[Freeipa-users] ipa impressions and more questions

Simo Sorce ssorce at redhat.com
Wed Sep 17 16:30:50 UTC 2008


On Wed, 2008-09-17 at 12:07 -0400, Andrew C. Dingman wrote:
> On Wed, 2008-09-17 at 10:45 -0400, Simo Sorce wrote:
> > > That is, most services don't need service principals. Generally
> > > speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> > > therefore have no need of service principals. DHCP is pretty much
> > > devoid of any authentication capability. SNMP has some authentication
> > > capability, but it's currently built around an SNMP-specific
> > > mechanism that doesn't play with Kerberos. Likewise, DNS has some
> > > limited authentication capability that almost nobody uses, and
> > > Kerberos support is a non-standard extension that's only even useful
> > > for a few operations that most clients never attempt.
> > 
> > I agree for DHCP and SNMP (do we really have entries for those in the
> > UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> > it in v2) for GSS-TSIG authenticated DNS update requests.
> 
> I wasn't speaking about what I think *should* be. GSS-TSIG is *vastly*
> nicer in my opinion than TSIG on its own, and I'm glad to see increasing
> support for it. I simply meant that in most current deployments, clients
> don't do any form of TSIG. My comments were meant to be descriptive of
> current widespread usage, not prescriptive. IPA is an improvement on
> that common usage that I'm quite happy to see. In general, you and I
> tend to be in close agreement about what *should* be.

Unsurprisingly I agree :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



