[Samba] domain-free multi-user use cases

[Patrick Goetz]

On 10/27/21 13:11, David Brodbeck wrote:
> 
> 
> On Wed, Oct 27, 2021 at 8:31 AM Patrick Goetz via samba 
> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
> 
>     NFSv4 does allow you to do local identity mapping, but it apparently
>     doesn't respect permissions/ACLs, so I'm not sure what the point is.
>     (Apparently because I've never tried to use this feature.)
> 
> 
> It does, but it has its own ACLs separate from the Posix ACLs most 
> people are familiar with...which are themselves separate from the NT 
> ACLs Samba uses. IIRC it does honor normal file permissions as well but 
> it's been a while since I last used it. Also, some idmapping features 
> only work if you're also using Kerberos.
> 
> NFSv3 can do Posix ACLs if both the client and server are Linux and it's 
> enabled on both ends. But it requires matching UIDs and GIDs.
> 
> Neither NFSv4 ACLs nor Posix ACLs allow nested groups.
> 
> The whole NFS interoperability situation is a bit of a hot mess.
> 

It's a hot mess because the kernel developers refuse to acknowledge the 
need to incorporate a VFS permissions model closer to NFS or Windows 
ACLs. Really, this can be simplified to "the kernel needs to adopt NFS 
ACLs". Windows ACLs jumped the shark long ago, likely due to corporate 
customer requests to handle edge cases.  Other than the stuff no sane 
person would ever use, Windows and NFS ACLs are largely identical (since 
NFSv4 just copied Windows).

The nested groups thing is a nice feature of AD, although it's not that 
hard to live without it. Having a better default permissions system is 
far more important. The most important hindsight innovation of AD is 
treating computers like users; i.e. as a thing that needs UID with 
directory properties and authentication.



> -- 
> David Brodbeck (they/them)
> System Administrator, Department of Mathematics
> University of California, Santa Barbara
>