[OpenAFS-win32-devel] No more feature changes expected before 1.3.70; future release plans

Jeffrey Altman jaltman@columbia.edu
Fri, 16 Jul 2004 02:41:30 -0400


As of tonight's builds, 2004-07-15, I am not expecting to commit any new
functional changes to OpenAFS for Windows.  The one exception will
be the addition of a new help engine if someone volunteers to update
the online help files.

Please test these releases extensively in your environments and make plans
to distribute the 1.3.70 release to your end users.  After the release of
1.3.70 I anticipate a hiatus of additional releases for about two months.
After that I will resume issuing releases about once a month.  However,
from this point forward the changes to the OpenAFS client will be more
dramatic.  In particular, the set of changes I would like to ship in
December or January will include a completely new user interface.  As such
I expect that the September release will not be considered a "stable"
release.  Unless there is a good reason to delay the release I am going to
target the release of 1.3.70 for Tuesday July 27th.  As such please attempt
to find testing time sometime within the next several days so as to leave
time for bug fixes to be applied as needed.

As mentioned earlier in the week, the original intention was to call this
release 1.4 as the 1.4 version number is the value reserved for the next
stable release on Unix.  Unfortunately the state of the Unix distribution
is such that it is not ready to cut a new stable branch.  As such we in the
Windows world will continue to label releases as either "stable" or
"development" independent of the version number.

If someone has time it would be nice to be able to obtain some performance
comparisons between 1.2.10 and the latest daily builds.  Both with and
without crypt mode on.  I expect the new builds will compare quite
favorably.

As always I encourage all organizations that wish to contribute to OpenAFS
for Windows development to contact me.  Financial contributions as well as
in kind assistance are seriously appreciated.  There is much to do and it
is only going to be accomplished with the support of the organizations
which rely on this software within their organizations.

Thanks.  I hope the efforts of myself and Asanka are well received.

Jeffrey Altman


Daily builds can be obtained from:

   /afs/athena.mit.edu/user/j/a/jaltman/Public/OpenAFS/
   \\afs\athena.mit.edu\user\j\a\jaltman\Public\OpenAFS\
   http://web.mit.edu/~jaltman/Public/OpenAFS/

Here is the complete list of changes since the 1.3.65 release:

   * The network provider can be configured to have different behavior
     depending on the domain that the user logs into.  These settings are
     only relevant when using integrated login.  A domain refers to an
     Active Directory (AD) domain, a trusted Kerberos (non-AD) realm or the
     local machine (i.e. local account logins).  The domain name that is
     used for selecting the domain would be the domain that is passed into
     the NPLogonNotify function of the network provider. (see registry.txt
     for details)

   * Added a new registry value [HKCU\SOFTWARE\OpenAFS\Client]
     "Authentication Cell" which may be used to specify a default
     authentication cell for afscreds.exe which is different from
     the default cell for the AFS Client Service daemon.

   * Added a Logoff WinLogon Event Notification function to afslogon.dll.
     afslogon.dll moved to %WINDIR%\System32\.
     New registry entries added to register the dll for Winlogon events.

     The logoff event will now force a call to ktc_ForgetAllTokens()
     using the context of the user being logged off.

     Need to double check that this code does not prevent profile data
     from being written back to an afs volume

   * Windows XP SP2 Internet Connection Firewall interoperability
     has been added.

   * The %WINDIR%\afsdsbmt.ini contains four sections:
        Submounts, Drive Mappings, Active Maps and CSC Policies.
     The Submounts and CSC policies are now stored in the registry under
        [HKLM\SOFTWARE\OpenAFS\Client\Submounts]
        [HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]
     The Drive Mappings and Active Maps are stored in the registry under
        [HKCU\SOFTWARE\OpenAFS\Client\Mappings]
        [HKCU\SOFTWARE\OpenAFS\Client\Active Maps]

     There is no automatic migration of this data as it would be impossible
     to consistently migrate data to user profiles which may not be active
     when the machine is updated.

   * The %WINDIR%\afs_freelance.ini contains lists of mountpoints for the
     fake root.afs volume.  For the same reasons as for the cellservdb file,
     this information should not be in %WINDIR%.  This information is now
     kept under the registry key
        [HKLM\SOFTWARE\OpenAFS\Client\Freelance]

     The data from the afs_freelance.ini file will be automatically
     migrated to the registry on first execution of afsd_service.exe

   * Keeping the CellServDB file in the location %WINDIR%\afsdcell.ini is
     troublesome for several reasons.  One, it is confusing for those who
     expect the file to be named "CellServDB" instead of "afsdcell.ini".
     Two, this file is not a Windows Profile formatted file.  Three,
     applications should not be reading or writing to %WINDIR%.  It causes
     problems for Windows Terminal Server.

     The new location of CellServDB will be the OpenAFS Client install
     directory which is by default C:\Program Files\OpenAFS\Client and can
     be determined by querying the registry for
     [HKLM\SOFTWARE\TransarcCorporation\AFS Client\CurrentVersion]PathName

     The existing afsdcell.ini will be migrated by the NSIS installer.
     The Wix installer must still be updated to do the same.

   * Change NSIS installer to use DNS by default; to remove Integrated Logon
     High Security mode; and to add Terminal Services compatibility registry
     entries to allow the OpenAFS tools to find the afsdcell.ini and other
     configuration files in %WINDIR%.
 
   * Add support for authenticated SMB connections.   This will remove
     the need for high security mode in most situations.  Both NTLM
     and Extended Security (GSS SPNEGO) modes are supported.  Effectively,
     only NTLM can be used even though Kerberos is now supported.  The
     reason is that it is not possible to construct a service principal
     which is unique to each individual machine.

     SMB Extended Auth does not work on XP SP2 unless one of two registry
     modifications are made:

     (1) To disable the check for matching host names on loopback
        connections set this key.  This does not require a reboot:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
            "DisableLoopbackCheck"=dword:00000001

     (2) To add the AFS SMB/CIFS service name to an approved list.  This
        does require a reboot:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
            "BackConnectionHostNames"=multi-sz "AFS" "MACHINE-AFS"

     afsd_service.exe will automatically add the current Netbios Name
     to the BackConnectionHostNames list and then temporarily disable
     the loopback check for one cycle of startup/shutdown of the service.
     We assume most folks do not start/stop without a reboot so this
     will be adequate in most cases.

   * Fix security hole in afslogon.dll which allowed passwords to be
     sent in clear text to the KDC in a misformed principal name.

   * Fix cm_GetCell() to properly handle expired dns entries
     without crashing

   * If Freelance mode is active and the afs_freelance.ini
     file does not exist, do not create an empty file.
     Instead create a file containing ro and rw mountpoints
     to the default cell using the standard conventions.

   * Modify the Freelance support to handle the ability
     to create rw mount points in the fake root.afs volume.

   * Changed the RPC mechanism used for token setting from
     named pipes to local.  Use of named pipes can be restored
     by setting the environment variable AFS_RPC_PROTSEQ to
     "ncacn_np".

     Named pipes were required when a Windows 9x system was
     using a NT system in gateway mode which is incompatible
     with our use of local loopback adapters.

   * In afscreds.exe, if a username of the form user@REALM is
     specified and no password is specified, do not perform a
     kinit operation.  Only perform the aklog functionality.

   * Add a new registry value which allows the number of processors
     on which afsd_service.exe executes to be restricted.  Valid
     values are 1..numOfProcessors

       HKLM\SYSTEM\CurrentControlSet\Services\TransarcAfsDaemon\Parameters
          (DWORD) MaxCPUs
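
The two Lsa settings listed under the SMB Extended Auth item above can be audited with the following added example, which is not part of the original message or of OpenAFS. The registry paths and value names are the ones quoted in the message; the function name, the output fields and the "<COMPUTERNAME>-AFS" default (modelled on the "MACHINE-AFS" sample) are assumptions.

```powershell
# Added example: report which of the two loopback-check workarounds is in effect.
# Get-AfsLoopbackAuthState is a hypothetical name; only the registry paths and
# value names come from the message.
function Get-AfsLoopbackAuthState {
    [CmdletBinding()]
    param(
        # Assumed AFS SMB names, following the "AFS" "MACHINE-AFS" sample.
        [string[]]$ExpectedNames = @('AFS', "$($env:COMPUTERNAME)-AFS")
    )

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # A missing value yields $null instead of an error.
    $lsa = Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' `
               -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $msvKey -Name 'BackConnectionHostNames' `
               -ErrorAction SilentlyContinue

    $checkDisabled = [bool]($lsa -and $lsa.DisableLoopbackCheck -eq 1)
    $approved = @()
    if ($msv) { $approved = @($msv.BackConnectionHostNames) }

    # -notcontains compares case-insensitively, like NetBIOS names.
    $missing = @($ExpectedNames | Where-Object { $approved -notcontains $_ })

    if ($checkDisabled) {
        $finding = 'Option 1 active: loopback host name check is off for all names'
    } elseif ($missing.Count -eq 0) {
        $finding = 'Option 2 active: check is on and the AFS names are approved'
    } else {
        $finding = 'Check is on but AFS names are missing from the approved list'
    }

    [pscustomobject]@{
        LoopbackCheckDisabled = $checkDisabled
        ApprovedHostNames     = $approved
        MissingAfsNames       = $missing
        Finding               = $finding
    }
}

Get-AfsLoopbackAuthState | Format-List
```

Because the service disables the check only temporarily, running this after a reboot shows whether DisableLoopbackCheck was left set or whether the machine relies on the BackConnectionHostNames list alone.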


