IETF Logo Mail Archive

[nfsv4] Re: Feedback on user ID for any bis work

Rick Macklem <rick.macklem@gmail.com> Fri, 16 August 2024 19:17 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E224C14F6B0 for <nfsv4@ietfa.amsl.com>; Fri, 16 Aug 2024 12:17:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YbBhPuFwSfB7 for <nfsv4@ietfa.amsl.com>; Fri, 16 Aug 2024 12:17:39 -0700 (PDT)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E0F5C14F698 for <nfsv4@ietf.org>; Fri, 16 Aug 2024 12:17:39 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id 98e67ed59e1d1-2d3d7a1e45fso1213471a91.3 for <nfsv4@ietf.org>; Fri, 16 Aug 2024 12:17:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723835859; x=1724440659; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Av0isP6uhYkaINdI2eiHWuReSFE3EG4JRkZnRx/41Mk=; b=IAiSe9mCj8WRFKJgWU0WgLbzNczKHqzG3o6gSWta7M5Bis95t38ya2kVjA/1UcMEFA zs1NGn+MyKi9aO81JTts3689xUHWNk8xbkV95y/ehACGljRBm3nCEaejpSS2RHBkbOVB fNqUtQQbow+bN0OOzZnRRfY9chsD5XjgNQBJqrxgY0L1EVo+ebHJ5RuK+OuMsrEag/JK EE0RPjZh3giWZDEbW3L1MEJ2dVZe8ePJwk1Hgk2x2JyTk6Ys2HH7nfoF1i448LgXXU67 GDF6qxUQ9Vk3fhz2APIfSviYOndXiNiCYgDiNPZXvtu2uU9RpSVgMZgiuCPyzp6DLSrF 3FTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723835859; x=1724440659; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Av0isP6uhYkaINdI2eiHWuReSFE3EG4JRkZnRx/41Mk=; b=VJZs1IXMTYqb8ZZrYINquCCsHi4Of4fY4oL9Dx6lEvV38tLGU5k8s4NVvNVlA1ZK2U RTyL6ppn7n2mfyThYm0BZHP7d+C55E1EoNh7mNoa/JxUTgcQJ9PYvSfPOYe5/yDtlv/D S1MEQg0gTv5KFmXAuCoJ3NShQ4ahd3mNAqL/hxb7+AsDwmGPkC3r6MJol+b0htSqaVaY VhCKg9L9T3w/j57kH1U/iBHB8j7wEWV42idpxCaJEjZkWDA376I9CEHNaRkGkjfMvtsk TFvIgMHuCZ8r0MQAwdGQdY032+ASJAYU4oUykfprx9h9J6zAs/ELHu1DXusjDFHZ733x zNzA==
X-Forwarded-Encrypted: i=1; AJvYcCVzMGllH/tsw9w1DuB+VUj6GjUZT6fcPjAjHlHGOp7Ao7TekpEFWt5zoXuyQF1LVXQ1moktC4j+QIkiZ/v7eg==
X-Gm-Message-State: AOJu0YyWPy7mIBR92VE8hwYZA/9TZOtLmXMOztTCqpqMFrtUS8AL/EJF xRa2ABDyu1+nL0teKVJfxBLesFPaYZNYuFsuaLYeLGF0iBNKYkc9JjEF4XaH8WZxNPplNd/JJ/K q7ViEu4FYvxlK3DnoxxDDcQ2xlA==
X-Google-Smtp-Source: AGHT+IFJ147wIu3ce49irJSld1QIfjJPGy/AvCQbc2Vr9NFcROwhS/iB4cFDEJV0DMZnCRNZMQ7yEAKO/jiFcpsb/LE=
X-Received: by 2002:a17:90a:8ca:b0:2c9:9f50:3f9d with SMTP id 98e67ed59e1d1-2d3dfdaaca2mr4178039a91.5.1723835858348; Fri, 16 Aug 2024 12:17:38 -0700 (PDT)
MIME-Version: 1.0
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
In-Reply-To: <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 16 Aug 2024 12:17:27 -0700
Message-ID: <CAM5tNy7ELwEbE5z_VMC0ghePcMzkHAcEJDs4skvnxH4XJpeWLA@mail.gmail.com>
To: Chuck Lever III <chuck.lever=40oracle.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fcf3c2061fd1cf85"
Message-ID-Hash: RGGLAEGDXBDWQYKRNIZE5M57MZWPKEUK
X-Message-ID-Hash: RGGLAEGDXBDWQYKRNIZE5M57MZWPKEUK
X-MailFrom: rick.macklem@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-nfsv4.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: NFSv4 <nfsv4@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/71e-4GLyz0BYKHy0kXSI3UcBDdQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Owner: <mailto:nfsv4-owner@ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Subscribe: <mailto:nfsv4-join@ietf.org>
List-Unsubscribe: <mailto:nfsv4-leave@ietf.org>

On Fri, Aug 16, 2024 at 9:26 AM Chuck Lever III <chuck.lever=
40oracle.com@dmarc.ietf.org> wrote:

>
>
> > On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
> >
> > Dave, All,
> >
> > INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
> >
> > We need this super brief conversation in one of the interim meetings
> about how user identity is communicated across NFSv4, and there are 2
> options, UID/GID ‘integer's and then loosely defined ‘string’.  So I’ve
> been digging into this and I would say, most definitely, do NOT remove the
> string.  So what I can see so far, is that UID/GID numbers are used when
> auth ‘sys’ is the selected mechanism, where current the string is used when
> auth is tied to GSS-API.  As far as I can tell, the kerberos principal name
> should be the string in the field.  I certainly don’t yet have a full
> understanding about how everything is connected together.  (Just sending
> the principal is nice and everything, but you want to be able to verify it,
> and HOLY RAT HOLE ROBIN is that confusing in practice.)
> >
> > So, the thing I’m trying to make sense of, how hard would it be to
> support TLS identities (X.509 certs really) instead of Kerberos.
>
> A perhaps subtle distinction here:
>
> The current RPC-with-TLS protocol uses x.509 explicitly only for
> authenticating
> network peers (ie, hosts). RFC 9289 even says "not for user
> authentication". So
> I think the term "TLS" here is probably misplaced.
>
> You instead want to invent a new RPC security flavor or flavors that
> authenticates
> users (or, dare I say it, to extend GSSAPI to handle this for us) via an
> x.509
> certificate, or OAuth, or such like. Nothing to do with transport layer
> security,
> which doesn't know from users.
>
There is the specific case Chuck named "TLS identity squashing", where
the client's X.509 cert. identifies a single user for all RPCs done
via the TLS session.

This works ok for cases where the client is just a single user, such
as a mobile device.

As for making the Windows world work, I do not have any experience,
but a site in Sweden does it by using Windows AD as the Kerberos KDC.
(Not saying it is easy, but they do seem to make it work. I can give
you his email, if you are interested in finding out more.)

rick


>
> > That also opens a fairly different control domain.  Kerberos is well
> suited to local enterprise control.  You can do that with X.509, but
> really, my anecdotal experience says, X.509 certs for enterprise are too
> heavy a lift, but they’re the answer when you want a more global identity.
> That raises the question of target users of NFS protocol.  And if we’re (or
> maybe that’s just me doing it?) opening a wound there – then maybe we want
> to be able to support authentication and authorization that is more cloud
> compatible, which is potentially more than X.509.
> >
> > These are just thoughts and feedback on some discussions.
> >
> > Chris
> >
> >
> > P.S.
> >
> > The complexity of auth is BONKERS!!!  So to kind of dig into this I have
> a freenas server running with ZFS as the backing store.  It’s the FreeBSD
> variant 13.0 stream.  I then deployed an LDAP and Kerberos solution
> (freeipa on Fedora) to have that running on an RPi4.  (This is all in my
> house, by the way.) For clients, I have a _real_ menagerie of machines: Mac
> OS 14.6, RPi Raspbian, FreeBSD, and Win 11.  For fun, that means NFS
> versions running are:  Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2,
> FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.  I can get most of the unixen to at
> least get a Kerberos user principal TGT.  Machine-to-machine, host
> principals are still a bit of a challenge.  The Windows machine seemingly
> would rather piss in my Cheerios than do what I want.  (What engineer where
> convinced their UI people to be able to give error messages as ‘1450
> resource unavailable’ and then you need to type `net helpmsg 1450` to get
> an actual error message, which is completely useless anyway?  That person
> is either my hero or the devil.) And while Windows doesn’t want to
> cooperate at all, the unixen management of authentication identities is its
> own entire disjoint universe!  ‘SSSD' on Linux, ‘nfsuserd' on FreeBSD, and
> I haven’t even tried to cross that bridge on Mac.  So I’m still trying to
> get this collection of stuff to attempt to do full kerberos/gss-api
> negotiation on a mount.
> >
> >
> > Maybe this is why people run with auth sys!
>
> No "maybe" about it, this /is/ why people stick with auth_sys.
>
>
> --
> Chuck Lever
>
>
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
>

v2.39.1 | Report a Bug | By Email | System Status