RE: [nfsv4] Name Mappings for NFSv4 in Active Directory

"wurzl, mario" <wurzl_mario@emc.com> Thu, 09 October 2003 19:25 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06150 for <nfsv4-archive@odin.ietf.org>; Thu, 9 Oct 2003 15:25:37 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gPK-00024O-BX for nfsv4-archive@odin.ietf.org; Thu, 09 Oct 2003 15:25:14 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h99JP6Gi007952 for nfsv4-archive@odin.ietf.org; Thu, 9 Oct 2003 15:25:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gPK-00024B-5s for nfsv4-web-archive@optimus.ietf.org; Thu, 09 Oct 2003 15:25:06 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA06133 for <nfsv4-web-archive@ietf.org>; Thu, 9 Oct 2003 15:24:58 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gPI-0003AK-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:25:04 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1A7gPI-0003AH-00 for nfsv4-web-archive@ietf.org; Thu, 09 Oct 2003 15:25:04 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gPF-00023Z-SH; Thu, 09 Oct 2003 15:25:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1A7gOI-00020G-Pb for nfsv4@optimus.ietf.org; Thu, 09 Oct 2003 15:24:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA05912 for <nfsv4@ietf.org>; Thu, 9 Oct 2003 15:23:54 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1A7gOG-00039j-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:24:00 -0400
Received: from srexchimc2.lss.emc.com ([168.159.100.11] helo=srexchimc2.eng.emc.com) by ietf-mx with esmtp (Exim 4.12) id 1A7gOG-00039D-00 for nfsv4@ietf.org; Thu, 09 Oct 2003 15:24:00 -0400
Received: by srexchimc2.lss.emc.com with Internet Mail Service (5.5.2653.19) id <4MAWP9VB>; Thu, 9 Oct 2003 15:23:29 -0400
Message-ID: <FA2F59D0E55B4B4892EA076FF8704F5505544938@srgraham.eng.emc.com>
From: "wurzl, mario" <wurzl_mario@emc.com>
To: "'Wachdorf, Daniel R'" <drwachd@sandia.gov>
Cc: nfsv4@ietf.org
Subject: RE: [nfsv4] Name Mappings for NFSv4 in Active Directory
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Sender: nfsv4-admin@ietf.org
Errors-To: nfsv4-admin@ietf.org
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/mail-archive/working-groups/nfsv4/>
X-Original-Date: Thu, 9 Oct 2003 15:23:28 -0400
Date: Thu, 09 Oct 2003 15:23:28 -0400

The unique purpose of the attribute 'altSecurityIdentities' is to enable
users from trusted realms, but not from trusted domains, to access Windows
resources. It is not intended to be used for users of trusted Windows
domains, but for users from MIT realms or non-trusted Windows domains.
The main problem with the use of 'altSecurityIdentities' is the need to
create a shadow account on the local domain for each trusted user. It means
administrative overhead and duplication of accounts, which may lead to
security problems, and goes against policies in the large majority of
corporations, which do not want a user to have more than one account in the
Windows environment.

Real-time creation of accounts by a server may create a HUGE security
vulnerability in an organization. User accounts created by a server (NFSv4
or other) have potential access to the Windows resources on the forest where
the account has been created. System administrators have very little control
over dynamically created accounts.
Like the use of the 'altSecurityIdentities' attribute as described in the
document, dynamically created user accounts would be unacceptable from a
corporate policy point of view.
It also implies that Unix-based NFS servers would have to implement the
mechanism to create Computer accounts in a Windows domain, which is quite
complex and does not provide any value add to UNIX systems.

The document also mentions "SPNEGO protected Web pages".
SPNEGO is not a security mechanism, and therefore cannot protect any
resource. The only purpose of SPNEGO is to negotiate a security mechanism
under the GSSAPI.

What Microsoft calls the PAC is the Kerberos Authorization Data field, and
contains the user SID and the SIDs of the groups the user is a member of.
It may include groups from other domains in the forest that the user might be
a member of.

Mario

-----Original Message-----
From: Wachdorf, Daniel R [mailto:drwachd@sandia.gov] 
Sent: Wednesday, October 08, 2003 5:35 PM
To: nfsv4@ietf.org
Subject: [nfsv4] Name Mappings for NFSv4 in Active Directory


I have been working with CITI on finding a way to use Active Directory to
map NFSv4 names into Active Directory user accounts. I wrote a document
that describes a scheme to map NFSv4 names and authentication principals
into an Active Directory Domain.
I would be interested in what the members of the list think.  Thanks.

-dan

--------------------------------------
Daniel Wachdorf
drwachd@sandia.gov
Sandia National Laboratories
System Security Research and Integration
505-284-8060
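
The attribute Mario discusses above is the Active Directory 'altSecurityIdentities' attribute, which maps a foreign Kerberos principal (for example one from an MIT realm) onto a local shadow account. The PowerShell below is an added example, not code from either author or from the document under discussion. It assumes the RSAT ActiveDirectory module and a reachable domain controller, and uses hypothetical names (shadow account 'mwurzl-mit', principal 'mwurzl@EXAMPLE.EDU'). It creates one such mapping and then runs the check a practitioner would want before adopting the scheme: whether a principal is already mapped onto more than one account, or one shadow account carries several Kerberos mappings, which is the account duplication the message objects to.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical names: a shadow account in the Windows domain and the MIT
# realm principal that should be able to use it.
$ShadowAccount = 'mwurzl-mit'
$Principal     = 'mwurzl@EXAMPLE.EDU'      # MIT Kerberos principal@REALM
$Mapping       = "Kerberos:$Principal"      # altSecurityIdentities syntax for Kerberos names

# 1. Create the mapping on the shadow account (idempotent: skip if already present).
$user = Get-ADUser -Identity $ShadowAccount -Properties altSecurityIdentities
if ($user.altSecurityIdentities -notcontains $Mapping) {
    Set-ADUser -Identity $ShadowAccount -Add @{ altSecurityIdentities = $Mapping }
}

# 2. Audit: collect every altSecurityIdentities value in the domain and who holds it.
$holders = @{}
Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
    ForEach-Object {
        $sam = $_.SamAccountName
        foreach ($v in $_.altSecurityIdentities) {
            if (-not $holders.ContainsKey($v)) { $holders[$v] = @() }
            $holders[$v] += $sam
        }
    }

# A principal mapped onto two accounts means two Windows identities for one
# person; report them.
foreach ($entry in $holders.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("{0} is mapped to {1} accounts: {2}" -f `
            $entry.Key, $entry.Value.Count, ($entry.Value -join ', '))
    }
}

# An account carrying more than one Kerberos mapping (several foreign
# principals sharing one shadow account) loses per-user accountability.
Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' -Properties altSecurityIdentities |
    Where-Object { @($_.altSecurityIdentities | Where-Object { $_ -like 'Kerberos:*' }).Count -gt 1 } |
    ForEach-Object { Write-Warning ("{0} carries multiple Kerberos mappings" -f $_.SamAccountName) }
```

Run it from an account with read access to the user objects (and write access to the shadow account for step 1). The audit is the part worth keeping: the mapping itself is a one-line attribute write, but nothing in AD prevents the same principal being mapped onto several accounts, so the duplication has to be found by enumeration.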
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www1.ietf.org/mailman/listinfo/nfsv4