On 04/23/09 09:12, Nicolas Williams wrote:
> On Wed, Apr 22, 2009 at 10:04:21AM -0500, Nicolas Williams wrote:
>> Any reason not to add a corresponding option to the NFS server when the
>> CIFS case comes along?
> 
> More to the point: if only the CIFS service has this feature then it
> follows that enabling ABE on a share ought to disable NFS service for
> that share as otherwise users could use NFS to defeat ABE.  At the very
> least this should be documented.

As a per share property, I don't think we need to document this
specifically.  Shares with ABE enabled will perform filtering,
shares that do not have ABE enabled will not perform filtering.

For example, if you share the same directory twice over SMB but
only enable ABE on one of those shares, the same user would have
a different view based on the specific share being accessed.

> In general I would think that we ought to aim for feature parity between
> the CIFS service and the NFS service for any features that could be
> applicable to both.  With some obvious exceptions, of course.
> 
> Examples:
> 
>  - it should be OK for Solaris to support NFSv4 delegations but not CIFS
>    oplocks -- such a difference mostly affects only performance;
> 
>  - it should not be OK for Solaris to have different I18N
>    characteristics for NFSv4 and CIFS if that meant that NFSv4 and CIFS
>    clients could not easily share files with non-ASCII names through a
>    Solaris NAS.
> 
> When it comes to security features of the _protocols_ (e.g., support for
> Kerberos V) I'm not so sure that such a rule should apply -- you can
> always turn one or the other protocol.  But when it comes to security
> features of the _filesystem_ methinks that those should apply in both,
> NFSv4 and CIFS as much as possible (e.g., there could be minor
> differences w.r.t. ACLs).  ABE is not a protocol feature as much as a
> filesystem feature...

Yes

> If I understand this case correctly the changes to the CIFS server to
> support ABE will be minor, and so should be the changes to the NFS
> server.  Did I understand correctly?

I would imagine that adding ABE support to NFS would be straight-
forward because everything would be local, i.e. add the ability
to set the ABE share property and have the NFS service interrogate
that property for readdir requests.

The CIFS service requires additional MSRPC work because the ABE
property can be managed remotely (via the MMC on Windows clients)
as well as locally via sharemgr, sharesmb etc.

I'll talk to the NFS team about introducing NFS ABE support at the
same time as CIFS support.

Alan
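
The per-share behaviour discussed in this message, as an added example that is not part of the original thread or of the Solaris code: a readdir-style listing that hides unreadable entries only when the share's ABE property is set. `Share`, `can_read`, `list_share` and `build_demo` are hypothetical names, the access check uses POSIX mode bits as a simplifying assumption (a real server would evaluate the file's ACL), and the files and users are constructed sample data.

```python
import os, stat, tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Share:            # hypothetical model of a share definition
    name: str
    path: str
    abe: bool = False   # per-share ABE property

def can_read(st, uid, gids):
    """Simplified check on POSIX mode bits only (assumption: a real
    server would evaluate the file's ACL for the caller)."""
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def list_share(share, uid, gids):
    """Directory listing as seen through one share by one user."""
    names = []
    for entry in os.scandir(share.path):
        if share.abe and not can_read(entry.stat(follow_symlinks=False), uid, gids):
            continue    # ABE: hide entries the caller cannot read
        names.append(entry.name)
    return sorted(names)

def build_demo():
    """Constructed sample data: one directory reachable via three shares."""
    root = tempfile.mkdtemp(prefix="abe-demo-")
    for name, mode in (("public.txt", 0o644), ("team.txt", 0o640), ("private.txt", 0o600)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    st = os.stat(os.path.join(root, "public.txt"))
    users = {"owner": (st.st_uid, {st.st_gid}),
             "teammate": (st.st_uid + 1, {st.st_gid}),
             "outsider": (st.st_uid + 1, {st.st_gid + 1})}
    shares = {"smb_abe": Share("smb_abe", root, abe=True),
              "smb_plain": Share("smb_plain", root),
              "nfs": Share("nfs", root)}  # models NFS without an ABE option
    return shares, users

if __name__ == "__main__":
    shares, users = build_demo()
    for sname, share in shares.items():
        for uname, (uid, gids) in users.items():
            print(f"{sname:10} {uname:9} {list_share(share, uid, gids)}")
```

The `outsider` rows show the concern raised in the quoted text: the same directory lists one name through the ABE share and all three names through the other two.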

