[nfsv4] Re: numeric vs, name@domain representations of users and groups

David Noveck <davenoveck@gmail.com> Wed, 03 June 2026 18:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/V14_aDuZz7TIp4UtZKVdHbjLplc>

On Tue, Jun 2, 2026 at 2:09 PM Pali Rohár <pali-ietf-nfsv4@ietf.pali.im>
wrote:

> On Tuesday 02 June 2026 13:52:15 David Noveck wrote:
> > On Sun, May 31, 2026 at 10:47 PM Thomas Haynes <loghyr@gmail.com> wrote:
> >
> > > On Sun, May 31, 2026 at 10:04:59AM -0800, David Noveck wrote:
> > > > Previous specifications such as RFC5661 and RFC8881 had little useful to
> > > > say about this matter, leading to the text making this depend on use of
> > > > AUTH_SYS in the text regarding this in security-14.
> > > >
> > > > I have just discovered that RFC7530 takes pretty much the same approach and
> > > > intend to refer to RFC7530 in a forthcoming security-15 which will be
> > > > submitted within the next week together with rfc8881bis-08.
> > > >
> > > > IIRC, someone previously mentioned the existence of an implementation
> > > > that used name@domain together with AUTH_SYS, which RFC7530 says *SHOULD
> > > > NOT* be done.  Even apart from the whole "valid reasons" imbroglio,
> > >
> > > Where does it say that? I see that it says you SHOULD NOT use numeric
> > > ids with AUTH_KRB5.
> > >
> >
> > But in section 5.9 of rfc7530, it does say, "For any other security
> > mechanism, the server SHOULD accept such numeric values."  I guess that
> > makes it OK to accept both and I was mistaken in assuming that the numeric
> > form was recommended.  Nevertheless, the tone of the treatment is
> > miles/light-years away from the whole "you-might-*subvert*-the-switch-to
> > -name@domain" narrative in other documents.
>
> Section 5.9 of RFC8881 says:
>
> "To avoid this mechanism being used to subvert user and group
> translation, so that a client might pass all of the owners and groups in
> numeric form, a server SHOULD return an NFS4ERR_BADOWNER error when
> there is a valid translation for the user or owner designated in this
> way. In that case, the client must use the appropriate name@domain
> string and not the special form for compatibility."
>
> IMHO, this email discussion just shows that this topic is not clear what
> server or client MUST do or SHOULD do and what SHOULD NOT.
>
>

Right.  Two important sources of this lack of clarity:

   - My misreading of RFC7530, which Tom pointed out.
   - The fact that different specifications say different things and that
   the obvious quasi-solution, to treat v4.0 and v4.1 as having different
   requirements, results in a maintenance nightmare.

I'm going to make a proposal addressing current confusions in security-15.
There appears to be no reasonable chance of it being in
*draft-ietf-nfsv4-security-00* in any reasonable time frame.  I am hoping
to have participation from all sides on this and hope to have a discussion
at the next interim meeting.

I'm not anticipating this will achieve consensus but it will take a
coherent position on the issues so that we have a basis to argue what
should be in the security document so that we have a consensus that can
appear when the security document is ready for publication, assuming that
Gorry finds a way to resolve the adoption blockage.
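To make the v4.0 vs. v4.1 divergence discussed in this thread concrete, here is an added illustration (not code from this thread or from any NFS implementation) that models a server's owner-attribute decision under the two rule sets exactly as they are quoted above. The idmap table is constructed sample data, and treating the Kerberos case in RFC7530 as a rejection is an assumption of the model.

```python
"""Model of the numeric vs. name@domain owner rules quoted in this thread.

Added illustration only; the IDMAP table is constructed sample data and the
behaviours are a reading of the quoted RFC text, not any server's code.
"""
import re

# Constructed server-side translation table (uid -> name@domain).
IDMAP = {1000: "alice@example.com", 1001: "bob@example.com"}

NUMERIC = re.compile(r"^[0-9]+$")

def server_decision(owner: str, flavor: str, spec: str) -> str:
    """Decide how a server answers an incoming owner/owner_group value.

    owner  -- string sent by the client, e.g. "alice@example.com" or "1000"
    flavor -- "AUTH_SYS" or "AUTH_KRB5" (the names used in this thread)
    spec   -- "rfc7530" (v4.0 rules) or "rfc8881" (v4.1 rules)
    Returns "ACCEPT" or "NFS4ERR_BADOWNER".
    """
    if not NUMERIC.match(owner):
        # name@domain form: fine when the server can translate it.
        return "ACCEPT" if owner in IDMAP.values() else "NFS4ERR_BADOWNER"
    uid = int(owner)
    if spec == "rfc7530":
        # RFC7530 s5.9 as read above: numeric SHOULD NOT be used with
        # Kerberos (modelled as a rejection, an assumption here); with any
        # other mechanism the server SHOULD accept the numeric value.
        return "NFS4ERR_BADOWNER" if flavor == "AUTH_KRB5" else "ACCEPT"
    if spec == "rfc8881":
        # RFC8881 s5.9 as quoted: reject the numeric form whenever a valid
        # translation exists, so a client cannot bypass name mapping.
        return "NFS4ERR_BADOWNER" if uid in IDMAP else "ACCEPT"
    raise ValueError(f"unknown spec {spec!r}")

def divergences(uids=(1000, 4242), flavors=("AUTH_SYS", "AUTH_KRB5")):
    """List (uid, flavor, v4.0 answer, v4.1 answer) where the two differ.

    This is the 'different requirements per minor version' situation the
    thread calls a maintenance nightmare.
    """
    out = []
    for uid in uids:
        for flavor in flavors:
            a = server_decision(str(uid), flavor, "rfc7530")
            b = server_decision(str(uid), flavor, "rfc8881")
            if a != b:
                out.append((str(uid), flavor, a, b))
    return out

if __name__ == "__main__":
    for case in divergences():
        print(case)
```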