OpenAFS for Windows

Contents:

• Urgent News
• How to Decide Which Version to Install
• Digital Signatures
• OpenAFS for Windows 1.7.31 (aka 1.7.3100)
• • Features
  • Documentation
  • Supported Platforms
  • Known Issues
  • 64-bit Downloads
  • 32-bit Downloads
• OpenAFS for Windows 1.6.1 (aka 1.6.0104)
• • Features
  • Documentation
  • Supported Platforms
  • Known Issues
  • 32-bit Downloads
  • 64-bit Downloads
• Kerberos for Windows (MIT or Heimdal)
• Microsoft Hot Fixes

Urgent News

• All versions of OpenAFS for Windows prior to 1.7.33 are vulnerable to OPENAFS-SA-2015-007 "Tattletale"
• All versions of OpenAFS for Windows prior to 1.5.75 are incompatible with Windows Security Update MS10-020 (KB980232).
• All versions of OpenAFS for Windows prior to 1.5.62 can experience data loss when storing data to the file server.
• Windows 7 Upgrading:
  •  Version 1.5.66 was the first release of OpenAFS for Windows that is supported on Windows 7.
  • OpenAFS for Windows must be re-installed after a Windows 7 Upgrade.  The Windows 7 Upgrade process will uninstall the Microsoft Loopback Adapter
  • Version 1.5.99b (aka 1.6.0pre2) was the first release that will not lose connectivity with \\AFS when the network configuration changes.

How to Decide Which Version to Install

OpenAFS.org maintains two active release series for the Microsoft Windows platform, 1.6.x and 1.7.x.  If life were simple, the 1.6 release series would be the most recent production quality revision and the 1.7.x would be the next generation release series that includes potentially experimental features that have not received broad testing.  Unfortunately when it comes to OpenAFS on the Microsoft Windows platform life is not simple.

Access to the \\AFS name space is acheived via the use of an SMB to AFS gateway in the 1.6 series.  This approach was developed when there were no documented methods of adding networked file system to Microsoft Windows.  It worked quite well in Windows XP and Server 2003 but is highly unstable on Windows 7 and Server 2008 R2.  Especially on systems that suspend and resume or migrate between networks.

The 1.7 series is a completely new approach.  Instead of relying on the Microsoft SMB client to interface with the Windows kernel, OpenAFS 1.7.x is a native Windows file system that is compatible with all versions of Microsoft Windows from XP SP3 to Windows 7 SP1 and Server 2008 R2 SP1.  As a native file system, 1.7 provides better performance, does not rely on a private loopback interface to publish the SMB gateway service name, and most importantly, permits the OpenAFS developers to fully control the file system source code.  No longer will OpenAFS be held hostage to the whims of Microsoft when bugs in the SMB client negatively impact access to the \\AFS name space.

The choice is yours to make but the recommendation of OpenAFS is to deploy the 1.7 series client and submit bug reports if application incompatibilities are uncovered.  The OpenAFS developers have a long track record of promptly fixing reported issues.

Digital Signatures

Installers are produced and signed by Secure Endpoints Inc. or Your File System Inc.. Note: Your File System, Inc. was renamed to AuriStor, Inc. on 28 Oct 2015. If the signature is missing do not complete the installation process and send e-mail to openafs-security@openafs.org

OpenAFS for Windows 1.7.31 (1.7.3100)

(updated 13 May 2014)

Significant Changes since 1.7.30:

• Fixes a variety of rare errors that can lead to data corruption.
  • one specific to synchronous file writes on Server 2012 R2.
• File copies from readonly volumes could fail with a Media Protected error due to failure of the afs redirector to permit setting file position on a readonly file handle.
• Prevent applications from unintentionally clearing the Reparse Point or Directory attribute when setting other attributes on files and directories.
• If a file has the DOS readonly attribute set, deny all writes, truncations, and overwrites in the redirector and not the afsd_service. Waiting for the afsd_service to see the store operation is too late. The Windows cache manager has already accepted the data.
• Fix a potential BSOD when afs redirector trace is enabled.
• Improved support for applications that set the Last Modified Timestamp to -1 to indicate that the timestamp should not be modified.

Features:

• OpenAFS is a native Microsoft Windows file system.
• Compatible with all OpenAFS and IBM/Transarc AFS Server versions
• Significantly faster than the OpenAFS 1.6 release (up to 1.2GB/second read throughput from Solid State Disk backed cache)
• Does not require the installation of the Microsoft Windows Loopback Adapter
• Provides support for kernel enforced Process and Thread Authentication Groups
• Explorer Shell integration including AFS specific property sheets and Overlay Icons for AFS Mount Points and Symlinks
• Immediate access to \\AFS namespace after system resume
• AFS Mount Points and Symlinks are File System Reparse Points

Documentation:

• 1.7.31 Release Notes (CHM) (PDF) (EPUB) (HTML)
• 1.7.31 ChangeLog

Supported Platforms:

• Windows 8.1 and Server 2012 R2 including Update 1 (X86 and AMD64)
• Windows 8 (X86 and AMD64)
• Windows Server 2012 (AMD64)
• Windows 7 (X86 and AMD64)
• Windows Server 2008 R2 (AMD64)
• Windows Server 2008 (X86 and AMD64) including SP1
• Windows Vista (X86 and AMD64) including SP1 and SP2
• Windows XP 64 (AMD64) SP2
• Windows 2003 R2 SP1 (X86 and AMD64)
• Windows 2003 SP2
• Windows XP SP3

Known Issues:

• Command Prompt shortcut LNK files when stored in AFS cannot be modified and assigned properties such as Font, Height, Width, etc. will be ignored by conhost.exe.
• Stopping and restarting the OpenAFS Service when there are open file handles will leave file locks in an inconsistent state. Windows will believe the files are locked and the AFS cache manager will be unaware of them.
• Stopping and restarting the OpenAFS Service will result in all AFS token mappings to authentication groups to be lost.
• An Explorer Shell bug when pasting files via Ctrl-V can result in an insufficient space dialog when there is sufficient space in the destination volume.

Downloads for 64-bit Windows operating systems: 2012/Win8/2008-R2/Win7/2008/Vista/2003-R2/2003/XP:

Both installers must be installed on 64-bit systems.

• 64-bit MSI installer
  
• 32-bit tools MSI installer
  

Download for 32-bit Windows operating systems: Win8/Win7/2008/Vista/2003-R2/2003/XP:

• 32-bit MSI installer
  

OpenAFS for Windows 1.6.1 (1.6.0104)

Significant Changes since 1.6.0b:

• "fs setserverprefs -vl" works again
• Improved handling of volume renames
• Windows Vista and Windows 7 Advanced Firewall Configuration
• Idle Dead Timeout improvements
• Busy RX Call Channel processing
• NAT Ping Improvements
• Correct handling of VBUSY errors
• Correct handling of VNOSERVICE errors

Features:

• Starting with the 1.5.50 release of OpenAFS for Windows, each of the AFS Client Service, the AFS Explorer Shell Extension, and the command-line tools are Unicode enabled.  No longer is OpenAFS restricted to accessing file system objects whose names can be represented in the locale specific OEM code page.  This has significant benefits for end users.  Most importantly it permits non-Western languages to now be used for file system object names in AFS from Microsoft Windows operating systems.  Now that Unicode names are supported, Roaming User Profiles and Folder Redirection will no longer fail when a user attempts to store an object with a name that cannot be represented in the OEM code page. 
• Compatible with all OpenAFS and IBM/Transarc AFS Server versions
• Support for all editions of Windows 7 and Windows Server 2008 R2
• Support for all editions of Windows Vista including SP1 and Windows Server 2008
• AFS credentials module for Network Identity Manager version 1 and version 2
• Support for 64-bit File Sizes on both 32-bit and 64-bit versions of Microsoft Windows
• Support for all AMD64 64-bit Windows platforms
• Implements Windows Byte Range Locking backed by AFS File Server Locks
• New commands:
  • fs uuid [-generate]
  • fs chown -owner <user name or id> [-path <dir/file path>+] [-literal]
  • fs chgrp -group <user name or id> [-path <dir/file path>+] [-literal]
• Improved CIFS protocol compatibility
  • Compatible with XP, XP64, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2.
  • Supports the SRVSVC and WKSSRV services providing an improved \\AFS browsing experience.
• Hard Dead and Connection Timeout values restricted to the CIFS Session Timeout value.
  • CIFS Extended Timeouts are automatically detected when supported by the installed version of mrxsmb.sys.  See Microsoft Hot Fixes.
• Improved handling of Windows Standby/Hibernate modes when network access is unavailable
• Fixes critical data loss errors:
  • Prior to 1.5.15, write requests queued for background processing were not retried upon failure.
  • Prior to 1.5.62, write requests whose file offset is not an even multiple of the cache buffer block size would fail to store all of the dirty data.
  • Prior to 1.5.62, write requests to file servers that have 2GB file limits (aka IBM file servers and OpenAFS file servers older than 1.3.70) can fail to store dirty data on the first StoreData RPC after a InitCallBackState RPC is received.
• Increased cache hit ratio for data written to AFS by the local client
• Improved behavior when used behind Network Address Translation (NAT) devices
• Default chunk size increased to 1MB from 128KB as of 1.5.23 improving read and write performance.
• The 1.5.53 release fixed a significant memory leak (rx packets) in the rx rpc protocol library.
• The 1.5.56 and 1.5.57 releases fixes race conditions in the rx rpc protocol library that can result in the AFS Client Service terminating prematurely.
• The 1.5.60 release converts all documentation to Windows HTML Help and adds registry support for CellServDB information.
• 1.5.66
  • Network Identity Manager OpenAFS Provider now provides its own "AFS lock" notification icon to report the status of "have tokens, have no tokens, service not started, service started but inaccessible". Hovering over the icon lists the cells for which tokens exist (if any) and the OpenAFS version
    number. Double-clicking executes the Network Identity Manager default action.
  • disables the drive mapping functionality in the AFS Authentication Tool (afscreds) and AFS Configuration Tool (afs_config)
  • Workaround a file server bug that can be triggered when extending the length of a file.
  • Adds support for DNS SRV records _afs3-vlserver._udp.<cellname> in place of DNS AFSDB records.
• 1.5.75 provides compatibility with Windows Security Update MS10-020 (KB980232).
• 1.5.77 corrects an AFS RPC Path MTU discovery error that was introduced in 1.5.76.
• 1.5.99b corrects an error that caused Windows to lose connectivity with the \\AFS server after a network configuration change.

Documentation:

• 1.6.1 Release Notes (CHM) (HTML)
  
• 1.6.1 ChangeLog

Supported Platforms:

• Windows 7 (X86 and AMD64)
• Windows Server 2008 R2 (AMD64)
• Windows Server 2008 (X86 and AMD64) including SP1
• Windows Vista (X86 and AMD64) including SP1 and SP2
• Windows 2003 64 (AMD64) including SP1 and SP2
• Windows XP 64 (AMD64) including SP1 and SP2
• Windows 2003 R2 including SP1
• Windows 2003 including SP1 and SP2
• Windows XP including SP2 and SP3
• Windows 2000 Workstation and Server at SP4

Known Issues:

• If a *beta* AFS plug-in for Network Identity Manager is installed, it must be uninstalled before OpenAFS 1.6.1 is installed. Otherwise, an error indicating that the plug-in cannot be installed because the appropriate version of OpenAFS is not installed will be generated.
• The AFS plug-in for Network Identity Manager provided as part of OpenAFS 1.6.0b requires MIT Kerberos for Windows 3.1 or above.
• Directory and File Change Notifications are ignored when accessing AFS via UNC paths
• Windows Vista Specific Issues
  • The help files provided with OpenAFS are in .HLP format.  WinHlp32.exe must be downloaded separately from Microsoft.  Secure Endpoints Inc. is funding the development of compatible HtmlHelp (.CHM) files.
• Windows 7 and Server 2008 R2 Specific Issues
  • There is a bug in Windows that will prevent access to \\AFS after an IP address has been removed or assigned after boot.  When the bug is triggered, all attempts to connect to \\AFS will result in a "Bad Network Name" error.  Please reproduce this issue locally and submit bug reports to Microsoft.
  • All Vista issues apply as well.

Downloads for 32-bit Windows operating systems: Win7/2008/Vista/2003-R2/2003/XP/2000:

• 32-bit EXE installer for individual installations
• 32-bit MSI installer for managed installations
  

Downloads for 64-bit Windows operating systems: 2008-R2/Win7/2008/Vista/2003-R2/2003/XP:

• 64-bit MSI installer
  

Support for 32-bit Windows Applications on 64-bit Windows operating systems

This installer is required for any 32-bit applications that require use of AFS libraries.  This includes 32-bit versions of MIT Kerberos for Windows.

• 32-bit tools MSI installer
  

Note: In 64-bit versions of Microsoft Windows there are 64-bit and 32-bit versions of the command prompt and the Explorer Shell.  It is very important that when installing applications that the installers be started from a 64-bit process.  It is strongly recommended that the Add/Remove Programs Control Panel be used to initiate installations on 64-bit Microsoft Windows operating systems.

Kerberos (MIT or Heimdal)

OpenAFS for Windows depends on a third party Kerberos 5 implementation for network authentication.  There are two supported options:

• Heimdal Kerberos
• MIT Kerberos for Windows

The recommended version of Kerberos v5 for OpenAFS for Windows 1.7.31 is Heimdal.  Please add allow_weak_crypto = true to the [libdefaults] section of krb5.conf in %SystemDrive%\ProgramData\Kerberos.

The recommended version of Kerberos v5 for OpenAFS for Windows 1.6.1 is MIT version 3.2.2. 64-bit releases of KFW are available from Secure Endpoints Inc.  MIT Kerberos has stability issues on Windows 7 and Server 2008 R2.

MIT 3.2.2 ships with Network Identity Manager version 1.3.1. Network Identity Manager version 2.0 works with both Heimdal and MIT Kerberos.

Microsoft Hotfixes

Just as OpenAFS releases fixes on a continuous basis, so does Microsoft for their Windows products. If they are security related or deemed to be critical to the entire user base these hot fixes are pushed out via Microsoft's Windows Update service. However, if the fix is considered to be relevant only to a small user community, the hot fix is made available via a posting to Microsoft KnowledgeBase. When a new service pack is issued all of the outstanding hot fixes are rolled up and regression tested together.

OpenAFS for Windows 1.6 releases are highly dependent on the correct operation of Microsoft's SMB redirector network file system driver and the Netbios communication stack. Over the years there have been a large number of bugs found and fixed within these two subsystems. At the present time there a hot fixes that have been issued by Microsoft which have yet to be bundled into a service pack for XP 32-bit, XP 64-bit and Server 2003.  Hot Fixes that are considered critical for OpenAFS users are marked as such below.

Microsoft Windows Server 2003 and XP64

The current service pack level is 2.

• CRITICAL! http://support.microsoft.com/kb/969289  (XP 64-bit and Server 2003: not included in SP2)

Microsoft Windows XP

The current service pack level is 3.

• http://support.microsoft.com/kb/916204  (XP 32-bit included in SP3 but not SP2)
• http://support.microsoft.com/kb/955535  (XP 32-bit not in SP3 or SP2)
• http://support.microsoft.com/kb/954956  (XP 32-bit not in SP3 or SP2)
• CRITICAL! http://support.microsoft.com/kb/971421  (XP 32-bit not in SP3 or SP2)  Note: This hot fix was issued by Microsoft on 4 June 2009.  It often takes several weeks for the knowledgebase article to be published.  Contact Microsoft PSS and mention the kb number to obtain the hot fix package.