RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
"wurzl, mario" <wurzl_mario@emc.com> Thu, 09 October 2003 19:25 UTC
Message-ID: <FA2F59D0E55B4B4892EA076FF8704F5505544938@srgraham.eng.emc.com>
From: "wurzl, mario" <wurzl_mario@emc.com>
To: "'Wachdorf, Daniel R'" <drwachd@sandia.gov>
Cc: nfsv4@ietf.org
Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
Date: Thu, 09 Oct 2003 15:23:28 -0400
The unique purpose of the attribute 'altSecurityIdentities' is to enable users from trusted realms, but not from trusted domains, to access Windows resources. It is not intended to be used for users of trusted Windows domains, but for users from MIT realms, or non-trusted Windows domains. The main problem with the use of 'altSecurityIdentities' is the need to create a shadow account on the local domain for each trusted user. It means administrative overhead, and duplication of accounts, which may lead to security problems, and goes against policies in the large majority of corporations, which do not want a user to have more than one account in the Windows environment.

Real time creation of accounts by a server may create a HUGE security vulnerability in an organization. User accounts created by a server (NFSv4 or other) have potential access to the Windows resources on the forest where the account has been created. System administrators have very little control on dynamically created accounts. Like the use of the 'altSecurityIdentities' attribute as described in the document, dynamically created user accounts would be unacceptable from a corporate policy point of view. It also implies that Unix based NFS servers would have to implement the mechanism to create Computer accounts in a Windows domain, which is quite complex, and does not provide any value add to UNIX systems.

The document also mentions "SPNEGO protected Web pages". SPNEGO is not a security mechanism, and therefore cannot protect any resource. The only purpose of SPNEGO is to negotiate a security mechanism under the GSSAPI.

What Microsoft calls PAC is the Kerberos Authorization Data Field, and contains the user SID and the SIDs of the groups the user is a member of. It may include groups from other domains in the forest that the user might be a member of.
Mario

-----Original Message-----
From: Wachdorf, Daniel R [mailto:drwachd@sandia.gov]
Sent: Wednesday, October 08, 2003 5:35 PM
To: nfsv4@ietf.org
Subject: [nfsv4] Name Mappings for NFSv4 in Active Directory

I have been working with CITI on finding a way to use Active Directory to map NFSv4 names into Active Directory user accounts. I wrote a document that describes a scheme to map NFSv4 names and authentication principals into an Active Directory Domain. I would be interested in what the members of the list thought. Thanks.

-dan
--------------------------------------
Daniel Wachdorf
drwachd@sandia.gov
Sandia National Laboratories
System Security Research and Integration
505-284-8060
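The shadow-account problem raised in the reply above (one Windows account per mapped foreign principal, with little administrative control over the result) is something a domain administrator can at least audit. The following is an added example, not code from the thread or from the document under discussion: it parses a minimal, constructed LDIF export of user objects, collects their `altSecurityIdentities` Kerberos mappings, and flags two conditions a defender cares about, a foreign principal mapped to more than one account (ambiguous identity) and mappings to realms outside an approved list. The sample entries, the attribute values and the approved-realm set are all constructed.

```python
"""Audit altSecurityIdentities shadow-account mappings (added example, not from the thread).

Assumes an LDIF-style text export of user objects; all entries below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample export: three shadow accounts in the Windows domain example.com.
SAMPLE_LDIF = """\
dn: CN=alice-shadow,OU=Shadow,DC=example,DC=com
sAMAccountName: alice-shadow
altSecurityIdentities: Kerberos:alice@UNIX.EXAMPLE.COM

dn: CN=bob-shadow,OU=Shadow,DC=example,DC=com
sAMAccountName: bob-shadow
altSecurityIdentities: Kerberos:bob@UNIX.EXAMPLE.COM
altSecurityIdentities: Kerberos:bob@PARTNER.EXAMPLE.NET

dn: CN=alice2,OU=Shadow,DC=example,DC=com
sAMAccountName: alice2
altSecurityIdentities: Kerberos:alice@UNIX.EXAMPLE.COM
"""

# Only the "Kerberos:principal@REALM" form of the attribute is considered here.
KRB_MAPPING = re.compile(r"^Kerberos:(?P<princ>[^@\s]+@[^\s]+)$")


def parse_ldif(text):
    """Return a list of (sAMAccountName, [mapped Kerberos principals]) per entry."""
    accounts = []
    for block in text.strip().split("\n\n"):
        name, princs = None, []
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "sAMAccountName":
                name = value
            elif key == "altSecurityIdentities":
                m = KRB_MAPPING.match(value)
                if m:
                    princs.append(m.group("princ"))
        if name:
            accounts.append((name, princs))
    return accounts


def audit_mappings(accounts, trusted_realms):
    """Return (ambiguous, untrusted): principals mapped to several accounts,
    and principals whose realm is not in the approved set."""
    by_principal = defaultdict(list)
    for name, princs in accounts:
        for p in princs:
            by_principal[p].append(name)
    ambiguous = {p: sorted(a) for p, a in by_principal.items() if len(a) > 1}
    untrusted = sorted(p for p in by_principal if p.rsplit("@", 1)[1] not in trusted_realms)
    return ambiguous, untrusted
```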