
Samba

Samba is a type of network attached storage that is compatible with both Linux and Windows machines.

It is a free software suite (under GPLv3) that re-implements the SMB (Server Message Block) protocol.

Setting up Samba

This page describes how you'd set up Samba on a Linux machine.

Installing Samba

Install the Samba package with the package manager.

# Debian-based
sudo apt-get update
sudo apt-get install -y samba
# RedHat-based
sudo dnf install -y samba

  • You can additionally install samba-client package if you want access to tools like smbclient, smbget, etc.

Choose/create the directory to serve over Samba.

sudo mkdir -m0755 -p /srv/samba/share1


Configuring your Samba Share

Configure Samba to share the directory in /etc/samba/smb.conf.

sudo vi /etc/samba/smb.conf

  • This file may be under /usr/local/samba/lib/smb.conf or /usr/samba/lib/smb.conf on some systems.

Add an entry following the format specified in the file.

An example, which will create a public share that anyone on your network can access:

[PublicShare]
   path = /srv/samba/share1
   browsable = yes
   read only = no
   guest ok = yes

  • path: The directory to serve
  • browsable: Will make it visible in Windows and Linux network browsers
  • read only: Allows/disallows writing to the share
  • guest ok: Enables/disables requiring authentication

Tip: You can use testparm to make sure your config is valid.

Restart the samba service after making changes to the files.

sudo systemctl restart smbd


Mount / Access the Share

Access Share from Linux

To access the share from Linux, you need the cifs-utils package.

sudo apt-get install -y cifs-utils

  • CIFS stands for "Common Internet Filesystem".

The Samba share will be available using //server-ip/ShareName.
In this case, //192.168.x.x/PublicShare (replace x with your host IP).

sudo mount -t cifs //192.168.x.x/PublicShare /mnt -o guest

This will mount the share directly to the /mnt directory. If you want it to have its own directory, create one first.

sudo umount /mnt # if you mounted already
sudo mkdir -p /mnt/samba
sudo mount -t cifs //192.168.x.x/PublicShare /mnt/samba/ -o guest

  • -o guest: No username or password is sent. The Samba server must have guest ok = yes enabled for the share to accept unauthenticated connections.

You may need to change the ownership of the Samba share on the Samba server if you want to write to the shares.


Access Share from Windows

Accessing the share with File Explorer

To access the Samba share from Windows, just open the File Explorer and type \\server-ip\ShareName in the navigation bar.

If you want to mount it, open File Explorer and right click on "Network", and then select "Map network drive".

Enter the address the same way, \\server-ip\ShareName, and select a drive letter, then click "Finish".


Map the Samba Share with PowerShell

Use the New-SmbMapping cmdlet to create a SMB (Server Message Block) mapping on the SMB client to the SMB share.

New-SmbMapping -LocalPath "X:" -RemotePath "\\server-ip\ShareName"

This will mount the Samba share and assign it the drive letter X.
This cmdlet only maps the Samba share for the current user. If you want the share to be accessible to all users on the system, you can use New-SmbGlobalMapping instead.


Adding Authentication to the Samba Share

You can add user-based authentication to the Samba share by modifying the entry in /etc/samba/smb.conf.

[SecureShare]
   path=/srv/samba/share1
   browsable = yes
   read only = no
   guest ok = no
   valid users = sambauser

  • valid users = sambauser specifies a single Samba user.
    • If you specified @smbusers, it will allow all users in the group smbusers access to the share.

Note: Setting valid users in the share's settings will only allow users on that list to access the share, even if guest ok = yes is set.

This is mostly the same as the PublicShare config, but we are not allowing guests (guest ok = no).
We're specifying a single user that's allowed access to the share (username sambauser).


Then, you'll need to create a user on the system with the correct name.

sudo useradd sambauser
sudo passwd sambauser

Give the user a password and then set the Samba password.

sudo smbpasswd -a sambauser

  • This adds the user to Samba's internal password database (e.g., adds a smbpasswd user).

    • This is stored in /var/lib/samba/private/passdb.tdb (or in /var/lib/samba/private/smbpasswd on some systems).
      • .tdb is a "Trivial Database", a binary database file.
    • On legacy systems, it may be in /etc/samba/smbpasswd.
    • This is not a file to be edited directly. Use smbpasswd to manage it.
  • The smbpasswd user is a Samba-specific user stored in /var/lib/samba/private/.
    It requires a matching Linux user to exist.

  • You can use sudo pdbedit -L to verify it was successful.

    • Use this command to view the Samba users on the system.

Then, we can mount the Samba share in an authenticated manner.

sudo mount -t cifs //server-ip/SecureShare /mnt/samba-secure -o username=sambauser

It will prompt you for the password you set using smbpasswd.
Once you've entered it, it's mounted!


If you want to have write access to the share on the clients, change the ownership of the share to your Samba user:

sudo chown -R sambauser:sambauser /srv/samba/

Also make sure read only = no in your smb.conf file.


Managing Samba Users

You can use the smbpasswd command to manage Samba users.

sudo smbpasswd -a sambauser  # Add a user and change password
sudo smbpasswd -x sambauser  # Delete a user
sudo smbpasswd sambauser     # Change password

The smbpasswd -a sambauser command will add the user as a Samba user and set the Samba password for the user sambauser.

This user account must already exist on the host (e.g., have an entry in /etc/passwd).

You can use the pdbedit command to view current Samba users and details.

sudo pdbedit -L             # List all Samba users in /etc/passwd format
sudo pdbedit -Lv sambauser  # Inspect the user details of sambauser

  • pdbedit -L will list all the Samba users by default. Specify a username
  • The Samba users will share a UID with the system's corresponding user.
    • E.g., sambauser has UID 1002 in /etc/passwd. pdbedit -L will show 1002 as sambauser's UID.

Using smbclient

If you don't want to mount the Samba share directly, you can use smbclient to open up a prompt to interact with the share.

smbclient //server-ip/ShareName

Type ? or help to see a list of commands.

The get command will copy a file to your home directory by default.

get hi.txt

This copies hi.txt to your home dir.

Use put to copy a local file into the Samba share.

put /home/kolkhis/somefile somefile

This copies the local file /home/kolkhis/somefile to the Samba share.

Securing Samba Shares

You can limit the access to a Samba share inside the config file.
There are also config options for setting default file permissions, setting read-only access for certain users, giving write access to certain users, and more.

Find the entry you want to limit, and decide how you want to limit it.

Limit Access by IP

  • You can only allow access to a certain IP (or multiple, separated with commas, spaces, or tabs):

    [MyShare]
       hosts allow = 192.168.1.11, 192.168.1.12
       hosts deny = ALL
       ...
    

  • Allow access to an entire subnet by leaving out the last number of the IP:

    [MyShare]
       hosts allow = 192.168.1.
       hosts deny = ALL
       ...
    
    This allows only IPs in the 192.168.1.0/24 subnet.

  • Specify more than one subnet by separating with spaces, commas, or tabs:

    [MyShare]
       hosts allow = 192.168.1. 127.
       hosts deny = ALL
       ...
    
    This allows any IP in the 192.168.1.0/24 subnet, and the localhost.

  • You can allow entire subnets with exceptions as well:

    [MyShare]
       hosts allow = 192.168.1. except 192.168.1.12
       hosts deny = ALL
    
    This will allow the whole subnet except for 192.168.1.12.

  • You can also specify a subnet mask directly (CIDR notation isn't supported).

    [MyShare]
       hosts allow = 10.0.0.0/255.0.0.0
       hosts deny = ALL
    

  • You can also just specify hosts that aren't allowed to access the share:

    [MyShare]
       hosts deny = 192.168.4.
    

  • Specify both a hosts allow and hosts deny to only allow trusted subnets:

    [MyShare]
       hosts allow = 192.168.1. 127.
       hosts deny = ALL
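
A simplified model of how the hosts allow / hosts deny patterns above are evaluated, added here as an example (it is not Samba's code or part of the original page). It covers single addresses, trailing-dot prefixes, network/netmask pairs, ALL and except, and follows the smb.conf man page in letting the allow list win when both lists match; hostnames and netgroups are left out, and the function names are made up for the example.

```python
import ipaddress
import re

def _tokens(value):
    # Entries are separated by commas, spaces or tabs
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]

def _match_one(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:            # network/netmask, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):     # trailing dot: address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return addr == pattern        # single address

def _match_list(tokens, addr):
    # "A B except C" matches when addr matches A or B and does not match C
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(_match_one(p, addr) for p in head):
        return False
    return not (tail and _match_list(tail, addr))

def is_allowed(addr, hosts_allow="", hosts_deny=""):
    """Decide whether a client address may connect to the share."""
    allow, deny = _tokens(hosts_allow), _tokens(hosts_deny)
    if addr in ("127.0.0.1", "::1"):
        # Loopback is refused only when it is denied and not also allowed
        return not (deny and _match_list(deny, addr)
                    and not (allow and _match_list(allow, addr)))
    if not allow and not deny:
        return True                       # no lists: everyone may connect
    if not deny:
        return _match_list(allow, addr)   # allow list only: nothing else gets in
    if not allow:
        return not _match_list(deny, addr)
    if _match_list(allow, addr):          # both lists: allow takes precedence
        return True
    return not _match_list(deny, addr)

if __name__ == "__main__":
    # Constructed client addresses checked against one of the entries above
    for ip in ("192.168.1.11", "192.168.1.12", "10.1.2.3", "127.0.0.1"):
        print(ip, is_allowed(ip, "192.168.1. except 192.168.1.12", "ALL"))
```

The last address shows why the examples above list 127. next to the subnet: with hosts deny = ALL, loopback is refused unless the allow list covers it.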
    

Limit by User

  • Specify users that can have access to the share:

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
    

    • Only the user sambauser and members of the group sambagroup will be able to access this share.
    • This will not allow guest access.
  • You can specifically prevent certain users from accessing a share:

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
       invalid users = troll
    

  • You can also make shares read-only for specific users:

    [MyShare]
       guest ok = no
       valid users = sam sambauser @sambagroup
       read list = sam
    
    Now the user sam will have read-only access to the share.

  • Do the same with write access.

    [MyShare]
       guest ok = no
       valid users = sam sambauser @sambagroup
       write list = sambauser
    
    Even if the share is read-only, sambauser will have write access.
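
A small audit of share definitions using the options covered so far (guest ok, read only, valid users, hosts allow), added here as an example and not part of the original page or of Samba. The finding labels and function names are made up for the example, the sample config is constructed from the shares shown on this page, and share-level settings placed in [global] are treated as defaults for every share.

```python
import re

# Synonyms from smb.conf(5), normalised to the names used on this page
SYNONYMS = {"public": "guest ok", "allow hosts": "hosts allow"}
INVERTED = {"writable": "read only", "writeable": "read only", "write ok": "read only"}
TRUE = {"yes", "true", "on", "1"}

# Constructed sample, based on the share definitions shown on this page
SAMPLE = """
[PublicShare]
   read only = no
   guest ok = yes
[SecureShare]
   guest ok = no
   valid users = sambauser
[MyShare]
   writable = yes
   hosts allow = 192.168.1. 127.
   hosts deny = ALL
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            name, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(name.lower().split())
            key = SYNONYMS.get(key, key)
            if key in INVERTED:  # "writable = yes" means "read only = no"
                key, value = INVERTED[key], ("no" if value.lower() in TRUE else "yes")
            current[key] = value
    return sections

def audit(text):
    """Return (share, finding) pairs for shares that are wider open than intended."""
    sections = parse_smb_conf(text)
    defaults = {"guest ok": "no", "read only": "yes", **sections.pop("global", {})}
    findings = []
    for name, params in sections.items():
        p = {**defaults, **params}
        # As noted earlier, valid users restricts access even when guest ok = yes
        guest = p["guest ok"].lower() in TRUE and not p.get("valid users")
        if guest:
            writable = p["read only"].lower() not in TRUE
            findings.append((name, "guest-writable" if writable else "guest-readable"))
        elif not p.get("valid users"):
            findings.append((name, "any-authenticated-user"))
        if not p.get("hosts allow"):
            findings.append((name, "no-hosts-allow"))
    return findings
```

On a server, the same function can be run over the output of testparm -s instead of the sample text.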

Hiding Files from Unauthorized Users

You can simply set hide unreadable in your smb.conf entry to hide files from users who do not have read access to them.

[MyShare]
   guest ok = no
   valid users = sambauser @sambagroup
   hide unreadable = yes

This will prevent the user from seeing any files they don't have access to.

This kind of enforces security through obscurity, which is not a solid security posture, but it's still a good measure to take if you don't want users messing with files they can't access.

Setting Permissions

  • We can set the default permissions for files that are newly created in the share.
    Use the create mode setting to specify the permissions:

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
       create mode = 0640
    
    This sets the default permissions for newly created files on the share.

    • This sets the default permissions to -rw-r----- (640) for new files.
  • We can set the maximum allowed permissions for files that are newly created in the share.
    Use the create mask option to limit the permissions:

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
       create mask = 0640
    
    This sets the maximum allowed permissions for new files created on the share.

    • This limits the maximum permissions to rw-r----- (640) for new files.
  • We can also enforce minimum permissions on directories in the share with force directory mode.

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
       force directory mode = 750
    
    This will ensure that the minimum permissions on any new directories created

  • We can also control what permissions bits the client is allowed to modify by setting the security mask.

    [MyShare]
       guest ok = no
       valid users = sambauser @sambagroup
       security mask = 750
    
    This limits which permission bits a client is allowed to modify (e.g., with chmod).
    Clients can only change permission bits that are included in this mask.
    This only applies when the client tries to change permissions on a file/directory.


There are a bunch of other options for controlling how permissions work in your samba shares.

Below is a table explaining what each option does.

Option                          Purpose
directory mask                  Max allowed permissions for new directories
force create mode               Forces minimum permissions for new files
force directory mode            Forces minimum permissions for new directories
security mask                   Limits chmod permissions on files
directory security mask         Limits chmod permissions on directories
force security mode             Forces chmod permissions on files (removed in Samba 4.0.0)
force directory security mode   Forces chmod permissions on directories (removed in Samba 4.0.0)
inherit permissions             New files inherit parent directory permissions
inherit owner                   New files inherit parent directory ownership
force user                      Forces all file ownership to a specific user
force group                     Forces all file ownership to a specific group
map archive                     Map Windows archive attribute
map hidden                      Map Windows hidden attribute
map system                      Map Windows system attribute

Using these options gives you very granular control over what a user can do on your Samba shares.

For instance, you may want to give a user write access without allowing them to set write permissions on files. That type of control is extremely useful.

tl;dr (mask/mode/force/security)

  • create mask and directory mask define MAXIMUM permissions
  • force create mode and force directory mode force-set bits ON

  • create mask and directory mask limit what permission bits are allowed when a file or directory is created.

    • These also apply to permissions changed with chmod.
    • If a user tries to chmod a permission bit that isn't included in the mask, it will not be applied.
  • force create mode and force directory mode ensure that certain bits are always set.

  • force security mode and force directory security mode relate to chmod behavior.

    • These security mode settings are removed in Samba 4.0.0+.

A Note About Masks in Samba

Note: Samba uses mode and mask interchangeably for new file creation settings.

create mode is a synonym for create mask.
directory mode is a synonym for directory mask.

Samba uses the mask attribute to specify the max allowed permissions for files and directories.

This is distinct from umask, which specifies permissions that are disallowed.

Say we have this:

[SecureShare]
    create mask = 0640
    directory mask = 0750

  • create mask: Sets the default permissions for newly created files to 0640 (-rw-r-----)
  • directory mask: Sets the default permissions for directories to 0750 (-rwxr-x---)

Unlike umask, the mask in Samba does not use the bitwise inverse of the mask for determining the default file permissions.
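
The mask and force options worked through in code, as an added example that is not part of the original page or of Samba: bits outside the mask are cleared from the requested mode, then the force bits are switched on. The defaults are the ones documented in smb.conf(5); the function names and the requested modes (0666 for files, 0777 for directories) are assumptions made for the example.

```python
import stat

# Defaults from smb.conf(5); "create mode"/"directory mode" are the synonyms noted above
DEFAULTS = {"create mask": "0744", "force create mode": "0000",
            "directory mask": "0755", "force directory mode": "0000"}
SYNONYMS = {"create mode": "create mask", "directory mode": "directory mask"}

def effective_modes(share, requested_file=0o666, requested_dir=0o777):
    """Return (file_mode, dir_mode) for new objects in a share.

    share is a dict of smb.conf parameters; the requested_* values are
    assumptions standing in for the mode the client's request maps to.
    """
    params = dict(DEFAULTS)
    for key, value in share.items():
        key = SYNONYMS.get(key, key)
        if key in DEFAULTS:
            params[key] = value
    p = {key: int(value, 8) for key, value in params.items()}  # values are octal
    file_mode = (requested_file & p["create mask"]) | p["force create mode"]
    dir_mode = (requested_dir & p["directory mask"]) | p["force directory mode"]
    return file_mode, dir_mode

def equivalent_umask(mask):
    """umask that removes exactly the bits a Samba mask does not keep."""
    return ~mask & 0o777

def ls_style(mode, is_dir=False):
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)

if __name__ == "__main__":
    share = {"create mask": "0640", "directory mask": "0750"}  # SecureShare above
    for requested in (0o666, 0o600):
        file_mode, _ = effective_modes(share, requested_file=requested)
        print(f"requested {requested:04o} -> {ls_style(file_mode)}")
    print("directory ->", ls_style(effective_modes(share)[1], is_dir=True))
    print(f"same ceiling as umask {equivalent_umask(0o640):04o}")
```

A request for 0600 stays 0600 under create mask = 0640, so the mask acts as a ceiling; only force create mode adds bits the client did not ask for.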

Install tl;dr

# Server-side
sudo apt-get update
sudo apt-get install -y samba
# Or, on RedHat-based systems:
sudo dnf install -y samba samba-common samba-client

# Create share directory
sudo mkdir -p /srv/samba/share

# Add config entry for share
sudo vi /etc/samba/smb.conf

The config entry should look like this:

# For shares that don't require authentication
[PublicShare]
   path = /srv/samba/share1
   browsable = yes
   read only = no
   guest ok = yes

# for a share that requires authentication
[SecureShare]
   path=/srv/samba/share1
   browsable = yes
   read only = no
   guest ok = no
   valid users = sambauser

After changing the smb.conf, restart the smbd service.

sudo systemctl restart smbd

If you're using a secure share with authentication, add some login credentials.

sudo useradd sambauser
sudo passwd sambauser
sudo smbpasswd -a sambauser

Then, on your client machines, install cifs-utils.

sudo apt-get install -y cifs-utils

Then mount the Samba share.

sudo mount -t cifs //192.168.x.x/ShareName /mnt -o guest
# Or, if using a secure share
sudo mount -t cifs //192.168.x.x/ShareName /mnt -o username=sambauser

Alternatively, use smbclient to interact with the Samba share.

To access the share on Windows, open File Explorer and either type \\server-ip\ShareName into the File Explorer URI bar, or right click on "Network", then "Map network drive...".

Task                                   Command
Install Samba                          sudo apt install samba or sudo dnf install samba samba-common samba-client
Create Share                           sudo mkdir -p /srv/samba/share1
Configure Share                        Add to /etc/samba/smb.conf
Restart Samba                          sudo systemctl restart smbd
Mount Share (Linux)                    sudo mount -t cifs //server-ip/share /mnt -o guest
Access Share (Windows/File Explorer)   \\server-ip\sharename
Access Share (Windows/PowerShell)      New-SmbMapping -LocalPath "X:" -RemotePath \\server-ip\sharename
Add Samba User                         sudo smbpasswd -a sambauser
List Samba Users                       sudo pdbedit -L
Command-Line Client                    smbclient //server-ip/share -U sambauser

Linux/Unix Password Sync

This part is configured by default on some installations of Samba on Linux.
But, if you find that your Samba user's password and the Linux user's password are out of sync with each other, you'll need to configure password sync.


If Samba is not configured for password sync, when you change the password of a user using either passwd or smbpasswd, the passwords for the Linux system and the Samba share will be out of sync.
This is avoided by setting unix password sync = yes in the [global] section of the Samba config file, /etc/samba/smb.conf.

[global]
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

The passwd program and passwd chat options need to be set for the Unix password sync to work properly on Linux.

The passwd chat line needs to exactly match the output that the passwd program being used (in this case, /usr/bin/passwd) returns when changing a password.

Clearing SMB Sessions on Windows

If you've made changes to the Samba share or credentials and try to reconnect via Windows, then you may run into an issue where you get an error looking something like:

The network folder specified is currently mapped using
a different user name and password.  
To connect using a different user name and password, first
disconnect any existing mappings to this network share.

You can clear the cached credentials using PowerShell:

net use

This will show network drives.

If you see your drive there (\\192.168.x.x\ShareName), that's your Samba session that you need to clear.

net use \\192.168.x.x\ShareName /delete
# Or, delete all samba sessions
net use * /delete

This will clear it, and you'll be able to map/mount the Samba share again through File Explorer.

Resources

Linux:

Windows:

  • https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2025-ps
  • https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbglobalmapping?view=windowsserver2025-ps