[AFS3-std] Re: tokens for bosserver
Jason Edgecombe
jason@rampaginggeek.com
Thu, 14 Feb 2013 22:32:20 -0500
On 02/14/2013 05:41 PM, Andrew Deason wrote:
> On Thu, 14 Feb 2013 14:02:11 -0500 (EST)
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>> I think that the most promising approach is probably to have an
>> afs3-bos@host GSS identity for each machine running a bosserver, and
>> use that for the GSS negotiation service. Tokens thus obtained will
>> be tied to that particular machine's bosserver, and 'bos -localauth'
>> will only be able to affect the local machine upon which it is
>> running. It does make administering machines serving multiple cells
>> cleaner, though, and preservers our abstractions.
> Can't we have it use either afs3-bos@host or afs-rxgk@_afs.cell? It
> seems unnecessary to require the generation of a new identity for each
> bosserver, if they're all allowed to have the cell-wide key, unless I'm
> missing something.
>
how does afs3-bos@host map to kerberos/GSS? would it map to
afs3-bos/host.domain.com@REALM?