First I would like to wholeheartedly support Neil Brown's comment. We at the Vrije Universiteit in Amsterdam (NL) also have the situation where the Kerberos administrator does not hand out machine credentials. A lot of Linux users from the Faculty of Sciences depend on the functionality that lets them access the NFS file servers with only their user credentials.

Secondly I would like to make a remark on basing client ids on the system's Kerberos principal's name. That same faculty, in the times it had its own IT department, used an identical keytab for all Linux workstations, using the principal names "[nfs|root|host]/workstation@xxxxxxxxx". I understand this would lead to severe problems when the client id (co_ownerid) is based solely on the system's root principal name.

It seems to me that the issues about the client id look like a bag of worms. I've seen that the newest standard `requires' integrity protection for client id exchanges. I doubt that that will help when the source code of the NFS client is known and the client id is guessable.

The wisest thing might be to offer different options and let the administrators pick the one they like best?

Regards,

Ed Keizer
IT department
Vrije Universiteit
Amsterdam
NL