From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: Neil Brown <neilb@suse.de>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
Steve Dickson <SteveD@redhat.com>, Spelic <spelic@shiftmail.org>,
linux-nfs@vger.kernel.org
Subject: Re: NFSv4 behaviour on unknown users
Date: Tue, 30 Nov 2010 22:10:02 -0500 [thread overview]
Message-ID: <1291173002.7694.7.camel@heimdal.trondhjem.org> (raw)
In-Reply-To: <20101201135740.0d3b5948@notabene.brown>
On Wed, 2010-12-01 at 13:57 +1100, Neil Brown wrote:
> I have a strong memory from about 7 years ago of Brian Pawlowski saying - or
> possibly being quoted as saying - that the user information in NFS requests
> (the stuff that idmapper handles) is totally independent of the RPC
> authentication mechanism being used (the AUTH_SYS / RPCSEC_GSS stuff).
>
> I always thought that was nonsense, but I wasn't in a position to discuss it
> at the time for reasons that I really don't recall.
>
> If users are being authorised using numbers (AUTH_SYS) then it only (to me)
> makes sense to communication all identies as numbers.
> And if users are being authenticated as name@domain strings, then it only
> make sense to communicate all identities as name@domain.
>
> But this path is not the path for NFSv4 followed.
>
> I've very glad to see Linux NFS allowing numeric IDs "on the wire" and hope
> to see this very sensible approach widely adopted (where AUTH_SYS is used).
> I think it would be great if nfsd did the same thing completely in-kernel
> without reference to idmapd. Accepting either numeric or domain-based is
> trivial. Choosing which to send on a per-client basis might be a challenge,
> but probably not a big one.
>
>
> I wonder if Brian remembers saying anything like that...
I think you need to take beepy's words in context here: as I believe I
mentioned previously, RFC3530 (and its predecessor RFC3010) assumed
everyone would be using principals for authenticating, either through
RPCSEC_GSS w/ krb5, or through the SPKM/Lipkey mechanism. So sure was
everyone of this, that AUTH_SYS isn't even mentioned as a valid
authentication mechanism, and so nobody had to worry about the
consequences of using it.
The fact we still use AUTH_SYS today is, BTW, very much a result of the
failure of SPKM/Lipkey to deliver on its promise of strong
authentication with no extra infrastructure requirements. If it had, we
wouldn't be needing this hack.
Cheers
Trond
--
Trond Myklebust
Linux NFS client maintainer
NetApp
Trond.Myklebust@netapp.com
www.netapp.com
next prev parent reply other threads:[~2010-12-01 3:10 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-29 18:12 NFSv4 behaviour on unknown users Spelic
2010-11-29 18:22 ` Trond Myklebust
2010-11-29 18:38 ` Spelic
2010-11-29 19:01 ` J. Bruce Fields
2010-11-29 19:09 ` Trond Myklebust
2010-11-30 15:36 ` Steve Dickson
2010-11-30 22:19 ` Trond Myklebust
2010-11-30 22:26 ` J. Bruce Fields
2010-11-30 22:33 ` Trond Myklebust
2010-11-30 22:36 ` J. Bruce Fields
2010-11-30 22:47 ` Trond Myklebust
2010-12-01 2:57 ` Neil Brown
2010-12-01 3:10 ` Trond Myklebust [this message]
2010-12-01 3:23 ` Neil Brown
2010-12-01 16:29 ` J. Bruce Fields
2010-12-02 23:10 ` Thomas Haynes
2010-12-02 23:18 ` Trond Myklebust
2010-12-02 23:28 ` Spencer Shepler
2010-12-08 0:15 ` 'J. Bruce Fields'
2010-12-10 19:00 ` Thomas Haynes
2010-12-10 19:17 ` J. Bruce Fields
2010-11-29 22:09 ` Daniel.Muntz
2010-11-29 22:57 ` Spencer Shepler
2010-11-29 23:16 ` Trond Myklebust
2010-11-29 23:25 ` Spencer Shepler
2010-11-29 23:26 ` Trond Myklebust
2010-11-29 23:30 ` Spencer Shepler
2010-11-29 23:40 ` Trond Myklebust
2010-11-30 0:02 ` Spencer Shepler
2010-11-30 11:44 ` Spelic
2010-11-30 13:04 ` Trond Myklebust
2010-11-30 15:48 ` Boaz Harrosh
2010-11-29 23:34 ` Daniel.Muntz
2010-11-29 23:36 ` Spencer Shepler
-- strict thread matches above, loose matches on Subject: below --
2010-11-29 17:32 Spelic
2010-11-29 19:50 ` Simon Kirby
2010-11-29 22:47 ` Spelic
2010-11-30 15:20 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1291173002.7694.7.camel@heimdal.trondhjem.org \
--to=trond.myklebust@netapp.com \
--cc=SteveD@redhat.com \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=spelic@shiftmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).