[Samba] domain-free multi-user use cases

Eric Levy contact at ericlevy.name
Sun Oct 24 08:08:12 UTC 2021


On Sun, 2021-10-24 at 08:57 +0100, Rowland Penny via samba wrote:
> On Sat, 2021-10-23 at 16:05 -0700, Jeremy Allison via samba wrote:
> > On Sat, Oct 23, 2021 at 03:59:42AM -0400, Eric Levy via samba wrote:
> > > The most basic mount to a file server is single user, represented
> > > by (1). I have come to understand, in part from a discussion in
> > > this group, that a multiuser mount is not possible without the
> > > addition of a domain server, represented by class (2). As
> > > explained, a multiuser mount is one for which various files are
> > > owned by different users within the same mounted view, and the
> > > differences in ownership in the mounted view reflect the actual
> > > ownership of the server (though in general a user mapping may be
> > > employed).
> > 
> > No, that's not true unless you are dealing with multiple servers
> > and multiple clients. Even then, if all the clients had the same
> > local users and all the servers had the same local users (i.e.
> > user "Sam" on all clients maps to user "Sam" on all servers)
> > then you don't need a domain setup.
> > 
> > You can see why this would quickly become unscalable though :-).
> > 
> > Any client with multiple local users can attempt to connect
> > to a Samba server as different users, so long as the different
> > users are logged in simultaneously and try and access the
> > same mounted drive.
> > 
> > E.g. For Windows, if "user1" mounts drive Z:, and then "user2" tries
> > to access Z: then the client will attempt a multiplexed
> > SMB2_SESSIONSETUP + TREE_CONNECT to the server as "user2".
> > 
> > With no domain that means no kerberos so all logons will be
> > done using NTLM, which isn't really what you want security-wise.
> > 
> > But if all clients have local users: user1, user2,..., userN
> > and all servers have local users: user1, user2,..., userN
> > and each user password is the same for that user across all
> > clients and servers then each client can connect as multiple
> > users, authenticating via NTLM and all will work.
> > 
> > You'd be nuts to try and do this for more than one or
> > two users though, which is why NT Domains and AD Domains
> > were invented.
> 
> I have been there and done that, it gets really hard after about 10
> users and computers. The users tended to want to use any computer,
> which meant they had to exist on all computers and if they changed
> their password, this meant a trip round all computers to change the
> password, which could take some time, because they were not all in
> one building.
> 
> Rowland


I have three users and two nodes, just now, with no hardware on which
to put a domain server.

I do not expect to have more users or hardware in the foreseeable
future. If I do, adding the domain server later won't put me in a worse
position than if I had started with one. To the contrary, I still would
have benefited from getting started sooner, with a configuration that
has less maintenance requirement.
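The domain-free arrangement Jeremy describes (identical local accounts with identical passwords on every client and server, NTLM logons, no KDC), written out as a setup script. This is an added example for this page, not code from the thread or from the Samba project. It assumes a standalone Samba server and a Linux client using cifs-utils, where the per-user session multiplexing that Windows does automatically is requested with the `multiuser` mount option and each user supplies their own password through `cifscreds`. The host name `fileserver`, share name `shared`, paths, and the user names `alice`, `bob` and `carol` are all assumptions.

```shell
#!/bin/sh
# Domain-free multi-user SMB, as described in the thread: the same local
# accounts (same names, same passwords) on every client and every server,
# authenticated with NTLM because there is no Kerberos KDC.
# Added example for this page, not code from the thread or from Samba.
# Host name, share name, paths and user names are assumptions.
#
#   sh domainfree.sh server   # on the Samba host, as root
#   sh domainfree.sh client   # on each client, as root
#   sh domainfree.sh          # dry run: print the generated config only

SERVER=fileserver            # assumed Samba host name
SHARE=shared                 # assumed share name
EXPORT=/srv/samba/shared     # assumed export path on the server
MOUNTPOINT=/mnt/shared       # assumed mount point on the clients
USERS="alice bob carol"      # three users, as in the thread; names assumed

# Standalone (no domain) smb.conf. Every logon is NTLM, so the hardening
# available is to refuse NTLMv1/LM, require SMB3, and make signing and
# encryption mandatory.
smb_conf_text() {
    cat <<EOF
[global]
    server role = standalone server
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
    map to guest = Never
    ntlm auth = ntlmv2-only
    server min protocol = SMB3_00
    server signing = mandatory
    smb encrypt = required

[$SHARE]
    path = $EXPORT
    read only = no
    valid users = $USERS
EOF
}

# Client mount options. "multiuser" makes the kernel open a separate SMB
# session for each local uid that touches the mount, using the password
# that uid stored in its keyring with cifscreds. The kernel cannot prompt,
# so a user who has stored nothing is not authenticated as themselves.
mount_opts() {
    printf 'multiuser,sec=ntlmssp,vers=3.1.1,seal,username=%s' "$1"
}

# /etc/fstab line. At boot nothing can prompt for the mount password, so
# for fstab use add credentials=/path/to/file (root-readable only) to the
# options instead of relying on the interactive prompt.
mount_line() {
    printf '//%s/%s %s cifs %s 0 0\n' \
        "$SERVER" "$SHARE" "$MOUNTPOINT" "$(mount_opts "$1")"
}

server_setup() {
    install -d -m 1777 "$EXPORT"   # sticky bit: users cannot delete each other's files
    for u in $USERS; do
        id "$u" >/dev/null 2>&1 || useradd -M -s /usr/sbin/nologin "$u"
        smbpasswd -a "$u"          # prompts; must equal the user's password on every client
    done
    smb_conf_text > /etc/samba/smb.conf
    testparm -s >/dev/null && systemctl restart smbd
}

client_setup() {
    for u in $USERS; do
        id "$u" >/dev/null 2>&1 || useradd -m "$u"   # same names as on the server
    done
    mkdir -p "$MOUNTPOINT"
    # root mounts once; mount.cifs prompts for alice's password here.
    mount -t cifs "//$SERVER/$SHARE" "$MOUNTPOINT" -o "$(mount_opts alice)"
    # Afterwards each user, in their own login session, stores their own
    # password so that their accesses go to the server as them:
    #   cifscreds add -u "$USER" fileserver
}

case "${1:-}" in
    server) server_setup ;;
    client) client_setup ;;
    *)      smb_conf_text; echo; mount_line alice ;;
esac
```

Rowland's maintenance point is visible in the script: a password change means `passwd` on every client, `smbpasswd` on the server, and a fresh `cifscreds` entry in each login session, which is what a domain replaces. The ownership shown in the mounted view is a separate matter from authentication: without the `cifsacl` mount option and a working idmap upcall, the Linux client reports the mount's uid and gid for every file rather than the server-side owner, even though each user's writes are made under their own session.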
