Setting up Samba as a Standalone Server
The following documentation describes how to set up a Samba standalone server providing:
- a share that is accessible anonymously (guest access).
- a share that requires authentication against a local user database on the Samba host.
Creating a Basic guest only smb.conf File
The following is a minimal configuration for a Samba standalone server that only allows guest access:
[global]
    map to guest = Bad User
    log file = /var/log/samba/%m
    log level = 1
    server role = standalone server

[guest]
    # This share allows anonymous (guest) access
    # without authentication!
    path = /srv/samba/guest/
    read only = no
    guest ok = yes
    guest only = yes

This example defines a share that is accessible without authentication. Guest shares can be a security problem, for example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.
Starting from Windows 10 1709, guest access in SMB2 and SMB3 may be disabled by default. This means that guest access from Windows 10 to a Samba share may not work. For more information, see here.
Creating a Basic authenticated access smb.conf File
The following is a minimal configuration for a Samba standalone server:
[global]
    log file = /var/log/samba/%m
    log level = 1
    server role = standalone server

[demo]
    # This share requires authentication to access
    path = /srv/samba/demo/
    read only = no
    inherit permissions = yes

- You can set a workgroup name with 'workgroup = xxxxxxxx', where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' is used.
- You can restrict access to members of a specified group by adding 'valid users = @demoGroup' to the share; replace 'demoGroup' with the required Unix group name.
- The log parameters are not necessary for a minimal setup. However, they are useful for setting the log file and increasing the log level in case of problems.
- Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to keep the Unix and Samba passwords in sync. See 'man smb.conf' for more information.
Creating a Local User Account
To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf 5 man page for details.
- Create a demoUser account on the local system:
  # useradd -M -s /sbin/nologin demoUser
- Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
- To enable the demoUser account on the local system:
  # passwd demoUser
  Enter new UNIX password: Passw0rd
  Retype new UNIX password: Passw0rd
  passwd: password updated successfully
- Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local logins using this password are not possible if the account was created without a valid shell.
- Add the demoUser account to the Samba database:
  # smbpasswd -a demoUser
  New SMB password: Passw0rd
  Retype new SMB password: Passw0rd
  Added user demoUser.
- The password assigned in these steps is the one used by the user to log in to the domain.
Local Group Management
- To create the demoGroup group:
  # groupadd demoGroup
- To add the demoUser account to the group:
  # usermod -aG demoGroup demoUser

To create the share directories:
# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/

Set the following POSIX permissions:
# chown -R nobody:nogroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/
# chmod 2770 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/

This configures write access for members of the demoGroup group in both directories. Other users have read access in the /srv/samba/guest/ directory and no access in the /srv/samba/demo/ directory. The SGID bit, represented by the leading digit (2) in the mode set on the directories, makes new files inherit the group of the parent directory instead of being assigned the user's primary group.
For further information, see Setting up a Share Using POSIX ACLs.
Verifying the Samba configuration
You should verify the Samba configuration every time the /etc/samba/smb.conf file is updated, using the testparm utility.
You can simply execute it as follows:
# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
...
If any errors are shown (you can ignore deprecation warnings), fix them before proceeding.
Samba does not include start scripts. See your distribution's documentation for further information on how to automatically start a service at boot time.
- Access the demo share as the demoUser user:
  # smbclient -U demoUser //SA/demo
  Enter demoUser's password: Passw0rd
  Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
  smb: \> ls
    .                                   D        0  Sun Jan 3 21:00:00 2016
    ..                                  D        0  Sun Jan 3 19:00:00 2016
    demo.txt                            A        0  Sun Jan 3 21:00:00 2016

                9943040 blocks of size 1024. 7987416 blocks available
  smb: \> quit
- Access the demo share as guest. The access is denied:
  # smbclient -U guest //SA/demo
  Enter guest's password:
  Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
  tree connect failed: NT_STATUS_ACCESS_DENIED
This section describes some advanced share configuration parameters. For further information about the parameters used, see the smb.conf (5) man page.

[demo]
    path = /srv/samba/demo/
    read only = no
    force create mode = 0660
    force directory mode = 2770
    force user = demoUser
    force group = demoGroup

The force create mode and force directory mode parameters force Samba to create new files and folders with the set permissions.
The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.
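The guest-share caution, the 'valid users' hint from the minimal configurations above and the 'force user' / 'force group' note in this section, turned into a small smb.conf audit. This is an added example and not part of the Samba documentation; parsing smb.conf with Python's configparser is an assumption that covers the minimal files shown on this page rather than the full smb.conf grammar, and SAMPLE_CONF is constructed from the page's shares.

```python
"""Audit smb.conf for the pitfalls described on this page. Added example, not
Samba's code; configparser-based parsing is an assumption, not a full parser."""
import configparser

TRUE_WORDS = {"yes", "true", "1"}  # smb.conf boolean spellings

# Constructed sample: the page's guest-only share beside an authenticated share
# that has no 'valid users' restriction.
SAMPLE_CONF = """
[global]
    map to guest = Bad User
    server role = standalone server
[guest]
    path = /srv/samba/guest/
    guest ok = yes    # anonymous share, as on the page
    guest only = yes
[demo]
    path = /srv/samba/demo/
    read only = no
"""

def load_smb_conf(text):
    """Parse smb.conf text; keys are lower-cased, '#' and ';' start comments."""
    cfg = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"),
        inline_comment_prefixes=("#", ";"), interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg

def is_true(section, key):
    return section.get(key, "no").strip().lower() in TRUE_WORDS

def audit_smb_conf(text):
    """Return (share, finding) pairs; an empty list means nothing to report."""
    cfg = load_smb_conf(text)
    map_to_guest = cfg["global"].get("map to guest", "Never") if "global" in cfg else "Never"
    findings = []
    for name in cfg.sections():
        if name == "global":
            continue
        share = cfg[name]
        if is_true(share, "guest ok") or is_true(share, "public"):  # 'public' is a synonym
            if not is_true(share, "guest only"):
                findings.append((name, "guest share also accepts authenticated users; add 'guest only = yes'"))
            if map_to_guest.strip().lower() == "never":
                findings.append((name, "[global] lacks 'map to guest'; failed logins are rejected, not mapped to guest"))
        elif "valid users" not in share:
            findings.append((name, "no 'valid users'; every account in the Samba database can connect"))
        if "force user" in share or "force group" in share:
            findings.append((name, "'force user'/'force group' maps every connection to one identity; per-user attribution is lost"))
    return findings
```

Run it against the output of 'testparm -s' to check the configuration Samba actually loaded rather than the file on disk.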