
Samba File Server on Ubuntu

Trademark Notice

Samba® is a registered trademark of the Software Freedom Conservancy. Windows® is a trademark of Microsoft Corporation. All trademarks are used for representation purposes only. This content is for educational purposes only.

Complete guide to installing and configuring Samba file server for Windows/Linux file sharing on Ubuntu.

Installation

# Refresh the package index
sudo apt update

# Install the Samba server and its common tools
sudo apt install -y samba samba-common-bin

# Confirm that the file-sharing (smbd) and NetBIOS name (nmbd) daemons run
sudo systemctl status smbd nmbd

# Start both daemons automatically at boot
sudo systemctl enable smbd nmbd

# Print the installed Samba version
smbd --version

Basic Configuration

Backup Original Config

# Keep a copy of the packaged configuration before changing anything
sudo cp /etc/samba/smb.conf{,.backup}

# Open the configuration in an editor
sudo nano /etc/samba/smb.conf

Global Settings

# Edit Samba configuration
sudo nano /etc/samba/smb.conf
[global]
# Server information
# %v in the server string expands to the Samba version, which is then shown
# to every client that browses the server.
# NOTE(review): consider dropping %v so the exact version is not advertised.
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = fileserver

# Networking
# Listen only on loopback and the named interface. ens33 is an example
# interface name; use the name reported by `ip link` on the server.
interfaces = lo ens33
bind interfaces only = yes

# Security
# security = user: every session authenticates with a user name and password.
# map to guest = bad user: a login with an unknown user name is not rejected
# but turned into a guest session running as "guest account". Only shares
# with "guest ok = yes" accept such sessions. Remove the two guest lines when
# the server offers no anonymous share.
security = user
map to guest = bad user
guest account = nobody

# Logging
# One log file per client machine name (%m); max log size is in KiB.
log file = /var/log/samba/log.%m
max log size = 1000
log level = 1

# Performance
# Setting SO_RCVBUF/SO_SNDBUF to fixed sizes disables the Linux buffer
# auto-tuning; measure throughput with and without them.
# read raw, write raw and max xmit only apply to SMB1 connections.
# aio read/write size: requests larger than this many bytes are handled
# asynchronously.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
read raw = yes
write raw = yes
max xmit = 65535
aio read size = 16384
aio write size = 16384

File Shares

Public Share (Anonymous Access)

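# Create share directory
sudo mkdir -p /srv/samba/public
sudo chown nobody:nogroup /srv/samba/public
# The [Public] share forces every Samba access to nobody:nogroup, so write
# permission for owner and group is enough. Mode 777 would additionally let
# every local account on the server write here outside of Samba.
sudo chmod 0775 /srv/samba/public

# Add to smb.conf
sudo nano /etc/samba/smb.conf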
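[Public]
# Anonymous read/write share: any client that can reach the server can
# create, change and delete files here without a password. Offer it only on
# a trusted network segment and keep nothing sensitive in it.
path = /srv/samba/public
browseable = yes
guest ok = yes
# "writable = yes" and "read only = no" are the same switch; one is enough.
writable = yes
# All access runs as nobody:nogroup, whoever connects
force user = nobody
force group = nogroup
# Uploaded files are never executable or world-writable; directories stay
# traversable. 0777 would let guests drop executable, world-writable files.
create mask = 0664
directory mask = 0775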

Authenticated User Share

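# Create Samba group first: the chown below fails while the group is missing
sudo groupadd smbusers

# Create share directory
sudo mkdir -p /srv/samba/shared
sudo chown root:smbusers /srv/samba/shared
# 2770: full access for owner and group, none for others; the setgid bit
# makes new files and directories inherit the smbusers group
sudo chmod 2770 /srv/samba/shared

# Add to smb.conf
sudo nano /etc/samba/smb.conf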
[Shared]
# Group share: only members of the Unix group smbusers may connect
path = /srv/samba/shared
valid users = @smbusers
guest ok = no
browseable = yes
writable = yes
# Everything created here belongs to smbusers and is closed to "other"
force group = smbusers
directory mask = 0770
create mask = 0660

User Home Directories

[homes]
comment = Home Directories
# %S is the share name, which for a home share is the user name, so each
# user can connect to their own home directory only
valid users = %S
# Do not list the [homes] share itself when browsing
browseable = no
read only = no
# New files and directories are accessible to their owner only
directory mask = 0700
create mask = 0700

Private User Share

# Private directory for john: owned by john, no access for anyone else
share_dir=/srv/samba/john
sudo mkdir -p "$share_dir"
sudo chown john:john "$share_dir"
sudo chmod 700 "$share_dir"

# Then add the share definition to smb.conf
[John]
# Single-user share: hidden from browsing, password required, john only
path = /srv/samba/john
valid users = john
guest ok = no
browseable = no
writable = yes
# New files and directories are accessible to their owner only
directory mask = 0700
create mask = 0600

User Management

Create Samba Users

# Account name used in the commands below
user=smbuser

# System account with no home directory (-M) and no login shell, so the
# account can be used for file sharing but not for an interactive login
sudo useradd -M -s /sbin/nologin "$user"

# Membership in smbusers is what grants access to the group share
sudo usermod -aG smbusers "$user"

# Add the account to Samba's own password database (prompts for a password)
sudo smbpasswd -a "$user"

# Mark the Samba account as enabled
sudo smbpasswd -e "$user"

# Show all Samba accounts in verbose form
sudo pdbedit -L -v

Manage Samba Users

# Change Samba password (prompts for the new password; the Samba password
# is stored separately from the system password)
sudo smbpasswd smbuser

# Disable Samba user: the account stays in the database but cannot log in
sudo smbpasswd -d smbuser

# Enable Samba user again
sudo smbpasswd -e smbuser

# Delete Samba user from Samba's password database; the system account
# created with useradd is left in place
sudo smbpasswd -x smbuser

Apply Configuration

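# Test configuration and restart the services only when it parses cleanly
sudo testparm -s > /dev/null && sudo systemctl restart smbd nmbd

# Open firewall for the client network only.
# 192.168.1.0/24 is an example; use the subnet your clients are on.
# A rule without "from" accepts connections from any source address.
sudo ufw allow from 192.168.1.0/24 to any app Samba
# Or specific ports (137-139 are NetBIOS; SMB2 and later need only 445/tcp)
sudo ufw allow from 192.168.1.0/24 to any port 137,138 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp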

Advanced Shares

Read-Only Share

[ReadOnly]
# Anyone, including unauthenticated guests, can read; nobody can write
# through Samba. Guest sessions also depend on "map to guest" in [global].
path = /srv/samba/readonly
guest ok = yes
read only = yes
browseable = yes

Department Share with Admins

[IT-Department]
# Department share for members of the it-team group
path = /srv/samba/it-dept
valid users = @it-team
browseable = yes
writable = yes
# Members of it-admins perform every file operation on this share as root,
# regardless of file permissions. Keep that group as small as possible.
admin users = @it-admins
# Everything created here belongs to it-team and is closed to "other"
force group = it-team
directory mask = 0770
create mask = 0660

Share with Recycle Bin

[Shared-Recycle]
# Same directory as the group share, with deleted files kept in a recycle bin
path = /srv/samba/shared
writable = yes
valid users = @smbusers

# Recycle bin
# A share takes a single "vfs objects" line; to combine modules, list them
# on that one line.
# repository: directory, relative to the share root, that receives deleted files
# keeptree: keep the original directory structure inside the repository
# versions: keep earlier copies when a file with the same name is deleted again
# touch: update the access time of a file when it is moved to the repository
# exclude / exclude_dir: matching files and directories are deleted outright
# NOTE(review): one repository is shared by everyone with access to the
# share, so users can see each other's deleted files — confirm this is intended.
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:exclude = *.tmp,*.temp
recycle:exclude_dir = /tmp,/temp

Share with Audit

[Audited-Share]
# Group share whose file operations are written to syslog
path = /srv/samba/audited
writable = yes
valid users = @smbusers

# Full audit
# prefix: each record starts with user (%u), client IP (%I), client machine
# name (%m) and share name (%S), separated by "|"
# success: operations logged when they succeed. File deletion and reads are
# not in this list, so they leave no audit record.
# failure: only failed connection attempts are logged
# facility/priority: records go to syslog as local7.notice; route that
# facility to a file or a remote collector the share users cannot modify.
# NOTE(review): operation names differ between Samba releases — check
# vfs_full_audit(8) for the installed version and run testparm after editing.
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rmdir write rename
full_audit:failure = connect
full_audit:facility = local7
full_audit:priority = NOTICE

Windows Domain Integration

Join Active Directory

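# Install required packages
# winbind provides the winbind service and the wbinfo tool used further down
sudo apt install -y realmd sssd sssd-tools adcli samba-common-bin winbind

# Discover AD domain
sudo realm discover example.com

# Join domain (prompts for the account's password). Any account that is
# allowed to join computers works; a delegated join account avoids entering
# domain administrator credentials on the file server.
# NOTE(review): the smb.conf settings below rely on winbind, while realm join
# uses SSSD as client software by default — confirm the join method matches
# (realm join accepts --client-software=winbind).
sudo realm join -U Administrator example.com

# Verify join
sudo realm list

# Configure Samba for AD
sudo nano /etc/samba/smb.conf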
[global]
# Active Directory member server: authentication is delegated to the domain
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE

# ID mapping: the default domain (*) uses a local tdb database, the EXAMPLE
# domain derives Unix IDs from the RID. The two ranges must not overlap.
idmap config * : backend = tdb
idmap config * : range = 10000-999999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000-1999999

# Winbind: accept user names without the domain prefix, no cached logons
winbind use default domain = yes
winbind offline logon = false

# Shell and home directory reported for domain users (%U = user name)
template homedir = /home/%U
template shell = /bin/bash
# Restart services so the new configuration is loaded
sudo systemctl restart smbd nmbd winbind

# Test AD authentication
# List AD users
wbinfo -u
# List AD groups
wbinfo -g

Performance Tuning

# Edit configuration for performance
sudo nano /etc/samba/smb.conf
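[global]
# Merge these lines into the existing [global] section rather than adding a
# second one, and measure before and after: most defaults are already tuned.

# Network performance
# Fixed SO_RCVBUF/SO_SNDBUF sizes disable the Linux buffer auto-tuning.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
# read raw, write raw and max xmit only apply to SMB1 connections
read raw = yes
write raw = yes
max xmit = 65535
min receivefile size = 16384

# Async I/O
# Requests larger than this many bytes are handled asynchronously
aio read size = 16384
aio write size = 16384
# "aio write behind" is deliberately not set: it reports a write as done
# before it has completed, so a failed write loses data without any error,
# and its value is a list of file names, not a yes/no switch.

# Caching
getwd cache = yes
stat cache = yes

# Performance tuning
# NOTE(review): use sendfile and min receivefile size are expected to have
# little or no effect on signed or encrypted connections — confirm by testing.
use sendfile = yes
# strict locking = no: the server checks byte-range locks only when a client
# asks for it. Applications that do not lock cooperatively can overwrite each
# other's data; leave the default on shares holding shared databases.
strict locking = no
oplocks = yes
level2 oplocks = yes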

Security Hardening

Encrypt SMB Traffic

[global]
# Protocol floor: clients that cannot negotiate SMB3 are refused
server min protocol = SMB3
# SMB encryption is required for every share.
# NOTE(review): guest sessions cannot be encrypted, so anonymous access to
# "guest ok" shares is expected to stop working with this global setting;
# "smb encrypt" can be set per share instead — confirm against your shares.
smb encrypt = required

# Signing
# Packets must be signed, both when serving clients and when Samba's own
# client tools connect to other servers
server signing = mandatory
client signing = mandatory

IP-Based Access Control

[Restricted-Share]
# Group share that is additionally limited by client address
path = /srv/samba/restricted
valid users = @smbusers
writable = yes

# Refuse every address by default, then admit loopback and two networks.
# A trailing dot matches every address starting with that prefix; where the
# two lists conflict, hosts allow wins.
hosts deny = ALL
hosts allow = 127.0.0.1 192.168.1. 10.0.0.

Audit Logging

# Enable detailed logging
sudo nano /etc/samba/smb.conf
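[global]
# One log file per client machine name (%m); max log size is in KiB
log file = /var/log/samba/log.%m
max log size = 5000

# Overall level 3, with the authentication and winbind debug classes raised
# to 5. "log level" is set once: two lines in the same section do not add
# up, only one of them takes effect. The per-client split comes from %m in
# "log file", not from this setting.
# Levels this high are verbose and record user names and client addresses;
# keep /var/log/samba readable by root only and lower the level again after
# an investigation.
log level = 3 auth:5 winbind:5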

Monitoring

View Active Connections

# Show connected clients (sessions, connected shares and locked files)
sudo smbstatus

# Show locks only
sudo smbstatus -L

# Show shares only: which client is connected to which share
sudo smbstatus -S

# Show the smbd processes and the user each one serves
sudo smbstatus -p

# Continuous monitoring: refresh the full status every 5 seconds
watch -n 5 sudo smbstatus

View Logs

# Directory Samba writes its logs to
log_dir=/var/log/samba

# Follow the daemon logs (each command runs until interrupted with Ctrl-C)
sudo tail -f "$log_dir/log.smbd"
sudo tail -f "$log_dir/log.nmbd"

# Follow the log of a single client
sudo tail -f "$log_dir/log.192.168.1.100"

Client Access

Windows Client

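# Map network drive (GUI)
# Right-click "This PC" > "Map network drive"
# \\server\share

# Command line
# "*" in place of the password makes net use prompt for it, so the password
# is not shown on screen, kept in the console history or stored in a script
net use Z: \\server\share * /user:username

# View mapped drives
net use

# Disconnect
net use Z: /delete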

Linux Client

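# Install smbclient
sudo apt install -y smbclient cifs-utils

# List shares (prompts for the password)
smbclient -L //server -U username

# Connect to share
smbclient //server/share -U username

# Create the mount point
sudo mkdir -p /mnt/samba

# Create credentials file with mode 600 before any secret is written to it.
# A password given as a mount option is visible in the process list and the
# shell history, and /etc/fstab is readable by every local user, so the
# password is kept in this root-only file instead.
sudo install -m 600 /dev/null /root/.smbcreds
sudo nano /root/.smbcreds
# --- contents of /root/.smbcreds ---
username=user
password=pass
domain=WORKGROUP
# --- end of /root/.smbcreds ---

# Mount share temporarily
sudo mount -t cifs //server/share /mnt/samba -o credentials=/root/.smbcreds

# Mount share permanently
sudo nano /etc/fstab
# --- line to add to /etc/fstab ---
//server/share /mnt/samba cifs credentials=/root/.smbcreds,iocharset=utf8 0 0
# --- end of /etc/fstab addition ---

# Mount
sudo mount -a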

macOS Client

# Connect via Finder
# Finder > Go > Connect to Server
# smb://server/share

# Command line: create a mount point, then mount the share on it
# (mount_smbfs prompts for the password of "user")
mount_point=~/Desktop/samba
mkdir "$mount_point"
mount_smbfs //user@server/share "$mount_point"

Backup Configuration

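# Backup Samba configuration
# /var/lib/samba/ contains Samba's password database and machine secrets,
# so the archive is created under umask 077 and is readable by root only.
# Store and transfer it like any other credential backup.
sudo sh -c 'umask 077 && tar -czf "samba-backup-$(date +%Y%m%d).tar.gz" /etc/samba/ /var/lib/samba/'

# Backup share data
# -A and -X also copy ACLs and extended attributes, which plain -a leaves out
sudo rsync -avzAX /srv/samba/ /backup/samba/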

Troubleshooting

Test Configuration

# Test smb.conf syntax (waits for Enter before printing the parsed settings)
sudo testparm

# Same check without the prompt: print the service definitions directly
sudo testparm -s

# Verbose output: also print parameters that are left at their default value
sudo testparm -v

Network Diagnostics

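# Check if services are running
sudo systemctl status smbd nmbd

# Check listening ports. smbd listens on TCP, nmbd on UDP, so both -t and -u
# are needed; with -t alone nmbd never shows up.
sudo netstat -tulnp | grep -E '(smbd|nmbd)'
sudo ss -tulnp | grep -E '(smbd|nmbd)'

# Test network connectivity (-c 4 stops after four replies)
ping -c 4 server
telnet server 445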

Common Issues

Cannot connect from Windows:

# Check firewall: the Samba ports must be allowed for the client's address
sudo ufw status

# Very old clients speak only SMBv1. Enabling SMBv1 on the server is not
# recommended; upgrade the client where possible.
# Otherwise set the minimum protocol explicitly, as below
sudo nano /etc/samba/smb.conf
[global]
# Lowest dialect smbd accepts from connecting clients; SMB1-only clients are
# refused
server min protocol = SMB2
# Lowest dialect Samba's own client tools use when connecting to other
# servers; it does not change which clients can connect to this server
client min protocol = SMB2

Permission denied:

# Check SELinux (if enabled): prints Enforcing, Permissive or Disabled
sudo getenforce

# Check file permissions: owner, group and mode of the share directory
ls -la /srv/samba/share

# Check Samba user: the account must exist in Samba's own user database
sudo pdbedit -L

# Set proper ownership. chown -R changes every file below the directory;
# "user", "group" and the path are placeholders for the share being repaired.
# 770 gives owner and group full access and nothing to other accounts.
sudo chown -R user:group /srv/samba/share
sudo chmod 770 /srv/samba/share

Best Practices

  1. Use SMB3: Enable SMB encryption and signing
  2. Strong Passwords: Enforce strong Samba passwords
  3. Principle of Least Privilege: Grant minimal permissions needed
  4. Regular Backups: Backup configuration and data
  5. Monitoring: Regularly review logs and connections
  6. Updates: Keep Samba updated
  7. Network Isolation: Use firewall rules to limit access
  8. Audit: Enable full audit logging for sensitive shares
  9. Segregation: Separate public and private shares
  10. Documentation: Document share structure and permissions

Resources