IETF Logo Mail Archive

RE: [nfsv4] Name Mappings for NFSv4 in Active Directory

"Wachdorf, Daniel R" <drwachd@sandia.gov> Thu, 09 October 2003 19:36 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06537 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 15:36:26 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZw-0002JX-GG for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 15:36:04 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99Ja4uk008895 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 15:36:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZw-0002IZ-5y for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 15:36:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06470 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 15:35:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gZu-0003Gq-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:36:02 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7gZu-0003Gn-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:36:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZt-0002I1-Iq; Thu, 09 Oct 2003 15:36:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gYw-0002Gx-K7 for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 15:35:02 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06414 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 15:34:54 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gYu-0003Fy-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:35:01 -0400
Received: from mm02snlnto.sandia.gov ([132.175.109.21] helo=mm02snlnto.son.sandia.gov) by ietf-mx with esmtp (Exim 4.12) id 1A7gYp-0003FH-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:34:55 -0400
Received: from 132.175.109.4 by mm02snlnto.son.sandia.gov with ESMTP ( Tumbleweed MMS SMTP Relay 01 (MMS v5.5.3)); Thu, 09 Oct 2003 13:34:00 -0600
Received: from es08snlnt.sandia.gov (smtp-in.sandia.gov [134.253.130.11] ) by mailgate2.sandia.gov (8.12.10/8.12.10) with ESMTP id h99JY00M028244; Thu, 9 Oct 2003 13:34:00 -0600 (MDT)
Received: by es08snlnt.sandia.gov with Internet Mail Service ( 5.5.2653.19) id <41WMNSHR>; Thu, 9 Oct 2003 13:34:00 -0600
Message-ID: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D0906@es10snlnt.sandia.gov>
From: "Wachdorf, Daniel R" <drwachd@sandia.gov>
To: "'wurzl, mario'" <wurzl_mario@emc.com>, "Wachdorf, Daniel R" <drwachd@sandia.gov>
cc: nfsv4@ietf.org
Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 139B67A22024242-01-01
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 13:33:58 -0600
Date: Thu, 09 Oct 2003 13:33:58 -0600
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit


> -----Original Message-----
> From: wurzl, mario [mailto:wurzl_mario@emc.com]
> Sent: Thursday, October 09, 2003 1:23 PM
> To: 'Wachdorf, Daniel R'
> Cc: nfsv4@ietf.org
> Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
> 
> The unique purpose of the attribute 'altSecurityIdenities', is to enable
> users from trusted realms, but not from trusted domains to access Windows
> resources. It is not intended to be used for users of trusted Windows
> domains, but for users from MIT realms, or non-trusted Windows domains.
> The main problem with the use of 'altSecurityIdenities', is the need to
> create a shadow account on the local domain for each trusted user. It
> means
> administrative overhead, and duplication of accounts, which may lead to
> security problems, and goes against policies in the large majority of
> corporations, which do not want an user to have more than one account in
> the
> Windows environment.

I agree this is a problem with the approach.  I would be interested in
hearing other peoples approach to talking this problem.  I wrote the
document to explain a few discussions I had with Andy at the NFSv4conf. I
was hoping to open up some discussion to figure out how to integrate Active
Directory with NFSv4 with support for foreign realms.

> Real time creation of accounts by a server, may create a HUGE security
> vulnerability in an organization. User accounts created by a server (NFSv4
> or other), have potential access to the Windows resource on the forest
> where
> the account has been created. System administrators have very little
> control
> on dynamically created accounts.
> Like the use of the 'altSecurityIdenities' attribute as described in the
> document, dynamically created user accounts would be unacceptable from a
> corporate policy point of view.
> It also implies that Unix based NFS servers would have to implement the
> mechanism to create Computer accounts in a Windows domain, which is quite
> complex, and does not provide any value add to UNIX systems.

It's not that huge.  You can create the accounts and have them disabled, but
I do see the problems with it.  

I personally think all the accounts should be mapped before hand. I
understand that this may not be the best approach for everyone. 


> The document also mentions "SPNEGO protected Web pages".
> SPNEGO is not a security mechanism, and therefore cannot protect any
> resource. The only purpose of SPNEGO is to negotiate a security mechanism
> under the GSSAPI.
 
When I stated SPNEGO I meant "Windows Enabled Web Authentication"  We (my
group and sandia)frequently call it SPNEGO.  We use it to do Kerberos
authentication to web pages. 


> What Microsoft calls PAC is the Kerberos Authorization Data Field, and
> contains the user SID and the SIDs of the groups the user is a member off.
> It may include groups from other domain in the forest that the user might
> be
> a member off.
> 
> Mario
> 
> -----Original Message-----
> From: Wachdorf, Daniel R [mailto:drwachd@sandia.gov]
> Sent: Wednesday, October 08, 2003 5:35 PM
> To: nfsv4@ietf.org
> Subject: [nfsv4] Name Mappings for NFSv4 in Active Directory
> 
> 
> I have been working with CITI on finding a way to use Active Directory to
> use map NFSv4 names into active directory user accounts. I wrote a
> document
> that describes a scheme to map NFSv4 names and authentication principals
> into an Active Directory Domain.
> I would be interested in what the members of the list thought.  Thanks.
> 
> -dan
> 
> --------------------------------------
> Daniel Wachdorf
> drwachd@sandia.gov
> Sandia National Laboratories
> System Security Research and Integration
> 505-284-8060
> 
> 
> 



_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email