Re: [nfsv4] New version of NFSv4 multi-domain access draft (

"Everhart, Craig" <Craig.Everhart@netapp.com> Thu, 07 October 2010 16:18 UTC

Date: Thu, 07 Oct 2010 12:19:54 -0400
Message-ID: <E7372E66F45B51429E249BF556CEFFBC0ED7AD55@RTPMVEXC1-PRD.hq.netapp.com>
In-Reply-To: <AANLkTik=VhHs-7Dk4tOV4Bq-RxpJ-9HmEcUycaehRc6s@mail.gmail.com>
References: <AANLkTik=VhHs-7Dk4tOV4Bq-RxpJ-9HmEcUycaehRc6s@mail.gmail.com>
From: "Everhart, Craig" <Craig.Everhart@netapp.com>
To: "William A. (Andy) Adamson" <androsadamson@gmail.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [nfsv4] New version of NFSv4 multi-domain access draft (
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>

Couple of things I wonder about here.

The draft goes to some lengths to claim that an NFS server's use of
"name@domainname" would be problematic because of difficulties keeping
up with accounts ("a severe constraint"), and that servers "really ought
not" store authz entities in that form.  While I don't agree with either
of these, I don't think that my objections are material to the point of
the draft.

Instead, if I'm reading correctly, this is a presentation about how to
do ID mapping with 32-bit or 64-bit IDs, with name service assistance.
I think that the draft could make the point about the prevalence of such
servers without needing to critique other representations.  Perhaps (but
not _required_) the draft could deal with the interoperability of
servers, some of which use integers for IDs and some which use
name@domainname, in the kind of FedFS scenario you describe.

I eagerly await the 5.4.3 text, or even the plans.  What's a "domain" in
this context?  How does a server tell if it is in one?  Does a client
need to know?  What is a "domain-local ID"? In section 5.2.1, what's the
point to "assigning and publishing a unique ID to each DNS domain"?
Isn't the DNS domain name good enough?

Could we add an example to 6.2?  I can't tell if the first paragraph is
a modest hole or a truck-sized hole.

		Craig

> -----Original Message-----
> From: William A. (Andy) Adamson [mailto:androsadamson@gmail.com]
> Sent: Thursday, September 30, 2010 1:40 PM
> To: NFSv4
> Subject: [nfsv4] New version of NFSv4 multi-domain access draft (
> 
> Hello
> 
> I uploaded a new version of our internet draft "NFSv4 Multi-Domain
> Access"
> 
> http://www.ietf.org/id/draft-adamson-nfsv4-multi-domain-access-03.txt
> 
> Please have a look and give us any feedback.
> 
> There are a number of sections that need text. Here are some issues
> that need discussion.
> 
> 1)  NFSv4 is not the only potential consumer. NFSv3, and SFTP, for
> example. Do we mention these and/or other potential consumers?
> 
> 2) Section 5.4.3.  Resolving Domain Names to Domain IDs
> 
> We need to have a common way to map Domain Names to Domain IDs.
> Currently we have two suggestions
> - Just use SIDs, first asking MSFT to allocate a suitable authority
> for non-Windows domain SIDs.
> - Store 96-bit numeric IDs
>      a) cast those to domain SIDs later.
>      b) define a non-SID large ID format
> 
> 3) Section 6.1.2.  RPCSEC_GSS Authorization Context Credential Data
> 
> Do we want to define a new "PAC" for multi-domain access for those
> implementations that don't provide the Windows PAC, or just insist
> upon the use of the Microsoft PAC.
> 
> 4) General review of section 6.3.  User Group Membership Determination
> - Do we depend upon 2307bis
> - Do we require groups within groups
> 
> 5) Do we need a section on service discovery.  Two potential methods:
> - Use local methods (configuration, DNS SRV RR lookups, ...) to
>   discover local domain's servers, then depend on LDAP referrals for
>   discovering all other domains' servers.
> - Use DNS SRV RRs much the way AD does.
> 
> 
> -->Andy
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4
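The thread above argues about two representations of the same principal: the NFSv4 "name@domainname" owner string and a bare 32- or 64-bit numeric ID, plus the question of how a domain gets an ID that can later be cast to a SID. The following is an added example written for this page, not code from the draft, from NetApp, or from either poster. It models both representations on constructed data, shows the collision that a server which keeps only the domain-local integer runs into once two domains are involved, and shows one way a 96-bit domain ID could be cast to a SID-style string (option 2a in Andy's list). The name-service tables, the domain IDs, the 96-bit packing order and the SID identifier authority value 99 are all placeholders I chose for illustration; the draft does not fix any of them, and a real authority value would have to be allocated as the thread says.

```python
"""
Added example, not from draft-adamson-nfsv4-multi-domain-access or the
thread: models NFSv4 "name@domain" owner strings versus numeric IDs and
shows why a numeric ID needs a domain qualifier in a multi-domain setup.
All tables, domain IDs and the SID authority value are constructed.
"""
import re
from collections import defaultdict

# Constructed sample data standing in for each domain's name service
# (the LDAP / RFC 2307bis directory a real server would query).
NAME_SERVICE = {
    "example.com": {"alice": 1000, "bob": 1001},
    "example.org": {"carol": 1000, "alice": 2000},
}


def pack96(a: int, b: int, c: int) -> int:
    """Pack three 32-bit words into a 96-bit domain ID (assumed layout,
    chosen so it casts cleanly onto three SID sub-authorities)."""
    for w in (a, b, c):
        if not 0 <= w < 2**32:
            raise ValueError("sub-authority must fit in 32 bits")
    return (a << 64) | (b << 32) | c


# Assumed domain-name -> 96-bit domain ID registry; allocation is open
# in the draft (sec. 5.4.3), these values are placeholders.
DOMAIN_IDS = {
    "example.com": pack96(21, 1001, 1),
    "example.org": pack96(21, 2002, 2),
}

# Placeholder identifier authority for non-Windows domain SIDs. Not a
# real allocation; the thread notes one would have to be requested.
NON_WINDOWS_AUTHORITY = 99

OWNER_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)$")


def parse_owner(owner: str) -> tuple:
    """Split an NFSv4 owner/owner_group string into (name, domain).
    The domain half is a DNS name, hence case-insensitive."""
    m = OWNER_RE.match(owner)
    if not m:
        raise ValueError(f"not a name@domain owner string: {owner!r}")
    return m.group("name"), m.group("domain").lower()


def domain_local_id(owner: str) -> int:
    """What a server that stores bare 32-bit IDs keeps: the uid alone."""
    name, domain = parse_owner(owner)
    return NAME_SERVICE[domain][name]


def bare_uid_collisions(owners: list) -> dict:
    """Owner strings from different domains that collapse onto one bare
    uid. Any non-empty result is an authorization hole on a server that
    drops the domain half of the name."""
    seen = defaultdict(list)
    for o in owners:
        seen[domain_local_id(o)].append(o)
    return {uid: lst for uid, lst in seen.items() if len(lst) > 1}


def resolve(owner: str) -> tuple:
    """Domain-qualified form: (96-bit domain ID, domain-local uid)."""
    name, domain = parse_owner(owner)
    return DOMAIN_IDS[domain], NAME_SERVICE[domain][name]


def to_sid(domain_id: int, uid: int) -> str:
    """Cast (domain ID, uid) to S-1-<auth>-<s1>-<s2>-<s3>-<rid>."""
    if not 0 <= domain_id < 2**96 or not 0 <= uid < 2**32:
        raise ValueError("domain ID must be 96-bit, uid 32-bit")
    subs = [(domain_id >> shift) & 0xFFFFFFFF for shift in (64, 32, 0)]
    return "S-1-%d-%s-%d" % (NON_WINDOWS_AUTHORITY, "-".join(map(str, subs)), uid)


SID_RE = re.compile(r"^S-1-(\d+)-(\d+)-(\d+)-(\d+)-(\d+)$")


def from_sid(sid: str) -> tuple:
    """Inverse of to_sid; rejects SIDs under any other authority."""
    m = SID_RE.match(sid)
    if not m or int(m.group(1)) != NON_WINDOWS_AUTHORITY:
        raise ValueError(f"not a non-Windows domain SID: {sid!r}")
    s1, s2, s3, rid = (int(x) for x in m.groups()[1:])
    return pack96(s1, s2, s3), rid


def sid_to_owner(sid: str) -> str:
    """Map a SID back to name@domain, the form a client sees on the wire."""
    domain_id, uid = from_sid(sid)
    for domain, did in DOMAIN_IDS.items():
        if did == domain_id:
            for name, u in NAME_SERVICE[domain].items():
                if u == uid:
                    return f"{name}@{domain}"
    raise LookupError(f"no owner for {sid}")


if __name__ == "__main__":
    owners = ["alice@example.com", "carol@example.org", "bob@example.com"]
    print("bare-uid collisions:", bare_uid_collisions(owners))
    for o in owners:
        sid = to_sid(*resolve(o))
        print(o, "->", sid, "->", sid_to_owner(sid))
```

The point of `bare_uid_collisions` is Craig's "truck-sized hole" question in concrete form: alice@example.com and carol@example.org are distinct principals on the wire but the same integer 1000 on a server that keeps only the domain-local ID, so any ACL stored that way grants one the other's access. `resolve` and `to_sid` keep the pair apart by carrying the domain ID, and `from_sid` refuses SIDs under a different authority rather than silently treating a Windows domain SID as one of ours.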