I think we're still at the point where everyone is finding a solution that works for them, and there isn't a common, recommended solution. The way I do it with a single user who can write to target through CIFS and using a UID collision to make sure the permissions apply everywhere works for me with one user on the network, but others have very different needs.