[OpenAFS] Re: Cell/Realm Name and DNS

Derek Atkins warlord@MIT.EDU
09 Jul 2003 11:24:52 -0400


Dr A V Le Blanc <LeBlanc@mcc.ac.uk> writes:

> On Tue 08 Jul 2003 at 01:07:54, Stefan Nobis <stefan-ml@snobis.de> wrote:
> > How important is it to choose a domain name as realm and cell name
> > for Kerberos/OpenAFS? What are the drawbacks if something other
> > than domain names is chosen?
> 
> On 07 Jul 2003 at 20:46:32, Derek Atkins <warlord@MIT.EDU> wrote:
> > It depends -- do you plan to play in the global world?  If you do, then
> > you must use a real domain name.
> 
> I'm sorry, but this isn't a real-world answer.  Our AFS cell is 13
> years old, and has always contained machines from a wide variety

It is a real-world answer to the effect that if you want to publish
your domain info for others to use, you need to either be in the
global CellServDB _OR_ you need to publish AFSDB records for your
domain.

If someone else has your domain name then THEY could publish AFSDB
records and usurp your cell from under you.

> There is no doubt that life can be easier when your cell and
> realm and DNS names coincide, but this is not always practically
> possible.  It would be nice to have all the consequences spelled
> out somewhere for those who need to make real decisions.

Yes, life is a LOT easier when you control the DNS domain of your cell.

>      -- Owen
>      LeBlanc@mcc.ac.uk

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
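
An added example, not part of the original message: one way a cell administrator could check for the situation described above, by comparing the database servers pinned in a local CellServDB against what DNS publishes in AFSDB records (subtype 1) for the same cell name. The cell names, host names, addresses and the zone-file style DNS answers are all constructed sample data, and the function names are hypothetical.

```python
# Added example: flag cells where DNS AFSDB records advertise database
# servers that the locally pinned CellServDB does not list.
# All data below is constructed (documentation names and addresses).

CELLSERVDB = """\
>example.org            #Constructed example cell
192.0.2.10              #afsdb1.example.org
192.0.2.11              #afsdb2.example.org
>lab.example            #Cell name in a DNS domain the site does not control
192.0.2.20              #db1.lab.example
"""

# AFSDB answers in zone-file form, as a resolver might return them (constructed).
DNS_ANSWERS = """\
example.org.  3600 IN AFSDB 1 afsdb1.example.org.
example.org.  3600 IN AFSDB 1 afsdb2.example.org.
lab.example.  3600 IN AFSDB 1 afs.registrant.example.
"""

def parse_cellservdb(text):
    """Return {cell: {db server host names}}; host names sit in the '#' field."""
    cells, current = {}, None
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        body, comment = body.strip(), comment.strip()
        if body.startswith(">"):              # ">cellname" starts a new cell
            current = body[1:].strip().lower()
            cells[current] = set()
        elif body and comment and current is not None:
            cells[current].add(comment.lower().rstrip("."))
    return cells

def parse_afsdb(text):
    """Return {owner name: {host names}} for AFSDB subtype 1 records."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[3].upper() == "AFSDB" and f[4] == "1":
            owner, host = f[0].lower().rstrip("."), f[5].lower().rstrip(".")
            records.setdefault(owner, set()).add(host)
    return records

def unpinned_servers(pinned, published):
    """Cells whose DNS-published servers include hosts absent from CellServDB."""
    return {cell: sorted(published[cell] - hosts)
            for cell, hosts in pinned.items()
            if cell in published and published[cell] - hosts}

if __name__ == "__main__":
    found = unpinned_servers(parse_cellservdb(CELLSERVDB), parse_afsdb(DNS_ANSWERS))
    for cell, hosts in found.items():
        print(f"{cell}: AFSDB records name servers not in CellServDB: {hosts}")
```
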