[OpenAFS] New Cell setup - ideas?

Lars Schimmer l.schimmer@cgv.tugraz.at
Wed, 27 Jan 2010 10:26:04 +0100

Harald Barth wrote:
> You may want to think through how you manage the pts entries, how you
> add and subtract users / groups. If you need or have another
> infrastructure for that anyway, you could easily push that data
> to pts. And then it does not matter if you push it to one or 20 cells.
> (or not pushing but with a backend to pts)
> Because of the security implications I would go for several cells.
> Then you only have a "security disaster" if someone gets your KDC,
> not if someone gets one site.
>> It must be easy to manage for the organization - that's why I think one
>> cell could be best.
> You need to do some preconfigured shipping anyway, if you automate the
> generate boot CD process it does not matter much if you need to add a
> new cellname and security KeyFile in that process.

A complete unattended setup of a krb5 and OpenAFS cell is not possible, o=

>> Data just needs to be kept at one organization, RW on one partition, R=
>> on a second, maybe another RO on a 2nd fileserver in the same organiza=
> Sounds like different cells to me.

The one organization - one cell way sounds nice, but the work ;-)
Will think about it and test it.

Another point I missed is: the "proxy" I mentioned is a "must have" for
the users to access the data and it is combined with an indexing db which
should be able to know where each data of all organizations is located.
Kinda like the indexing service Jeffrey has in mind.
If I only get the funding for it ;-)

> Harald.

Lars Schimmer
