From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jim Rees <rees@umich.edu>,
Daniel.Muntz@emc.com, linux-nfs@vger.kernel.org
Subject: Re: numeric UIDs
Date: Tue, 03 Aug 2010 22:02:16 -0400 [thread overview]
Message-ID: <1280887336.24669.23.camel@heimdal.trondhjem.org> (raw)
In-Reply-To: <20100803224245.GB9752@fieldses.org>
On Tue, 2010-08-03 at 18:42 -0400, J. Bruce Fields wrote:
> On Tue, Aug 03, 2010 at 06:31:15PM -0400, Trond Myklebust wrote:
> > On Tue, 2010-08-03 at 18:23 -0400, J. Bruce Fields wrote:
> > > On Tue, Aug 03, 2010 at 06:15:19PM -0400, Trond Myklebust wrote:
> > > > On Tue, 2010-08-03 at 17:57 -0400, Jim Rees wrote:
> > > > > Daniel.Muntz@emc.com wrote:
> > > > >
> > > > > I'll fourth this motion. The spec goes out of its way to declare this a
> > > > > violation. IMHO, the NFSv4.[0-n] specs should adopt the convention that a
> > > > > uid string consisting of [0-9]+ be interpreted as the string
> > > > > representation of a numeric UID--just as valid as a "user@domain" string.
> > > > >
> > > > > I argued for this as an option in the early days but was shouted down.
> > > > > Sorry I can't remember the details, it was many years ago.
> > > >
> > > > Why is nobody talking about fixing AUTH_SYS? The alternative to using
> > > > numeric uids/gids in NFS would be to use user@domain/group@domain in the
> > > > credential.
> > >
> > > I'm not sure what that does to address complaints like original
> > > poster's:
> > >
> > > http://marc.info/?l=linux-nfs&m=128080127215350&w=2
> > >
> > > And I'd like it to be possible to make the NFSv3->NFSv4 upgrade as
> > > transparent as possible.
> >
> > 1) RFC3530 does allow a workaround for cases where the _server_ doesn't
> > have a mapping from uid/gid -> name. We just haven't implemented it on
> > Linux servers (or clients).
>
> Yeah, somebody should.
>
> > 2) Why is AUTH_SYS so sacrosanct?
>
> Because it's what almost everyone uses.
No. It's the _default_. ...and a really really bad default.
The sane thing to do is to change that default instead of trying to add
in yet another ptolemaic epicycle to "fix" just one of the many
problems...
For NFSv4, an auth system that is based on user/groupnames and domains
is a sane fix. It can be made to work with legacy NFSv2/v3 uids and gids
by setting up /etc/passwords, /etc/groups and/or ldap appropriately (as
should already be the case if you are using NFSv2/v3).
> > We know it has a bunch of problems,
> > not least the one that limits ngroups <= 16, and the fact that it relies
> > on uids (as opposed to login names) being the same on client and server
> > so why not try to fix those limitations?
>
> Sure, that would be great.
>
> Again, that doesn't address the complaints above.
Yes it does.
It is far better to return an error when the NFS server doesn't
recognize the user and group name rather than to try to use a uid and
gid that is only valid on the local client. Better still, the server
could allocate a new uid or gid (just like Samba does) when it
encounters an unknown user or group name, instead of returning the
error.
The server can still default to the workaround of using the ascii
uid/gid when it is trying to export a file for which it has no
user/group.
It boils down to the fact that we all log in to our clients with
_usernames_, not uids. Trying to make the uid the fundamental object is
the mistake that got us here in the first place.
Trond
next prev parent reply other threads:[~2010-08-04 2:02 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-03 2:01 numeric UIDs Victor Mataré
2010-08-03 16:43 ` Jim Rees
2010-08-03 19:22 ` J. Bruce Fields
2010-08-03 21:49 ` Daniel.Muntz
2010-08-03 21:57 ` Jim Rees
2010-08-03 22:15 ` Trond Myklebust
2010-08-03 22:23 ` J. Bruce Fields
2010-08-03 22:31 ` Trond Myklebust
2010-08-03 22:42 ` J. Bruce Fields
2010-08-04 2:02 ` Trond Myklebust [this message]
2010-08-04 17:06 ` David Brodbeck
2010-08-04 18:30 ` Andy Adamson
2010-08-04 21:32 ` David Brodbeck
2010-08-11 23:06 ` Neil Brown
2010-08-12 13:20 ` Andy Adamson
2010-08-11 23:10 ` Neil Brown
2010-08-05 15:34 ` J. Bruce Fields
2010-08-11 23:22 ` Neil Brown
2010-08-13 14:43 ` Steve Dickson
2010-08-13 16:31 ` J. Bruce Fields
2010-08-13 17:30 ` Steve Dickson
[not found] ` <4C658146.90207-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-13 17:37 ` J. Bruce Fields
2010-08-13 18:43 ` Chuck Lever
2010-08-17 17:46 ` Tom Haynes
2010-08-17 18:18 ` J. Bruce Fields
2010-08-17 18:43 ` Tom Haynes
2010-08-17 18:49 ` J. Bruce Fields
2010-08-17 19:21 ` J. Bruce Fields
[not found] ` <4C6559FA.5070809-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-08-16 8:30 ` Neil Brown
2010-08-13 14:40 ` Steve Dickson
2010-08-03 19:22 ` J. Bruce Fields
2010-08-17 17:48 ` Tom Haynes
2010-08-17 18:24 ` J. Bruce Fields
2010-08-17 19:00 ` Tom Haynes
2010-08-17 20:08 ` David Brodbeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1280887336.24669.23.camel@heimdal.trondhjem.org \
--to=trond.myklebust@fys.uio.no \
--cc=Daniel.Muntz@emc.com \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=rees@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).