No opinions about the stuff below, but from a support perspective it is really nice to have the padlock at the bottom right. When people have trouble with file access, the two
questions:

- Do you have a padlock down right?
- Is there a red cross over the padlock?

are quite valuable.

-- Ragge

Jeffrey Altman wrote:
Ever since the release of Windows Vista I have been worried about the
continued shipment of afscreds.exe (AFS Authentication Tool) and
afs_config.exe (AFS Client Manager Configuration Tool) in the OpenAFS
installers.

The Problem:

Beginning with Windows Vista, Microsoft implemented a security barrier
referred to as User Account Control which tightens the noose on normal
user accounts and prevents them from being used to perform a variety of
operations such as starting and stopping services or writing to the
local machine registry hive which they were able to do in previous
Windows releases.  In addition, user accounts that are members of the
"Administrators" group always log on to the machine as normal users.  In
order for a process to be started with the extra special Administrators
bits, explicit click-through approval is required by the user.  A
process that is started as an Administrative process shares the desktop
but is effectively in a separate logon session.

afscreds.exe and afs_config.exe perform some functionality that must be
executed in the standard logon session and other functions that must be
performed as an administrative process.  A process cannot be both.  As a
result, depending on the user account type used and the mode the process
is started with, different function sets will misbehave.  If the process
is started with Administrative bits, the process is unable to:

 * access the MIT Kerberos v5 credential caches to obtain tokens

 * create drive mappings

If the process is started without the Administrative bits, the process:

 * silently discards configuration changes that are saved in the registry

 * is unable to start or stop the afsd service

Based upon feedback received at the European AFS Workshop the shipment
and installation of these tools are creating a significant support burden.

The Proposal:

I propose that, beginning with 1.5.66 (whenever that is), the
afscreds.exe and afs_config.exe tools not be installed at all on any
Windows version Vista or beyond, and that on 2000, XP and 2003 these
tools not be installed as part of the default configuration.


The Impact:

The afscreds tool provides three sets of functionality:

 * token acquisition (and renewal if MIT KFW is present)

 * drive mapping

 * start/stop the afsd service

Network Identity Manager has long been available as a replacement for
the token acquisition functionality and it is available on any system on
which MIT KFW is present.  The only systems that wouldn't have it are
clients of cells that are still using kaserver.
The drive mapping functionality has been documented as deprecated since
the addition of the loopback installation permitted the use of a
standard \\AFS UNC server name.  The recommended method for a user to
create a drive mapping is the Windows Drive Mapping user interface
provided as part of "[My] Computer" and the Explorer Shell.

Starting and stopping the afsd service is an administration function
that can be performed using the Windows Service MMC.

The afs_config.exe tool provides:

 * configuration management including cell name, server preferences,
   cellservdb editing, cache size, and advanced tuning parameters

 * start/stop functionality

 * drive mapping

While it is not ready for general purpose use, Brant Gurganus has made
significant progress on his OpenAFS Cache Manager MMC snap-in.  This
tool has the potential to perform the first two functions in a more
complete manner than the afs_config tool ever did.  As for the drive
mapping, the Explorer Shell interface can be used.  As soon as this tool
is deemed ready for incorporation in the distribution it will be added.


Please Provide Feedback:

If you are a Windows user or a system administrator that has a large
number of Windows users, please comment on whether or not you agree with
the proposed action.

Thank you.

Jeffrey Altman


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
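The split that the quoted message describes (per-user work must run in the standard logon session, machine-wide work must run elevated, and one process cannot do both) can be demonstrated with a short PowerShell script. This is an added example, not code from the OpenAFS project or from the thread: it checks which token the current process holds, keeps the drive mapping in the unelevated session, and launches only the service-control step in a separate elevated process. The service name `afsd`, the drive letter `Z:`, and the `\\AFS\all` path are assumptions taken from the message's description, not verified against an OpenAFS installation.

```powershell
# Added example (not OpenAFS code). Demonstrates the UAC split described in
# the thread: per-user functions in the standard logon session, administrative
# functions in a separately elevated process.

function Test-ProcessElevated {
    # True when the current token carries the Administrators group enabled,
    # i.e. the process was started via the UAC consent prompt (or UAC is off).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-AfsDriveMapping {
    param(
        [string]$DriveLetter = 'Z',          # assumed drive letter
        [string]$UncPath     = '\\AFS\all'   # assumed path under the \\AFS loopback name
    )
    # Drive mappings belong to the logon session that created them. On Vista
    # and later an elevated process lives in a separate session, so a mapping
    # made here would not be visible in the user's Explorer window.
    if (Test-ProcessElevated) {
        Write-Warning 'Running elevated: a mapping created here is invisible to the standard desktop session. Run this part unelevated.'
        return $false
    }
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath -Persist -Scope Global -ErrorAction Stop | Out-Null
    return $true
}

function Restart-AfsClientService {
    param([string]$ServiceName = 'afsd')   # assumed name of the OpenAFS client service
    if (-not (Test-ProcessElevated)) {
        # Do not relaunch the whole tool elevated (that would break the
        # per-user functions). Relaunch only the service-control step, which
        # triggers the UAC consent prompt once.
        $command = "Restart-Service -Name '$ServiceName'"
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList '-NoProfile', '-Command', $command
        return
    }
    # Already elevated: service control and HKLM writes succeed here. Without
    # elevation, HKLM writes by a legacy application are redirected to the
    # per-user VirtualStore, which is why settings appear to be silently lost.
    Restart-Service -Name $ServiceName -ErrorAction Stop
}

# Usage: run unelevated from the user's desktop session.
if (New-AfsDriveMapping) { Write-Host 'Drive mapped in the standard logon session.' }
Restart-AfsClientService
```

Running the script unelevated is the intended path: the drive mapping is created in the session the user actually sees, and only the service restart prompts for consent. Running the whole script from an elevated prompt reproduces the first failure mode in the message (the mapping exists, but not where the user is looking), which the warning makes visible instead of silent.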
