On 02/14/2013 05:41 PM, Andrew Deason wrote:
> On Thu, 14 Feb 2013 14:02:11 -0500 (EST)
> Benjamin Kaduk <[email protected]> wrote:
>> I think that the most promising approach is probably to have an
>> afs3-bos@host GSS identity for each machine running a bosserver, and
>> use that for the GSS negotiation service. Tokens thus obtained will
>> be tied to that particular machine's bosserver, and 'bos -localauth'
>> will only be able to affect the local machine upon which it is
>> running. It does make administering machines serving multiple cells
>> cleaner, though, and preserves our abstractions.
> Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
> seems unnecessary to require the generation of a new identity for each
> bosserver, if they're all allowed to have the cell-wide key, unless I'm
> missing something.
How does afs3-bos@host map to Kerberos/GSS? Would it map to
afs3-bos/host.domain.com@REALM?
_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
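The question above is about how a GSS-API host-based service name such as afs3-bos@host becomes a Kerberos principal. The following is an added illustration, not code from this thread or from OpenAFS: it applies the GSS_C_NT_HOSTBASED_SERVICE mapping that the Kerberos mechanism uses (RFC 4121 style: service@host becomes service/canonical-host@REALM, realm chosen by a domain-to-realm suffix table) and contrasts a per-host name like afs3-bos@fs1 with a cell-wide name like afs-rxgk@_afs.cell. The host table, the domain_realm table, the realm names and the treatment of the cell-wide name are assumptions for illustration; in a real mechanism the canonicalization step is a DNS lookup, and whether a cell-wide _afs.cell name goes through it at all depends on how the rxgk work defines that name.

```python
"""Added example: GSS host-based service name -> Kerberos principal.

Not from the mailing-list thread or from OpenAFS. All tables below are
constructed for illustration.
"""

# Constructed stand-in for the DNS canonicalization that Kerberos GSS
# mechanisms perform on the host part (getaddrinfo + reverse lookup).
# Real deployments can disable it (krb5.conf: dns_canonicalize_hostname,
# rdns) because an attacker who controls DNS answers can steer the
# client into requesting a ticket for a different principal.
CANONICAL_HOSTS = {
    "fs1": "fs1.example.com",
    "fs1.example.com": "fs1.example.com",
    "fs2.example.com": "fs2.example.com",
    "db.example.org": "db.example.org",
}

# Constructed [domain_realm] table in krb5.conf style: exact match first,
# then longest matching ".suffix", then the default realm.
DOMAIN_REALM = {
    "example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".example.org": "EXAMPLE.ORG",
}
DEFAULT_REALM = "EXAMPLE.COM"


def realm_for_host(fqdn):
    """Map a lowercase FQDN to a realm using domain_realm suffix rules."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in DOMAIN_REALM:
        return DOMAIN_REALM[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    return DEFAULT_REALM


def split_hostbased(name):
    """Parse 'service@host'; both components must be present."""
    if "@" not in name:
        raise ValueError("not a host-based service name: %r" % name)
    service, host = name.split("@", 1)
    if not service or not host:
        # RFC 1964 allows an empty host meaning "this host"; refusing it
        # keeps the acceptor identity explicit.
        raise ValueError("service and host must both be given: %r" % name)
    return service, host.lower().rstrip(".")


def hostbased_to_principal(name, canonicalize=True):
    """afs3-bos@fs1 -> afs3-bos/fs1.example.com@EXAMPLE.COM (assumed data)."""
    service, host = split_hostbased(name)
    if canonicalize:
        if host not in CANONICAL_HOSTS:
            raise LookupError("cannot canonicalize host %r" % host)
        host = CANONICAL_HOSTS[host]
    return "%s/%s@%s" % (service, host, realm_for_host(host))


def cellwide_to_principal(name):
    """Assumed mapping for a cell-wide name such as afs-rxgk@_afs.example.com.

    The '_afs.<cell>' label is not a real host, so no DNS canonicalization
    is applied; the realm is taken from the cell name's domain suffix.
    """
    service, host = split_hostbased(name)
    if not host.startswith("_afs."):
        raise ValueError("not a cell-wide AFS acceptor name: %r" % name)
    return "%s/%s@%s" % (service, host, realm_for_host(host))


def acceptor_principals(service, hosts):
    """Distinct acceptor principals a client would target across hosts.

    A per-host name yields one principal per machine; a cell-wide name
    yields a single principal however many machines serve the cell.
    """
    return sorted({hostbased_to_principal("%s@%s" % (service, h)) for h in hosts})
```

Usage: hostbased_to_principal("afs3-bos@fs1") gives afs3-bos/fs1.example.com@EXAMPLE.COM under the constructed tables, while acceptor_principals("afs3-bos", [...]) over several hosts returns one principal per machine, which is the per-machine scoping the first message describes; cellwide_to_principal shows the opposite trade-off, where every server shares one acceptor identity and therefore one key.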