From: Nicolas Williams (Nicolas.Williams@sun.com)
Date: 10/29/03-05:27:02 PM Z
From: Nicolas Williams <Nicolas.Williams@sun.com>
Subject: Re: [nfsv4] AUTH_GSS for Callbacks
Message-ID: <20031029232702.GE24528@binky.central.sun.com>
Date: Wed, 29 Oct 2003 15:27:02 -0800

On Wed, Oct 29, 2003 at 06:18:46PM -0500, wurzl, mario wrote:
> Mike> When the server does the call back, the target and initiator
> Mike> principals are simply reversed. The initiator principal is
> Mike> nfs@<fqdn of server host>, and the target principal is
> Mike> root/<fqdn of client host>.
>
> This implies that a system administrator will have to generate keys for a
> service 'root@client' and store it in the Kerberos keytab of all client
> systems. I have a hard time imagining a system administrator doing this
> process for a network with several thousand clients.
> It may become even worse if the principal for SETCLIENTID could be any user.

Multi-user clients are all pretty much going to need to have a Kerberos V
host-based principal and key(s), unless they never authenticate users
logging in to them (no kerberized telnet, no Kerberos password validation,
etc...).

So if you have a client that has the typical "host@fqdn" principal then
that's enough and you should not need to have a "root@fqdn" principal
also. (Yes, I know, Solaris clients insist on having a root@fqdn
principal.)

Cheers,

Nico
--