[Samba] domain-free multi-user use cases

Eric Levy contact at ericlevy.name
Mon Oct 25 07:37:11 UTC 2021


On Mon, 2021-10-25 at 09:02 +0200, cn--- via samba wrote:
> Am 25.10.21 um 02:48 schrieb Eric Levy via samba:
> > NFS won't do exactly what I want. One issue is that numeric user
> > identifiers are required to match across systems, but even working
> > around this inconvenience, the larger issue is that without
> > Kerberos,
> > NFS mounts are not protected by authentication.
> 
> Ok I didn't catch that you wanted to have authentication.
> 
> > iSCSI obviously is not file sharing. Multiple clients cannot access
> > the
> > same iSCSI device simultaneously, and any client accessing the
> > device
> > must be able to use the underlying file system.
> 
> You talked about one client at the moment so I thought for one
> client 
> this would work.
> 
> 
> > I think I once reviewed a discussion about why autofs features
> > offer
> > limited support for user directories the way you suggest. If a
> > guide
> > for getting to this to work is available, I would review it, even
> > though the effect would not be exactly the same as a multiuser
> > mount.
> 
> Looking at it again. Autofs has the same limitation as the multiuser 
> mounts in the kernel. It only works with Auth methods that do not use
> a 
> password. However, pam_mount does work. It uses the password that
> the 
> user uses at login to mount the shares.
> 
> https://support.rstudio.com/hc/en-us/articles/360044190234-How-to-mount-a-Windows-SMB-CIFS-share-via-PAM
> 
> https://www.bu.edu/engit/knowledge-base/linux/opensuseatbu-pam_mount/
> 
> Here is an example I used to use before autofs (as I have a Domain
> in 
> the background)
> 
> <volume user="*" options="nodev,vers=3.1.1" fstype="cifs" 
> server="FQDN" path="data" mountpoint="/home/%(USER)/data/" />
> 
> So this mounts the share as the logged in user with their local 
> password. Username and password have to match that on the Server.
> So each user would have the share mounted in their home directory in 
> this case.
> 
> Regards
> 
> Christian
> 


I will look into the pam_mount solution as a workaround to limitations in
direct mounts.

Respecting the client count, different comments were given in different
contexts. I never wanted to suggest that I could accept a solution that
cannot scale to multiple clients, only that management of credentials
across 50 or even 10 boxes is not among my current worries. To clarify
the way I have matters at this moment, I have one client on which I
would wish to make a multiuser mount. This client is a server
supporting remote logins. Other clients are directly accessing the
shared files through simple mounts made on the fly. These are true
clients (e.g. laptops and workstations) that have no need to support a
mount that is always available beginning at boot, or that enforces
ownership and permissions correctly for different users accessing the
box.
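
The following is an added example, not part of either message and not code from Samba or pam_mount: a small check one could run over the cifs volume definitions in a pam_mount configuration of the kind quoted above before deploying it on a shared login host. The sample document, the second "scratch" volume and the three lint rules are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <volume> line quoted in the thread, wrapped in a
# <pam_mount> root, plus a deliberately weaker entry for contrast.
SAMPLE = """<pam_mount>
  <volume user="*" options="nodev,vers=3.1.1" fstype="cifs"
          server="FQDN" path="data" mountpoint="/home/%(USER)/data/" />
  <volume user="*" options="vers=1.0" fstype="cifs"
          server="FQDN" path="scratch" mountpoint="/srv/scratch" />
</pam_mount>"""


def parse_options(raw):
    """Split a mount option string into {name: value or None}."""
    opts = {}
    for item in filter(None, (p.strip() for p in raw.split(","))):
        name, _, value = item.partition("=")
        opts[name] = value or None
    return opts


def lint_volume(vol):
    """Return findings for one <volume> element (rules are assumptions)."""
    opts = parse_options(vol.get("options", ""))
    # pam_mount mounts as root, so hardening flags must be stated explicitly.
    findings = [f"missing {f}" for f in ("nodev", "nosuid") if f not in opts]
    # vers=1.0 selects the legacy SMB1 dialect.
    if (opts.get("vers") or "").startswith("1"):
        findings.append("SMB1 dialect requested")
    # With user="*", a fixed path puts every login on the same mount point
    # instead of one mount per user made with that user's credentials.
    if vol.get("user") == "*" and "%(USER)" not in vol.get("mountpoint", ""):
        findings.append("wildcard user shares one mountpoint")
    return findings


def lint_config(xml_text):
    """Map each cifs volume's path attribute to its list of findings."""
    root = ET.fromstring(xml_text)
    return {v.get("path"): lint_volume(v)
            for v in root.iter("volume") if v.get("fstype") == "cifs"}


if __name__ == "__main__":
    for path, findings in lint_config(SAMPLE).items():
        print(path, "->", findings or "ok")
```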
