On 13 Feb 2013, at 05:32, Benjamin Kaduk <[email protected]> wrote:

> Well, we allow out-of-band key management as well as VL_RegisterAddrsAndKey
> to get per-server keys. So conceivably, those could have GSS identities.

If you are using RegisterAddrsAndKey you need to have a GSS identity on the server. Departmental file servers have to have GSS key material.

>> Anyway, my concern/confusion with this is that the per-server keys are
>> associated with a server UUID, which I believe is purely a notion of the
>
> Again, only if the RegisterAddrsAndKey method is used. But we want to
> support it, so we must have a way to cope regardless.

RegisterAddrsAndKey is the only mechanism to declare yourself as a departmental file server.

> But, as you note, machines with only a fileserver will still run a bosserver
> to manage the fileserver, and may not have a GSS identity available.

I don't think it's overly onerous to require that all machines running a bos server have a GSS identity. In most cases this just means that they need a Kerberos key, which most sites will already have a means of provisioning for their servers.

Cheers,

Simon

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
