Jason Edgecombe
Wed, 27 Jan 2010 17:53:11 -0800
Lars Schimmer wrote:
You could still have one cell/org and just have the DB/kerberos server in a central place and just have a plain fileserver on-site in the org. The trick is that you'll need two servers per org in this arrangement.

> *sry* sent the first one only to Harald.
>
> Harald Barth wrote:
>> You may want to think through how you manage the pts entries, how you
>> add and subtract users / groups. If you need or have another
>> infrastructure for that anyway, you could easily push to that data
>> to pts. And then it does not matter if you push it to one or 20 cells.
>> (or not pushing but with a backend to pts)
>>
>> Because of the security implications I would go for several cells.
>> Then you only have a "security disaster" if someone gets your KDC,
>> not if someone gets one site.
>>
>>> It must be easy to manage for the organization - that's why I think one
>>> cell could be best.
>>
>> You need to do some preconfigured shipping anyway, if you automate the
>> generate boot CD process it does not matter much if you need to add a
>> new cellname and security KeyFile in that process.
>
> A complete unattended setup of a krb5 and OpenAFS cell is not possible, or?
>
>>> Data just needs to be kept at one organization, RW on one partition, RO
>>> on a second, maybe another RO on a 2nd fileserver in the same organization.
>>
>> Sounds like different cells to me.
>
> The one organization - one cell way sounds nice, but the work ;-)
> Will think about it and test it.
>
> Another point I missed is: the "proxy" I mentioned is a "must have" for
> the users to access the data and it is combined with an indexing db which
> should be able to know where each data of all organizations is located.
> Kinda like the indexing service Jeffrey has in mind. If I only get the
> funding for it ;-)
Jason

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info