Re: FW: FW: [nfsv4] Name Mappings for NFSv4 in Active Directory
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 09 October 2003 20:56 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA10645 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 16:56:35 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7hpR-0007Q3-FF for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 16:56:14 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99Ku93c028518 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 16:56:09 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7hpR-0007Pt-9p for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 16:56:09 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA10587 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 16:56:00 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7hpP-0004Q3-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 16:56:07 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7hpO-0004Q0-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 16:56:06 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7hpJ-0007P0-AL; Thu, 09 Oct 2003 16:56:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7hoy-0007H1-8E for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 16:55:40 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA10560 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 16:55:31 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7hov-0004Pd-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 16:55:37 -0400
Received: from brmea-mail-2.sun.com ([192.18.98.43]) by ietf-mx with esmtp (Exim 4.12) id 1A7hov-0004Pa-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 16:55:37 -0400
Received: from centralmail1brm.Central.Sun.COM ([129.147.62.1]) by brmea-mail-2.sun.com (8.12.10/8.12.9) with ESMTP id h99KtaPh022919; Thu, 9 Oct 2003 14:55:36 -0600 (MDT)
Received: from binky.central.sun.com (binky.Central.Sun.COM [129.153.128.104]) by centralmail1brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL,v2.2) with ESMTP id h99Kta2o006787; Thu, 9 Oct 2003 14:55:36 -0600 (MDT)
Received: from binky.central.sun.com (localhost [127.0.0.1]) by binky.central.sun.com (8.12.5+Sun/8.12.3) with ESMTP id h99KpeQx021626; Thu, 9 Oct 2003 13:51:40 -0700 (PDT)
Received: (from nw141292@localhost) by binky.central.sun.com (8.12.5+Sun/8.12.3/Submit) id h99KpeKS021625; Thu, 9 Oct 2003 13:51:40 -0700 (PDT)
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Wachdorf, Daniel R" <drwachd@sandia.gov>
Cc: "'nfsv4@ietf.org'" <nfsv4@ietf.org>
Subject: Re: FW: FW: [nfsv4] Name Mappings for NFSv4 in Active Directory
Message-ID: <20031009205140.GP17088@binky.central.sun.com>
Mail-Followup-To: "Wachdorf, Daniel R" <drwachd@sandia.gov>, "'nfsv4@ietf.org'" <nfsv4@ietf.org>
References: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D08FF@es10snlnt.sandia.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D08FF@es10snlnt.sandia.gov>
User-Agent: Mutt/1.4i
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 13:51:40 -0700
Date: Thu, 09 Oct 2003 13:51:40 -0700
On Thu, Oct 09, 2003 at 10:00:14AM -0600, Wachdorf, Daniel R wrote:
> > Actually, the rpc mapping service is not the only way in which clients
> > might get at the mappings. E.g., through the local directory. However,
> > I was not, and still am not, sufficiently satisfied that existing
> > directory services (e.g., LDAP) can adequately handle the mapping task
> > without adding "active" (to borrow an MS term) hooks to the directory
> > service. Thus the mapper rpc, which I see as *part* of the directory
> > (who said a directory must use a single access protocol?
> > ActiveDirectory uses several).
> >
> This would be a great idea, if all the directory service vendors were on
> board. My main problem with it is that I doubt active directory will ever
> include this (Anyone from MS out there?).
You can implement a mapper service that works with AD without having to
add the "active" hooks to AD that I described. How? I leave that as an
excercise for the reader :)
> I am coming at this from an end users point of view; we already have the
> entire infrastructure in place to manage our users/groups with active
> directory, most sites already have this in place. Additionally, AD provides
> the necessary Kerberos infrastructure needed to run NFSV4. A solution
> should integrate Active Directory.
You have an infrastructure, but the it doesn't address the problem.
> It possible that you could stick the rpc mapping service on active
> directory. The question then becomes, how do you provide a mapping (or
> association) between the mappings you are creating and the accounts within
> active directory. I am hopping to provide a solution for that.
You use the QISID. I again leave the details to the reader - I think I
know how.
> > Perhaps I should work on describing how to do this purely through LDAP,
> > but I needed something that was as complete as possible that I could use
> > to write an I-D with.
> >
> > The main problem with mapping through the directory, again, is the need
> > to NOT use name@domain as the permanent index to the assigned UIDs/GIDs
> > - that's because otherwise dealing with user/group renaming / name reuse
> > becomes a hard problem (see rationale below). So if you can't use
> > name@domain as the permanent index to the assigned UIDs/GIDs then how is
> > the directory to satisfy queries for name@domain? That's where the
> > "active" hook I mentioned above comes in: the directory must check a
> > cache for name@domain, and if it misses then it must perform the lookup
> > for "name" at "domain"'s directory, get the permanent index to the
> > assigned UID/GID - the {foreign internal ID, foreign domain} tuple -
> > then lookup UID/GID and cache the remote lookup for some time.
>
> I am not sure about what you mean here and below. From what I understand
> about your RFC, I think we are talking about the same think. Correct me if
> I am wrong.
>
> You would have an external user user@foreign.com and you call in your draft
> an ESID. You would then map them to an internal, account in active
> directory a QISID, which then has the attribute for a MISID, the UID.
No. The QISID is the {internal ID from remote domain, remote domain}
tuple.
I.e., if I want to map "jane@bar.com" to a UID in foo.com I:
- if (!lookup "jane@bar.com" in the foo.com directory cache)
then
- lookup "jane" at bar.com's user directory and get, say, UID 12345
- if (!lookup {UID 12345, "bar.com"} in foo.com)
then
- atomically assign the next available UID in foo.com[*], say,
54321, to
{UID 12345, "bar.com"}
and record the assignment in the directory (to prevent
assignment of the same UID to any other user).
The assignment that is recorded [permanently] in foo.com's
directory is:
{UID 12345, "bar.com"} <-> {UID 54321, "foo.com"}
[*] Possibly from a pool for that purpose.
fi
- lookup the length of time for which I can cache names from
bar.com (this is the length of time for which the admins of
bar.com promise not to reuse names after they become unused) and
cache the following mappings for upto that much time:
"jane@bar.com" <-> {UID 54321, "foo.com"}
fi
That's more or less the algorithm - simplified so I can present more
clearly what happens when the mappings aren't already established
> I don't think this is true that it requires multiple lookups. If I am
> querying active directory for the user account associated with a foreign
> security principal. I do one query for the account with the
> altSecurityIdentites, then I get the user account, gid, and uid. I can then
> cache this.
When the "jane@bar.com" <-> {UID 54321, "foo.com"} mapping expires then
"jane" has to be looked up again at bar.com to get the permanent mapping
index, {UID 12345, "bar.com"}.
>
> > The RPC mapping service becomes part of the directory and can cache
> > results. See above about how mapping name@domain does require
> > additional directory lookups, and not just once, and no matter how what
> > protocol/service the client uses to get at the mapping.
>
> True, but is this necessary. From what little I know, vendors are already
> designing solutions to communicate with and LDAP directory store. Why not
> let the NFSv4 servers decide how they will cache the information.
My draft does not mandate the use of the mapper service. It describes a
mapping algorithm/strategy and then it defines a protocol that can be
used to make it happen without having to monkey around with existing
directory services in ways that are very platform-specific.
> > > As for the comment below, the Active Directory mapping solution could
> > easily
> > > allow the re-use of foreign security principals. The
> > altSecurityIdenties
> > > attribute is multi-valued, so if a user changes their foreign identity,
> > ie -
> > > john@foreign.realm becomes johnsmith@foreign.realm, you have an entry
> > for
> > > each of these within the altSecurityIdentites attribute.
> >
> > Ah, but you have to *know* when foreign names are changed/reassigned so
> > you can change your AD mapped entries accordingly.
> >
> > There's the rub - if you have, say, fifty organizations "trusting" each
> > other by allowing their users/groups to be referenced by each others
> > ACLs and groups, how do you organize the necessary distribution of name
> > change/reassignment information from any one domain to all the others?
> > How reliable is this bound to be?
> >
> > My take is that the most reliable way to deal with foreign name
> > change/reuse events is to not use foreign names as the permanent index
> > to the mappings.
> >
> > Dealing with foreign name change/reuse events is crucial to the security
> > _and_ convenience of the mappings. This is the critical problem to
> > solve here.
>
> First, I don't understand how your solution allows for the changing of names
> without some notification. How do users get access to their old files
> referenced by the UID, GUID without know how to map that user's new foreign
> security identity to the old one?
Rename example:
- "jane@bar.com" gets mapped to, say, UID 54321 at foo.com
- "jane@bar.com" is renamed "jane.doe@bar.com", but her QISID,
{UID 12345, "bar.com"}
stays the same (i.e., "jane@bar.com" changed names, but not UIDs)
- so next time we have to map "jane.doe@bar.com" we first lookup "jane"
at bar.com and get QISID {UID 12345, "bar.com"}, so we then lookup
that QISID in foo.com and, lo and behold, there is an assignment
already and so
"jane.doe@bar.com" get mapped to UID 54321 at foo.com
Name reuse example:
- now a new employee at bar.com gets hired and gets "jane" as her
username (perhaps because her first name is "Jane", who knows)
(The important thing is that this new "jane@bar.com" not be created
until after X amount of time, which is the max for which other
domains are allowed to cache <name>@bar.com to QISIDs.)
- to map "jane@bar.com" we lookup "jane" at bar.com's directory and
get, say, UID 432876, that is, QISID {UID 432876, "bar.com"}
(Again, it is important that {UID 432876, "bar.com"} not have been
used previously.)
- now we assign a UID, say, 50000, from foo.com to {UID 432876,
"bar.com"} and cache
"jane@bar.com" <-> {UID 50000, "foo.com"}
So, version -01 of my draft deals with renames and name reassignement.
With the caveat that:
- trusted domains MUST NOT reuse internal IDs (not without fair
warning)
- trusted domains MUST NOT reuse names (ESIDs) for a certain amount of
time after they are released, which amount must be published
somewhere
OR
trusted domains MUST NOT publish that amount of time, and domains
that trust them MUST NOT cache ESID<->mapped ISID entries.
> Secondly, these events occur infrequently. There is probably already some
> administrative overhead associated with changing someone's security
> identifier. I don't think it's that much trouble to allow notification of
> the change.
Now try extending this overhead by requiring that all domains that trust
a given domain MUST be informed of name changes/reuse in the trusted
domain.
Should the notifications be synchronous? (I.e., no name change/reuse
until all trusting domains are notified.) If so, how can this scale?
Or should the notifications be lazy? (I.e., change/reuse the name and
then tell the trusting domain - if this causes any problems for anyone,
oh well.) If so, how can you justify this?
>
> > I tried to build a system for distribution of name change/reuse info in
> > version -00 of my draft, because I thought it would be better, easier to
> > use name@domain as a semi-permanent index to its assigned UID/GID. In
> > the end I never did find the result satisfactory, nor did others within
> > Sun, so I switched to the approach in draft -01.
> >
> > You have to address the same issue, and you may yet address it as I
> > did in version -00 of my draft (but without the RPC service?). Not
> > addressing the issue, however, is hardly acceptable. Banning name
> > changes is less acceptable still, though you may get away with banning
> > name reuse (though I find that unacceptable also).
> >
> > Note that banning internal ID reuse is not only acceptable but even
> > common. For example, ActiveDirectory itself strives to avoid RID
> > reuse, and many organizations have UID/GID no-reuse policies. Version
> > -01 of my draft relies or internal ID non-reuse for security.
>
> I think this would have to be a given.
Which? The last paragraph? or the one before it?
I want you to agree that the foreign name change/reuse issue MUST be
addressed by any mapping proposal. :)
Cheers,
Nico
--
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4
- [nfsv4] Name Mappings for NFSv4 in Active Directo… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… William A.(Andy) Adamson
- FW: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: [nfsv4] Name Mappings for NFSv4 in Active Dir… Nicolas Williams
- Re: FW: [nfsv4] Name Mappings for NFSv4 in Active… Nicolas Williams
- FW: FW: [nfsv4] Name Mappings for NFSv4 in Active… Wachdorf, Daniel R
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… wurzl, mario
- RE: [nfsv4] Name Mappings for NFSv4 in Active Dir… Wachdorf, Daniel R
- Re: FW: FW: [nfsv4] Name Mappings for NFSv4 in Ac… Nicolas Williams