[OpenAFS-win32-devel] AFS Server on Windows now works - please test new builds
Douglas E. Engert
deengert@anl.gov
Fri, 02 Apr 2004 09:42:24 -0600
Jeffrey Altman wrote:
>
> I have uploaded new test builds dated 20040402 to
>
> /afs/athena.mit.edu/user/j/a/jaltman/Public/OpenAFS/
> http://web.mit.edu/~jaltman/Public/OpenAFS/
>
> The major changes since 1.3.62 are the following:
>
> * All of the resource files have been restructured to adhere to
> a set of rules IBM implemented for loading string resources.
> These rules had either been forgotten or were not discovered
> by folks working on the OpenAFS sources. The end result was
> memory corruption. This is the primary item which was preventing
> the AFS Server from working.
> * Increased the size of the maximum ticket size stored in a token
> from 344 bytes to 4096. Increased the buffers used to convey
> messages between the pioctl() caller and the SMB Server from
> 1000 bytes to 8196. The code appeared to have been writing
> above the top of the stack by quite a few bytes.
> (please let me know if this solves the afsd_service.exe crashing
> when the service is shutdown.) The increased ticket size is
> necessary for the next item.
I read somewhere that in 2003 the Microsoft max ticket size was increased from
8000 to 12000 bytes. You may wish to consider this too.
As a side note, Microsoft has been promising a mod for AD 2003 to be able
to issue service tickets without a PAC. We even tested it. But it is still
not packaged as a hotfix. I have been asking for this since August.
(I will bug them again.) Your above change makes this mod less critical,
at least for AFS.
> * When obtaining AFS Tokens via KFW, krb524 is no longer required.
> Instead the raw Kerberos 5 ticket is used in its entirety. This
> is extremely important as it allows us to use pure Kerberos 5 KDCs
> as the source of the AFS authentication. The use of 4096 byte long
> tickets will allow tickets produced by all versions of Microsoft
> Active Directory to be used.
>
> create a user account.
> designate it DES only
> disable pre-auth
> specify its UPN to be "afs@realm"
> assign a SPN of "afs/cellname" to the UPN with setspn.exe
>
> *
Working on msklog yesterday, which almost does the same thing as above, I think
I found a bug in openafs src/rxkad/ticket5.c. This is used on the
AFS servers. In the krb5_des_decrypt routine, the variable ret is not initialized.
If the etype is not ETYPE_DES_CBC_CRC, no cksum_fun is set,
so ret is never set. ret is then used as the return code which may be garbage.
This means that a des-cbc-md5 ticket may be rejected.
I am still looking at this.
>
> Do not enforce the funky 8dot3 pattern matching rule that the first "."
> is special when using long file names. (you must use "*.*" and not "*")
> Instead only enforce it when performing 8dot3 searches.
>
> Note: The following items are known to be horribly broken in this build:
>
> * The AFS Shell Extensions menu is entirely non-functional
> * The installer launches the AFS Server Configuration tool on an upgrade
> in a mode which forces server configuration as opposed to management.
> * Every other reported bug in the OpenAFS Request Tracker
>
> When installing the AFS Server note the following things:
>
> * if you are installing the AFS Server on a machine which has the
> loopback adapter installed, you must add an entry into the
> %WINDIR%\System32\Drivers\Etc\Hosts file for the IP Address you chose to use
> * you must have an empty NTFS partition available before you start the
> installation process
> * do not turn on Freelance mode when installing the AFS Server
> * The "afs" password you enter on the first screen must match the
> password you specify in the Active Directory or the KDC. This password will be
> entered into the local kaserver database for you in case you are not
> using KFW.
> * Performance sucks when the client and the server are both on the same
> machine and you are writing to a read-write volume
>
> Enjoy!!!!
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
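As an added illustration of the uninitialized return value pattern Doug describes in krb5_des_decrypt, here is a constructed example that is not OpenAFS's ticket5.c: the buggy dispatcher beside a hardened one. The enctype constants, the XOR stand-in verifier and the sample bytes are assumptions made for the demonstration.

```c
#include <stddef.h>
/* Constructed illustration of the uninitialized-return pattern described
 * above; this is not OpenAFS code. Enctype numbers follow RFC 3961. */
#define ETYPE_DES_CBC_CRC 1
#define ETYPE_DES_CBC_MD5 3
#define KRB_OK 0
#define KRB_BAD_ETYPE (-1)
#define KRB_BAD_CKSUM (-2)
typedef int (*cksum_fn)(const unsigned char *buf, size_t len);

/* Stand-in verifier: last byte must equal the XOR of the preceding bytes.
 * A real implementation installs the CRC32 or MD5 check here. */
static int xor_verify(const unsigned char *buf, size_t len)
{
    unsigned char x = 0;
    size_t i;
    for (i = 0; i + 1 < len; i++)
        x ^= buf[i];
    return (len > 0 && x == buf[len - 1]) ? KRB_OK : KRB_BAD_CKSUM;
}

/* Defect pattern: ret is assigned only on the DES-CBC-CRC path, so for
 * des-cbc-md5 the caller gets stack garbage and a valid ticket is rejected. */
static int decrypt_buggy(int etype, const unsigned char *buf, size_t len)
{
    int ret = 0x5a5a;          /* marker standing in for the uninitialized local */
    cksum_fn cksum_fun = NULL;
    if (etype == ETYPE_DES_CBC_CRC) {
        cksum_fun = xor_verify;
        ret = KRB_OK;
    }
    if (cksum_fun != NULL)
        ret = cksum_fun(buf, len);
    return ret;
}

/* Hardened form: ret defaults to a failure code, and only an explicitly
 * supported enctype reaches a verifier that can turn it into success. */
static int decrypt_fixed(int etype, const unsigned char *buf, size_t len)
{
    int ret = KRB_BAD_ETYPE;
    cksum_fn cksum_fun = NULL;
    switch (etype) {
    case ETYPE_DES_CBC_CRC:
    case ETYPE_DES_CBC_MD5: cksum_fun = xor_verify; break;
    default: break;
    }
    if (cksum_fun != NULL)
        ret = cksum_fun(buf, len);
    return ret;
}
/* Constructed sample: 0x10 ^ 0x20 ^ 0x30 == 0x00, so the trailer is valid. */
const unsigned char sample_ticket_ok[] = {0x10, 0x20, 0x30, 0x00};
```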