This post uses Samba version 4.1.6-Ubuntu (the version in use on Ubuntu 14.04 LTS Server at the time of this writing) to set up Samba (SMB) shares from a drive attached to a server on a local network. Three shares will be created: dropbox, hub, and restricted, which correspond to directories of the same names on the attached drive (although the names of shares and directories can differ).
The dropbox share will allow any user to connect and read, add, and remove objects from it. The hub share will allow any user to connect and read files, but only listed users will have the ability to add and remove them. Finally, the restricted share will only allow access and privileges to certain users.
Mount the Drive in the File System
First, find and mount the drive that will host the shares in the file system. Use lsblk to print the device list, then mount the device. In our example, the device that represents our drive is /dev/sdb1.
> lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 149G 0 disk
├─sda1 8:1 0 145.1G 0 part /
├─sda2 8:2 0 1K 0 part
└─sda5 8:5 0 3.9G 0 part [SWAP]
sdb 8:16 0 1.8T 0 disk
└─sdb1 8:17 0 1.8T 0 part
> sudo mount /dev/sdb1 /media/share
To automatically mount this device, grab the UUID of the disk with blkid and add it to the /etc/fstab file (I’m using vim, but use whatever text editor you like). Once the fstab file has been edited correctly, the drive will be mounted automatically during system start up.
> sudo blkid
/dev/sda1: UUID="ed9feafe-6654-4173-9967-7b6fe43581b5" UUID_SUB="532b088c-66f9-4ca2-8664-d80ff7612891" TYPE="btrfs"
/dev/sda5: UUID="678e7a38-6367-4305-929f-b96ae36d7329" TYPE="swap"
/dev/sdb1: LABEL="Black" UUID="46E6328FE6327EED" TYPE="ntfs"
> sudo vim /etc/fstab
Add the following line to fstab, save and close the file.
UUID=46E6328FE6327EED /media/share ntfs defaults 0 2
Creating the Share and Controlling Access
Before we begin editing the Samba configuration file, it’s a good idea to make a backup of the original. Also, access to the share is controlled by Samba, so we also need to create users within the Samba program.
> sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
> sudo smbpasswd -a [user]
New SMB password:
Retype new SMB password:
Added user [user].
The following are the definitions of the shares we’ve set out to create:
dropbox
Before defining our dropbox, we change the ownership of the /media/share/dropbox directory to facilitate the requirement that anyone can access/read/write/delete files and directories. In this case, I’ve chosen to set the nobody user and nogroup group as having ownership of the dropbox.
> sudo chown nobody:nogroup /media/share/dropbox
Now, we can create the definition of the share.
[dropbox]
path = /media/share/dropbox
browseable = yes
read only = no
guest ok = yes
force user = nobody
force group = nogroup
force create mode = 664
force directory mode = 775
The path directive tells where in the file system the share is located, and browseable determines whether or not the share will be advertised on the network (in the network neighborhood on Windows systems). By setting read only to ‘no’, we’ve declared that users who can access the share can write to it, and by setting guest ok to ‘yes’ we’re not restricting access.
By forcing the user and group to nobody and nogroup respectively, we ensure that files and directories created in the dropbox will be owned by the unprivileged POSIX user and group of those names. Forcing create mode makes sure files are created with read and write privileges for users accessing the share, and force directory mode makes sure directories are created with read, write, and execute permissions.
hub
[hub]
path = /media/share/hub
browseable = yes
read only = yes
guest ok = yes
write list = [user]
force user = nobody
force group = nogroup
force create mode = 664
force directory mode = 775
This share is a lot like the last one, but notice this share has been declared read only. This means that, although anybody can find and connect to the share, only those users listed in the write list can write new files and delete files within the share.
restricted
The restricted share will not be advertised on the network and only certain users will be allowed to access it. When these users do gain access, they will have read and write permissions on all files and full permissions on directories. Unix users that will have access to this share must be the user or in the group that the share forces users to use.
[restricted]
path = /media/share/restricted
browseable = no
read only = no
guest ok = no
valid users = [user]
force user = [user]
force group = restricted
force create mode = 664
force directory mode = 775
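To confirm that the three definitions grant the access described at the top of this post, the following added example (not part of the original post, and not Samba's own tooling) parses share stanzas and reports who can connect and who can write. The account name alice and the function names are assumptions made for illustration; the check reads only the parameters used in this post and ignores parameter synonyms and [global] defaults.

```python
import configparser

# Constructed sample: the access-control lines of the three shares in this
# post, with the [user] placeholder replaced by a made-up account, "alice".
SAMPLE_CONF = """
[dropbox]
browseable = yes
read only = no
guest ok = yes
[hub]
browseable = yes
read only = yes
guest ok = yes
write list = alice
[restricted]
browseable = no
read only = no
guest ok = no
valid users = alice
"""

def _yes(section, key, default):
    # Samba accepts yes/no, true/false and 1/0 for boolean parameters.
    return section.get(key, default).strip().lower() in ("yes", "true", "1")

def _names(section, key):
    return section.get(key, "").replace(",", " ").split()

def audit_shares(conf_text):
    """Summarise, per share, who can connect and who can write."""
    parser = configparser.ConfigParser(interpolation=None)  # keep % macros literal
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        if name == "global":
            continue  # server-wide settings, not a share
        s = parser[name]
        guest, read_only = _yes(s, "guest ok", "no"), _yes(s, "read only", "yes")
        valid = _names(s, "valid users")
        report[name] = {
            "hidden": not _yes(s, "browseable", "yes"),
            "guest_can_connect": guest,
            "guest_can_write": guest and not read_only,
            "connect_limited_to": valid,
            # On a read-only share only the write list may write.
            "who_writes": _names(s, "write list") if read_only
                          else valid or ["<anyone who can connect>"],
        }
    return report
```

A share that reports guest_can_write as true, as dropbox does here, accepts uploads and deletions from anyone who can reach the server, so it is the one to review first whenever the network boundary changes.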