Ever since Secure Endpoints started receiving OpenAFS for Windows crash reports from Microsoft there have been a small number of reports each month in applications that load libafsauthent.dll (afscreds.exe, netidmgr.exe, ...) and others that perform afs pioctls. It has been the rare case that a mindump has been available. The dumps that have been provided have made no sense. Its been clear that the stack or heap has been overwritten but other than that there has not been enough data to provide a clue where to start looking.
Last week OpenAFS 1.5.62 was released. It was an important release that fixed a long standing data corruption error. Something I have been trying to find for more than a year. Combine it with the support for WKSSVC and SRVSVC services providing vastly improved share name enumeration and Windows 7 compatibility and 1.5.62 was a release that I wanted everyone to upgrade to. Unfortunately, the release proved to have two downsides that did not come out during testing. First, Cygwin applications could not access /afs. Second, roaming profiles in some environments failed to work. The Cygwin compatibility problem was traced to the addition of (supposedly mandatory) extended responses to NTCreateAndX requests. The roaming profiles issue was caused by previously unseen requests to open directories as "Directory::$DATA" instead of "Directory".
Given the importance of the 1.5.62 release and the show stopper nature of the two issues that had been introduced with it, I spent a good portion of this Labor Day weekend testing it. Lo and behold, during testing Network Identity Manager crashed in the Visual Studio 8 CRT memcpy(). The crash signature looked similar to many I have seen in the past but this time I had access to not just the stack trace but the entire memory image to examine in a live debugger. Not surprisingly, the state of the process made no sense. It was unclear if the stack had been damaged. Could the data be real? The memcpy() was attempting to read data out of a buffer populated by a pioctl(). The buffer size is 16KB. The data that should have be returned should not have been more than a few hundred bytes. Yet, the memcpy() was attempting to read beyond the end of the buffer. Examining the contents of the buffer closely showed that the data in the buffer did not match the request. Instead of the buffer containing a GetToken response it contained a WhichCell response. Parse the string "Freelance.Local.Root" as if it were a marshalled token and all hell breaks loose.
Two questions came to mind. First, why is there no data validation of the data received via the pioctl()? Second, how in the world did the wrong response end up being received in the first place? The lack of data validation although completely wrong is not all that surprising. This source code has not been modified since the original IBM contribution. It wasn't causing any problems and therefore didn't attract attention. The response confusion was surprising.
The OpenAFS pioctl() interface on Microsoft Windows works by implementing a transceive (an atomic write request / read response) operation using CreateFile(), WriteFile(), ReadFile(), CloseFile(). The OpenAFS SMB server treats a NTCreateAndX operation on the magic file name "_._AFS_IOCTL_._" as the trigger to indicate that a pioctl() is being performed. Each time the file is opened a new smb file identifier is allocated. The caller writes the pioctl request to the file and then when the first read is issued, the requested operation is performed and the response data is queued up and sent in response. The caller issues ReadFile calls until end of file is reached and then the file is closed. Given this model, how is it that the response could possibly get confused?
My first theory was that a bug in the OpenAFS SMB server was issuing the same file id to two requestors. After close examination of the code it turns out that due to a thread safety issue there was a race that could result in that scenario. After fixing the race, I attempted to prove that the race was the cause of the problem. I kicked off five scripts executing a different pioctl operation 100,000 times. The client side bug was obviously being triggered but there was no evidence that the race I discovered had anything to do with it. Especially considering the fact that the problem continued to occur after the fix to prevent the race was installed.
The next step was to examine the behavior of the five scripts using Sysinternal's Process Monitor while filtering on all access to paths beginning with "\\afs". The output was quite revealing. It showed that requests and their responses based solely upon the length of the response were mismatched. Some ReadFile() operations failed with end of file errors on the first read.
At this point it was time to start examining the trace output of afsd_service. What I discovered was that the smb_IoctlPrepareWrite() and smb_IoctlPrepareRead() functions were being called multiple times on the same smb file id. The theory that the same pioctl instance was being used for requests from multiple processes proved to be correct. The question remained, why was it happening? Further examination of the trace output showed something even more curious. A large number of NTCreateAndX calls were missing from the output. I expected to see one NTCreateAndX operation for each pioctl request. In fact, that was a basic assumption that the original author of the pioctl interface must have assumed was true. Too bad for all of us that it isn't.
As it turns out the Microsoft SMB redirector chooses to avoid multiple NTCreateAndX calls for a file if all of the active requests have the same security privileges and request the same access modes. Instead, the SMB redirector manages the various open/close operations locally and only closes the file after it has been idle. The CreateFile operations were issued with FILE_SHARE_READ|FILE_SHARE_WRITE share mode. This permitted multiple apps to open the file simultaneously and perform writes and reads. If two processes open the file and write a request before the first process reads its response, the first process will receive the response meant for the second process and the second process will receive an end of file error. One solution is to remove the FILE_SHARE_WRITE in order to ensure that only one process can open the pioctl file at a time.
It is now possible to run the five simultaneous pioctl performing scripts without a single error. Even so, data validation checks have been added to libafsauthent.dll to prevent invalid input from crashing applications in the future. I'm now looking forward to the 1.5.63 release and examining the Windows Error Reporting logs in a couple of months to confirm that the random crashes are no longer being reported.
Sunday, September 6, 2009
Monday, February 23, 2009
Its been nearly two years since the release of Network Identity Manager 1.3 as part of MIT Kerberos for Windows. Network Identity Manager is preparing to breakout on its own with version 2.0.
With version 2.0 the door is opened for identities based upon authentication technologies other than Kerberos v5. Whereas version 1.x is limited to providing a single sign-on experience when the initial authentication is performed with a Kerberos v5 principal name and password, version 2 permits KeyStore and Certificate initial authentication identities to be implemented. A KeyStore authentication can be used to automatically obtain Kerberos v5 ticket granting tickets for multiple Kerberos v5 identities. Each identity in turn can be used to obtain its own derived credentials such as AFS tokens, Kerberized Certificate Authority issued short lifetime X.509 client certificates, or various forms of web authentication credentials. Certificate based identites might be used with Public Key Initial Authentication for Kerberos (PKINIT) or the Globus Global Security Infrastructure.
Version 2 also improves the end user experience with:
- a new identity creation wizard
- progress dialogs
- a streamlined and less error prone mechanism for obtaining new credentials
- an updated credential display that is cleaner, less confusing, and more informative
http://www.secure-endpoints.com/netidmgr/roadmap.html
Saturday, August 2, 2008
OpenAFS for Windows with Unicode is Available
A couple of weeks ago OpenAFS for Windows with Unicode path name support was released. I thought this was going to be a big deal. Due to the lack of Unicode support there were all sorts of problems for organizations that wanted to use roaming profiles and redirected folders. Even more important is the fact that the vast majority of the world does not limit their writing to the characters represented in Windows OEM Code Pages 437 and 850. For years these individuals could not save their data into AFS using the language of their choice.
Up to this point, 1.5.5x has had one of the slowest adoption rates of any OpenAFS for Windows release over the last five years. Is this because it is Summer? Is it because most users are Americans and they do not require Unicode? Is it because everyone has given up on AFS? I don't know.
What I do know is that the Unicode version has been downloaded (in small numbers) by a broad range of top-level domains other than the United States including Malaysia, Russia, Canada, Germany, Taiwan, Brazil, Hong Kong, Poland, Yugoslavia, Croatia, Japan, and Indonesia. Hopefully, users from these countries will write in to describe how Unicode support has made their lives easier.
Up to this point, 1.5.5x has had one of the slowest adoption rates of any OpenAFS for Windows release over the last five years. Is this because it is Summer? Is it because most users are Americans and they do not require Unicode? Is it because everyone has given up on AFS? I don't know.
What I do know is that the Unicode version has been downloaded (in small numbers) by a broad range of top-level domains other than the United States including Malaysia, Russia, Canada, Germany, Taiwan, Brazil, Hong Kong, Poland, Yugoslavia, Croatia, Japan, and Indonesia. Hopefully, users from these countries will write in to describe how Unicode support has made their lives easier.
Wednesday, May 14, 2008
File System Internationalization sucks
Internationalization in file systems really sucks. There are two perspectives
in the world. First, there are the POSIX proponents who believe that names are simply nul
terminated octet sequences that have no meaning except to the application that
created them. Second, there are those who believe that names are should be portable between systems and therefore should all be encoded in a common character set. Lets call these second group of folks the UNICODE camp.
I fall into the UNICODE camp. This is most likely a side effect of having spent nearly fifteen years of my life working on Kermit, an application and file transfer protocol designed specifically to move files (by name) between computer systems using different architectures and locales. I learned very early on that if you followed the POSIX approach the end result when a file is copied from an EBCDIC system to an ASCII system or a Latin-1 system to a CP437 system is gibberish. Not only for human beings but for the applications as well.
A globally accessible file system such as AFS is in many regards similar to Kermit except that instead of copying files into a local file system from a remote system, the AFS client makes the entire remote file system accessible to the local machine. The exact same character set conversion issues occur. As long as all of the file names are in the same character set all is dandy and applications on one machine can access files created on another machine.
But what happens when the character sets are different? In that circumstance, the names become gibberish to humans and applications. In a worst case scenario, the file name as stored in the directory cannot even be represented on the local machine because the file name contains illegal code points according to the rules of the local environment.
This situation doesn't happen as frequently as it could because still most of the world is only storing US-ASCII or ISO-Latin-1 into the file system. However, even with those restrictions there are still problems. For example, the following characters are illegal on Windows systems
" / \ * ? < > | :
It doesn't matter what the underlying file system is. If those characters are in the name, the name is illegal. Any name with those characters will not be included in the directory listing.
This in turn means it is impossible to see the file, access the file, rename the file, delete the file, or delete the directory the file is located in. File systems that include objects with such names must perform name translation in order for the Windows users or applications to be able to manipulate them.
With the introduction of Unicode another set of complications are introduced. Unicode provides for multiple semantically equivalent encodings of the same string based upon whether composed or decomposed sequences are used. For historical reasons, MacOS X stores its file names using UTF-8 encoding of decomposed Unicode sequences, Microsoft Windows stores composed Unicode sequences, Linux also stores composed sequences, and all of the sequences for a given string can be different. That means that a user who types the same string on all three platforms will obtain a different octet sequence for each platform. So much for interoperability.
The POSIX supporters make the claim that names must be treated as octet strings because the locale between two different processes on the same machine can be different. All that tells me is that POSIX allows users to shoot themselves in the foot. It doesn't mean it is right. Of course, the POSIX folks do have a point. If a UNIX system is incapable of communicating the character set that is being used to the file system, how is the file system supposed to do something sane with it to provide for interoperability between heterogeneous environments.
Microsoft Windows has an advantage here in that there is a standard character set for the entire operating system and all file systems: Unicode. As a result a file system client on Windows can at least ensure that Unicode names are normalized on output, that directory entry names are normalized for display and lookup, that all illegal characters are mapped to something legal, and ensure that all strings communicated with the file server are the original directory entry names and not the normalized names used locally. This is the approach that will be taken as Unicode is added to the OpenAFS for Windows client.
I fall into the UNICODE camp. This is most likely a side effect of having spent nearly fifteen years of my life working on Kermit, an application and file transfer protocol designed specifically to move files (by name) between computer systems using different architectures and locales. I learned very early on that if you followed the POSIX approach the end result when a file is copied from an EBCDIC system to an ASCII system or a Latin-1 system to a CP437 system is gibberish. Not only for human beings but for the applications as well.
A globally accessible file system such as AFS is in many regards similar to Kermit except that instead of copying files into a local file system from a remote system, the AFS client makes the entire remote file system accessible to the local machine. The exact same character set conversion issues occur. As long as all of the file names are in the same character set all is dandy and applications on one machine can access files created on another machine.
But what happens when the character sets are different? In that circumstance, the names become gibberish to humans and applications. In a worst case scenario, the file name as stored in the directory cannot even be represented on the local machine because the file name contains illegal code points according to the rules of the local environment.
This situation doesn't happen as frequently as it could because still most of the world is only storing US-ASCII or ISO-Latin-1 into the file system. However, even with those restrictions there are still problems. For example, the following characters are illegal on Windows systems
" / \ * ? < > | :
It doesn't matter what the underlying file system is. If those characters are in the name, the name is illegal. Any name with those characters will not be included in the directory listing.
This in turn means it is impossible to see the file, access the file, rename the file, delete the file, or delete the directory the file is located in. File systems that include objects with such names must perform name translation in order for the Windows users or applications to be able to manipulate them.
With the introduction of Unicode another set of complications are introduced. Unicode provides for multiple semantically equivalent encodings of the same string based upon whether composed or decomposed sequences are used. For historical reasons, MacOS X stores its file names using UTF-8 encoding of decomposed Unicode sequences, Microsoft Windows stores composed Unicode sequences, Linux also stores composed sequences, and all of the sequences for a given string can be different. That means that a user who types the same string on all three platforms will obtain a different octet sequence for each platform. So much for interoperability.
The POSIX supporters make the claim that names must be treated as octet strings because the locale between two different processes on the same machine can be different. All that tells me is that POSIX allows users to shoot themselves in the foot. It doesn't mean it is right. Of course, the POSIX folks do have a point. If a UNIX system is incapable of communicating the character set that is being used to the file system, how is the file system supposed to do something sane with it to provide for interoperability between heterogeneous environments.
Microsoft Windows has an advantage here in that there is a standard character set for the entire operating system and all file systems: Unicode. As a result a file system client on Windows can at least ensure that Unicode names are normalized on output, that directory entry names are normalized for display and lookup, that all illegal characters are mapped to something legal, and ensure that all strings communicated with the file server are the original directory entry names and not the normalized names used locally. This is the approach that will be taken as Unicode is added to the OpenAFS for Windows client.
Wednesday, March 12, 2008
OpenAFS joins Google Summer of Code 2008
Today OpenAFS submitted an application to take part in the 2008 Google Summer of Code. OpenAFS project ideas are listed at http://www.openafs.org/gsoc.html.
Thanks to Asanka Herath, Matt Benjamin, Simon Wilkinson and Derrick Brashear for volunteering to be mentors to the next generation of OpenAFS developers.
Update: Monday 17 March 2008, OpenAFS was accepted.
Thanks to Asanka Herath, Matt Benjamin, Simon Wilkinson and Derrick Brashear for volunteering to be mentors to the next generation of OpenAFS developers.
Update: Monday 17 March 2008, OpenAFS was accepted.
Tuesday, March 4, 2008
OpenAFS vs Norton Internet Security 2008
OpenAFS requires several rules to be set in order to work with Norton Internet Security 2008.
1. Under "Personal Firewall->Program Control" add a "Allow" rule for "C:\Program Files\OpenAFS\Client\Program\afsd_service.exe"
2. Do the same for "fs.exe", "aklog.exe", and other command line utilities if so desired.
3. Under "Personal->Firewall->Trust Control, Trusted tab", add a "Trusted" rule for "02-00-4C-4F-4F-50".
4. Under the "Personal Filewall->Advanced Settings" press the "Configure" button.
5. Add a new rule:
"Allow", "Inbound", "Any computer", "Protocol: UDP", "Port 7001", and describe it as "AFS Callback Port". Make it the first rule in the list.
6. Add a new rule:
"Allow", "Outbound", "Any computer", "Protocol: UDP", "Port range: 7001-7008" and describe it as "AFS Server Ports". Make it the second rule in the list.
Finally, double check the configuration of the "Microsoft Loopback Adapter" labeled "AFS" in the Network Control Panel. Make sure that "TCP/IP is checked", that "Client for Microsoft Networking" is checked, and that "File and Printer Sharing" is not checked.
You should now be able to access "\\afs\all" in the Explorer Shell.
1. Under "Personal Firewall->Program Control" add a "Allow" rule for "C:\Program Files\OpenAFS\Client\Program\afsd_service.exe"
2. Do the same for "fs.exe", "aklog.exe", and other command line utilities if so desired.
3. Under "Personal->Firewall->Trust Control, Trusted tab", add a "Trusted" rule for "02-00-4C-4F-4F-50".
4. Under the "Personal Filewall->Advanced Settings" press the "Configure" button.
5. Add a new rule:
"Allow", "Inbound", "Any computer", "Protocol: UDP", "Port 7001", and describe it as "AFS Callback Port". Make it the first rule in the list.
6. Add a new rule:
"Allow", "Outbound", "Any computer", "Protocol: UDP", "Port range: 7001-7008" and describe it as "AFS Server Ports". Make it the second rule in the list.
Finally, double check the configuration of the "Microsoft Loopback Adapter" labeled "AFS" in the Network Control Panel. Make sure that "TCP/IP is checked", that "Client for Microsoft Networking" is checked, and that "File and Printer Sharing" is not checked.
You should now be able to access "\\afs\all" in the Explorer Shell.
Sunday, March 2, 2008
I want my OpenAFS Windows client to be fast
There are a number of configuration knobs available to tune the OpenAFS for Windows client. The most important related to throughput fall into two categories:
How much data can I cache?
CacheSize
Stats
How Fast Can I Read and Write?
BlockSize
ChunkSize
EnableSMBAsyncStore
SMBAsyncStoreSize
RxMaxMTU
SecurityLevel
TraceOption
All of these options are described in Appendix A of the Release Notes. Here are the values I use:
CacheSize = 60GB (64-bit) 1GB (32-bit)
Stats = 120,000 (64-bit) 30,000 (32-bit)
BlockSize = 4
ChunkSize = 21 (2MB)
EnableSMBAsyncStore = 1
SMBAsyncStoreSize = 262144 (but would use 1MB if I didn't use cellular networks as often)
RxMaxMTU = 9000
SecurityLevel = 1 (when I need speed I use "fs setcrypt" to adjust on the fly)
TraceOption = 0 (no logging)
How much data can I cache?
CacheSize
Stats
How Fast Can I Read and Write?
BlockSize
ChunkSize
EnableSMBAsyncStore
SMBAsyncStoreSize
RxMaxMTU
SecurityLevel
TraceOption
All of these options are described in Appendix A of the Release Notes. Here are the values I use:
CacheSize = 60GB (64-bit) 1GB (32-bit)
Stats = 120,000 (64-bit) 30,000 (32-bit)
BlockSize = 4
ChunkSize = 21 (2MB)
EnableSMBAsyncStore = 1
SMBAsyncStoreSize = 262144 (but would use 1MB if I didn't use cellular networks as often)
RxMaxMTU = 9000
SecurityLevel = 1 (when I need speed I use "fs setcrypt" to adjust on the fly)
TraceOption = 0 (no logging)
Subscribe to:
Posts (Atom)
Posts
