rfc3010.txt

最新的RFC

   receive an NFS error of NFS4ERR_WRONGSEC.  This error allows the
   server to notify the client that the security triple currently being
   used is not appropriate for access to the server's file system
   resources.  The client is then responsible for determining what
   security triples are available at the server and choose one which is
   appropriate for the client.

3.3.2.  SECINFO

   The new SECINFO operation will allow the client to determine, on a
   per filehandle basis, what security triple is to be used for server
   access.  In general, the client will not have to use the SECINFO
   procedure except during initial communication with the server or when
   the client crosses policy boundaries at the server.  It is possible
   that the server's policies change during the client's interaction
   therefore forcing the client to negotiate a new security triple.





Shepler, et al.             Standards Track                    [Page 21]

RFC 3010                 NFS version 4 Protocol            December 2000


3.4.  Callback RPC Authentication

   The callback RPC (described later) must mutually authenticate the NFS
   server to the principal that acquired the clientid (also described
   later), using the same security flavor the original SETCLIENTID
   operation used. Because LIPKEY is layered over SPKM-3, it is
   permissible for the server to use SPKM-3 and not LIPKEY for the
   callback even if the client used LIPKEY for SETCLIENTID.

   For AUTH_NONE, there are no principals, so this is a non-issue.

   For AUTH_SYS, the server simply uses the AUTH_SYS credential that the
   user used when it set up the delegation.

   For AUTH_DH, one commonly used convention is that the server uses the
   credential corresponding to this AUTH_DH principal:

         unix.host@domain

   where host and domain are variables corresponding to the name of
   server host and directory services domain in which it lives such as a
   Network Information System domain or a DNS domain.

   Regardless of what security mechanism under RPCSEC_GSS is being used,
   the NFS server, MUST identify itself in GSS-API via a
   GSS_C_NT_HOSTBASED_SERVICE name type.  GSS_C_NT_HOSTBASED_SERVICE
   names are of the form:

         service@hostname

   For NFS, the "service" element is

         nfs

   Implementations of security mechanisms will convert nfs@hostname to
   various different forms. For Kerberos V5 and LIPKEY, the following
   form is RECOMMENDED:

         nfs/hostname

   For Kerberos V5, nfs/hostname would be a server principal in the
   Kerberos Key Distribution Center database.  For LIPKEY, this would be
   the username passed to the target (the NFS version 4 client that
   receives the callback).

   It should be noted that LIPKEY may not work for callbacks, since the
   LIPKEY client uses a user id/password.  If the NFS client receiving
   the callback can authenticate the NFS server's user name/password



Shepler, et al.             Standards Track                    [Page 22]

RFC 3010                 NFS version 4 Protocol            December 2000


   pair, and if the user that the NFS server is authenticating to has a
   public key certificate, then it works.

   In situations where NFS client uses LIPKEY and uses a per-host
   principal for the SETCLIENTID operation, instead of using LIPKEY for
   SETCLIENTID, it is RECOMMENDED that SPKM-3 with mutual authentication
   be used.  This effectively means that the client will use a
   certificate to authenticate and identify the initiator to the target
   on the NFS server.  Using SPKM-3 and not LIPKEY has the following
   advantages:

   o  When the server does a callback, it must authenticate to the
      principal used in the SETCLIENTID.  Even if LIPKEY is used,
      because LIPKEY is layered over SPKM-3, the NFS client will need to
      have a certificate that corresponds to the principal used in the
      SETCLIENTID operation.  From an administrative perspective, having
      a user name, password, and certificate for both the client and
      server is redundant.

   o  LIPKEY was intended to minimize additional infrastructure
      requirements beyond a certificate for the target, and the
      expectation is that existing password infrastructure can be
      leveraged for the initiator.  In some environments, a per-host
      password does not exist yet.  If certificates are used for any
      per-host principals, then additional password infrastructure is
      not needed.

   o  In cases when a host is both an NFS client and server, it can
      share the same per-host certificate.

4.  Filehandles

   The filehandle in the NFS protocol is a per server unique identifier
   for a file system object.  The contents of the filehandle are opaque
   to the client.  Therefore, the server is responsible for translating
   the filehandle to an internal representation of the file system
   object.  Since the filehandle is the client's reference to an object
   and the client may cache this reference, the server SHOULD not reuse
   a filehandle for another file system object.  If the server needs to
   reuse a filehandle value, the time elapsed before reuse SHOULD be
   large enough such that it is unlikely the client has a cached copy of
   the reused filehandle value.  Note that a client may cache a
   filehandle for a very long time.  For example, a client may cache NFS
   data to local storage as a method to expand its effective cache size
   and as a means to survive client restarts.  Therefore, the lifetime
   of a cached filehandle may be extended.





Shepler, et al.             Standards Track                    [Page 23]

RFC 3010                 NFS version 4 Protocol            December 2000


4.1.  Obtaining the First Filehandle

   The operations of the NFS protocol are defined in terms of one or
   more filehandles.  Therefore, the client needs a filehandle to
   initiate communication with the server.  With the NFS version 2
   protocol [RFC1094] and the NFS version 3 protocol [RFC1813], there
   exists an ancillary protocol to obtain this first filehandle.  The
   MOUNT protocol, RPC program number 100005, provides the mechanism of
   translating a string based file system path name to a filehandle
   which can then be used by the NFS protocols.

   The MOUNT protocol has deficiencies in the area of security and use
   via firewalls.  This is one reason that the use of the public
   filehandle was introduced in [RFC2054] and [RFC2055].  With the use
   of the public filehandle in combination with the LOOKUP procedure in
   the NFS version 2 and 3 protocols, it has been demonstrated that the
   MOUNT protocol is unnecessary for viable interaction between NFS
   client and server.

   Therefore, the NFS version 4 protocol will not use an ancillary
   protocol for translation from string based path names to a
   filehandle.  Two special filehandles will be used as starting points
   for the NFS client.

4.1.1.  Root Filehandle

   The first of the special filehandles is the ROOT filehandle.  The
   ROOT filehandle is the "conceptual" root of the file system name
   space at the NFS server.  The client uses or starts with the ROOT
   filehandle by employing the PUTROOTFH operation.  The PUTROOTFH
   operation instructs the server to set the "current" filehandle to the
   ROOT of the server's file tree.  Once this PUTROOTFH operation is
   used, the client can then traverse the entirety of the server's file
   tree with the LOOKUP procedure.  A complete discussion of the server
   name space is in the section "NFS Server Name Space".

4.1.2.  Public Filehandle

   The second special filehandle is the PUBLIC filehandle.  Unlike the
   ROOT filehandle, the PUBLIC filehandle may be bound or represent an
   arbitrary file system object at the server.  The server is
   responsible for this binding.  It may be that the PUBLIC filehandle
   and the ROOT filehandle refer to the same file system object.
   However, it is up to the administrative software at the server and
   the policies of the server administrator to define the binding of the
   PUBLIC filehandle and server file system object.  The client may not
   make any assumptions about this binding.




Shepler, et al.             Standards Track                    [Page 24]

RFC 3010                 NFS version 4 Protocol            December 2000


4.2.  Filehandle Types

   In the NFS version 2 and 3 protocols, there was one type of
   filehandle with a single set of semantics.  The NFS version 4
   protocol introduces a new type of filehandle in an attempt to
   accommodate certain server environments.  The first type of
   filehandle is 'persistent'.  The semantics of a persistent filehandle
   are the same as the filehandles of the NFS version 2 and 3 protocols.
   The second or new type of filehandle is the "volatile" filehandle.

   The volatile filehandle type is being introduced to address server
   functionality or implementation issues which make correct
   implementation of a persistent filehandle infeasible.  Some server
   environments do not provide a file system level invariant that can be
   used to construct a persistent filehandle.  The underlying server
   file system may not provide the invariant or the server's file system
   programming interfaces may not provide access to the needed
   invariant.  Volatile filehandles may ease the implementation of
   server functionality such as hierarchical storage management or file
   system reorganization or migration.  However, the volatile filehandle
   increases the implementation burden for the client.  However this
   increased burden is deemed acceptable based on the overall gains
   achieved by the protocol.

   Since the client will need to handle persistent and volatile
   filehandle differently, a file attribute is defined which may be used
   by the client to determine the filehandle types being returned by the
   server.

4.2.1.  General Properties of a Filehandle

   The filehandle contains all the information the server needs to
   distinguish an individual file.  To the client, the filehandle is
   opaque. The client stores filehandles for use in a later request and
   can compare two filehandles from the same server for equality by
   doing a byte-by-byte comparison.  However, the client MUST NOT
   otherwise interpret the contents of filehandles.  If two filehandles
   from the same server are equal, they MUST refer to the same file.  If
   they are not equal, the client may use information provided by the
   server, in the form of file attributes, to determine whether they
   denote the same files or different files.  The client would do this
   as necessary for client side caching.  Servers SHOULD try to maintain
   a one-to-one correspondence between filehandles and files but this is
   not required.  Clients MUST use filehandle comparisons only to
   improve performance, not for correct behavior.  All clients need to
   be prepared for situations in which it cannot be determined whether
   two filehandles denote the same object and in such cases, avoid
   making invalid assumptions which might cause incorrect behavior.



Shepler, et al.             Standards Track                    [Page 25]

RFC 3010                 NFS version 4 Protocol            December 2000


   Further discussion of filehandle and attribute comparison in the
   context of data caching is presented in the section "Data Caching and
   File Identity".

   As an example, in the case that two different path names when
   traversed at the server terminate at the same file system object, the
   server SHOULD return the same filehandle for each path.  This can
   occur if a hard link is used to create two file names which refer to
   the same underlying file object and associated data.  For example, if
   paths /a/b/c and /a/d/c refer to the same file, the server SHOULD
   return the same filehandle for both path names traversals.

4.2.2.  Persistent Filehandle

   A persistent filehandle is defined as having a fixed value for the
   lifetime of the file system object to which it refers.  Once the
   server creates the filehandle for a file system object, the server
   MUST accept the same filehandle for the object for the lifetime of
   the object.  If the server restarts or reboots the NFS server must
   honor the same filehandle value as it did in the server's previous
   instantiation.  Similarly, if the file system is migrated, the new
   NFS server must honor the same file handle as the old NFS server.

   The persistent filehandle will be become stale or invalid when the
   file system object is removed.  When the server is presented with a
   persistent filehandle that refers to a deleted object, it MUST return
   an error of NFS4ERR_STALE.  A filehandle may become stale when the
   file system containing the object is no longer available.  The file
   system may become unavailable if it exists on removable media and the
   media is no longer available at the server or the file system in
   whole has been destroyed or the file system has simply been removed
   from the server's name space (i.e. unmounted in a Unix environment).

4.2.3.  Volatile Filehandle

   A volatile filehandle does not share the same longevity
   characteristics of a persistent filehandle.  The server may determine
   that a volatile filehandle is no longer valid at many different
   points in time.  If the server can definitively de