Chris's Wiki :: blog/unix/NFSFutureDesire

What I want from a future version of NFS

June 26, 2013

Years ago I wrote about my then desires for a better version of NFS here and here. Since then I've revised my opinions somewhat and today (prompted by a comment here) I want to talk about it again.

We have two use cases, which for convenience I will call 'NFS v3' and 'Samba'. The NFS v3 use case is traditional Unix filesystem activity between trusted machines, where it is an important feature that the servers trust the client machines to properly identify users (because insisting otherwise means you lose a number of important capabilities). The Samba use case is giving an individual user access to their files without trusting their machine to properly identify users, because their machine is not under our control and security.

Then, what I would like in a future version of NFS is:

strong 'machine' authentication involving shared secrets via public key cryptography or the like. IP addresses are no longer good enough. We are already kludging our own solution but I would like a better one that is integrated into the protocol.
per-machine (and per-filesystem) flexible UID and GID mapping. I think that in theory you might be able to do this today with NFS v4 if you had suitable software on the server side (but current Linux software doesn't do it).
(This would let you handle the 'Samba' case; just give user machines an extremely restricted mapping.)
optional encryption for the transport stream. It needs to be optional so that it doesn't slow down the 'trusted machines on a trusted network' case.

I used to think that I wanted sub-filesystems to be automatically mounted and accessible. It's okay if this happens but I'm no longer convinced that it's as useful as I thought it would be; in many real cases you do not want how filesystems are associated together to be clearly visible to users because such associations can change.

I don't think you can do machine authentication in NFS v4 as it stands (at least without going fully into strong authentication for the users) but you might be able to get everything else by allowing some machines to 'authenticate' with NFS style 'I trust the client' authentication and then insisting that everyone else support Kerberos authentication.

(Or maybe NFS v4 can actually do machine authentication via Kerberos and then trust the client's UID/GID/name information. I haven't looked at NFS v4 too much for various reasons, including an inaccurate perception that it actively required Kerberos and couldn't be used in the traditional NFS way.)

However I'm not sure that the 'Samba' usage case is very important or interesting for NFS specifically. We do have some people who run their own Unix machines and would like to mount some NFS filesystems but I rather expect that almost all user machines will be Windows or Macs and are not going to have NFS clients (v4 or otherwise). On the other hand, there is one potentially common case of user-run Unix machines and that is cloud computing instances; it would be nice to provide researchers using them with a relatively frictionless way of getting good access to our filesystems.

(Given the bandwidth charges that cloud computing provides like to levy, the researchers might not want to use it. But at least we'd be able to give them an option.)

Comments on this page:

From 198.189.14.2 at 2013-06-26 12:48:20:

Would IPsec AH work for machine authentication?

From 31.151.153.51 at 2013-06-26 14:01:21:

for Kerberos with NFSv4 to work you need to have an LDAP environment (or distribute your password file all over the place, but seriosusly, LDAP is the way to go). Then the nfs server needs to have a host and service principal in one (so merged in the keytab with ktutil), the client hosts too (so the clients need a host and nfs keytab as well merged in the host keytab) and the user authenticating needs a kerberos ticket.

We are using this with netapp failover cluster and an omnios server joined to a freeipa ldap/kerberos domain. Soon we will add cross domain trust to our AD domain.

One thing that tripped me at the beginning is that from a non-AD domain joined linux/unix workstation/server I kan kinit to the AD domain and then using smbclient -k or nautilus if in gnome, you may use the cifs shares. We have succesfully used this in combination with keytabs for cronjobs without using passwords on the crontabs. This is not possible in NFSv4 with kerberos, you need to have a host keytab with a nfs service principal plus the user ticket. I consider this a bug.

It is not required to use krb5(i/p/whatever). The possibility to use NFSv4 with its non-trivial acls is a huge win for us. We combine this with netgroups to limit what host may use the shares, the traffic is not encrypted, but the acls prevent most troubles. This is only possible when using a zfs solaris based filer or netapp, linux nfsv4 is still waiting till someone wakes up and merges the richacls patch in the mainstream kernel, but after waiting for 3 years I just gave up on that. They find posix acl apparently enough.

One of the biggest problems with NFSv4 is that applications (userland) are ignorant of the underlying filesystem. They simply ignore the acls on directories. I keep opening bugzillas at redhat, they are (slowly) fixing stuff. There is a load of legacy posix breaking stuff, like cp, mv, chmod, chown, basic stuff. In omnios and I guess in other opensolaris derivatives, you have the /usr/bin/* binaries and the /usr/gnu/bin/* binaries; using the right one prevents those problems.

By cks at 2013-06-26 16:00:48:

IPSec AH might well do the job, although it might also have a performance impact (I'd have to measure and I actually have no idea these days). The other problem is that IPSec is fiendishly complex to set up, even with fixed keys. I'm not sure the marginal improvement is worth the pain for us.

Written on 26 June 2013.

«	Balancing Illumos against ZFS on Linux

How much of our incoming email is checked at SMTP DATA time