[OpenAFS-devel] Re: rxk5 branch is ready; please test
Adam Megacz
megacz@cs.berkeley.edu
Thu, 17 Jan 2008 00:32:22 -0800
Jeffrey Hutzelman <jhutz@cmu.edu> writes:
> Note that supporting separate service keys for each server is _very_
> complex; it not only requires the cache manager to discover the
> correct service principals and maintain separate sets of tickets for
> each server, but also for a variety of administrative tools to
> handle using different tickets to talk to different servers, as when
> you use 'vos' to perform an operation that requires both updating
> the VLDB and performing volume operations on one or more servers.
I see. Does it somehow go beyond the usual Kerberos algorithm of:
concatenate "service/", the hostname to which packets are being sent,
and "@REALM" to form the principal?

I suppose if you only know the IP of the fileserver (not its hostname)
that would be a big problem. Is that the reason why it's difficult to
figure out what principal to use/expect?
> So, don't go looking for this functionality any time soon. It's
> harder than it looks, and not real high on most people's priority
> lists.
Okay.
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380