[Samba] domain-free multi-user use cases

Sat Oct 23 07:47:41 UTC 2021

On Sat, Oct 23, 2021 at 1:29 AM Eric Levy via samba
<samba at lists.samba.org> wrote:
>
> On Fri, 2021-10-22 at 22:07 -0700, Jeremy Allison via samba wrote:
> > On Sat, Oct 23, 2021 at 12:03:18AM -0400, Eric Levy via samba wrote:
> > > In my earlier conversation in this group, I described my needs as
> > > follows:
> > >
> > >   What I want is multiple users on the client accessing the same
> > > mount
> > >   but with different permissions enforced for each. I want the
> > >   permissions to reflect the permissions for the corresponding
> > > users
> > >   on the NAS.
> > >
> > >   It seems by now it has been made clear that it is impossible to
> > >   achieve this result without some kind of domain server...
> >
> > Isn't that the bog-standard standalone file server case,
> > with user names on the client mapped into the same user
> > names on the server ?
> >
> > The clients can easily do multi-user mounts, both Windows
> > and Linux.
> >
> > I guess I don't understand exactly what you are asking
> > for here.
> >
> > In your scenario, where are the "users" defined ? How
> > does a client have multiple users logged in ? Are
> > these local users defined on the client ?
>
> When I inquired earlier to this group, it was explained that multiuser
> mounts depend on a domain server, and this explanation is also given in
> the documentation. I think the standard standalone case is that all
> files in the mount share the same owner viewed by the client, perhaps
> with some added support for special users such as "nobody". A mount
> that shows different files owned by various regular users is not
> supported. The reason is as you say, some mechanism is required to
> support a user mapping, which currently is handled only by a domain
> server.

You can definitely have multiple users on a "standalone" Linux client
each mounting a file share on a "standalone" Samba file server. And
the Samba server will enforce the user's permissions on the server
side. As Jeremy said, this is the boring case which has been supported
forever.

I'm no Samba expert, but If I wade through everything you're saying, I
think the key issue you have with that is that all of the files
*appear* (on the client side) to be owned by the user who mounted the
share. While that's a fairly superfluous limitation (as it has no
impact on what files the user can actually see/access), it is a
limitation that doesn't exist when you have a domain that can perform
ID mapping.

So perhaps what you're really after isn't a major "class 3" overhaul
of samba, but perhaps the not-yet-fully-supported(?) SMBv3 UNIX
extensions:
https://wiki.samba.org/index.php/UNIX_Extensions

Specifically the POSIX file ownership:
https://wiki.samba.org/index.php/SMB3-Linux#POSIX_file_ownership

The status of SMBv3 UNIX extension support in smbd and the Linux
kernel client is not clear to me; perhaps someone more knowledgeable
can fill-in here.

Jonathon