On Thu, 14 Feb 2013 14:02:11 -0500 (EST) Benjamin Kaduk <[email protected]> wrote:
> I think that the most promising approach is probably to have an
> afs3-bos@host GSS identity for each machine running a bosserver, and
> use that for the GSS negotiation service. Tokens thus obtained will
> be tied to that particular machine's bosserver, and 'bos -localauth'
> will only be able to affect the local machine upon which it is
> running. It does make administering machines serving multiple cells
> cleaner, though, and preserves our abstractions.

Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
seems unnecessary to require the generation of a new identity for each
bosserver, if they're all allowed to have the cell-wide key, unless I'm
missing something.

--
Andrew Deason
[email protected]

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
