[nfsv4] Re: Feedback on user ID for any bis work
Mark Liam Brown <brownmarkliam@gmail.com> Fri, 06 September 2024 11:15 UTC
Return-Path: <brownmarkliam@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACABCC15198B for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 04:15:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S90JtRYrDItY for <nfsv4@ietfa.amsl.com>; Fri, 6 Sep 2024 04:15:14 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CF7FC14CE22 for <nfsv4@ietf.org>; Fri, 6 Sep 2024 04:15:14 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-7a81309072dso125273785a.0 for <nfsv4@ietf.org>; Fri, 06 Sep 2024 04:15:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725621313; x=1726226113; darn=ietf.org; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HCZAwXMDWu2HdYs1tYp3isA+IyAm0n47eBLA/DicPfo=; b=HbjTh69Nj34W6cUkTpCWc8aHA9iptEoPgy3gqdfG/3dIBmlmTsWT3SIeEN2YGFuwGY OSLFgSgSNLa4RJGJEudhFehbhdi2LZ1WiUXA4xUci8Q0o3WRg165nyyyNeBkoTrXTkRT MwgaSFRabqN9JQxebfERkJ8yRuhgq5vmqmMsZHcA92kKd9CK7MaznydNXmd/4yILTLNR /LDdszHoFNuTdTTOj/3tBGB3/d3RC2Jls6W9WTR0gUw/ktJpr79xvJWUorB3Gl3IxYoT Jf23jeQ7XzCQWvyB33Jl1QUMSzSTS2d+oa5OtJMZepOJ7qmM5ghoPvEUyxaV1DQw9hTk msVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725621313; x=1726226113; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HCZAwXMDWu2HdYs1tYp3isA+IyAm0n47eBLA/DicPfo=; b=G2KL84Ig3sOJSt4f3324c8/Gaeu2Ouvab++YZwuWCBkkjijyPXjA8Zthrv24ZVqAbD gJiKvbUZJx++a4qu5X5ibBnT3M6K51Xpaqta43XfVT6PRFXso1oLrND5TeAe9B9kMFzT 0KF0k8delZ55Wq363jPAZBiyLEYxW4RueI0mHGwPamXpnfzIhe+UfJW8OSUuLxJbMgKu mJYbPXXt2Shb7uLaRysZKi2HDhrgsAwAMun6NAsp1yeka0AfAo0CdPO8eHawIHoQ8ylb dRfII735BY514o3OZQDxdueCURL69NJBEUCfanpuASgiyLxObxDdHAE3zCWIEC/xFhki cGGw==
X-Gm-Message-State: AOJu0Yx3QkksVk1DWzlNco7D2znceONdRfAExPvTIS0ea1+Z136l9S+P NvsOUm8eKjQ65G4nkLkg0kldB+cEB8E0P7ugt71c4Lt3BdYOJ8Xg8aiEycoLVmPO1skvNhsvyy3 TlFN9gP6JI2sfml+wN9M7VY+/Qy0Kvg==
X-Google-Smtp-Source: AGHT+IFP5sNXBPCJTcQz4qOXDt6suca4bD3ySHfjoUrR6YpTrz1ae6sCgooaOIsoKrHHtCIFGRBXRGbMV3wM+ZuE/Ak=
X-Received: by 2002:a17:902:d4c2:b0:205:968b:31e2 with SMTP id d9443c01a7336-206f0682c5bmr26414155ad.59.1725621301739; Fri, 06 Sep 2024 04:15:01 -0700 (PDT)
MIME-Version: 1.0
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
In-Reply-To: <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
From: Mark Liam Brown <brownmarkliam@gmail.com>
Date: Fri, 06 Sep 2024 13:14:25 +0200
Message-ID: <CAN0SSYwrebn8Btzbi9142dr3pX1ViLf7FqDAd8aaOHxHercJNA@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: NM26MAHSEUR54XZIPCS5Z2UPUYPYY2Q2
X-Message-ID-Hash: NM26MAHSEUR54XZIPCS5Z2UPUYPYY2Q2
X-MailFrom: brownmarkliam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/1ahUBmAFD1GcWTXoYpGuaiZcNHQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>
On Fri, Aug 16, 2024 at 6:26 PM Chuck Lever III <chuck.lever=40oracle.com@dmarc.ietf.org> wrote: > > > > > On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote: > > > > Dave, All, > > > > INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR > > > > We need this super brief conversation in one of the interim meetings about how user identity is communicated across NFSv4, and there are 2 options, UID/GID ‘integer's and then loosely defined ‘string’. So I’ve been digging into this and I would say, most definitely, do NOT remove the string. So what I can see so far, is that UID/GID numbers are used when auth ‘sys’ is the selected mechanism, where current the string is used when auth is tied to GSS-API. As far as I can tell, the kerberos principal name should be the string in the field. I certainly don’t yet have a full understanding about how everything is connected together. (Just sending the principal is nice and everything, but you want to be able to verify it, and HOLY RAT HOLE ROBIN is that confusing in practice.) > > > > So, the thing I’m trying to make sense of, how hard would it be to support TLS identities (X.509 certs really) instead of Kerberos. > > A perhaps subtle distinction here: > > The current RPC-with-TLS protocol uses x.509 explicitly only for authenticating > network peers (ie, hosts). RFC 9289 even says "not for user authentication". So > I think the term "TLS" here is probably misplaced. > > You instead want to invent a new RPC security flavor or flavors that authenticates > users (or, dare I say it, to extend GSSAPI to handle this for us) via an x.509 > certificate, or OAuth, or such like. Nothing to do with transport layer security, > which doesn't know from users. > > > > That also opens a fairly different control domain. Kerberos is well suited to local enterprise control. You can do that with X.509, but really, my anecdotal experience says, X.509 certs for enterprise are too heavy a lift, but they’re the answer when you want a more global identity. That raises the question of target users of NFS protocol. And if we’re (or maybe that’s just me doing it?) opening a wound there – then maybe we want to be able to support authentication and authorization that is more cloud compatible, which is potentially more than X.509. > > > > These are just thoughts and feedback on some discussions. > > > > Chris > > > > > > P.S. > > > > The complexity of auth is BONKERS!!! So to kind of dig into this I have a freenas server running with ZFS as the backing store. It’s the FreeBSD variant 13.0 stream. I then deployed an LDAP and Kerberos solution (freeipa on Fedora) to have that running on an RPi4. (This is all in my house, by the way.) For clients, I have a _real_ menagerie of machines: Mac OS 14.6, RPi Raspbian, FreeBSD, and Win 11. For fun, that means NFS versions running are: Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2, FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3. I can get most of the unixen to at least get a Kerberos user principal TGT. Machine-to-machine, host principals are still a bit of a challenge. The Windows machine seemingly would rather piss in my Cheerios than do what I want. (What engineer where convinced their UI people to be able to give error messages as ‘1450 resource unavailable’ and then you need to type `net helpmsg 1450` to get an actual error message, which is completely useless anyway? That person is either my hero or the devil.) And while Windows doesn’t want to cooperate at all, the unixen management of authentication identities is its own entire disjoint universe! ‘SSSD' on Linux, ‘nfsuserd' on FreeBSD, and I haven’t even tried to cross that bridge on Mac. So I’m still trying to get this collection of stuff to attempt to do full kerberos/gss-api negotiation on a mount. > > > > > > Maybe this is why people run with auth sys! > > No "maybe" about it, this /is/ why people stick with auth_sys. But even auth_sys must support user@name on Windows, because Windows has no concept of uid/gid. The Windows NFS41 driver just sends the Windows domain\user converted to user@domain to the NFS server. Mark -- IT Infrastructure Consultant Windows, Linux
- [nfsv4] Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Pali Rohár
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work David Noveck
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Rick Macklem
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Re: Feedback on user ID for any bis work Chris Inacio
- [nfsv4] Re: Feedback on user ID for any bis work Mkrtchyan, Tigran
- [nfsv4] Re: Feedback on user ID for any bis work Mark Liam Brown
- [nfsv4] Re: Feedback on user ID for any bis work Chuck Lever III
- [nfsv4] Fwd: Re: Feedback on user ID for any bis … David Noveck