[OpenAFS] New Cell setup - ideas?

Jason Edgecombe jason@rampaginggeek.com
Wed, 27 Jan 2010 20:52:15 -0500


Lars Schimmer wrote:
> *sry* sent the first one only to Harald.
>
> Harald Barth wrote:
> > You may want to think through how you manage the pts entries, how you
> > add and subtract users / groups. If you need or have another
> > infrastructure for that anyway, you could easily push that data
> > to pts. And then it does not matter if you push it to one or 20 cells.
> > (or not pushing but with a backend to pts)
>
> > Because of the security implications I would go for several cells.
> > Then you only have a "security disaster" if someone gets your KDC,
> > not if someone gets one site.
>
> >> It must be easy to manage for the organization - that's why I think one
> >> cell could be best.
> > You need to do some preconfigured shipping anyway, if you automate the
> > generate boot CD process it does not matter much if you need to add a
> > new cellname and security KeyFile in that process.
>
> A complete unattended setup of a krb5 and OpenAFS cell is not
> possible, is it?
>
> >> Data just needs to be kept at one organization, RW on one partition, RO
> >> on a second, maybe another RO on a 2nd fileserver in the same
> >> organization.
> > Sounds like different cells to me.
>
> The one organization - one cell way sounds nice, but the work ;-)
> Will think about it and test it.
>
> Another point I missed is: the "proxy" I mentioned is a "must have" for
> the users to access the data, and it is combined with an indexing db which
> should be able to know where each piece of data of all organizations is located.
> Kinda like the indexing service Jeffrey has in mind.
> If I only get the funding for it ;-)
You could still have one cell/org and just have the DB/kerberos server 
in a central place and just have a plain fileserver on-site in the org. 
The trick is that you'll need two servers per org in this arrangement.

Jason