Re: [nfsv4] New version of NFSv4 multi-domain access draft (
Nicolas Williams <Nicolas.Williams@oracle.com> Tue, 05 October 2010 16:24 UTC
Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24A073A6F79 for <nfsv4@core3.amsl.com>; Tue, 5 Oct 2010 09:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.257
X-Spam-Level:
X-Spam-Status: No, score=-6.257 tagged_above=-999 required=5 tests=[AWL=-0.259, BAYES_00=-2.599, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t0FfcRKyPxSp for <nfsv4@core3.amsl.com>; Tue, 5 Oct 2010 09:24:15 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 0CD013A6D33 for <nfsv4@ietf.org>; Tue, 5 Oct 2010 09:24:14 -0700 (PDT)
Received: from rcsinet13.oracle.com (rcsinet13.oracle.com [148.87.113.125]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o95GP9Z1029514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 5 Oct 2010 16:25:10 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by rcsinet13.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o95EEUqJ008691; Tue, 5 Oct 2010 16:25:08 GMT
Received: from abhmt004.oracle.com by acsmt355.oracle.com with ESMTP id 655861651286295907; Tue, 05 Oct 2010 09:25:07 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 05 Oct 2010 09:25:06 -0700
Date: Tue, 05 Oct 2010 11:25:01 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "William A. (Andy) Adamson" <androsadamson@gmail.com>
Message-ID: <20101005162500.GV9501@oracle.com>
References: <AANLkTik=VhHs-7Dk4tOV4Bq-RxpJ-9HmEcUycaehRc6s@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTik=VhHs-7Dk4tOV4Bq-RxpJ-9HmEcUycaehRc6s@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: NFSv4 <nfsv4@ietf.org>
Subject: Re: [nfsv4] New version of NFSv4 multi-domain access draft (
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 16:24:16 -0000
On Thu, Sep 30, 2010 at 01:40:23PM -0400, William A. (Andy) Adamson wrote: > There are a number of sections that need text. Here are some issues > that need discussion. > > 1) NFSv4 is not the only potential consumer. NFSv3, and SFTP, for > example. Do we mention these and/or other potential consumers. IMO: yes, mention the other potential consumers. The list is open- ended. I'd include WebDAV and even local access in remote SSHv2 sessions in the list. The risk: making people wonder why this is an NFSv4 WG work item. Answer: it goes hand in hand with the federated namespace work items, which is also not that specific to NFSv4. > 2) Section 5.4.3. Resolving Domain Names to Domain IDs > > We need to have a common way to map Domain Names to Domain IDs. > Currently we have two suggestions > - Just use SIDs, first asking MSFT to allocate a suitable authority > for non-Windows domain SIDs. Yes, let's do that. > - Store 96-bit numeric IDs > a) cast those to domain SIDs later. > b) define a non-SID large ID format (a) is fine. (b) is a fine fallback should MSFT be unwilling to assign authority numbers for this purpose. See below. > 3) Section 6.1.2. RPCSEC_GSS Authorization Context Credential Data > > Do we want to define a new "PAC" for multi-domain access for those > implementations that don't provide the Windows PAC, or just insist > upon the use of the Microsoft PAC. IMO: - we must have a mode of operation that does not require a PAC at all; - we must have a mode of operation that works with the Windows PAC only; - we should consider an I-D defining either a new PAC or an extension to the Windows one to include information that servers might need but which is not delivered by the existing Windows PAC (but first we must identify such information). Re-usign the Windows PAC implies using SIDs. If we can't get an authority number from MSFT, then we can't re-use the PAC. Unless we simply use authority #5 in the same way that Windows domains do (this is certainly an option to consider). > 4) General review of section 6.3. User Group Membership Determination > - Do we depend upon 2307bis > - Do we require groups within groups IMO: - provide a[n obviously limited] mode of operation that depends only on RFC2307 and therefore does not support group nesting; - provide a more full-fledged mode of operation that depends RFC2307bis; - provide a more full-fledged mode of operation that depends AD's schema. > 5) Do we need a section on service discovery. Two potential methods: > - Use local methods (configuration, DNS SRV RR lookups, ...) to > discover local domain's servers, then depend on LDAP referrals for > discovering all other domains' s > - Use DNS SRV RRs much the way AD does.ervers. I would prefer that we have one REQUIRED to implement service discovery mechanism as follows: a) specify local DS discovery using DNS SRV RR lookups much like AD does (i.e., have a label to indicate the purpose of the LDAP service, not just _ldap), b) use LDAP referrals (and DNS resolution of the host parts of the referrals) to discover DSes of other domains. The main benefit of this mechanism is that we can leave the work of finding topologically-close caches and/or authoritative servers to the clients' local DSes, thus avoiding the need to deal directly with topology in our spec. I would also like to make (a) general enough that clients could discover DSes of remote domains on their own. Nico --
- [nfsv4] New version of NFSv4 multi-domain access … William A. (Andy) Adamson
- Re: [nfsv4] New version of NFSv4 multi-domain acc… James Lentini
- Re: [nfsv4] New version of NFSv4 multi-domain acc… Nicolas Williams
- Re: [nfsv4] New version of NFSv4 multi-domain acc… Everhart, Craig
- Re: [nfsv4] New version of NFSv4 multi-domain acc… William A. (Andy) Adamson