Samba Logo Samba is a free software re-implementation of the SMB networking protocol. Samba provides file and print services for Linux and Microsoft Windows clients. Samba can integrate with a Microsoft Windows Server domain, either as a Domain Controller or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

Today I will look at setting up Samba, in particular, sharing for groups. Using groups means you can achieve a more efficient means of controlling user access. I will cover installation on FreeBSD, setting up Samba shares, configuration of the server and adding users. To confirm the installation I will test connecting from a client and also check the logs if the connection is not successful.

Installation

The installation output generates a lot of useful information about the local install and also where to look for additional help.

root@freebsd120:~ # pkg install samba48
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        samba48: 4.8.12_4

Number of packages to be installed: 1

The process will require 173 MiB more space.
31 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching samba48-4.8.12_4.txz: 100%   31 MiB 989.1kB/s    00:33    
Checking integrity... done (0 conflicting)
[1/1] Installing samba48-4.8.12_4...
[1/1] Extracting samba48-4.8.12_4: 100%
=====
Message from samba48-4.8.12_4:

--
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO

* Your configuration is: /usr/local/etc/smb4.conf

* All the relevant databases are under: /var/db/samba4

* All the logs are under: /var/log/samba4

* Provisioning script is: /usr/local/bin/samba-tool

For additional documentation check: http://wiki.samba.org/index.php/Samba4

Bug reports should go to the: https://bugzilla.samba.org/

Enable Samba on Startup

As with all services we have to add the service to /etc/rc.conf.

root@freebsd120:~ # echo 'samba_server_enable="YES"' >> /etc/rc.conf

Create Directories & Set Permissions

Before we configure Samba, let’s create the necessary directories and groups and assign access permissions. I’ll be creating two new shares called data and media. We will only be granting access to one of the shares so that we can view unauthorized access attempts in the logs.

root@freebsd120:~ # mkdir -p /usr/local/samba/data
root@freebsd120:~ # pw groupadd smb-data
root@freebsd120:~ # chgrp -R smb-data /usr/local/samba/data
root@freebsd120:~ # chmod -R 770 /usr/local/samba/data
root@freebsd120:~ # mkdir /usr/local/samba/media
root@freebsd120:~ # pw groupadd smb-media
root@freebsd120:~ # chgrp -R smb-media /usr/local/samba/media
root@freebsd120:~ # chmod -R 770 /usr/local/samba/media
root@freebsd120:~ # pw groupmod smb-data -m philip

Note: We did not add the user to smb-media group, we will look at this in testing the connection from a client later.

Create Samba Configuration File

Onto the main configuration file, I have created the two shares and assigned some basic global settings. Of interest to us here, is the log level line which sets minimal logging so we can view failed connection attempts. In the shares configuration we have assigned group access to @smb-data and @smb-media.

File to be created: /usr/local/etc/smb4.conf

[global]
workgroup = WORKGROUP
server string = Samba Server Version %v
security = user
passdb backend = tdbsam
log level = 1 auth_audit:1

# Example: share /usr/local/samba/data accessible only to 'smb-data' group
[data]
path = /usr/local/samba/data
valid users = @smb-data
writable = yes
browsable = yes
read only = no
guest ok = no
public = no
create mask = 0666
directory mask = 0755

# Example: share /usr/local/samba/data accessible only to 'smb-media' group
[media]
path = /usr/local/samba/media
valid users = @smb-media
writable = yes
browsable = yes
read only = no
guest ok = no
public = no
create mask = 0666
directory mask = 0755

Add Samba User

Finally, we must add the user philip to Samba. This is achieved with the smbpasswd command.

smbpasswd -a philip

Start Samba Server

Everything is now set up, so it is just a matter of starting the Samba service.

root@freebsd120:~ # service samba_server start
Performing sanity check on Samba configuration: OK
Starting nmbd.
Starting smbd.
root@freebsd120:~ # 

Test Connection From Client

philip can log into the smb-data share, as he is a member of smb-data group. He cannot log into the smb-media share, as he is not a member of smb-media group.

This can be verified in the log file: /var/log/samba4/log.smbd

[2019/11/17 18:22:00.148954,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

Further Reading

While the popular “Using Samba” from O’Reilly seems to be everywhere, it is a little dated. Marcelo Leal’s “Implementing Samba 4” is a worthwhile read as it covers new topics such as Active Directory Services and other advanced topics.