Re: iSCSI: Kerb auth issue 2 - name use in kerberos

On Thu, 19 Dec 2002, Ofer Biran wrote:

> Bill,
>
> I don't understand why Kerberos is different than the other methods
> from this aspect. No mapping between iSCSI names and user names
> used in the authentication methods is specified. This is left to
> local users/principals administration. An administrator may decide
> that iSCSI target principals in his domain are always
> iscsi/<target_name>, and this should be known to initiators in that
> domain. But someone may want / already has a different scheme.

Please note I was talking about behaviors for the name-is-nul case. If you put in a principal name, you use that principal name.

Also, Kerberos is different in that it has concepts about who/what a principal is, and how to get the principal name given what you want to talk to. If your host name is foo.bar.com, your principal (for telnetting, etc.) is host/foo.bar.com. That's that. If your DNS name is different, your principal (and what needs to be in your keytab) is different. Two DNS names? Then you have two sets of principal keys in your keytab.

All the Kerberos folks I talked to said (after translating) that as the canonical name in iSCSI is the node name, the principal SHOULD be "iscsi/<node_name>". You should really only do something different if you have a good reason. And maybe even not then.

Rather than lock people into this (the stick of an RFC MUST), my thought was to use the carrot of convenience. You leave the name nul (zero-length string), and the "right" thing just happens.

So no comment on the difference in semantics for the principal names in the ipsAuthCredKerberos when used via iscsiIntrAuthorization?

Take care,

Bill
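The two rules Bill argues for above, written out as an added example (this code is not from the thread, the iSCSI draft, or any Kerberos implementation): an empty authentication name is filled in with the convention iscsi/<node_name>, an explicit name is used as given, and every principal a host answers to must actually have a key in its keytab. The realm EXAMPLE.COM, the node names, and the keytab contents are constructed sample data; a real check would read the keytab list from `klist -k`.

```python
"""Derive iSCSI Kerberos service principals and check them against a keytab.

Added example illustrating the mailing-list discussion: a nul (empty)
authentication name means "use iscsi/<node_name>", mirroring host/<fqdn>
for ordinary hosts, and each name a host is reached by needs its own
keytab entry. All realm, node and keytab values below are constructed.
"""
from __future__ import annotations

DEFAULT_REALM = "EXAMPLE.COM"  # constructed; a site would take this from krb5.conf


def default_principal(auth_name: str, node_name: str, realm: str = DEFAULT_REALM) -> str:
    """Apply the "carrot of convenience" rule.

    An explicit principal is used as given (the default realm is appended
    if it carries none). An empty string means: derive iscsi/<node_name>@REALM
    from the canonical iSCSI node name.
    """
    if auth_name:
        return auth_name if "@" in auth_name else f"{auth_name}@{realm}"
    # The node name becomes the principal's instance component, so it must
    # not be empty and must not contain the principal separators.
    if not node_name or "/" in node_name or "@" in node_name:
        raise ValueError("iSCSI node name must be non-empty and free of '/' and '@'")
    return f"iscsi/{node_name}@{realm}"


def host_principals(dns_names: list[str], realm: str = DEFAULT_REALM) -> list[str]:
    """Two DNS names for one host mean two host/ principals, each needing a key."""
    return [f"host/{name.lower()}@{realm}" for name in dns_names]


def check_keytab(targets: dict[str, str], keytab: set[str]) -> dict[str, list[str]]:
    """For each iSCSI node name -> configured auth name, derive the principal
    and report which ones have no key in the local keytab.

    `keytab` is the set of principal names present locally (as `klist -k`
    would list them); a missing entry means authentication will fail for
    that target even though the naming convention was followed.
    """
    present: list[str] = []
    missing: list[str] = []
    for node, auth_name in targets.items():
        princ = default_principal(auth_name, node)
        (present if princ in keytab else missing).append(princ)
    return {"ok": present, "missing": missing}


# Constructed sample: one target relies on the nul-name default, the other
# site chose its own scheme and configured an explicit name.
SAMPLE_TARGETS = {
    "iqn.2002-12.com.example:storage.disk1": "",
    "iqn.2002-12.com.example:storage.disk2": "iscsi-disk2",
}

# Constructed keytab listing: the default-derived principal is present, the
# site-specific one was never added, and the host answers to two DNS names.
SAMPLE_KEYTAB = {
    "iscsi/iqn.2002-12.com.example:storage.disk1@EXAMPLE.COM",
    "host/foo.example.com@EXAMPLE.COM",
    "host/foo-alias.example.com@EXAMPLE.COM",
}

if __name__ == "__main__":
    report = check_keytab(SAMPLE_TARGETS, SAMPLE_KEYTAB)
    for princ in report["ok"]:
        print(f"ok       {princ}")
    for princ in report["missing"]:
        print(f"MISSING  {princ}")
```

Running the check on the sample data flags the explicitly named principal as missing from the keytab while the default-derived one is found, which is exactly the administrative gap the convention is meant to remove.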