[Freeipa-users] ipa impressions and more questions

Andrew C. Dingman acd at redhat.com
Wed Sep 17 16:07:34 UTC 2008


On Wed, 2008-09-17 at 10:45 -0400, Simo Sorce wrote:
> > That is, most services don't need service principals. Generally
> > speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> > therefore have no need of service principals. DHCP is pretty much devoid
> > of any authentication capability. SNMP has some authentication
> > capability, but it's currently built around an SNMP-specific mechanism
> > that doesn't play with Kerberos. Likewise, DNS has some limited
> > authentication capability that almost nobody uses, and Kerberos support
> > is a non-standard extension that's only even useful for a few operations
> > that most clients never attempt.
> 
> I agree for DHCP and SNMP (do we really have entries for those in the
> UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> it in v2) for GSS-TSIG authenticated DNS update requests.

I wasn't speaking about what I think *should* be. GSS-TSIG is *vastly*
nicer in my opinion than TSIG on its own, and I'm glad to see increasing
support for it. I simply meant that in most current deployments, clients
don't do any form of TSIG. My comments were meant to be descriptive of
current widespread usage, not prescriptive. IPA is an improvement on
that common usage that I'm quite happy to see. In general, you and I
tend to be in close agreement about what *should* be.

-- 
Andrew C. Dingman, RHCA, RHCSS, RHCX
Instructor, Red Hat Global Learning Services
adingman at redhat.com
gpg: 4DEB 3DF1 1007 B26D EC76  80F4 3C26 A4EB 2975 74B2



