IETF Logo Mail Archive

Re: FW: [nfsv4] Name Mappings for NFSv4 in Active Directory

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 09 October 2003 14:58 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA23332 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 10:58:24 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7cEt-0008SY-8b for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 10:58:03 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99Ew3Kf032512 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 10:58:03 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7cEt-0008SJ-3q for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 10:58:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA23295 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 10:57:53 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7cEq-0007Ft-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 10:58:00 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7cEq-0007Fq-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 10:58:00 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7cEr-0008RD-H5; Thu, 09 Oct 2003 10:58:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7cE8-0008Qp-1j for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 10:57:16 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA23279 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 10:57:05 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7cE5-0007FV-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 10:57:13 -0400
Received: from nwkea-mail-1.sun.com ([192.18.42.13]) by ietf-mx with esmtp (Exim 4.12) id 1A7cE4-0007FM-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 10:57:12 -0400
Received: from centralmail1brm.Central.Sun.COM ([129.147.62.1]) by nwkea-mail-1.sun.com (8.12.10/8.12.9) with ESMTP id h99EugVo018840; Thu, 9 Oct 2003 07:56:42 -0700 (PDT)
Received: from binky.central.sun.com (binky.Central.Sun.COM [129.153.128.104]) by centralmail1brm.Central.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL,v2.2) with ESMTP id h99Euf2o004842; Thu, 9 Oct 2003 08:56:41 -0600 (MDT)
Received: from binky.central.sun.com (localhost [127.0.0.1]) by binky.central.sun.com (8.12.5+Sun/8.12.3) with ESMTP id h99EqjQx021331; Thu, 9 Oct 2003 07:52:45 -0700 (PDT)
Received: (from nw141292@localhost) by binky.central.sun.com (8.12.5+Sun/8.12.3/Submit) id h99Eqjms021330; Thu, 9 Oct 2003 09:52:45 -0500 (CDT)
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: nfsv4@ietf.org, "Wachdorf, Daniel R" <drwachd@sandia.gov>
Subject: Re: FW: [nfsv4] Name Mappings for NFSv4 in Active Directory
Message-ID: <20031009145245.GN16994@binky.central.sun.com>
Mail-Followup-To: nfsv4@ietf.org, "Wachdorf, Daniel R" <drwachd@sandia.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AC89BDA1E3CCBC42B9CA5B50FE7934D3032D08FC@es10snlnt.sandia.gov>
User-Agent: Mutt/1.4i
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 09:52:45 -0500
Date: Thu, 09 Oct 2003 09:52:45 -0500

On Thu, Oct 09, 2003 at 08:11:07AM -0600, Wachdorf, Daniel R wrote:
> First, I will work on getting an IETF draft of the document out.  
> 
> Second.  I think there are two areas of the problem. 1- How do the NFSv4
> server/clients get the name mapping information. 2- Where is this
> information stored?  
> 
> For the first part the RPC solution that you proposed works.  I do believe
> that the caching of this information should be done by the NFSv4 server, not
> by the RPC mapping service. 

Actually, the rpc mapping service is not the only way in which clients
might get at the mappings.  E.g., through the local directory. However,
I was not, and still am not, sufficiently satisfied that existing
directory services (e.g., LDAP) can adequately handle the mapping task
without adding "active" (to borrow an MS term) hooks to the directory
service.  Thus the mapper rpc, which I see as *part* of the directory
(who said a directory must use a single access protocol?
ActiveDirectory uses several).

Perhaps I should work on describing how to do this purely through LDAP,
but I needed something that was as complete as possible that I could use
to write an I-D with.

The main problem with mapping through the directory, again, is the need
to NOT use name@domain as the permanent index to the assigned UIDs/GIDs
- that's because otherwise dealing with user/group renaming / name reuse
becomes a hard problem (see rationale below).  So if you can't use
name@domain as the permanent index to the assigned UIDs/GIDs then how is
the directory to satisfy queries for name@domain?  That's where the
"active" hook I mentioned above comes in: the directory must check a
cache for name@domain, and if it misses then it must perform the lookup
for "name" at "domain"'s directory, get the permanent index to the
assigned UID/GID - the {foreign internal ID, foreign domain} tuple -
then lookup UID/GID and cache the remote lookup for some time.

> However, the mappings need to co-inside with the user/group information
> already in existence within the enterprise.  One way to do this would be

Of course.  The rpc protocol I propose does not preclude this - just
because it isn't what you think of as a directory service doesn't mean
that it can't be integrated with the directory service.

> integrate the name mapping with Active Directory.  I am sure there will be
> proposals to store it in other Directories.

Perhaps.

> Also, I think that direct communication between the NFSv4 server/clients and
> Directory services is probably the best way to go.  Sure, communicated with
> an RPC service that just stores the mappings will be faster, but if the RPC

It's not about faster.

> service then has to communicate with a back end directory service, its
> better to just have the NFSv4 servers talk directly to that backend
> directory service.

The RPC mapping service becomes part of the directory and can cache
results.  See above about how mapping name@domain does require
additional directory lookups, and not just once, and no matter how what
protocol/service the client uses to get at the mapping.

> As for the comment below, the Active Directory mapping solution could easily
> allow the re-use of foreign security principals.  The altSecurityIdenties
> attribute is multi-valued, so if a user changes their foreign identity, ie -
> john@foreign.realm becomes johnsmith@foreign.realm, you have an entry for
> each of these within the altSecurityIdentites attribute.

Ah, but you have to *know* when foreign names are changed/reassigned so
you can change your AD mapped entries accordingly.

There's the rub - if you have, say, fifty organizations "trusting" each
other by allowing their users/groups to be referenced by each others
ACLs and groups, how do you organize the necessary distribution of name
change/reassignment information from any one domain to all the others?
How reliable is this bound to be?

My take is that the most reliable way to deal with foreign name
change/reuse events is to not use foreign names as the permanent index
to the mappings.

Dealing with foreign name change/reuse events is crucial to the security
_and_ convenience of the mappings.  This is the critical problem to
solve here.

I tried to build a system for distribution of name change/reuse info in
version -00 of my draft, because I thought it would be better, easier to
use name@domain as a semi-permanent index to its assigned UID/GID.  In
the end I never did find the result satisfactory, nor did others within
Sun, so I switched to the approach in draft -01.

You have to address the same issue, and you may yet address it as I
did in version -00 of my draft (but without the RPC service?).  Not
addressing the issue, however, is hardly acceptable.  Banning name
changes is less acceptable still, though you may get away with banning
name reuse (though I find that unacceptable also).

Note that banning internal ID reuse is not only acceptable but even
common.  For example, ActiveDirectory itself strives to avoid RID
reuse, and many organizations have UID/GID no-reuse policies.  Version
-01 of my draft relies or internal ID non-reuse for security.

Cheers,

Nico
-- 

_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email