Re: [nfsv4] New version of NFSv4 multi-domain access draft (

Nicolas Williams <> Tue, 05 October 2010 16:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 24A073A6F79 for <>; Tue, 5 Oct 2010 09:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.257
X-Spam-Status: No, score=-6.257 tagged_above=-999 required=5 tests=[AWL=-0.259, BAYES_00=-2.599, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t0FfcRKyPxSp for <>; Tue, 5 Oct 2010 09:24:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0CD013A6D33 for <>; Tue, 5 Oct 2010 09:24:14 -0700 (PDT)
Received: from ( []) by (Switch-3.4.2/Switch-3.4.2) with ESMTP id o95GP9Z1029514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 5 Oct 2010 16:25:10 GMT
Received: from ( []) by (Switch-3.4.2/Switch-3.4.1) with ESMTP id o95EEUqJ008691; Tue, 5 Oct 2010 16:25:08 GMT
Received: from by with ESMTP id 655861651286295907; Tue, 05 Oct 2010 09:25:07 -0700
Received: from (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 05 Oct 2010 09:25:06 -0700
Date: Tue, 05 Oct 2010 11:25:01 -0500
From: Nicolas Williams <>
To: "William A. (Andy) Adamson" <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: NFSv4 <>
Subject: Re: [nfsv4] New version of NFSv4 multi-domain access draft (
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Oct 2010 16:24:16 -0000

On Thu, Sep 30, 2010 at 01:40:23PM -0400, William A. (Andy) Adamson wrote:
> There are a number of sections that need text. Here are some issues
> that need discussion.
> 1)  NFSv4 is not the only potential consumer. NFSv3, and SFTP, for
> example. Do we mention these and/or other potential consumers.

IMO: yes, mention the other potential consumers.  The list is open-
ended.  I'd include WebDAV and even local access in remote SSHv2
sessions in the list.

The risk: making people wonder why this is an NFSv4 WG work item.
  Answer: it goes hand in hand with the federated namespace work items,
          which is also not that specific to NFSv4.

> 2) Section 5.4.3.  Resolving Domain Names to Domain IDs
> We need to have a common way to map Domain Names to Domain IDs.
> Currently we have two suggestions
> - Just use SIDs, first asking MSFT to allocate a suitable authority
> for non-Windows domain SIDs.

Yes, let's do that.

> - Store 96-bit numeric IDs
>      a) cast those to domain SIDs later.
>      b) define a non-SID large ID format

(a) is fine.  (b) is a fine fallback should MSFT be unwilling to assign
authority numbers for this purpose.  See below.

> 3) Section 6.1.2.  RPCSEC_GSS Authorization Context Credential Data
> Do we want to define a new "PAC" for multi-domain access for those
> implementations that don't provide the Windows PAC, or just insist
> upon the use of the Microsoft PAC.


 - we must have a mode of operation that does not require a PAC at all;

 - we must have a mode of operation that works with the Windows PAC only;

 - we should consider an I-D defining either a new PAC or an extension
   to the Windows one to include information that servers might need but
   which is not delivered by the existing Windows PAC (but first we must
   identify such information).

Re-usign the Windows PAC implies using SIDs.  If we can't get an
authority number from MSFT, then we can't re-use the PAC.  Unless we
simply use authority #5 in the same way that Windows domains do (this is
certainly an option to consider).

> 4) General review of section 6.3.  User Group Membership Determination
> - Do we depend upon 2307bis
> - Do we require groups within groups


 - provide a[n obviously limited] mode of operation that depends only on
   RFC2307 and therefore does not support group nesting;

 - provide a more full-fledged mode of operation that depends RFC2307bis;

 - provide a more full-fledged mode of operation that depends AD's schema.

> 5) Do we need a section on service discovery.  Two potential methods:
> - Use local methods (configuration, DNS SRV RR lookups, ...) to
>   discover local domain's servers, then depend on LDAP referrals for
>   discovering all other domains' s
> - Use DNS SRV RRs much the way AD does.ervers.

I would prefer that we have one REQUIRED to implement service discovery
mechanism as follows: a) specify local DS discovery using DNS SRV RR
lookups much like AD does (i.e., have a label to indicate the purpose of
the LDAP service, not just _ldap), b) use LDAP referrals (and DNS
resolution of the host parts of the referrals) to discover DSes of other

The main benefit of this mechanism is that we can leave the work of
finding topologically-close caches and/or authoritative servers to the
clients' local DSes, thus avoiding the need to deal directly with
topology in our spec.

I would also like to make (a) general enough that clients could discover
DSes of remote domains on their own.