On Thu, 14 Feb 2013, Andrew Deason wrote:
> On Thu, 14 Feb 2013 14:02:11 -0500 (EST)
> Benjamin Kaduk <[email protected]> wrote:
>
>> I think that the most promising approach is probably to have an
>> afs3-bos@host GSS identity for each machine running a bosserver, and
>> use that for the GSS negotiation service. Tokens thus obtained will
>> be tied to that particular machine's bosserver, and 'bos -localauth'
>> will only be able to affect the local machine upon which it is
>> running. It does make administering machines serving multiple cells
>> cleaner, though, and preserves our abstractions.
>
> Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
> seems unnecessary to require the generation of a new identity for each
> bosserver, if they're all allowed to have the cell-wide key, unless I'm
> missing something.

That seems like an implementation decision which need not be standardized,
but yes, we could. Simon doesn't like the idea, though.
-Ben
_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization