On 13 Feb 2013, at 05:32, Benjamin Kaduk <[email protected]> wrote:

> Well, we allow out-of-band key management as well as VL_RegisterAddrsAndKey 
> to get per-server keys.  So conceivably, those could have GSS identities.

If you are using RegisterAddrsAndKey you need to have a GSS identity on the 
server. Departmental file servers have to have GSS key material.

>> Anyway, my concern/confusion with this is that the per-server keys are
>> associated with a server UUID, which I believe is purely a notion of the
> 
> Again, only if the RegisterAddrsAndKey method is used.  But we want to 
> support it, so we must have a way to cope regardless.

RegisterAddrsAndKey is the only mechanism to declare yourself as a departmental 
file server.

> But, as you note, machines with only a fileserver will still run a bosserver 
> to manage the fileserver, and may not have a GSS identity avaialble.

I don't think it's overly onerous to require that all machines running a bos 
server have a GSS identity. In most cases this just means that they need a 
Kerberos key, which most sites will already have a means of provisioning for 
their servers.

Cheers,

Simon_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization

Reply via email to