[AFS3-std] Re: rxgk-afs tokens for ptservers, etc.
Simon Wilkinson
simon@sxw.org.uk
Wed, 13 Feb 2013 22:05:32 +0000
On 13 Feb 2013, at 05:32, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> Well, we allow out-of-band key management as well as VL_RegisterAddrsAndKey to get per-server keys. So conceivably, those could have GSS identities.
If you are using RegisterAddrsAndKey you need to have a GSS identity on the server. Departmental file servers have to have GSS key material.
>> Anyway, my concern/confusion with this is that the per-server keys are
>> associated with a server UUID, which I believe is purely a notion of the
>
> Again, only if the RegisterAddrsAndKey method is used. But we want to support it, so we must have a way to cope regardless.
RegisterAddrsAndKey is the only mechanism to declare yourself as a departmental file server.
> But, as you note, machines with only a fileserver will still run a bosserver to manage the fileserver, and may not have a GSS identity available.
I don't think it's overly onerous to require that all machines running a bosserver have a GSS identity. In most cases this just means that they need a Kerberos key, which most sites will already have a means of provisioning for their servers.
Cheers,
Simon