Applies to Ubuntu 14.xx-18.xx
We’re going to go over creating an anonymous shared folder and a shared folder available only to certain users. This will work on most Linux distributions, though distros like CentOS will require some SELinux changes. In this tutorial I will be using openSUSE as my distribution, but the commands will be much the same.
Configure SAMBA Shares
1. Install the SAMBA service.
sudo zypper in samba -y
sudo apt install samba -y
sudo yum install samba -y
NOTE: Some distributions might require you to install the package
samba-server instead of just
2. Create the folder you want to share.
The location can technically be anywhere you want; some admins place them under /opt, some in the root (/) or even inside a home folder. I’m going to place my shared folder under
sudo mkdir /srv/anonymous
sudo mkdir /srv/accounting
The anonymous directory as the name suggests is going to be used for sharing files to anonymous users. The accounting directory will be used to share files with a group of users called accounting that we will create later.
3. Let’s create the user group.
sudo groupadd accounting
4. Now create a set of users for the group accounting and we will add them to the group.
sudo useradd chris -G accounting -m
sudo useradd angela -G accounting -m
sudo useradd taylor -G accounting -m
If you wish to later add the users to a group, you can do so with the
sudo usermod -aG accounting chris
sudo usermod -aG accounting angela
sudo usermod -aG accounting taylor
- -G: Adds a supplementary group when creating the user
- -m: Creates the user’s home directory during creation
Let’s verify the users are part of the group accounting by running the following command.
linuxman@linux-m4u5:/srv> groups chris angela taylor
chris : users accounting
angela : users accounting
taylor : users accounting
NOTE: Notice that the users are also part of the group users; in some distributions like Ubuntu, upon user creation they will be assigned to a group with the same name as their username.
Here we see that all users have been added to the accounting group. Now let’s check if the home directories of the users exist with the following command.
linuxman@linux-m4u5:/srv> ls /home
angela chris linuxman taylor
And as we can see, the home directory has also been successfully created.
5. Let’s set the password for each user created using the passwd command and the smbpasswd command. The passwd command is for PAM authentication to the system and smbpasswd is for authenticating with SAMBA shares.
sudo passwd chris
sudo smbpasswd -a chris
sudo passwd angela
sudo smbpasswd -a angela
sudo passwd taylor
sudo smbpasswd -a taylor
NOTE: The password I’m going to assign each user will be the same as their username, the command will alert that the password is BAD. In production, you will want to create secure passwords.
6. Let’s set the appropriate permissions for our shares.
Anonymous permissions will be simple: we will give full access to all.
sudo chmod 0777 /srv/anonymous -R
For the users Chris, Angela and Taylor, we will give them permissions via ACLs using the setfacl command. Remember we added them to the accounting group, so we will give the group accounting permissions to the accounting folder.
sudo setfacl -R -m g:accounting:rwx /srv/accounting/
sudo setfacl -R -m d:group:accounting:rwx /srv/accounting/
7. Now that users are created and the permissions are set, let’s add our shares to our samba configuration. Using your favorite text editor, edit the file
sudo vim /etc/samba/smb.conf
NOTE: On some distributions that require the
samba-server package, the configuration file would be named
At the bottom of the config, add the accounting share and the anonymous share in the following format.
[accounting]
comment = Accounting share for group 'accounting'
path = /srv/accounting
writeable = yes
browseable = yes
create mask = 0777
directory mask = 0777
force group = accounting

[anonymous]
comment = Public Anonymous share for anyone to use
path = /srv/anonymous
writeable = yes
browseable = yes
create mask = 0777
directory mask = 0777
guest ok = yes
force user = nobody
- comment: Adds a comment to the share folder.
- path: Sets the path of the folder that will be shared.
- writeable: Indicates whether users of a service can modify files in this directory.
- browseable: Indicates whether this share will be listed as a share in net view.
- create mask: The permission mask applied to newly created files in the share.
- directory mask: The permission mask applied to newly created directories in the share.
- force group: Assigns this group as the default primary group for every user who connects to the share.
- force user: Makes all file operations on the share run as this user, whoever connects.
- guest ok: Indicates that connecting to this share will require no password for authentication.
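With the settings above, force group = accounting applies to every user who connects, the [accounting] section has no valid users line limiting who that is, and both shares keep world permission bits on new files. The following shell function is an added example, not part of the original tutorial, that reports these combinations in smb.conf text. The names audit_smb_conf and page_conf and the choice of these three checks are assumptions made for illustration.

```shell
# Added example, not from the original tutorial: flag risky smb.conf shares.
audit_smb_conf() {
    awk '
    function report() {
        if (share == "" || tolower(share) == "global") return
        if (guest && writable) print share ": guest ok with writeable = yes"
        if (fgroup != "" && fgroup !~ /^\+/ && !valid)
            print share ": force group = " fgroup " without valid users"
        if (wide) print share ": mask 0777 keeps world bits on new entries"
    }
    /^[ \t]*[#;]/ { next }                  # skip comment lines
    /^[ \t]*\[/ {                           # new [section]: report the last one
        report()
        share = $0; gsub(/^[ \t]*\[|\].*$/, "", share)
        guest = writable = valid = wide = 0; fgroup = ""
        next
    }
    /=/ {                                   # "key = value" inside a section
        eq = index($0, "=")
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        on = (tolower(val) ~ /^(yes|true|1)$/)
        if (key == "guestok" || key == "public") guest = on
        if (key == "writeable" || key == "writable") writable = on
        if (key == "forcegroup") fgroup = val
        if (key == "validusers") valid = 1
        if (key ~ /^(create|directory)mask$/ && val ~ /^0?777$/) wide = 1
    }
    END { report() }
    ' "$@"
}
# Constructed sample: the two shares from this page (comment/browseable omitted).
page_conf() { cat <<'EOF'
[accounting]
path = /srv/accounting
writeable = yes
create mask = 0777
directory mask = 0777
force group = accounting
[anonymous]
path = /srv/anonymous
writeable = yes
create mask = 0777
directory mask = 0777
guest ok = yes
force user = nobody
EOF
}
page_conf | audit_smb_conf   # prints two findings per share
```

Adding valid users = @accounting, writing the forced group as +accounting so that only existing members receive it, and using masks such as 0660 and 0770 clears the accounting findings. To check a live configuration, pass the file as an argument: audit_smb_conf /etc/samba/smb.conf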
8. Let’s enable the service and start SAMBA, then verify the shares are active.
sudo systemctl enable smb.service
sudo systemctl start smb.service
Check the status to make sure there were no errors starting the service.
sudo systemctl status smb.service
NOTE: On some distributions the service may be masked as
smbd instead of
Verify the shares are active using the smbclient command. On some distributions you may have to install this separately.
linuxman@linux-m4u5:/srv> smbclient -L localhost
Enter WORKGROUP\linuxman's password:

    Sharename       Type      Comment
    ---------       ----      -------
    profiles        Disk      Network Profiles Service
    users           Disk      All users
    groups          Disk      All groups
    print$          Disk      Printer Drivers
    accounting      Disk      Accounting share for group 'accounting'
    anonymous       Disk      Public Anonymous share for anyone to use
    IPC$            IPC       IPC Service (Samba 4.7.11-git.153.b36ceaf2235lp220.127.116.11-SUSE-oS15.0-x86_64)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
9. On some distributions you may need to allow access through the firewall. Let’s allow access to ports 445 and 139 on the firewall.
If your firewall is FIREWALLD, add the ports as permanent and restart FIREWALLD.
sudo firewall-cmd --zone public --add-port 445/tcp --add-port 139/tcp --permanent
sudo systemctl restart firewalld.service
If your firewall is UFW, add the ports; a restart is usually not needed.
sudo ufw allow 445,139/tcp
1. I will test access from a Windows 10 VM. I logged in as each user and created a txt file with their name as the file name.
2. From our server, if we browse to the accounting folder and run the below command, we see that the txt file for each user has the appropriate permissions and we can see who is the owner.
linuxman@linux-m4u5:~> cd /srv/accounting/
linuxman@linux-m4u5:/srv/accounting> ls -l
total 0
-rwxrwxrw-+ 1 angela accounting 0 Jun 1 13:43 angela.txt
-rwxrwxrw-+ 1 chris accounting 0 Jun 1 13:33 chris.txt
-rwxrwxrw-+ 1 taylor accounting 0 Jun 1 13:45 taylor.txt
linuxman@linux-m4u5:/srv/accounting>
3. Now I created a file in the anonymous folder called random.txt.
4. Now if we browse to the anonymous folder from our server and run the commands below, we see that the appropriate permissions are applied.
linuxman@linux-m4u5:~> cd /srv/anonymous/
linuxman@linux-m4u5:/srv/anonymous> ls -l
total 0
-rwxrw-rw- 1 nobody nobody 0 Jun 1 13:46 random.txt
linuxman@linux-m4u5:/srv/anonymous>
This concludes creating a shared folder for anonymous users and users with permissions.