[Samba] domain-free multi-user use cases
Rowland Penny
rpenny at samba.org
Sun Oct 24 07:57:18 UTC 2021
On Sat, 2021-10-23 at 16:05 -0700, Jeremy Allison via samba wrote:
> On Sat, Oct 23, 2021 at 03:59:42AM -0400, Eric Levy via samba wrote:
> > The most basic mount to a file server is single user, represented
> > by (1). I have come to understand, in part from a discussion in this
> > group, that a multiuser mount is not possible without the addition
> > of a domain server, represented by class (2). As explained, a
> > multiuser mount is one for which various files are owned by different
> > users within the same mounted view, and the differences in ownership
> > in the mounted view reflect the actual ownership of the server (though
> > in general a user mapping may be employed).
>
> No, that's not true unless you are dealing with multiple servers
> and multiple clients. Even then, if all the clients had the same
> local users and all the servers had the same local users (i.e.
> user "Sam" on all clients maps to user "Sam" on all servers)
> then you don't need a domain setup.
>
> You can see why this would quickly become unscalable though :-).
>
> Any client with multiple local users can attempt to connect
> to a Samba server as different users, so long as the different
> users are logged in simultaneously and try and access the
> same mounted drive.
>
> E.g. For Windows, if "user1" mounts drive Z:, and then "user2" tries
> to access Z: then the client will attempt a multiplexed
> SMB2_SESSIONSETUP + TREE_CONNECT to the server as "user2".
>
> With no domain that means no kerberos so all logons will be
> done using NTLM, which isn't really what you want security-wise.
>
> But if all clients have local users: user1, user2,..., userN
> and all servers have local users: user1, user2,..., userN
> and each user password is the same for that user across all
> clients and servers then each client can connect as multiple
> users, authenticating via NTLM and all will work.
>
> You'd be nuts to try and do this for more than one or
> two users though, which is why NT Domains and AD Domains
> were invented.
I have been there and done that, it gets really hard after about 10
users and computers. The users tended to want to use any computer,
which meant they had to exist on all computers and if they changed
their password, this meant a trip round all computers to change the
password, which could take some time, because they were not all in one
building.
Rowland
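Added example, not code from this thread, from Samba or from Windows: a Python model of the domain-free scheme Jeremy describes, where every client and server keeps its own local account database and each logon is an NTLMv2 SESSION_SETUP. The hosts, user names and passwords are constructed; the domain field of NTOWFv2 is simplified to the server name (both sides only need to agree on it), and the NTLMv2 blob is a random placeholder. Running the fleet check shows why the setup stops scaling: one password changed on one workstation, or one account never created on one server, and that user's logons fail for those pairs.

```python
"""Constructed model of domain-less (workgroup) SMB access: every client and
server has its own local account database, logons are NTLMv2 (no Kerberos
without a domain), and a user reaches a server from a client only when both
hold the same NT hash for that user.  The fleet layout below is made up."""
import hashlib
import hmac
import os
import struct

# --- MD4 (RFC 1320): the NT hash is MD4 over the UTF-16LE password; hashlib's
#     md4 is frequently disabled on OpenSSL 3 builds, so it is done in pure Python.
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), _R2, (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z, _R3, (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = list(state)
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                # registers rotate A,D,C,B through the 16 steps of each round
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                v[-i % 4] = _rotl(a + fn(b, c, d) + X[k] + const, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(user: str, domain: str, nthash: bytes) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    # NTProofStr || blob; a real blob carries timestamp, client nonce and target info
    proof = hmac.new(ntowf, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


class Host:
    """A stand-alone machine (client or server) with its own local account database."""

    def __init__(self, name: str, passwords: dict):
        self.name = name
        self.users = {u: nt_hash(p) for u, p in passwords.items()}  # NT hashes, not passwords


def server_verify(server: Host, user: str, challenge: bytes, response: bytes) -> bool:
    stored = server.users.get(user)
    if stored is None:            # account was never created on this server
        return False
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(ntowf_v2(user, server.name, stored), challenge, blob)
    return hmac.compare_digest(expected[:16], proof)


def client_session_setup(client: Host, server: Host, user: str) -> bool:
    """One SMB2 SESSION_SETUP as `user` from `client` to `server` over NTLMv2.
    A second local user touching the same mapped drive causes another of these
    on the same connection.  Domain field simplified to the server name (assumption)."""
    if user not in client.users:
        return False
    challenge = os.urandom(8)     # server's CHALLENGE_MESSAGE nonce
    blob = os.urandom(24)         # placeholder for the client's NTLMv2 blob
    resp = ntlmv2_response(ntowf_v2(user, server.name, client.users[user]), challenge, blob)
    return server_verify(server, user, challenge, resp)


def fleet_check(clients, servers, users):
    """Every (client, server, user) triple that cannot log on.  For the workgroup
    scheme to work this list must be empty: clients x servers x users databases
    all kept in step by hand, which is the burden a domain controller removes."""
    return [(c.name, s.name, u)
            for c in clients for s in servers for u in users
            if not client_session_setup(c, s, u)]


# Constructed fleet: two workstations, two file servers, two users.
CLIENTS = [Host("ws1", {"sam": "s3cret!", "alice": "hunter2"}),
           Host("ws2", {"sam": "s3cret!", "alice": "newpass"})]   # alice changed her password on ws2 only
SERVERS = [Host("files1", {"sam": "s3cret!", "alice": "hunter2"}),
           Host("files2", {"sam": "s3cret!"})]                    # nobody created alice here
USERS = ["sam", "alice"]

if __name__ == "__main__":
    for c, s, u in fleet_check(CLIENTS, SERVERS, USERS):
        print(f"{u}@{c} -> {s}: NTLM logon fails")
```

Only the NTLMv2 NT response is modelled; the LM response, signing and session-key derivation are left out because the point here is the per-host database consistency, not the full protocol.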