2xsaiko

True. I knew I should have left that as “NFS 4” because someone would comment this. From what I’ve read (never used it), NFS 3 is very different to 4 and also just kind of not worth using, especially just for Windows, since it has no security at all.

Please just use Kerberos instead of fiddling with uids. It’s the only sane way to get NFS access controls and user mapping. Works on both Linux and macOS (but there’s no NFS on Windows anyway).

I’d say you can run the Kerberos KDC on the NAS but if Synology has some locked down special OS you’ll need another machine for that (edit: but you say you have other servers already so that shouldn’t be a problem).

Unfortunately SMB is so screwed that you can’t reuse ordinary Kerberos for authentication there, which is unfortunate if you want to have both that and NFS. I’ve yet to look into whether Samba AD can be used for both.

This seems super overcomplicated. What I would do is put all the subdomains on the public DNS, let HTTP(S) through the firewall for the respective hosts, deny everything from outside of your local network on the http server that isn’t under the HTTP challenge path and then run the HTTP challenge as you would for a public site.

Then you can get certs, everyone outside trying to access will get 403, and inside the network you can access as normal.

Of course you’ll have to trust your http server’s ACL for that, but I’m just going to assume servers like nginx (which I use) have a reliable implementation.