Re: [nfsv4] New version of NFSv4 multi-domain access draft (

"William A. (Andy) Adamson" <> Thu, 07 October 2010 17:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A60D23A6FA0 for <>; Thu, 7 Oct 2010 10:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, J_CHICKENPOX_46=0.6]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pkf5-AI5-2Gq for <>; Thu, 7 Oct 2010 10:25:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 358F23A6F76 for <>; Thu, 7 Oct 2010 10:25:27 -0700 (PDT)
Received: by iwn10 with SMTP id 10so94710iwn.31 for <>; Thu, 07 Oct 2010 10:26:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=yuMo4tcx/9YoqhzIW4yfqigwtyrJDqcV/KT/wyuPXxo=; b=oEnQUmW+Yq9yhjoTSzG6NbA2EWmapoSy81xHof0pRbMN7LhaM/BftVvpQfHnvENk08 Ob6T/8YbaiPOm06cQ+Z00xpxRyTJfJsXwtNTbTq5tSZUSjr6+nVfYDmzVjGJGt5Pk9qZ 7gGomt0L2IrVdF2ip14qco5Dz/2EcMiZyjIzQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=OpX+k+wZb1b3W5Tf+hmYaqv1cNPbh8cxCSU/gZpBzTZJhQUcE3kjp9FEIaGcNZ6wBx a9o3NqhissyDgQQj63BQXYJVoSJq9T6/GEiOzmnNExF9xmOOHqov4njfN/wRRzhsU9mo r0OGek/W4K3CTFwLSPeLfL8cJf1EPuVEdotKk=
MIME-Version: 1.0
Received: by with SMTP id p11mr1152073ibp.179.1286472389833; Thu, 07 Oct 2010 10:26:29 -0700 (PDT)
Received: by with HTTP; Thu, 7 Oct 2010 10:26:29 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Thu, 07 Oct 2010 13:26:29 -0400
Message-ID: <>
From: "William A. (Andy) Adamson" <>
To: "Everhart, Craig" <>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: NFSv4 <>
Subject: Re: [nfsv4] New version of NFSv4 multi-domain access draft (
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Oct 2010 17:25:28 -0000

On Thu, Oct 7, 2010 at 12:19 PM, Everhart, Craig
<> wrote:
> Couple of things I wonder about here.
> The draft goes to some lengths to claim that an NFS server's use of
> "name@domainname" would be problematic because of difficulties keeping
> up with accounts ("a severe constraint"), and that servers "really ought
> not" store authz entities in that form.  While I don't agree with either
> of these, I don't think that my objections are material to the point of
> the draft.


> Instead, if I'm reading correctly, this is a presentation about how to
> do ID mapping with 32-bit or 64-bit IDs, with name service assistance.

The intention is describe possible implementation strategies for all
combinations of ID mapping: large ID -> small ID, small ID -> large
ID, and large ID -> large ID when the large IDs are of different
formats. We have not finished this job.

> I think that the draft could make the point about the prevalence of such
> servers without needing to critique other representations.

No critique intended.

> Perhaps (but
> not _required_) the draft could deal with the interoperability of
> servers, some of which use integers for IDs and some which use
> name@domainname, in the kind of FedFS scenario you describe.

Yes, that is our intention.  BTW do you know of any file systems that
store name@domainname on disk?

> I eagerly await the 5.4.3 text, or even the plans.  What's a "domain" in
> this context?

The DNS Domain presented to a server in name@domain

> How does a server tell if it is in one?

Every NFSv4 server is in a domain, and needs to be able to return a
canonical name@domain for each local representation of a user or
group. (second bullet in section 3)

>  Does a client
> need to know?

Yes - to perform a setacl which sends name@domain on the wire.

> What is a "domain-local ID"?

>From section 4 :

      Domain-local ID: Most installations assign numeric, local
      identifiers to users and groups, using a namespace local to their
      domain.  We call this a domain-local ID.

> In section 5.2.1, what's the
> point to "assigning and publishing a unique ID to each DNS domain"?

To have a level of indirection between the on disk domain portion of
an ID and the actual DNS domain name to handle (admittedly rare) DNS
domain name changes. The reason to publish this is to allow remote
servers that are presented with the ID the ability to map back from
the numeric domain ID to the DNS domain name.

The windows SID does this.

> Isn't the DNS domain name good enough?

Mostly, as noted in section 5.2.

> Could we add an example to 6.2?  I can't tell if the first paragraph is
> a modest hole or a truck-sized hole.

Sure, or at least add more descriptive text about the different
possibilties  Section 7.1 describes an attribute for LDAP which is one
way to perform the mapping.  By 'hole' are you thinking a security
hole? (we should specify here that all mapping and name service
communications need to be over a secured channel).


>                Craig
>> -----Original Message-----
>> From: William A. (Andy) Adamson []
>> Sent: Thursday, September 30, 2010 1:40 PM
>> To: NFSv4
>> Subject: [nfsv4] New version of NFSv4 multi-domain access draft (
>> Hello
>> I uploaded a new version of our internet draft "NFSv4 Multi-Domain
>> Access"
>> Please have a look and give us any feedback.
>> There are a number of sections that need text. Here are some issues
>> that need discussion.
>> 1)  NFSv4 is not the only potential consumer. NFSv3, and SFTP, for
>> example. Do we mention these and/or other potential consumers.
>> 2) Section 5.4.3.  Resolving Domain Names to Domain IDs
>> We need to have a common way to map Domain Names to Domain IDs.
>> Currently we have two suggestions
>> - Just use SIDs, first asking MSFT to allocate a suitable authority
>> for non-Windows domain SIDs.
>> - Store 96-bit numeric IDs
>>      a) cast those to domain SIDs later.
>>      b) define a non-SID large ID format
>> 3) Section 6.1.2.  RPCSEC_GSS Authorization Context Credential Data
>> Do we want to define a new "PAC" for multi-domain access for those
>> implementations that don't provide the Windows PAC, or just insist
>> upon the use of the Microsoft PAC.
>> 4) General review of section 6.3.  User Group Membership Determination
>> - Do we depend upon 2307bis
>> - Do we require groups within groups
>> 5) Do we need a section on service discovery.  Two potential methods:
>> - Use local methods (configuration, DNS SRV RR lookups, ...) to
>>   discover local domain's servers, then depend on LDAP referrals for
>>   discovering all other domains' s
>> - Use DNS SRV RRs much the way AD does.ervers.
>> -->Andy
>> _______________________________________________
>> nfsv4 mailing list