[AFS3-std] Re: rxgk-afs tokens for ptservers, etc.
Andrew Deason
adeason@sinenomine.net
Tue, 12 Feb 2013 16:59:06 -0600
On Tue, 12 Feb 2013 17:06:07 -0500
Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
> I'm not sure what to do about the bosserver. It's really more of a
> management tool than part of the main protocol suite. It seems like,
> at a minimum, it ought to be possible to obtain a token for a given
> bosserver by negotiating directly with that server, the same as for
> any other rxgk service. Arguably the same should be possible for
> volservers and maybe even fileservers, though in practice that doesn't
> seem as useful.
So, if I understand you correctly, if something like this existed, the
gss identity would be afs3-bos@<host>, like for other such services? It
seems like a pain to construct the credentials for that for each
service, but if it was just bos, that's not as bad.
That may make things quite confusing operationally, since it means you'd
have to e.g. construct new host keys for krb5 when the host changes.
That's normal for most krb5 services, but not for AFS; and even for AFS
the "fileserver" identity is still tied to the uuid, which doesn't
change when you move the box.
So in that situation, you'd have a mix of the "normal" kerberos-y
behavior, and the AFS-specific behavior. That seems pretty likely to be
confusing. I can see a likely scenario where someone moves a box, and
they don't change the keys, and since fileserver access works they think
everything is fine. And then some emergency pops up and they suddenly
realize they can't access bos, right when they really really want to...
--
Andrew Deason
adeason@sinenomine.net