/fjnVlWq9Aq7fW59HBTd7tNEOmAMo2I
UZ218s2FSDkuKCZkaCu/af8aHXg1MYIEYjCCBF4CAQEwgbswgaYxCzAJBgNVBAYTAlVTMR0w
GwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3Qg
TmV0d29yazEeMBwGA1UECxMVUGVyc29uYSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1h
bnRlYyBDbGFzcyAxIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQSAtIEc0AhAWxDBJuKAcJVa7
b+TJhwvEMA0GCWCGSAFlAwQCAQUAoIICdzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwG
CSqGSIb3DQEJBTEPFw0xNTA3MjkwMDI4MjZaMC8GCSqGSIb3DQEJBDEiBCDMg721xCsZV3yy
z30s+HzhneNN1CdUGlfttd7DpaOMJzBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjAL
BglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFA
MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIHMBgkrBgEEAYI3EAQxgb4wgbswgaYxCzAJBgNV
BAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50
ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29uYSBOb3QgVmFsaWRhdGVkMTcwNQYD
VQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwgU3Vic2NyaWJlciBDQSAtIEc0AhAW
xDBJuKAcJVa7b+TJhwvEMIHOBgsqhkiG9w0BCRACCzGBvqCBuzCBpjELMAkGA1UEBhMCVVMx
HTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVz
dCBOZXR3b3JrMR4wHAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlN5
bWFudGVjIENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzQCEBbEMEm4oBwl
Vrtv5MmHC8QwDQYJKoZIhvcNAQEBBQAEggEAW6f5EwO2I2vdI5zIkTPG1PvGAbnulbp8ljX+
eh95xUTolZ3WkJp+SX9sB8sm8KmIbseVDwmFqKbuYlre3WKztHXTDrz56ezaw0hthBQMhlF+
42hQSpoZHgRiiDPWoSdFtv1xHX9EXEIYr3fFU9smk2MinUXYuuG4GPNB/g4yYmecEmdNew6a
Q3KW6hIsOGZJHFVedJcoiftFM87N6v1fKapeEmys1IAGCHOIeGgS7oJGB3GDd5Bu7Ugp2B3b
NtVX/7mTRnQ0lTRxVYf18MN3686klYdqpK3MUpcWRGgghNefyZDvc0WPPbMJssjMPgobJrGp
C4vPme7GvlJF74zcZAAAAAAAAA==
--------------ms070901020204030106020001--