[nfsv4] New version of NFSv4 multi-domain access draft (

"William A. (Andy) Adamson" <androsadamson@gmail.com> Thu, 30 September 2010 17:39 UTC

Date: Thu, 30 Sep 2010 13:40:23 -0400
Message-ID: <AANLkTik=VhHs-7Dk4tOV4Bq-RxpJ-9HmEcUycaehRc6s@mail.gmail.com>
From: "William A. (Andy) Adamson" <androsadamson@gmail.com>
To: NFSv4 <nfsv4@ietf.org>
Subject: [nfsv4] New version of NFSv4 multi-domain access draft (


I uploaded a new version of our internet draft "NFSv4 Multi-Domain Access"


Please have a look and give us any feedback.

There are a number of sections that need text. Here are some issues
that need discussion.

1) NFSv4 is not the only potential consumer. NFSv3, and SFTP, for
example. Do we mention these and/or other potential consumers?

2) Section 5.4.3.  Resolving Domain Names to Domain IDs

We need to have a common way to map Domain Names to Domain IDs.
Currently we have two suggestions
- Just use SIDs, first asking MSFT to allocate a suitable authority
for non-Windows domain SIDs.
- Store 96-bit numeric IDs
     a) cast those to domain SIDs later.
     b) define a non-SID large ID format

3) Section 6.1.2.  RPCSEC_GSS Authorization Context Credential Data

Do we want to define a new "PAC" for multi-domain access for those
implementations that don't provide the Windows PAC, or just insist
upon the use of the Microsoft PAC?

4) General review of section 6.3.  User Group Membership Determination
- Do we depend upon 2307bis
- Do we require groups within groups

5) Do we need a section on service discovery.  Two potential methods:
- Use local methods (configuration, DNS SRV RR lookups, ...) to
  discover local domain's servers, then depend on LDAP referrals for
  discovering all other domains' servers.
- Use DNS SRV RRs much the way AD does.
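The second option under issue 2 (store 96-bit numeric domain IDs and cast them to domain SIDs later), worked through as an added example; this is not code from the draft or from this message. It assumes a placeholder identifier authority value, since the message notes a suitable authority for non-Windows domains would still have to be allocated by Microsoft.

```python
# Added example (not from the draft or this message). A SID string is
# S-1-<48-bit identifier authority>-<32-bit sub-authority>..., so a 96-bit
# numeric domain ID fits exactly into three 32-bit sub-authorities.
import secrets

# Assumption: placeholder only, no such authority has been allocated.
PLACEHOLDER_AUTHORITY = 999


def new_domain_id() -> int:
    """Generate a random 96-bit numeric domain ID."""
    return secrets.randbits(96)


def domain_id_to_sid(domain_id: int, authority: int = PLACEHOLDER_AUTHORITY) -> str:
    """Cast a 96-bit domain ID to a domain SID with three 32-bit sub-authorities."""
    if not 0 <= domain_id < (1 << 96):
        raise ValueError("domain ID must fit in 96 bits")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    # Most significant 32 bits first, so SID ordering matches numeric ordering.
    subs = [(domain_id >> shift) & 0xFFFFFFFF for shift in (64, 32, 0)]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_to_domain_id(sid: str, authority: int = PLACEHOLDER_AUTHORITY) -> int:
    """Recover the 96-bit domain ID from a SID produced by domain_id_to_sid.

    A SID under any other authority (for example a native Windows domain SID
    under authority 5) is rejected rather than silently reinterpreted.
    """
    parts = sid.split("-")
    if len(parts) != 6 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a three-sub-authority SID: %r" % sid)
    if int(parts[2]) != authority:
        raise ValueError("SID authority %s is not the multi-domain authority" % parts[2])
    subs = [int(p) for p in parts[3:]]
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range")
    return (subs[0] << 64) | (subs[1] << 32) | subs[2]


if __name__ == "__main__":
    did = new_domain_id()
    sid = domain_id_to_sid(did)
    assert sid_to_domain_id(sid) == did
    print(hex(did), "->", sid)
```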