Configure a Samba Share in Linux

We're going to go over creating an anonymous shared folder and a shared folder available only to certain users. This will work on most Linux distributions, though distros like CentOS will require some SELinux changes. In this tutorial I will be using openSUSE as my distribution, but the commands will be much the same elsewhere.

Configure SAMBA Shares

1. Install the SAMBA service.

openSUSE:

sudo zypper in samba -y

Debian/Ubuntu:

sudo apt install samba -y

CentOS:

sudo yum install samba -y

NOTE: Some distributions might require you to install the package samba-server instead of just samba.

2. Create the folder you want to share.

The location can technically be anywhere you want: some admins place shares under /opt, some in the root (/) or even inside a home folder. I'm going to place my shared folders under /srv.

sudo mkdir /srv/anonymous
sudo mkdir /srv/accounting

The anonymous directory, as the name suggests, is going to be used for sharing files with anonymous users. The accounting directory will be used to share files with a group of users called accounting that we will create later.

3. Let's create the user group accounting.

sudo groupadd accounting

4. Now create a set of users and add them to the group accounting.

sudo useradd chris -G accounting -m
sudo useradd angela -G accounting -m
sudo useradd taylor -G accounting -m

If you wish to add existing users to the group later, you can do so with the usermod command.

sudo usermod -aG accounting chris
sudo usermod -aG accounting angela
sudo usermod -aG accounting taylor

Parameters:

  • -G: Adds a supplementary group when creating the user
  • -m: Creates the user's home directory during creation

Let's verify the users are part of the group accounting by running the following command.

linuxman@linux-m4u5:/srv> groups chris angela taylor
chris : users accounting
angela : users accounting
taylor : users accounting

NOTE: Notice that the users are also part of the group users. In some distributions like Ubuntu, upon user creation they will be assigned to a group with the same name as their username.

Here we see that all users have been added to the accounting group. Now let's check that the users' home directories exist with the following command.

linuxman@linux-m4u5:/srv> ls /home
angela chris linuxman taylor

And as we can see, the home directories have also been successfully created.

5. Let's set the password for each user created using the passwd command and the smbpasswd command. The passwd command is for PAM authentication to the system and smbpasswd is for authenticating with SAMBA shares.

sudo passwd chris
sudo smbpasswd -a chris

sudo passwd angela
sudo smbpasswd -a angela

sudo passwd taylor
sudo smbpasswd -a taylor

NOTE: The password I'm going to assign each user will be the same as their username, so the command will warn that the password is BAD. In production, you will want to create secure passwords.

6. Let's set the appropriate permissions for our shares.

Anonymous permissions will be simple: we will give full access to all.

sudo chmod 0777 /srv/anonymous -R

For the users Chris, Angela and Taylor, we will give permissions via ACLs using the setfacl command. Remember we added them to the accounting group, so we will give the group accounting permissions to the accounting folder.

sudo setfacl -R -m g:accounting:rwx /srv/accounting
sudo setfacl -R -m d:group:accounting:rwx /srv/accounting

7. Now that the users are created and the permissions are set, let's add our shares to our samba configuration. Using your favorite text editor, edit the file /etc/samba/smb.conf.

sudo vim /etc/samba/smb.conf

NOTE: On some distributions that require the samba-server package, the configuration file would be named smbd.conf.

At the bottom of the config, add the accounting share and the anonymous share in the following format.

[accounting]
    comment = Accounting share for group 'accounting'
    path = /srv/accounting
    writeable = yes
    browseable = yes
    create mask = 0777
    directory mask = 0777
    force group = accounting
[anonymous]
    comment = Public Anonymous share for anyone to use
    path = /srv/anonymous
    writeable = yes
    browseable = yes
    create mask = 0777
    directory mask = 0777
    guest ok = yes
    force user = nobody

Parameters:

  • comment: Adds a comment to the share folder.
  • path: Sets the path of the folder that will be shared.
  • writeable: Indicates whether users of a service can modify files in this directory.
  • browseable: Indicates whether this share will be listed as a share in net view.
  • create mask: The permission mask applied to newly created files in the share.
  • directory mask: The permission mask applied to newly created directories in the share.
  • force group: Assigns the named group as the default primary group for all users connecting to the share.
  • force user: Assigns the named user as the default user for all users connecting to the share.
  • guest ok: Indicates that connecting to this share will require no password for authentication.
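
The share definitions above can be checked for settings that widen access. This is an added example, not part of the original tutorial: audit_shares, its messages and the tighter [accounting] stanza are assumptions of this example, while valid users and the + prefix on force group are documented smb.conf options.

```shell
# Added example (names are this example's own): audit smb.conf-style shares on stdin.
audit_shares() {
  awk '
    function report() {
      if (share == "" || tolower(share) == "global") return
      if (guest && writable) print share ": writable by unauthenticated guests"
      if (fgroup != "" && fgroup !~ /^\+/ && !valid)
        print share ": force group " fgroup " applies to every authenticated user"
      if (loose != "") print share ": world-writable mask (" loose ")"
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }   # skip blank lines and comments
    /^[ \t]*\[/ {                          # [share] header starts a new stanza
      report(); share = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
      guest = writable = valid = 0; fgroup = loose = ""; next
    }
    index($0, "=") {                       # Samba ignores case and spaces in key names
      key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      yes = (tolower(val) ~ /^(yes|true|1)$/)
      if (key == "guestok" || key == "public") guest = yes
      if (key == "writeable" || key == "writable") writable = yes
      if (key == "readonly") writable = !yes
      if (key == "validusers") valid = 1
      if (key == "forcegroup") fgroup = val
      if (key ~ /^(create|directory)mask$/ && val ~ /[2367]$/)
        loose = loose (loose == "" ? "" : ", ") key "=" val
    }
    END { report() }
  '
}
# Access-control keys of the two shares configured in this tutorial.
page_config() { cat <<'EOF'
[accounting]
    writeable = yes
    create mask = 0777
    directory mask = 0777
    force group = accounting
[anonymous]
    writeable = yes
    create mask = 0777
    directory mask = 0777
    guest ok = yes
EOF
}
# Assumed tighter [accounting] stanza (constructed for this example).
tight_config() { printf '%s\n' '[accounting]' 'writeable = yes' \
  'valid users = @accounting' 'force group = +accounting' \
  'create mask = 0660' 'directory mask = 0770'; }
page_config | audit_shares; tight_config | audit_shares
```

To audit a live server, pipe the real file through the function: audit_shares < /etc/samba/smb.conf.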

8. Let's enable and start the SAMBA service, then verify the shares are active.

sudo systemctl enable smb.service
sudo systemctl start smb.service

Check the status to make sure there were no errors starting the service.

sudo systemctl status smb.service

NOTE: On some distributions the service may be named smbd instead of smb.

Verify the shares are active using the smbclient command. On some distributions you may have to install this separately.

linuxman@linux-m4u5:/srv> smbclient -L localhost
Enter WORKGROUP\linuxman's password:

  Sharename    Type   Comment
  ---------    ----   -------
  profiles     Disk   Network Profiles Service
  users        Disk   All users
  groups       Disk   All groups
  print$       Disk   Printer Drivers
  accounting   Disk   Accounting share for group 'accounting'
  anonymous    Disk   Public Anonymous share for anyone to use
  IPC$         IPC    IPC Service (Samba 4.7.11-git.153.b36ceaf2235lp150.3.14.1-SUSE-oS15.0-x86_64)
Reconnecting with SMB1 for workgroup listing.

  Server         Comment
  ---------      -------

  Workgroup      Master
  ---------      -------

9. On some distributions you may need to allow access through the firewall. Let's allow access to ports 445 and 139 on the firewall.

If your firewall is FIREWALLD, add the ports as permanent and restart FIREWALLD.

sudo firewall-cmd --zone public --add-port 445/tcp --add-port 139/tcp --permanent
sudo systemctl restart firewalld.service

If your firewall is UFW, add the ports; a restart is usually not needed.

sudo ufw allow 445,139/tcp

Testing Access

1. I will test access from a Windows 10 VM. I logged in as each user and created a txt file with their name as the file name.

2. From our server, if we browse to the accounting folder and run the command below, we see that the txt file for each user has the appropriate permissions and we can see who the owner is.

linuxman@linux-m4u5:~> cd /srv/accounting/
linuxman@linux-m4u5:/srv/accounting> ls -l
total 0
-rwxrwxrw-+ 1 angela accounting 0 Jun 1 13:43 angela.txt
-rwxrwxrw-+ 1 chris  accounting 0 Jun 1 13:33 chris.txt
-rwxrwxrw-+ 1 taylor accounting 0 Jun 1 13:45 taylor.txt
linuxman@linux-m4u5:/srv/accounting>

3. Next, I created a file in the anonymous folder called random.txt.

4. Now if we browse to the anonymous folder from our server and run the commands below, we see that the appropriate permissions are applied.

linuxman@linux-m4u5:~> cd /srv/anonymous/
linuxman@linux-m4u5:/srv/anonymous> ls -l
total 0
-rwxrw-rw- 1 nobody nobody 0 Jun 1 13:46 random.txt
linuxman@linux-m4u5:/srv/anonymous>

This concludes creating a shared folder for anonymous users and users with permissions.
