Lars Schimmer wrote:
*sry* sent the first one only to Harald.

Harald Barth wrote:
> You may want to think through how you manage the pts entries, how you
> add and subtract users / groups. If you need or have another
> infrastructure for that anyway, you could easily push to that data
> to pts. And then it does not matter if you push it to one or 20 cells.
> (or not pushing but with a backend to pts)

> Because of the security implications I would go for several cells.
> Then you only have a "security disaster" if someone gets your KDC,
> not if someone gets one site.

>> It must be easy to manage for the organization - that's why I think one
>> cell could be best.
> You need to do some preconfigured shipping anyway, if you automate the
> generate boot CD process it does not matter much if you need to add a
> new cellname and security KeyFile in that process.

A complete unattended setup of a krb5 and OpenAFS cell is not possible, is it?

>> Data just needs to be kept at one organization, RW on one partition, RO
>> on a second, maybe another RO on a 2nd fileserver in the same organization.
> Sounds like different cells to me.

The one organization - one cell way sounds nice, but the work ;-)
Will think about it and test it.

Another point I missed is: the "proxy" I mentioned is a "must have" for
the users to access the data and it is combined with an indexing DB which
should be able to know where each data of all organizations is located.
Kinda like the indexing service Jeffrey has in mind.
If I only get the funding for it ;-)

You could still have one cell/org and just have the DB/kerberos server in a central place and just have a plain fileserver on-site in the org. The trick is that you'll need two servers per org in this arrangement.

Jason
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info