[Samba] domain-free multi-user use cases

Eric Levy contact at ericlevy.name
Sat Oct 23 05:12:05 UTC 2021

The former deployment you have described seems to fall into the class
of cases I have labeled (2), (i.e. "with support from a domain

The latter one also may fall into this class, but I may not understand
the meaning of "Samba is the domain controller". If Samba is the domain
controller, then a domain controller exists, which I believe makes this
deployment also suitable for association with class (2).

The proposed class (3) entails no domain server, or any similar
component, only a file server and client.

Perhaps some nuance surrounds the implications of a domain controller
co-located with the file server, but I believe, not knowing the full
details of these systems, that this difference is simply a deployment
detail of which software components reside on which hardware nodes, and
not one that bears on the distinctions among the classes I have

In particular, I believe that one feature of the latter deployment, as
well as the former, is that the file server is configured to recognize
a domain server as part of the overall deployment. Suppose you wish to
configure a client for a file server that has no association with a
domain server. Under such circumstances, I believe any use case falls
under class (1), which precludes the client creating a multiuser mount.
My argument largely centers around the observation that a multiuser
mount only may be realized through support for a proposed use-case
class (3).

On Fri, 2021-10-22 at 21:32 -0700, Aaron C. de Bruyn wrote:
> Maybe I'm completely misunderstanding what you're getting at, but
> Samba definitely supports more use-cases than that, and from what I
> can tell it supports what you're describing as the "third option".
> I have a ~30-server deployment where Linux or FreeBSD boxes are
> domain members and users access their files (via group policy
> redirected documents and various file shares via mapped drives) after
> they sign into Windows.
> That's one user per workstation accessing multiple central servers
> each using their own domain creds.
> I also have another client with a ~20 server deployment across
> multiple sites where Samba is *the* domain controller for the
> domain.  No Windows Domain Controllers involved anywhere.  Management
> is done from a Windows 10 VM with RSAT tools installed.
> Users are pulling NETLOGON/SYVOL as well as their redirected
> documents and a few mapped shares after they sign in to Windows. 
> This client also has a bunch of RDS servers users sign in to
> remotely.
> That's a handful of central RDS servers (with multiple users on each
> server) accessing shares on multiple Samba servers each with their
> own permissions.
> Perhaps you could go into a bit more detail and help me understand
> what I'm missing?
> Thanks,
> -A
> On Fri, Oct 22, 2021 at 9:22 PM Eric Levy via samba <
> samba at lists.samba.org> wrote:
> > I have browsed documentation and previously engaged this group,
> > trying
> > to resolve a means toward a deployment with specific
> > characteristics.
> > 
> > Through such investigation, it has become apparent to me that the
> > set
> > of use cases presently supported by Samba generally fall into one
> > of
> > the following two classes:
> > 
> >    1. Single-user mounts of a server share on a client, without
> > support
> >       from any third node.
> >    2. Mounts of a server share on a client, often multiuser, with
> > support
> >       from a domain server or equivalent kind of node.
> > 
> > I might easily call these two classes of use case the single-user
> > cases
> > (1) and the domain-server cases (2).
> > 
> > Two observations about this dichotomy are striking. One is that in
> > practical use, many desired configurations will fall easily into
> > one of
> > these classes. The other observation is the ease with which someone
> > may
> > imagine a valuable use case not within either class.
> > 
> > The many combinations of needs for various deployments indicate a
> > wide
> > gap between these two classes. I might suggest this gap represents
> > a
> > third class, which I might call the domain-free multi-user cases.
> > With
> > the convergence of technologies, and with deployments entering
> > increasingly diverse environments, it may seem that these use cases
> > are
> > becoming increasingly important.
> > 
> > In my earlier conversation in this group, I described my needs as
> > follows:
> > 
> >    What I want is multiple users on the client accessing the same
> > mount
> >    but with different permissions enforced for each. I want the
> >    permissions to reflect the permissions for the corresponding
> > users
> >    on the NAS.
> > 
> >    It seems by now it has been made clear that it is impossible to
> >    achieve this result without some kind of domain server...
> > 
> > Support for such functionality without a domain server would
> > require
> > development of new components on the client and server to handle
> > certain functions currently available only through the domain
> > server.
> > Such augmentation would call for good design, but is doubtless
> > feasible, at least in principle.
> > 
> > Naturally, one of the nice things about being Microsoft is that
> > after
> > you sell licenses for a few clients and a file server, you also can
> > sell a license for a domain server. The profit-focused designs of
> > software system offered by Microsoft and other companies might
> > represent a more narrow range of options than is useful generally.
> > The
> > Samba project might benefit from designs expanded to serve a more
> > inclusive variety of user needs, with fewer constraints inherited
> > from
> > commercial models. 
> > 
> > I realize that new support of the kind I am describing is a
> > substantial
> > undertaking. I am interested in learning how these thoughts might
> > be
> > received considering the current state of development and future
> > ambitions.
> > 
> > 

More information about the samba mailing list