Understanding Samba in a Linux Environment
Samba is the standard way to share files and printers between Linux/Unix systems and Windows machines using the SMB/CIFS protocol. In a modern network, Samba can act as:
- A simple file/print server in a workgroup
- A member server in an existing Windows Active Directory (AD)
- A domain controller (AD-compatible) itself
This chapter focuses on practical Samba use for Linux servers in typical small to medium environments.
Core Samba Components and Terminology
Samba is made of several daemons and tools. The most important for basic file sharing are:
- smbd: Handles file and printer sharing, authentication, permissions, and SMB protocol.
- nmbd (older setups): Handles NetBIOS name service and browsing on legacy networks (often not needed on modern AD/DNS-based networks).
- winbindd: Integrates Windows/AD users and groups into a Linux system (ID mapping, authentication).
- samba (AD DC mode): A combined daemon for Active Directory Domain Controller features.
Key concepts:
- Share: A directory exported over SMB (e.g. \\server\share).
- Workgroup: A simple peer-to-peer grouping of machines; no centralized domain controller.
- Domain / AD domain: Centralized authentication and policy managed by domain controllers.
- NetBIOS name: Legacy SMB hostname (e.g. MYFILESRV); still used in many environments.
Installing Samba
Package names vary, but typically:
- Debian/Ubuntu: samba, samba-common-bin
- RHEL/CentOS/Fedora: samba, samba-client, samba-common
- openSUSE: samba, samba-client
- Arch: samba
Example (Debian/Ubuntu):
sudo apt update
sudo apt install samba
Example (Fedora/RHEL with DNF):
sudo dnf install samba samba-client
Ensure the main daemons are enabled and running:
sudo systemctl enable --now smb
# on some distros:
sudo systemctl enable --now smbd nmbd
The Samba Configuration File
The main configuration is /etc/samba/smb.conf. It’s divided into:
- A global section: [global] – server-wide settings
- One or more share sections: [sharename] – per-share settings
The file format is ini-like:
[global]
workgroup = WORKGROUP
server string = My Samba Server
[public]
path = /srv/samba/public
read only = no
guest ok = yes
After editing, always check for syntax errors:
testparm
If testparm reports no errors, reload Samba:
sudo systemctl reload smb
# or:
sudo systemctl reload smbd
Basic Server Identity and Workgroup Settings
Key [global] options for a simple workgroup server:
[global]
workgroup = WORKGROUP
server string = Fileserver
netbios name = FILESRV01
# Recommended for modern clients
security = user
map to guest = Bad User
# Log to syslog (collected by the journal on systemd systems); depends on distro
logging = syslog
Explanation of important parameters:
- workgroup: Must match the Windows workgroup or domain name (for simple setups often WORKGROUP).
- netbios name: The name Windows users will see (e.g. \\FILESRV01).
- security = user: Standard mode; users must authenticate.
- map to guest = Bad User: If an unknown username is used, map to the guest account (useful for public/guest shares).
Creating Basic File Shares
Preparing Directories and Permissions
Before defining a share, create the directory and set appropriate ownership and permissions at the filesystem level.
Example: a public share accessible to everyone on the LAN:
sudo mkdir -p /srv/samba/public
sudo chown nobody:nogroup /srv/samba/public # Debian-style
sudo chmod 0777 /srv/samba/public
Or a private share for user alice:
sudo mkdir -p /srv/samba/alice
sudo chown alice:alice /srv/samba/alice
sudo chmod 0700 /srv/samba/alice
Samba respects Linux permissions, so setting them correctly is essential.
Example: Public (Guest) Share
Add to /etc/samba/smb.conf:
[public]
path = /srv/samba/public
browseable = yes
read only = no
guest ok = yes
Key options:
- path – directory on the Linux filesystem.
- browseable – show in network neighborhood.
- read only – no allows writes.
- guest ok – allows access without authentication (maps to the guest account).
Ensure the guest account exists and is mapped (often nobody or guest); some distros handle this automatically.
Example: Private Per-User Share
Assume you want a private share for alice:
- Create the directory and set permissions (done earlier).
- Create a Samba password for alice:
sudo smbpasswd -a alice
- Configure the share:
[alice]
path = /srv/samba/alice
browseable = no
read only = no
valid users = alice
Now alice authenticates from Windows or Linux clients using her Samba (or system) credentials.
Controlling Access: `valid users`, `write list`
Some useful per-share access controls:
- valid users = user1 user2 @group1: Only these users/groups may access the share.
- invalid users = user3: Explicitly deny listed users.
- read only = yes: Make the share read-only by default.
- write list = user1 @group2: Grant write access to these users/groups on an otherwise read-only share.
Example: department share:
[dept]
path = /srv/samba/dept
browseable = yes
read only = yes
valid users = @deptstaff
write list = @deptadmin
Managing Samba Users and Passwords
Samba usually maintains its own user database, linked to system accounts.
Typical workflow:
- Create a system user (if not already present):
sudo useradd -m alice
sudo passwd alice
- Add the user to Samba:
sudo smbpasswd -a alice
- Enable/disable Samba account:
sudo smbpasswd -e alice # enable
sudo smbpasswd -d alice # disable
Samba authenticates users against this Samba password database (or AD/LDAP, in more advanced setups).
Guest Access and the Guest Account
For truly public shares:
- guest ok = yes in the share definition.
- map to guest = Bad User in [global].
Check or set the guest account in smb.conf:
[global]
guest account = nobody
Ensure the guest account’s filesystem permissions allow read/write as needed.
Integration with Linux Permissions and ACLs
Samba uses underlying filesystem permissions:
- Basic Unix permissions (chmod, chown, chgrp)
- POSIX ACLs (setfacl, getfacl) for finer control (per-user or per-group beyond owner/group/other)
When you need complex permission schemes (e.g. multiple groups with different rights), use filesystem ACLs and possibly force group, create mask, and directory mask.
Example to force new files in a share to belong to a particular group:
[projects]
path = /srv/samba/projects
read only = no
valid users = @projteam
force group = projteam
create mask = 0660
directory mask = 0770
Connecting from Clients
From Windows
- Open File Explorer.
- In the address bar, type \\SERVERNAME or \\IP_ADDRESS.
- When prompted, enter username and the Samba password.
To map a network drive:
- Right-click “This PC” → “Map network drive…”
- Choose a drive letter.
- Enter \\SERVERNAME\sharename.
- Check “Connect using different credentials” if needed.
From Linux
Using smbclient (CLI test):
smbclient -L //server -U alice
smbclient //server/alice -U alice
Permanent mount with cifs in /etc/fstab (requires cifs-utils):
sudo mkdir -p /mnt/alice
echo '//server/alice /mnt/alice cifs username=alice,password=SECRET,iocharset=utf8,vers=3.0 0 0' | sudo tee -a /etc/fstab
sudo mount -a
For security, store credentials in a root-owned file and reference it with credentials=/root/.smbcred instead of embedding passwords in /etc/fstab.
Printer Sharing with Samba (Overview)
Samba can export Linux printers to Windows clients:
- Configure the printer on the Linux system (CUPS).
- In smb.conf, define a printers share:
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
create mask = 0700
- Make sure smbd has access to the CUPS system (handled automatically on many distros).
Details of printer drivers and CUPS are handled elsewhere; here, Samba is just making the printer visible to SMB clients.
Joining a Samba Server to Active Directory (Member Server Basics)
In AD environments, Samba servers often act as domain members to:
- Use AD accounts and groups for authentication.
- Apply share permissions based on AD groups.
High-level steps (details vary by distro):
- Set the realm and workgroup in [global]:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
winbind use default domain = yes
- Configure DNS and time synchronization with the AD domain.
- Join the domain:
sudo net ads join -U Administrator
- Use winbind to map AD users/groups to Unix IDs.
Full AD integration involves ID mapping backends and PAM/NSS configuration, which are covered in more advanced materials. For file sharing, the main concept is that Samba can delegate authentication to AD and then enforce access based on AD identities.
Common Security and Hardening Considerations
- Restrict which hosts can connect:
[global]
hosts allow = 192.168.1. 127.
hosts deny = 0.0.0.0/0
- Use modern SMB versions (avoid SMB1):
[global]
server min protocol = SMB2
server max protocol = SMB3
- Integrate with the system firewall (see the dedicated firewalls chapter): Open the samba/smb service on the appropriate interfaces only.
- Keep Samba updated to avoid known vulnerabilities.
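As an added example (not part of the original chapter and not a Samba tool), this Python sketch checks smb.conf text against the hardening list above and also reports shares that combine guest ok = yes with write access. The function names and the sample config are constructed for illustration; line continuations and include directives are assumed absent.

```python
import re

YES = {"yes", "true", "1", "on"}
SMB1 = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # SMB1-era dialect names
ALIASES = {"public": "guestok", "minprotocol": "serverminprotocol", "allowhosts": "hostsallow"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces removed, synonyms folded."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = "".join(key.lower().split())
            if key in INVERTED:
                key, value = "readonly", "no" if value.lower() in YES else "yes"
            section[ALIASES.get(key, key)] = value
    return conf

def audit(text):
    """Flag an unset or SMB1-era min protocol, missing hosts allow, guest-writable shares."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    proto = g.get("serverminprotocol", "unset")
    if proto.lower() in SMB1 | {"unset"}:
        findings.append(f"global: server min protocol is {proto}; pin it to SMB2 or later")
    if "hostsallow" not in g:
        findings.append("global: no hosts allow restriction")
    for name, share in conf.items():
        p = {**g, **share}  # share-level parameters set in [global] act as defaults
        guest = p.get("guestok", "no").lower() in YES
        writable = p.get("readonly", "yes").lower() not in YES
        if name != "global" and guest and writable:
            findings.append(f"{name}: guest ok with write access")
    return findings

# Constructed sample built from the chapter's [global] and [public] examples.
WEAK = """[global]
map to guest = Bad User
[public]
read only = no
guest ok = yes
"""
```

Running audit(WEAK) yields three findings; testparm remains the authority on syntax, so this check complements it rather than replacing it.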
Basic Troubleshooting
Checking Service Status and Logs
Check daemons:
sudo systemctl status smb
# or:
sudo systemctl status smbd nmbd
Common log locations:
- /var/log/samba/ (e.g. log.smbd, log.nmbd, log.<client-name>)
- System journal (via journalctl when Samba logs there)
Increase log level temporarily for debugging:
[global]
log level = 3
Remember to reduce it again in production to avoid large logs.
Network and Name Resolution Issues
- Verify ports 445 (SMB) and sometimes 139 are reachable.
- Test name resolution:
ping server
smbclient -L //server -N
If names don’t resolve, connect via IP or fix DNS/NetBIOS configuration.
Authentication Problems
- Check that the user exists in both the system and Samba:
getent passwd alice
sudo pdbedit -L | grep alice
- Reset the Samba password:
sudo smbpasswd alice
- Ensure valid users, write list, and filesystem permissions line up.
Summary
Samba lets a Linux system participate as a first-class SMB file and print server in mixed networks, especially with Windows clients. The essential skills are:
- Installing Samba and managing the smbd/nmbd services.
- Editing /etc/samba/smb.conf safely and validating it with testparm.
- Creating secure shares using a combination of Samba options and underlying Linux permissions.
- Managing Samba users and, in more advanced scenarios, integrating with Active Directory.
- Diagnosing connection, permission, and authentication issues using logs and basic network tools.