Registry keys and Environment Variables used in the Windows AFS Client
----------------------------------------------------------------------

REGISTRY KEYS:

1. Service parameters
---------------------

The service parameters primarily affect the behavior of the AFS client
service (afsd_service.exe).

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value   : LANadapter
Type    : DWORD
Default : -1
Variable: LANadapter

    LAN adapter number to use. This is the lana number of the LAN
    adapter that the SMB server should bind to. If unspecified or set
    to -1, a LAN adapter named 'AFS' or a loopback adapter will be
    selected. If neither are present, then all available adapters will
    be bound to. When binding to a non-loopback adapter, the NetBIOS
    name '%hostname%-AFS' will be used (where %hostname% is the NetBIOS
    name of the host truncated to 11 characters). Otherwise, the
    NetBIOS name will be 'AFS'.

Value   : CacheSize
Type    : DWORD
Default : 20480 (CM_CONFIGDEFAULT_CACHESIZE)
Variable: cm_initParams.cacheSize

    Size of the AFS cache in 1k blocks.

Value   : ChunkSize
Type    : DWORD
Default : 15 (CM_CONFIGDEFAULT_CHUNKSIZE)
Variable: cm_logChunkSize (cm_chunkSize = 1 << cm_logChunkSize)

    Size of chunk for reading and writing. Actual chunk size is
    2^cm_logChunkSize.

Value   : Daemons
Type    : DWORD
Default : 2 (CM_CONFIGDEFAULT_DAEMONS)
Variable: numBkgD

    Number of background daemons (number of threads of cm_BkgDaemon).
    (see cm_BkgDaemon in cm_daemon.c)

Value   : ServerThreads
Type    : DWORD
Default : 4 (CM_CONFIGDEFAULT_SVTHREADS)
Variable: numSvThreads

    Number of SMB server threads (number of threads of smb_Server).
    (see smb_Server in smb.c).

Value   : Stats
Type    : DWORD
Default : 1000 (CM_CONFIGDEFAULT_STATS)
Variable: cm_initParams.nStatCaches

    Cache configuration.

Value   : LogoffTokenTransfer
Type    : DWORD {1,0}
Default : 1
Variable: smb_LogoffTokenTransfer

    If enabled (set to 1), activates functionality where the user's
    tokens are kept intact until smb_LogoffTokenTransferTimeout seconds
    elapse after the user logs off. If roaming profiles are used and
    the roaming profile takes a long time to be written back, this
    ensures that the tokens remain valid until the profile save is
    complete.

Value   : LogoffTokenTransferTimeout
Type    : DWORD
Default : 10
Variable: smb_LogoffTokenTransferTimeout

    See LogoffTokenTransfer above.

Value   : RootVolume
Type    : REG_SZ
Default : "root.afs"
Variable: cm_rootVolumeName

    Root volume name.

Value   : Mountroot
Type    : REG_SZ
Default : "/afs"
Variable: cm_mountRoot

    Name of root mount point. In symlinks, if a path starts with
    cm_mountRoot, it is assumed that the path is absolute (as opposed
    to relative) and is adjusted accordingly. Eg: if a path is
    specified as /afs/athena.mit.edu/foo/bar/baz and cm_mountRoot is
    "/afs", then the path is interpreted as
    \\afs\all\athena.mit.edu\foo\bar\baz. If a path does not start with
    cm_mountRoot, the path is assumed to be relative and suffixed to
    the reference directory (i.e. directory where the symlink exists).

Value   : CachePath
Type    : REG_SZ or REG_EXPAND_SZ
Default : "%SYSTEMDRIVE%\AFSCache"
Variable: cm_CachePath

    Location of on-disk cache file. The default implies the root
    directory of the boot disk.

Value   : NonPersistentCaching
Type    : DWORD [0..1]
Default : 0
Variable: buf_CacheType

    When this registry value is set to a non-zero value, the CachePath
    value is ignored and the cache data is stored in the Windows paging
    file. This prevents the use of persistent caching (when available)
    as well as the ability to alter the size of the cache at runtime
    using the "fs setcachesize" command.

Value   : TrapOnPanic
Type    : DWORD {1,0}
Default : 0
Variable: traceOnPanic

    Issues a breakpoint in the event of a panic.
    (breakpoint: _asm int 3).

Value   : NetbiosName
Type    : REG_EXPAND_SZ
Default : "AFS"
Variable: cm_NetbiosName

    Specifies the NetBIOS name to be used when binding to a Loopback
    adapter. To provide the old behavior specify a value of
    "%COMPUTERNAME%-AFS"

Value   : IsGateway
Type    : DWORD {1,0}
Default : 0
Variable: isGateway

    Select whether or not this AFS client should act as a gateway. If
    set and the NetBIOS name hostname-AFS is bound to a physical NIC,
    other machines in the subnet can access AFS via SMB connections to
    hostname-AFS.

    When IsGateway is non-zero, the LAN adapter detection code will
    avoid binding to a loopback adapter. This will ensure that the
    NetBIOS name will be of the form hostname-AFS instead of the value
    set by the "NetbiosName" registry value.

Value   : ReportSessionStartups
Type    : DWORD {1,0}
Default : 0
Variable: reportSessionStartups

    If enabled, all SMB sessions created are recorded in the
    Application event log. This also enables other events such as
    drive mappings or various error types to be logged.

Value   : TraceBufferSize
Type    : DWORD
Default : 5000 (CM_CONFIGDEFAULT_TRACEBUFSIZE)
Variable: traceBufSize

    Number of entries to keep in trace log.

Value   : SysName
Type    : REG_SZ
Default : "i386_nt40"
Variable: cm_sysName

    Provides an initial value for "fs sysname". The string can contain
    one or more replacement values for @sys in order of preference
    separated by whitespace.

Value   : SecurityLevel
Type    : DWORD {1,0}
Default : 0
Variable: cryptall

    Enables encryption on RX calls.

Value   : UseDNS
Type    : DWORD {1,0}
Default : 1
Variable: cm_dnsEnabled

    Enables resolving volservers using AFSDB DNS queries.
    (see afsdb-freelance-notes). As of 1.3.60, this value is ignored
    as the DNS query support utilizes the Win32 DNSQuery API which is
    available on Win2000 and above.

Value   : FreelanceClient
Type    : DWORD {1,0}
Default : 0
Variable: cm_freelanceEnabled

    Enables freelance client.
    (see afsdb-freelance-notes)

Value   : HideDotFiles
Type    : DWORD {1,0}
Default : 1
Variable: smb_hideDotFiles

    Enables marking dotfiles with the hidden attribute. Dot files are
    files whose name starts with a period (excluding "." and "..").

Value   : MaxMpxRequests
Type    : DWORD
Default : 50
Variable: smb_maxMpxRequests

    Maximum number of multiplexed SMB requests that can be made.

Value   : MaxVCPerServer
Type    : DWORD
Default : 100
Variable: smb_maxVCPerServer

    Maximum number of SMB virtual circuits.

Value   : Cell
Type    : REG_SZ
Default :
Variable: rootCellName

    Name of root cell (the cell from which root.afs should be mounted
    in \\afs\all).

Value   : RxNoJumbo
Type    : DWORD {0,1}
Default : 0
Variable: rx_nojumbo

    If enabled, does not send or indicate that we are able to send or
    receive RX jumbograms.

Value   : RxMaxMTU
Type    : DWORD
Default : -1
Variable: rx_mtu

    If set to anything other than -1, uses that value as the maximum
    MTU supported by the RX interface. In order to enable OpenAFS to
    operate across the Cisco IPSec VPN client, this value must be set
    to 1264 or smaller.

Value   : ConnDeadTimeout
Type    : DWORD
Default : 60 (seconds)
Variable: ConnDeadtimeout

    The Connection Dead Time is enforced to be at a minimum 15 seconds
    longer than the minimum SMB timeout as specified by

      HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
        SessTimeout

    If the minimum SMB timeout is not specified the value is 45
    seconds. See
    http://support.microsoft.com:80/support/kb/articles/Q102/0/67.asp

Value   : HardDeadTimeout
Type    : DWORD
Default : 120 (seconds)
Variable: HardDeadtimeout

    The Hard Dead Time is enforced to be at least double the
    ConnDeadTimeout. This provides an opportunity for at least one
    retry.

Value   : TraceOption
Type    : DWORD {0, 1, 2, 3}
Default : 0

    Enables logging of debug output to the Windows Event Log.
    Bit 0 enables logging of "Logon Events" processed by the Network
    Provider and Winlogon Event Notification Handler.
    Bit 1 enables logging of events captured by the AFS Client Service.

Value   : AllSubmount
Type    : DWORD {0, 1}
Default : 1
Variable: allSubmount (smb.c)

    By setting this value to 0, the "\\NetbiosName\all" mount point
    will not be created. This allows the read-write versions of
    root.afs to be hidden.

Value   : NoFindLanaByName
Type    : DWORD {0, 1}
Default : 0

    Disables the attempt to identify the network adapter to use by
    looking for an adapter with a display name of "AFS".

Value   : MaxCPUs
Type    : DWORD {1..32} or {1..64} depending on the architecture
Default :

    If this value is specified, afsd_service.exe will restrict itself
    to executing on the specified number of CPUs if there are a greater
    number installed in the machine.

    NOTE: Setting this entry to "1" may be required on hyperthreaded
    systems to avoid crashes in the RX library.

Value   : smbAuthType
Type    : DWORD {0..2}
Default : 2

    If this value is specified, it defines the type of SMB
    authentication which must be present in order for the Windows SMB
    client to connect to the AFS Client Service's SMB server. The
    values are:

      0 = No authentication required
      1 = NTLM authentication required
      2 = Extended (GSS SPNEGO) authentication required

    The default is Extended authentication.

Value   : MaxLogSize
Type    : DWORD {0 .. MAXDWORD}
Default : 100K

    This entry determines the maximum size of the
    %WINDIR%\TEMP\afsd_init.log file. If the file is larger than this
    value when afsd_service.exe starts, the file will be reset to 0
    bytes. If this value is 0, it means the file should be allowed to
    grow indefinitely.

Value   : FlushOnHibernate
Type    : DWORD {0,1}
Default : 1

    If set, flushes all volumes before the machine goes on hibernate or
    stand-by.

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters\GlobalAutoMapper]

Value   : for example "G:"
Type    : SZ

    Specifies the submount name to be mapped by afsd_service.exe at
    startup to the provided drive letter.

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

2. Network provider parameters
------------------------------

Affects the network provider (afslogon.dll).

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value   : FailLoginsSilently
Type    : DWORD
Default : 0

    Do not display message boxes if the login fails.

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]

Value   : NoWarnings
Type    : DWORD
Default : 0

    Disables visible warnings during logon.

Value   : AuthentProviderPath
Type    : REG_SZ
NSIS    : %WINDIR%\SYSTEM32\afslogon.dll

    Specifies the install location of the authentication provider dll.

Value   : Class
Type    : DWORD
NSIS    : 0x02

    Specifies the class of network provider

Value   : DependOnGroup
Type    : REG_MULTI_SZ
NSIS    : PNP_TDI

    Specifies the service groups upon which the AFS Client Service
    depends. Windows should not attempt to start the AFS Client Service
    until all of the services within these groups have successfully
    started.

Value   : DependOnService
Type    : REG_MULTI_SZ
NSIS    : Tcpip NETBIOS RpcSs

    Specifies a list of services upon which the AFS Client Service
    depends. Windows should not attempt to start the AFS Client Service
    until all of the specified services have successfully started.

Value   : Name
Type    : REG_SZ
NSIS    : "OpenAFSDaemon"

    Specifies the display name of the AFS Client Service

Value   : ProviderPath
Type    : REG_SZ
NSIS    : %WINDIR%\SYSTEM32\afslogon.dll

    Specifies the DLL to use for the network provider

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client]

Value   : CellServDBDir
Type    : REG_SZ
Default :

    Specifies the directory containing the CellServDB file. When this
    value is not specified, the AFS Client install directory is used.

Value   : VerifyServiceSignature
Type    : REG_DWORD
Default : 0x1

    This value can be used to disable the runtime verification of the
    digital signatures applied to afsd_service.exe and the OpenAFS DLLs
    it loads.
    This test is performed to verify that the DLLs which are loaded by
    afsd_service.exe are from the same distribution as
    afsd_service.exe. This is to prevent random errors caused when DLLs
    from one distribution of AFS are loaded by another one. This is not
    a security test. The reason for disabling this test is to free up
    additional memory which can be used for a large cache size.

Value   : IoctlDebug
Type    : REG_DWORD
Default : 0x0

    This value can be used to debug the cause of pioctl() failures. Set
    a non-zero value and the pioctl() library will output status
    information to stdout. Executing command line tools such as
    tokens.exe, fs.exe, etc can then be used to determine why the
    pioctl() call is failing.

Value   : StoreAnsiFilenames
Type    : REG_DWORD
Default : 0x0

    This value can be used to force the AFS Client Service to store
    filenames using the Windows system's ANSI character set instead of
    the OEM Code Page character set which has traditionally been used
    by SMB file systems.

    Note: The use of ANSI characters will render files with 8-bit OEM
    file names inaccessible from Windows. This option is of use
    primarily when you wish to allow file names produced on Windows to
    be accessible from Latin-1 Unix systems and vice versa.

2.1 Domain specific configuration keys for the Network Provider
---------------------------------------------------------------

The network provider can be configured to have different behavior
depending on the domain that the user logs into. These settings are
only relevant when using integrated login. A domain refers to an Active
Directory (AD) domain, a trusted Kerberos (non-AD) realm or the local
machine (i.e. local account logins). The domain name that is used for
selecting the domain would be the domain that is passed into the
NPLogonNotify function of the network provider.

Domain specific registry keys are :

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
    (NP key)

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
    (Domains key)

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
    (Specific domain key. One per domain.)

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]
    (Localhost key)

eg:

HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider
  |
  +- Domain
     +-AD1.EXAMPLE.COM
     +-AD2.EXAMPLE.NET
     +-LOCALHOST

Each of the domain specific keys can have the set of values described
in 2.1.1. The effective values are chosen as described in 2.1.2.

2.1.1 Domain specific configuration values
-------------------------------------------

[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\"domain name"]
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider\Domain\LOCALHOST]

Value   : LogonOptions
Type    : DWORD
Default : 0x01
NSIS/WiX: depends on user configuration

    0x00 - Integrated Logon is not used
    0x01 - Integrated Logon is used
    0x02 - High Security Mode is used
    0x03 - Integrated Logon with High Security Mode is used

    High Security Mode generates random SMB names for the creation of
    Drive Mappings. This mode should not be used without Integrated
    Logon.

    As of 1.3.65 the SMB server supports SMB authentication. The High
    Security Mode should not be used when using SMB authentication
    (SMBAuthType setting is non zero).

Value   : FailLoginsSilently
Type    : DWORD (1|0)
Default : 0
NSIS/WiX: (not set)

    If true, does not display any visible warnings in the event of an
    error during the integrated login process.

Value   : LogonScript
Type    : REG_SZ or REG_EXPAND_SZ
Default : (null)
NSIS/WiX: (only value under NP key) \afscreds.exe -:%s -x -a -m -n -q

    A logon script that will be scheduled to be run after the profile
    load is complete. If using the REG_EXPAND_SZ type, you can use any
    system environment variable as "%varname%" which would be expanded
    at the time the network provider is run. Optionally using a "%s" in
    the value would result in it being expanded into the AFS SMB
    username for the session.

Value   : LoginRetryInterval
Type    : DWORD
Default : 30
NSIS/WiX: (not set)

    If the OpenAFS client service has not started yet, the network
    provider will wait for a maximum of "LoginRetryInterval" seconds
    while retrying every "LoginSleepInterval" seconds to check if the
    service is up.

Value   : LoginSleepInterval
Type    : DWORD
Default : 5
NSIS/WiX: (not set)

    See description of LoginRetryInterval.

2.1.2 Selection of effective values for domain specific configuration
----------------------------------------------------------------------

During login to domain X, where X is the domain passed into
NPLogonNotify as lpAuthentInfo->LogonDomainName or the string
'LOCALHOST' if lpAuthentInfo->LogonDomainName equals the name of the
computer, the following keys will be looked up.

1. NP key.
   ("HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider")
2. Domains key. (NP key\"Domain")
3. Specific domain key. (Domains key\X)

If the specific domain key does not exist, then the domains key will be
ignored. All the configuration information in this case will come from
the NP key.

If the specific domain key exists, then for each of the values
mentioned in (2), they will be looked up in the specific domain key,
domains key and the NP key successively until the value is found. The
first instance of the value found this way will be the effective value
for the login session. If no such instance can be found, the default
will be used.
To reiterate, a value in a more specific key supersedes a value in a
less specific key. The exceptions to this rule are stated below.

2.1.3 Exceptions to 2.1.2
--------------------------

To retain backwards compatibility, the following exceptions are made to
2.1.2.

2.1.3.1 'FailLoginsSilently'

Historically, the 'FailLoginsSilently' value was in the
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters key
and not in the NP key. Therefore, for backwards compatibility, the
value in the Parameters key will supersede all instances of this value
in other keys. In the absence of this value in the Parameters key,
normal scope rules apply.

2.1.3.2 'LogonScript'

If a 'LogonScript' is not specified in the specific domain key nor in
the domains key, the value in the NP key will only be checked if the
effective 'LogonOptions' specify a high security integrated login. If a
logon script is specified in the specific domain key or the domains
key, it will be used regardless of the high security setting. Please be
aware of this when setting this value.

3. AFS Credentials System Tray Tool parameters
----------------------------------------------

Affects the behavior of afscreds.exe

Regkey:
[HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters]

Value   : Gateway
Type    : REG_SZ
Default : ""
Function: GetGatewayName()

    If the AFS client is utilizing a gateway to obtain AFS access, the
    name of the gateway is specified by this value.

Value   : Cell
Type    : REG_SZ
Default :
Variable: IsServiceConfigured()

    The value Cell is used to determine if the AFS Client Service has
    been properly configured or not.

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client]
[HKCU\SOFTWARE\OpenAFS\Client]

Value   : ShowTrayIcon
Type    : DWORD {0, 1}
Default : 1
Function: InitApp(), Main_OnCheckTerminate()

    This value is used to determine whether or not a shortcut should be
    maintained in the user's Start Menu->Programs->Startup folder.
    This value used to be stored at
    [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

    The current user value is checked first; if it does not exist the
    local machine value is checked.

Value   : EnableKFW
Type    : DWORD {0, 1}
Default : 1
Function: KFW_is_available()

    When MIT Kerberos for Windows can be loaded, Kerberos 5 will be
    used to obtain AFS credentials. By setting this value to 0, the
    internal Kerberos 4 implementation will be used instead.

    The current user value is checked first; if it does not exist the
    local machine value is checked.

Value   : Use524
Type    : DWORD {0, 1}
Default : 0
Function: KFW_use_krb524()

    When MIT Kerberos for Windows can be loaded, Kerberos 5 will be
    used to obtain AFS credentials. By setting this value to 1, the
    Kerberos 5 tickets will be converted to Kerberos 4 tokens via a
    call to the krb524 daemon.

    The current user value is checked first; if it does not exist the
    local machine value is checked.

Value   : AfscredsShortcutParams
Type    : REG_SZ
Default : "-A -M -N -Q"
Function: Shortcut_FixStartup

    This value specifies the command line options which should be set
    as part of the shortcut to afscreds.exe. afscreds.exe rewrites the
    shortcut each time it exits so as to ensure that the shortcut
    points to the latest version of the program. This value is used to
    determine which values should be used for command line parameters.

    The current user value is checked first; if it does not exist the
    local machine value is checked.

Regkey:
[HKCU\SOFTWARE\OpenAFS\Client]

Value   : Authentication Cell
Type    : REG_SZ
Default :
Function: Afscreds.exe GetDefaultCell()

    This value allows the user to configure a different cell name to be
    used as the default cell when acquiring tokens in afscreds.exe

Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Reminders]

Value   : "afs cell name"
Type    : DWORD {0, 1}
Default :
Function: LoadRemind(), SaveRemind()

    These values are used to save and restore the state of the reminder
    flag for each cell for which the user has obtained tokens.
    This value used to be stored at
    [HKLM\Software\TransarcCorporation\AFS Client\AfsCreds].

Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Active Maps]

Value   : "upper case drive letter"
Type    : DWORD {0, 1}
Default :

    These values are used to store the persistence state of the AFS
    drive mappings as listed in the [...\Client\Mappings] key.

    These values used to be stored in the afsdsbmt.ini file.

Regkey:
[HKCU\SOFTWARE\OpenAFS\Client\Mappings]

Value   : "upper case drive letter"
Type    : REG_SZ
Default :

    These values are used to store the AFS path in Unix notation to
    which the drive letter is to be mapped.

    These values used to be stored in the afsdsbmt.ini file.

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\CSCPolicy]

Value   : "smb/cifs share name"
Type    : REG_SZ
Default :

    This key is used to map SMB/CIFS shares to Client Side Caching
    (off-line access) policies. For each share one of the following
    policies may be used: "manual", "programs", "documents", "disable"

    These values used to be stored in afsdsbmt.ini

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Freelance]

Value   : "numeric value"
Type    : REG_SZ
Default :

    This key is used to store dot terminated mount point strings for
    use in constructing the fake root.afs volume when Freelance
    (dynamic roots) mode is activated.

    "athena.mit.edu#athena.mit.edu:root.cell."
    ".athena.mit.edu%athena.mit.edu:root.cell."

    These values used to be stored in afs_freelance.ini

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Freelance\Symlinks]

Value   : "numeric value"
Type    : REG_SZ
Default :

    This key is used to store dot terminated symlink strings for use in
    constructing the fake root.afs volume when Freelance (dynamic
    roots) mode is activated.

    "linkname:destination-path."
    "athena:athena.mit.edu."
    "home:athena.mit.edu\user\j\a\jaltman."
    "filename:path\file."

Regkey:
[HKLM\SOFTWARE\OpenAFS\Client\Submounts]

Value   : "submount name"
Type    : REG_EXPAND_SZ
Default :

    This key is used to store mappings of unix style AFS paths to
    submount names which can be referenced as UNC paths.
    For example the submount string "/athena.mit.edu/user/j/a/jaltman"
    can be associated with the submount name "jaltman.home". This can
    then be referenced as the UNC path \\AFS\jaltman.home.

    These values used to be stored in afsdsbmt.ini

ENVIRONMENT VARIABLES:

Variable: AFS_RPC_ENCRYPT
Values:   "OFF" disables the use of RPC encryption
          any other value allows RPC encryption to be used
Default:  RPC encryption is on

Variable: AFS_RPC_PROTSEQ
Values:   "ncalrpc"      - local RPC
          "ncacn_np"     - named pipes
          "ncacn_ip_tcp" - tcp/ip
Default:  local RPC
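
ADDED EXAMPLE (sections 2.1.1 to 2.1.3)

The lookup order of 2.1.2, the two exceptions of 2.1.3 and the
LogonOptions cautions of 2.1.1, worked through as an added example that
is not OpenAFS code. Registry keys are modelled as Python dicts; the
sample data, the function names, the placeholder logon script and the
case-insensitive name comparison are assumptions made for the example.

```python
# Added example. Each registry key is modelled as a dict of its values;
# SAMPLE is constructed data, not taken from a real installation.
DEFAULTS = {"LogonOptions": 0x01, "FailLoginsSilently": 0, "LogonScript": None,
            "LoginRetryInterval": 30, "LoginSleepInterval": 5}
INTEGRATED, HIGH_SECURITY = 0x01, 0x02
_MISSING = object()

SAMPLE = {
    "parameters": {"smbAuthType": 2},                # ...\Parameters
    "np": {"LogonOptions": 0x01, "LoginRetryInterval": 30,
           "LogonScript": "example-logon.cmd %s"},   # placeholder script
    "domains": {"LogonOptions": 0x00, "LoginRetryInterval": 60},
    "domain": {                                      # one dict per specific key
        "AD1.EXAMPLE.COM": {"LogonOptions": 0x03},
        "LOCALHOST": {"FailLoginsSilently": 1},
    },
}


def select_domain_key(logon_domain, computer_name):
    """2.1.2: a logon domain equal to the computer name selects LOCALHOST.
    Names are compared case-insensitively here (an assumption)."""
    if logon_domain.upper() == computer_name.upper():
        return "LOCALHOST"
    return logon_domain.upper()


def search(reg, domain_key, name, include_np=True):
    """Return the first value found, most specific key first."""
    specific = reg["domain"].get(domain_key)
    # Without a specific domain key the Domains key is ignored.
    chain = [] if specific is None else [specific, reg["domains"]]
    if include_np:
        chain.append(reg["np"])
    for key in chain:
        if name in key:
            return key[name]
    return _MISSING


def effective(reg, name, logon_domain, computer_name):
    """Effective value of one setting for a login session (2.1.2, 2.1.3)."""
    domain_key = select_domain_key(logon_domain, computer_name)
    if name == "FailLoginsSilently" and name in reg["parameters"]:
        return reg["parameters"][name]                # exception 2.1.3.1
    if name == "LogonScript":                         # exception 2.1.3.2
        value = search(reg, domain_key, name, include_np=False)
        opts = effective(reg, "LogonOptions", logon_domain, computer_name)
        if value is _MISSING and opts == INTEGRATED | HIGH_SECURITY:
            value = reg["np"].get(name, _MISSING)
    else:
        value = search(reg, domain_key, name)
    return DEFAULTS[name] if value is _MISSING else value


def logon_findings(reg, logon_domain, computer_name):
    """Check the effective LogonOptions against the cautions in 2.1.1."""
    opts = effective(reg, "LogonOptions", logon_domain, computer_name)
    smb_auth = reg["parameters"].get("smbAuthType", 2)   # documented default
    findings = []
    if opts & HIGH_SECURITY and not opts & INTEGRATED:
        findings.append("High Security Mode without Integrated Logon")
    if opts & HIGH_SECURITY and smb_auth != 0:
        findings.append("High Security Mode with SMB authentication enabled")
    return findings
```

With the sample data, a login to AD2.EXAMPLE.NET (no specific key) takes
LoginRetryInterval from the NP key, while AD1.EXAMPLE.COM inherits it
from the Domains key.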