On Sat, 16 Feb 2013 15:26:43 +0000 Simon Wilkinson <[email protected]> wrote:
> There's two issues here. Firstly, only machines hosting vlservers have
> access to the key material necessary to accept GSSNegotiate calls for
> afs-rxgk@_afs.cell. Machines with the rxgk cell-wide key can accept
> rxgk challenges using cell-wide tokens, but the failure mode here is
> such that I don't think you'd want to base a key negotiation on it.

What failure mode?

> Secondly, in situations where bos is managing servers for multiple
> cells, how do you decide which afs-rxgk@_afs.cell to use?

Possibly the simplest way is just to not support using the cell-wide key
for bozo when you want to control several cells with it. But there are
several other options (to pick a few: pick one with -cell like we do
now, use separate bosservers for each cell, somehow accept any like HTTP
negotiate auth can do).

--
Andrew Deason
[email protected]

_______________________________________________
AFS3-standardization mailing list
[email protected]
http://lists.openafs.org/mailman/listinfo/afs3-standardization
