(sorry in advance for the long post)
What I’m looking for:
Basically, without a lot of work to setup and maintain a Domain/Kerberos server, what’s the best way to provide consistent logins and remote folder/share (from a server) access across various Linux desktops
I’ve configured domain controllers using Samba. I’ve also configured Linux systems as domain-joined hosts. Between the two I tend to find that keeping talking - especially for systems that are only on infrequently - can be a bit troublesome. Updates sometimes break the Samba server, tokens expire, etc etc
I’ve also used NFS of various versions, but found v4 with the Kerberos implementation a bit finicky (for similar reasons to the SMB based implementation). NFSv3 of course is fairly fast and efficient, but lacks the user-level authentication and relies on IP’s for access-control.
Now it’s been awhile since I’ve given a shot at this except for some NFS shares between VMs and SSHFS for desktops, it would be nice to have a consistent but easily maintainable way to provided common shares for larger files (videos, albums, 3d models, and projects etc) without having to constantly troubleshoot. Maybe the domain/NFS route had gotten easier but it still seems to be fairly manual at times.
Late to the thread, but SFTPGo is very nice.
It can be exposed as web server, (S)FTP Server and WebDAV, has built in authentication system, have built in brute force protection.
All in a single executable.
NFS for storage, tailscale / wireguard for access control?
I haven’t played with tailscale, and most of my wireguard shenanigans have involved connecting to others’ systems. Wouldn’t those mostly control the network-level access but not the account-level access (centralized account/UID/gid and remote permissions) part?
Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols
Not too many users, but an ever changing variety of devices and services :-)
I use SSHFS. I have had some trouble getting it to mount automatically, but it will show up in Dolphin so it mounts when you click. If you set up keys (ideally ed25519), disable password authentication, set up fail2ban, and use nonstandard ports for outside lan I would consider it reasonably secure.
Perhaps freeipa wirh automounts?
Update: Based on some other sources, it sounds like giving another shot at freeIPA might be worth investigating. It’s still got Samba etc and the last time I tried it things weren’t more RedHat exactly friendly to my favored flavor (Debian) but it sounds like it might be better supported now
Update #2
OMFG it’s years after I tried and FreeIPA on Debian is even more of a pain. Docker container issues galore, and it basically won’t start without adding a bunch of options that reduce the container security to a smoldering ruin