this post was submitted on 20 Feb 2024
19 points (91.3% liked)

Linux

48001 readers
1188 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

(sorry in advance for the long post)

What I'm looking for:

Basically, without a lot of work to setup and maintain a Domain/Kerberos server, what's the best way to provide consistent logins and remote folder/share (from a server) access across various Linux desktops


I've configured domain controllers using Samba. I've also configured Linux systems as domain-joined hosts. Between the two I tend to find that keeping talking - especially for systems that are only on infrequently - can be a bit troublesome. Updates sometimes break the Samba server, tokens expire, etc etc

I've also used NFS of various versions, but found v4 with the Kerberos implementation a bit finicky (for similar reasons to the SMB based implementation). NFSv3 of course is fairly fast and efficient, but lacks the user-level authentication and relies on IP's for access-control.


Now it's been awhile since I've given a shot at this except for some NFS shares between VMs and SSHFS for desktops, it would be nice to have a consistent but easily maintainable way to provided common shares for larger files (videos, albums, 3d models, and projects etc) without having to constantly troubleshoot. Maybe the domain/NFS route had gotten easier but it still seems to be fairly manual at times.

top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 8 months ago

Late to the thread, but SFTPGo is very nice.

It can be exposed as web server, (S)FTP Server and WebDAV, has built in authentication system, have built in brute force protection.

All in a single executable.

[–] [email protected] 3 points 8 months ago (1 children)

NFS for storage, tailscale / wireguard for access control?

[–] [email protected] 1 points 8 months ago (1 children)

I haven't played with tailscale, and most of my wireguard shenanigans have involved connecting to others' systems. Wouldn't those mostly control the network-level access but not the account-level access (centralized account/UID/gid and remote permissions) part?

[–] [email protected] 2 points 8 months ago (1 children)

Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols

[–] [email protected] 1 points 8 months ago

Not too many users, but an ever changing variety of devices and services :-)

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago) (2 children)

Does this only need to work on LAN? I've not used Kerberos.

I've never had SMB break. It's definitely been my LAN network storage protocol of choice over the years, decent performance and perfect reliability so far.

And while I do have SSHFS set up, and use it sometimes, it's by far the slowest solution in my experience. I basically only use it to pull a file via phone if I need something off my desktop or home server that I didn't put in a location accessible via/synced to nextcloud, and I'm not at home to grab it via my desktop (which mounts my server's fulesystem via SMB).

Some time ago I finally set up off-site backup at my dad's, and while nextcloud has been my solution for convenient file storage, sharing and access from anywhere, it's extreme overkill for such a use-case.

It's better suited for syncing folders (using up space on both client and server), not mounting as a network storage location (though I think it can do that?)

What I ended up doing was setting up unencrypted FTP through the VPN that I use to access my home network. Server at dad's connects to it on startup, from there my server is able to see the off-site machine on my LAN and it can then dump backups into it.

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago) (1 children)

I do actually have a NextCloud instance, which I primarily use for editing Documents (via Collabora) or syncing backups of folders like Pictures etc from the phone.

SMB/Samba by itself for just sharing folders I've had little issue with. Samba as a domain controller with domain-joined clients tied to domain logins is a more complicated beast and - in my experience -prone to breakage in my experience (expired tokens, certificate lifetimes, DNS integration, upgrade issues, etc) BUT it can provide a fairly complete package end-to-end when it works. I just feel that there should be a more Linux-centric/friendly and less bloaty solution that still others decent account-level security.

When you ask "only on LAN" the answer is yes with the caveat that I do also work through VPN, but that's often functionally the same thing save that the VPN login occurs after the user-login

[–] [email protected] 1 points 8 months ago

I don't think you can get more "linuxy" than samba. You can go down to something simpler, like FTP, or SHHFS which is basically also FTP, but there's no SMB equivalent that's "more linux".

It's all just different implementations of different protocols that exist, and SMB is used the most for a reason.

[–] [email protected] 2 points 8 months ago

Nextcloud uses webDAV, so it definitely can be mounted as a network drive (this is how I primarily use it, and it works well).

[–] [email protected] 1 points 8 months ago

I use SSHFS. I have had some trouble getting it to mount automatically, but it will show up in Dolphin so it mounts when you click. If you set up keys (ideally ed25519), disable password authentication, set up fail2ban, and use nonstandard ports for outside lan I would consider it reasonably secure.

[–] [email protected] 1 points 8 months ago

Perhaps freeipa wirh automounts?

[–] [email protected] -1 points 8 months ago* (last edited 8 months ago)

Update: Based on some other sources, it sounds like giving another shot at freeIPA might be worth investigating. It's still got Samba etc and the last time I tried it things weren't more RedHat exactly friendly to my favored flavor (Debian) but it sounds like it might be better supported now

Update #2

OMFG it's years after I tried and FreeIPA on Debian is even more of a pain. Docker container issues galore, and it basically won't start without adding a bunch of options that reduce the container security to a smoldering ruin