[AFS3-std] Re: tokens for bosserver

Simon Wilkinson simon@sxw.org.uk
Sat, 16 Feb 2013 15:26:43 +0000


On 14 Feb 2013, at 23:10, Andrew Deason <adeason@sinenomine.net> wrote:

>  My thinking was that servers with the cell-wide key would just
> use afs-rxgk@_afs.cell, and servers that don't have the cell-wide key
> would use afs3-bos@host. The client would try with afs3-bos@host, but if
> that doesn't exist (or the connection negotiation fails), we would retry
> assuming that we can use afs-rxgk@_afs.cell. That's a problem?

There's two issues here. Firstly, only machines hosting vlservers have access to the key material necessary to accept GSSNegotiate calls for afs-rxgk@_afs.cell. Machines with the rxgk cell-wide key can accept rxgk challenges using cell-wide tokens, but the failure mode here is such that I don't think you'd want to base a key negotiation on it.

Secondly, in situations where bos is managing servers for multiple cells, how do you decide which afs-rxgk@_afs.cell to use?

S.