(sorry in advance for the long post)
What I’m looking for:
Basically, without a lot of work to set up and maintain a Domain/Kerberos server, what’s the best way to provide consistent logins and remote folder/share (from a server) access across various Linux desktops?
I’ve configured domain controllers using Samba. I’ve also configured Linux systems as domain-joined hosts. Between the two I tend to find that keeping them talking - especially for systems that are only on infrequently - can be a bit troublesome. Updates sometimes break the Samba server, tokens expire, etc.
I’ve also used NFS of various versions, but found v4 with the Kerberos implementation a bit finicky (for similar reasons to the SMB-based implementation). NFSv3 of course is fairly fast and efficient, but lacks the user-level authentication and relies on IPs for access control.
Now it’s been a while since I’ve given a shot at this except for some NFS shares between VMs and SSHFS for desktops. It would be nice to have a consistent but easily maintainable way to provide common shares for larger files (videos, albums, 3D models, projects, etc.) without having to constantly troubleshoot. Maybe the domain/NFS route has gotten easier but it still seems to be fairly manual at times.
I do actually have a Nextcloud instance, which I primarily use for editing Documents (via Collabora) or syncing backups of folders like Pictures etc. from the phone.
SMB/Samba by itself for just sharing folders I’ve had little issue with. Samba as a domain controller with domain-joined clients tied to domain logins is a more complicated beast and - in my experience - prone to breakage (expired tokens, certificate lifetimes, DNS integration, upgrade issues, etc.) BUT it can provide a fairly complete package end-to-end when it works. I just feel that there should be a more Linux-centric/friendly and less bloaty solution that still offers decent account-level security.
When you ask “only on LAN” the answer is yes, with the caveat that I do also work through VPN, but that’s often functionally the same thing save that the VPN login occurs after the user-login.