IETF Logo Mail Archive

FW: [nfsv4] Name Mappings for NFSv4 in Active Directory

"Wachdorf, Daniel R" <drwachd@sandia.gov> Thu, 09 October 2003 14:22 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22243 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 10:22:26 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7bg5-0006ZB-Pi for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 10:22:05 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99EM5Qi025235 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 10:22:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7bg5-0006Yw-LX for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 10:22:05 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22229 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 10:21:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7bg3-0006wb-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 10:22:03 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7bg3-0006wY-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 10:22:03 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7bg1-0006Xd-DT; Thu, 09 Oct 2003 10:22:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7bfE-0006Vj-B4 for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 10:21:12 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA22198 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 10:21:02 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7bfC-0006w5-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 10:21:10 -0400
Received: from mm02snlnto.sandia.gov ([132.175.109.21] helo=mm02snlnto.son.sandia.gov) by ietf-mx with esmtp (Exim 4.12) id 1A7bfB-0006vv-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 10:21:09 -0400
Received: from 132.175.109.4 by MM01SNLNTO.son.sandia.gov with ESMTP ( Tumbleweed MMS SMTP Relay 01 (MMS v5.5.3)); Thu, 09 Oct 2003 08:20:21 -0600
Received: from ES01SNLNT.sandia.gov (es01snlnt.sandia.gov [134.253.130.4]) by mailgate2.sandia.gov (8.12.10/8.12.10) with ESMTP id h99EKL0M029992 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 08:20:21 -0600 (MDT)
Received: by es01snlnt.sandia.gov with Internet Mail Service ( 5.5.2653.19) id <4300N7JY>; Thu, 9 Oct 2003 08:20:21 -0600
Message-ID: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D08FC@es10snlnt.sandia.gov>
From: "Wachdorf, Daniel R" <drwachd@sandia.gov>
To: "'nfsv4@ietf.org'" <nfsv4@ietf.org>
Subject: FW: [nfsv4] Name Mappings for NFSv4 in Active Directory
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 139BB12F2355323-01-01
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 08:20:19 -0600
Date: Thu, 09 Oct 2003 08:20:19 -0600
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

Sorry, meant to send this to everyone.

First, I will work on getting an IETF draft of the document out.  

Second.  I think there are two areas of the problem. 1- How do the NFSv4
server/clients get the name mapping information. 2- Where is this
information stored?  

For the first part the RPC solution that you proposed works.  I do believe
that the caching of this information should be done by the NFSv4 server, not
by the RPC mapping service. 

However, the mappings need to co-inside with the user/group information
already in existence within the enterprise.  One way to do this would be
integrate the name mapping with Active Directory.  I am sure there will be
proposals to store it in other Directories.

Also, I think that direct communication between the NFSv4 server/clients and
Directory services is probably the best way to go.  Sure, communicated with
an RPC service that just stores the mappings will be faster, but if the RPC
service then has to communicate with a back end directory service, its
better to just have the NFSv4 servers talk directly to that backend
directory service.

As for the comment below, the Active Directory mapping solution could easily
allow the re-use of foreign security principals.  The altSecurityIdenties
attribute is multi-valued, so if a user changes their foreign identity, ie -
john@foreign.realm becomes johnsmith@foreign.realm, you have an entry for
each of these within the altSecurityIdentites attribute.

-----Original Message-----
From: Nicolas Williams [mailto:Nicolas.Williams@sun.com] 
Sent: Wednesday, October 08, 2003 4:09 PM
To: Wachdorf, Daniel R
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] Name Mappings for NFSv4 in Active Directory

On Wed, Oct 08, 2003 at 04:03:40PM -0600, Wachdorf, Daniel R wrote:
> I have seen that.  Is document describes a way of providing that same
> functionality (minus the communication piece) by placing this in active
> directory.
> This would allow:
> 	-foreign security principals to have group information associated
> with them.  You could add a foreign security principal into a local
> active directory group.

My draft does not address this one feature, but that's because the issue
is somewhat orthogonal to the mapping strategy itself - once you've
mapped foreign users you can make them members of groups in your domain
(yes, there be other details).

> 	-provides long term storage for a mapping of UID/GID to nfsv4 names.
> This is useful if file systems are replicated, or written to long-term
> backup mechanisms.
> 	-on the fly creation of UIDS/GIDS. (they would have be synchronized
> with the directory service).

Sounds good to me so far.

Of course, I'm interested in a solution that is not specific to
ActiveDirectory.

Besides that I'm curious as to how you address foreign domain user and
group name changes.  I solve the problem by making the permanent index
to foreign mappings be the tuple

{internal ID at foreign domain, foreign domain}

while counting on internal IDs not being reused without fair warning.


As an optimization my draft also allows for caching

user/group@domain <-> {foreign internal ID, foreign domain}

mappings for as long as a given name's foreign domain guarantees that a
name won't be reused.  I.e., if "jane@foobar.com" is renamed
"jane.doe@foobar.com" then the old name ("jane@foobar.com") won't be
re-used for X amount of time, which time is the max for which we can
cache the "jane@foobar.com" mapping.


Nico
-- 


_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email