RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
"Wachdorf, Daniel R" <drwachd@sandia.gov> Thu, 09 October 2003 19:36 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06537 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 15:36:26 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZw-0002JX-GG for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 15:36:04 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99Ja4uk008895 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 15:36:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZw-0002IZ-5y for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 15:36:04 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06470 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 15:35:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gZu-0003Gq-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:36:02 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7gZu-0003Gn-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:36:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gZt-0002I1-Iq; Thu, 09 Oct 2003 15:36:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gYw-0002Gx-K7 for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 15:35:02 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06414 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 15:34:54 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gYu-0003Fy-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:35:01 -0400
Received: from mm02snlnto.sandia.gov ([132.175.109.21] helo=mm02snlnto.son.sandia.gov) by ietf-mx with esmtp (Exim 4.12) id 1A7gYp-0003FH-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:34:55 -0400
Received: from 132.175.109.4 by mm02snlnto.son.sandia.gov with ESMTP ( Tumbleweed MMS SMTP Relay 01 (MMS v5.5.3)); Thu, 09 Oct 2003 13:34:00 -0600
Received: from es08snlnt.sandia.gov (smtp-in.sandia.gov [134.253.130.11] ) by mailgate2.sandia.gov (8.12.10/8.12.10) with ESMTP id h99JY00M028244; Thu, 9 Oct 2003 13:34:00 -0600 (MDT)
Received: by es08snlnt.sandia.gov with Internet Mail Service ( 5.5.2653.19) id <41WMNSHR>; Thu, 9 Oct 2003 13:34:00 -0600
Message-ID: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D0906@es10snlnt.sandia.gov>
From: "Wachdorf, Daniel R" <drwachd@sandia.gov>
To: "'wurzl, mario'" <wurzl_mario@emc.com>, "Wachdorf, Daniel R" <drwachd@sandia.gov>
cc: nfsv4@ietf.org
Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-WSS-ID: 139B67A22024242-01-01
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 13:33:58 -0600
Date: Thu, 09 Oct 2003 13:33:58 -0600
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
> -----Original Message----- > From: wurzl, mario [mailto:wurzl_mario@emc.com] > Sent: Thursday, October 09, 2003 1:23 PM > To: 'Wachdorf, Daniel R' > Cc: nfsv4@ietf.org > Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory > > The unique purpose of the attribute 'altSecurityIdenities', is to enable > users from trusted realms, but not from trusted domains to access Windows > resources. It is not intended to be used for users of trusted Windows > domains, but for users from MIT realms, or non-trusted Windows domains. > The main problem with the use of 'altSecurityIdenities', is the need to > create a shadow account on the local domain for each trusted user. It > means > administrative overhead, and duplication of accounts, which may lead to > security problems, and goes against policies in the large majority of > corporations, which do not want an user to have more than one account in > the > Windows environment. I agree this is a problem with the approach. I would be interested in hearing other peoples approach to talking this problem. I wrote the document to explain a few discussions I had with Andy at the NFSv4conf. I was hoping to open up some discussion to figure out how to integrate Active Directory with NFSv4 with support for foreign realms. > Real time creation of accounts by a server, may create a HUGE security > vulnerability in an organization. User accounts created by a server (NFSv4 > or other), have potential access to the Windows resource on the forest > where > the account has been created. System administrators have very little > control > on dynamically created accounts. > Like the use of the 'altSecurityIdenities' attribute as described in the > document, dynamically created user accounts would be unacceptable from a > corporate policy point of view. > It also implies that Unix based NFS servers would have to implement the > mechanism to create Computer accounts in a Windows domain, which is quite > complex, and does not provide any value add to UNIX systems. It's not that huge. You can create the accounts and have them disabled, but I do see the problems with it. I personally think all the accounts should be mapped before hand. I understand that this may not be the best approach for everyone. > The document also mentions "SPNEGO protected Web pages". > SPNEGO is not a security mechanism, and therefore cannot protect any > resource. The only purpose of SPNEGO is to negotiate a security mechanism > under the GSSAPI. When I stated SPNEGO I meant "Windows Enabled Web Authentication" We (my group and sandia)frequently call it SPNEGO. We use it to do Kerberos authentication to web pages. > What Microsoft calls PAC is the Kerberos Authorization Data Field, and > contains the user SID and the SIDs of the groups the user is a member off. > It may include groups from other domain in the forest that the user might > be > a member off. > > Mario > > -----Original Message----- > From: Wachdorf, Daniel R [mailto:drwachd@sandia.gov] > Sent: Wednesday, October 08, 2003 5:35 PM > To: nfsv4@ietf.org > Subject: [nfsv4] Name Mappings for NFSv4 in Active Directory > > > I have been working with CITI on finding a way to use Active Directory to > use map NFSv4 names into active directory user accounts. I wrote a > document > that describes a scheme to map NFSv4 names and authentication principals > into an Active Directory Domain. > I would be interested in what the members of the list thought. Thanks. > > -dan > > -------------------------------------- > Daniel Wachdorf > drwachd@sandia.gov > Sandia National Laboratories > System Security Research and Integration > 505-284-8060 > > > _______________________________________________ nfsv4 mailing list nfsv4@ietf.org https://www1.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Name Mappings for NFSv4 in Active Directo… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… William A.(Andy) Adamson
- FW: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: FW: [nfsv4] Name Mappings for NFSv4 in Active… Nicolas Williams
- FW: FW: [nfsv4] Name Mappings for NFSv4 in Active… Wachdorf, Daniel R
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… wurzl, mario
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: FW: FW: [nfsv4] Name Mappings for NFSv4 in Ac… Nicolas Williams