(sorry in advance for the long post)
What I’m looking for:
Basically, without a lot of work to setup and maintain a Domain/Kerberos server, what’s the best way to provide consistent logins and remote folder/share (from a server) access across various Linux desktops
I’ve configured domain controllers using Samba. I’ve also configured Linux systems as domain-joined hosts. Between the two I tend to find that keeping talking - especially for systems that are only on infrequently - can be a bit troublesome. Updates sometimes break the Samba server, tokens expire, etc etc
I’ve also used NFS of various versions, but found v4 with the Kerberos implementation a bit finicky (for similar reasons to the SMB based implementation). NFSv3 of course is fairly fast and efficient, but lacks the user-level authentication and relies on IP’s for access-control.
Now it’s been awhile since I’ve given a shot at this except for some NFS shares between VMs and SSHFS for desktops, it would be nice to have a consistent but easily maintainable way to provided common shares for larger files (videos, albums, 3d models, and projects etc) without having to constantly troubleshoot. Maybe the domain/NFS route had gotten easier but it still seems to be fairly manual at times.
NFS for storage, tailscale / wireguard for access control?
I haven’t played with tailscale, and most of my wireguard shenanigans have involved connecting to others’ systems. Wouldn’t those mostly control the network-level access but not the account-level access (centralized account/UID/gid and remote permissions) part?
Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols
Not too many users, but an ever changing variety of devices and services :-)
Late to the thread, but SFTPGo is very nice.
It can be exposed as web server, (S)FTP Server and WebDAV, has built in authentication system, have built in brute force protection.
All in a single executable.
Does this only need to work on LAN? I’ve not used Kerberos.
I’ve never had SMB break. It’s definitely been my LAN network storage protocol of choice over the years, decent performance and perfect reliability so far.
And while I do have SSHFS set up, and use it sometimes, it’s by far the slowest solution in my experience. I basically only use it to pull a file via phone if I need something off my desktop or home server that I didn’t put in a location accessible via/synced to nextcloud, and I’m not at home to grab it via my desktop (which mounts my server’s fulesystem via SMB).
Some time ago I finally set up off-site backup at my dad’s, and while nextcloud has been my solution for convenient file storage, sharing and access from anywhere, it’s extreme overkill for such a use-case.
It’s better suited for syncing folders (using up space on both client and server), not mounting as a network storage location (though I think it can do that?)
What I ended up doing was setting up unencrypted FTP through the VPN that I use to access my home network. Server at dad’s connects to it on startup, from there my server is able to see the off-site machine on my LAN and it can then dump backups into it.
Nextcloud uses webDAV, so it definitely can be mounted as a network drive (this is how I primarily use it, and it works well).
I do actually have a NextCloud instance, which I primarily use for editing Documents (via Collabora) or syncing backups of folders like Pictures etc from the phone.
SMB/Samba by itself for just sharing folders I’ve had little issue with. Samba as a domain controller with domain-joined clients tied to domain logins is a more complicated beast and - in my experience -prone to breakage in my experience (expired tokens, certificate lifetimes, DNS integration, upgrade issues, etc) BUT it can provide a fairly complete package end-to-end when it works. I just feel that there should be a more Linux-centric/friendly and less bloaty solution that still others decent account-level security.
When you ask “only on LAN” the answer is yes with the caveat that I do also work through VPN, but that’s often functionally the same thing save that the VPN login occurs after the user-login
I don’t think you can get more “linuxy” than samba. You can go down to something simpler, like FTP, or SHHFS which is basically also FTP, but there’s no SMB equivalent that’s “more linux”.
It’s all just different implementations of different protocols that exist, and SMB is used the most for a reason.
I use SSHFS. I have had some trouble getting it to mount automatically, but it will show up in Dolphin so it mounts when you click. If you set up keys (ideally ed25519), disable password authentication, set up fail2ban, and use nonstandard ports for outside lan I would consider it reasonably secure.
Perhaps freeipa wirh automounts?
Update: Based on some other sources, it sounds like giving another shot at freeIPA might be worth investigating. It’s still got Samba etc and the last time I tried it things weren’t more RedHat exactly friendly to my favored flavor (Debian) but it sounds like it might be better supported now
Update #2
OMFG it’s years after I tried and FreeIPA on Debian is even more of a pain. Docker container issues galore, and it basically won’t start without adding a bunch of options that reduce the container security to a smoldering ruin