>If I am accessing AFS via an NFS/AFS translator, what IP number
>is used for checking the PTS if it has IP numbers, wildcards or
>groups with IP numbers? Is it the NFS client's IP number, or the
>translator's number?
>
>If it is the translator's number then if someone exports /afs to
>the world, the world can bypass campus-wide protections by using
>NFS from some on-campus translator. This requires the
>translator's system manager to export /afs to on-campus-only
>systems.
>
>If it is the NFS client's number, then it is a little better, but
>you are still relying on NFS security. But since any system
>manager could make the translator believe that it was receiving
>a request from an IP number, AFS can't trust the client's IP
>number.
>
>But in either case, you have extended the responsibility of
>protection of AFS data to the translator's system manager
>without requiring any tokens.
>
>In no way do I want this to be considered system:authuser.
>
>Has anyone looked into how this works?
>
I tried this and the answer seems to be that it uses the IP address of the
Translator Machine (AFS client/NFS server). The NFS client access has to be
restricted via /etc/exports.
I agree it would be nice if the Xlator could pass the NFS client's address!
Chris Cowan
ISSC/SER AFS Support Team
----------------------------------------
Internet: [EMAIL PROTECTED]
IBM VNET: cc at austin