[Samba] domain-free multi-user use cases

Eric Levy contact at ericlevy.name
Sat Oct 23 08:18:15 UTC 2021



On Sat, 2021-10-23 at 09:13 +0100, Rowland Penny via samba wrote:
> On Sat, 2021-10-23 at 04:00 -0400, Eric Levy via samba wrote:
> > On Sat, 2021-10-23 at 03:47 -0400, Jonathon Reinhart wrote:
> > > On Sat, Oct 23, 2021 at 1:29 AM Eric Levy via samba
> > > <samba at lists.samba.org> wrote:
> > > > On Fri, 2021-10-22 at 22:07 -0700, Jeremy Allison via samba
> > > > wrote:
> > > > > On Sat, Oct 23, 2021 at 12:03:18AM -0400, Eric Levy via samba
> > > > > wrote:
> > > > > > In my earlier conversation in this group, I described my needs
> > > > > > as follows:
> > > > > > 
> > > > > >   What I want is multiple users on the client accessing the same
> > > > > >   mount but with different permissions enforced for each. I want
> > > > > >   the permissions to reflect the permissions for the
> > > > > >   corresponding users on the NAS.
> > > > > > 
> > > > > >   It seems by now it has been made clear that it is impossible
> > > > > >   to achieve this result without some kind of domain server...
> > > > > 
> > > > > Isn't that the bog-standard standalone file server case,
> > > > > with user names on the client mapped into the same user
> > > > > names on the server?
> > > > > 
> > > > > The clients can easily do multi-user mounts, both Windows
> > > > > and Linux.
> > > > > 
> > > > > I guess I don't understand exactly what you are asking
> > > > > for here.
> > > > > 
> > > > > In your scenario, where are the "users" defined? How
> > > > > does a client have multiple users logged in ? Are
> > > > > these local users defined on the client ?
> > > > 
> > > > When I inquired earlier to this group, it was explained that
> > > > multiuser mounts depend on a domain server, and this explanation
> > > > is also given in the documentation. I think the standard
> > > > standalone case is that all files in the mount share the same
> > > > owner viewed by the client, perhaps with some added support for
> > > > special users such as "nobody". A mount that shows different
> > > > files owned by various regular users is not supported. The reason
> > > > is as you say, some mechanism is required to support a user
> > > > mapping, which currently is handled only by a domain server.
> > > 
> > > You can definitely have multiple users on a "standalone" Linux
> > > client each mounting a file share on a "standalone" Samba file
> > > server. And the Samba server will enforce the user's permissions
> > > on the server side. As Jeremy said, this is the boring case which
> > > has been supported forever.
> > > 
> > > I'm no Samba expert, but if I wade through everything you're
> > > saying, I think the key issue you have with that is that all of
> > > the files *appear* (on the client side) to be owned by the user
> > > who mounted the share. While that's a fairly superfluous
> > > limitation (as it has no impact on what files the user can
> > > actually see/access), it is a limitation that doesn't exist when
> > > you have a domain that can perform ID mapping.
> > > 
> > > So perhaps what you're really after isn't a major "class 3"
> > > overhaul of samba, but perhaps the not-yet-fully-supported(?)
> > > SMBv3 UNIX extensions:
> > > https://wiki.samba.org/index.php/UNIX_Extensions
> > > 
> > > Specifically the POSIX file ownership:
> > > https://wiki.samba.org/index.php/SMB3-Linux#POSIX_file_ownership
> > > 
> > > The status of SMBv3 UNIX extension support in smbd and the Linux
> > > kernel client is not clear to me; perhaps someone more
> > > knowledgeable can fill in here.
> > > 
> > > Jonathon
> > 
> > I think you are describing a case of each user maintaining a
> > separate single-user mount.
> > 
> > I am describing a multiuser mount, which I understand to be a
> > mount, often created through the administrative user account, in
> > which various files within the same mounted view are shown as owned
> > by different users, reflecting the ownership of the files on the
> > server.
> > 
> 
> You probably can do what you require on a standalone server by using
> the vfs_acl_xattr module, you will end up with what is known as a
> workgroup.
> 
> The only problem with a workgroup is that they do not scale well. You
> will need to create the same users everywhere, with the same
> passwords. This is why Windows created domains, you maintain the
> users and groups in just one place, not on EVERY workgroup computer.
> 
> Rowland
> 

Could you provide (or reference) a basic overview of the steps required
to achieve this scenario, assuming I currently have one Linux server
running Samba, and one Linux client with Samba installed?




