[nfsv4] Re: Feedback on user ID for any bis work

Chris Inacio <inacio@cert.org> Mon, 19 August 2024 05:23 UTC

From: Chris Inacio <inacio@cert.org>
To: Rick Macklem <rick.macklem@gmail.com>
Date: Mon, 19 Aug 2024 05:23:11 +0000
Message-ID: <606EAABF-83EF-48D0-88F9-D835C78896FE@cert.org>
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <CAM5tNy7+oEc_k0pBLPCzP-ZDzTBThk3XpnWt2R9cQ6NiVw0+zw@mail.gmail.com>
In-Reply-To: <CAM5tNy7+oEc_k0pBLPCzP-ZDzTBThk3XpnWt2R9cQ6NiVw0+zw@mail.gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/RYD5afPCfeNH1WxRHApSbaKOKAk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4>

> 
> Chris
> 
> 
> P.S.
> 
> The complexity of auth is BONKERS!!!  So to kind of dig into this I have a freenas server running with ZFS as the backing store.  It’s the FreeBSD variant 13.0 stream.  I then deployed an LDAP and Kerberos solution (freeipa on Fedora) to have that running on an RPi4.  (This is all in my house, by the way.) For clients, I have a _real_ menagerie of machines: Mac OS 14.6, RPi Raspbian, FreeBSD, and Win 11.  For fun, that means NFS versions running are:  Mac OS 14.0 - NFSv4.0, Raspbian/Linux NFSv4.2, FreeBSD 13.x - NFSv4.1, Win 11 - NFSv3.  I can get most of the unixen to at least get a Kerberos user principal TGT.  Machine-to-machine, host principals are still a bit of a challenge.  The Windows machine seemingly would rather piss in my Cheerios than do what I want.  (What engineer convinced their UI people to be able to give error messages as ‘1450 resource unavailable’ and then you need to type `net helpmsg 1450` to get an actual error message, which is completely useless anyway?  That person is either my hero or the devil.) And while Windows doesn’t want to cooperate at all, the unixen management of authentication identities is its own entire disjoint universe!  ‘SSSD’ on Linux, ‘nfsuserd’ on FreeBSD, and I haven’t even tried to cross that bridge on Mac.  So I’m still trying to get this collection of stuff to attempt to do full kerberos/gss-api negotiation on a mount.
> As a complete aside, the CITI NFSv4.1 client for Windows has been worked on
> lately and it would be really nice if someone could install/test it.
> (I just do not have a Windows system that could do it.)
> Since you mentioned Windows11 with NFSv3, I thought you just might be
> interested. In case you or anyone else has not seen the announcement,
> you can find it here:
> https://marc.info/?l=linux-nfs&m=172298210520795&w=4
> 
> rick
> 
> 

[ci] I actually built this a week or two ago on my win11 machine.  I haven’t installed it though.  My win11 machine is a tiny little underpowered box.  (My son’s Win11 gaming machine is not so underpowered (or tiny), but I digress…) Anyway, I could try to install it and test it some.  I was irritated at the DFS hack you have to do and that it requires Cygwin in order to really do its thing.

[ci] Maybe I’ll have the day job purchase a not unreasonable, but small, win11 machine for me to do some of this testing.


> 
> Maybe this is why people run with auth sys!
> 
> 
> _______________________________________________
> nfsv4 mailing list -- nfsv4@ietf.org
> To unsubscribe send an email to nfsv4-leave@ietf.org
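The identity tangle described in the P.S. above (Kerberos principals on one side, SSSD or nfsuserd turning NFSv4 owner strings into local UIDs on the other, and AUTH_SYS as the escape hatch) comes down to a few mapping rules, and seeing them side by side shows why a mixed lab ends up with every file owned by nobody. The Python below is an added example written for this archive page; it is not code from the thread, from FreeBSD, from Linux nfs-utils, from SSSD or from FreeIPA. It models the RFC 7530 section 5.9 rule that owners travel as user@dns_domain strings and that an unresolvable owner becomes nobody, plus a simplified realm-to-NFSv4-domain table standing in for an idmapper's realm configuration. The domain and realm names, UIDs and directory contents are constructed sample data, and NOBODY_UID and the shape of the realm table are assumptions rather than any implementation's actual configuration.

```python
"""Model of NFSv4 identity resolution: owner strings, idmap domains, and
AUTH_SYS versus RPCSEC_GSS/krb5 credentials.

Added example, not code from this thread or from any NFS implementation.
Names, UIDs and realms below are constructed sample data.
"""

from dataclasses import dataclass, field

NOBODY_UID = 65534  # conventional 'nobody'/'nfsnobody'; assumption, varies per OS


@dataclass(frozen=True)
class IdMapper:
    """One host's idmapper view: its NFSv4 domain, its directory (LDAP/FreeIPA
    or passwd) as name -> uid, whether bare numeric owners are accepted (what
    Linux does for AUTH_SYS mounts with nfs4_disable_idmapping, its default),
    and a Kerberos realm -> NFSv4 domain table (simplified assumption)."""
    nfs4_domain: str
    passwd: dict[str, int]
    allow_numeric: bool = False
    realms: dict[str, str] = field(default_factory=dict)

    def owner_to_uid(self, owner: str) -> int:
        """Map a wire owner string to a local UID; 'nobody' when unresolvable."""
        if owner.isdigit():
            return int(owner) if self.allow_numeric else NOBODY_UID
        user, sep, domain = owner.rpartition("@")
        if not sep:
            return NOBODY_UID
        # Domain comparison is case-insensitive. A foreign domain is the classic
        # cause of "everything is owned by nobody": two hosts whose idmappers
        # disagree on the NFSv4 domain cannot name each other's users.
        if domain.lower() != self.nfs4_domain.lower():
            return NOBODY_UID
        return self.passwd.get(user, NOBODY_UID)

    def uid_to_owner(self, uid: int) -> str:
        """Inverse mapping, used when a server reports an owner to a client."""
        for name, u in self.passwd.items():
            if u == uid:
                return f"{name}@{self.nfs4_domain}"
        return f"nobody@{self.nfs4_domain}"

    def principal_to_uid(self, principal: str) -> int:
        """Resolve an authenticated 'user@REALM' principal: translate the realm
        to an NFSv4 domain, then look the user up like any other owner."""
        user, sep, realm = principal.rpartition("@")
        if not sep or realm not in self.realms:
            return NOBODY_UID
        return self.owner_to_uid(f"{user}@{self.realms[realm]}")


def effective_uid(server: IdMapper, flavor: str, cred: str,
                  root_squash: bool = True) -> int:
    """UID the server acts as for one request.

    "sys":  cred is the UID the *client* asserted (AUTH_SYS). The server
            believes it unconditionally; any host that can reach the export
            can claim any UID, and root_squash only demotes UID 0.
    "krb5": cred is the principal the GSS handshake proved, so the UID comes
            from the server's own directory, never from the client.
    """
    if flavor == "sys":
        uid = int(cred)
        return NOBODY_UID if (root_squash and uid == 0) else uid
    if flavor == "krb5":
        return server.principal_to_uid(cred)
    raise ValueError(f"unsupported auth flavor {flavor!r}")


def demo() -> dict[str, int]:
    """The cases a mixed-OS lab trips over; returned so they can be checked."""
    server = IdMapper(nfs4_domain="home.example",
                      passwd={"chris": 1001, "rick": 1002},
                      realms={"HOME.EXAMPLE": "home.example"})
    sys_client = IdMapper(nfs4_domain="home.example",
                          passwd={"chris": 1001}, allow_numeric=True)
    return {
        "krb5 principal in the local realm": effective_uid(server, "krb5", "chris@HOME.EXAMPLE"),
        "krb5 principal from an unknown realm": effective_uid(server, "krb5", "chris@LAB.EXAMPLE"),
        "owner from a client with a mismatched domain": server.owner_to_uid("chris@lab.example"),
        "AUTH_SYS client claiming uid 1002, no proof needed": effective_uid(server, "sys", "1002"),
        "AUTH_SYS client claiming root, squashed": effective_uid(server, "sys", "0"),
        "numeric owner on a krb5 idmapper is rejected": server.owner_to_uid("1001"),
        "numeric owner on an AUTH_SYS client is taken at face value": sys_client.owner_to_uid("4242"),
    }


if __name__ == "__main__":
    for case, uid in demo().items():
        print(f"{case}: uid {uid}")
```

The last two cases are the AUTH_SYS point: the server acts as whatever UID the client put in the RPC credential, so on an export that does not require sec=krb5 the only thing between a host on the network and any user's files is root_squash, which covers UID 0 alone. The mismatched-domain case is the first thing to check when a krb5 mount appears to work but every file shows up as nobody: compare the NFSv4 domain each idmapper is configured with on the client and on the server.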