Linux - How to Create a New Samba User and Share

I have recently connected my network to a friend's network in order for us to share services between our infrastructures. However, when you have only you using the services within your network, security sometimes is a bit lax ( although not recommended ).

The presence of someone else lurking in your network creates a sense of insecurity and I am suddenly feeling paranoid about safeguarding my systems as much as I can.

Although, my friend himself is not a threat, we need to consider the possibility of him falling victim of a hack and we do not want to see the bad guys jumping from his network to ours.

With that in mind, I am going to redesign a system that has a couple of folders shared with network to accommodate access to my friend and be as secure as possible.

First, we need to create a new user in the linux system.

sudo useradd -c 'Geraldo IPSECVPN Access' -M -N -s /bin/false geraldo
Usage: useradd [options] LOGIN

Let's break down the command to add the new user.

-c : Comment to describe the user.

-M : do not create the user's home directory.

-N : do not create a group with the same name as  the user.

-s : login shell of the new account. It is set to false because the user do not need a shell on the system.

We now will define a password for the new user.

sudo passwd gerlado
Usage: passwd [options] [LOGIN]

Let's confirm if the user has been created.

getent passwd | grep geraldo
geraldo:x:1001:132:Geraldo IPSECVPN Access:/home/geraldo:/bin/false

We can now add the user to the sambashare group.

sudo adduser geraldo sambashare

We need to make sure that the new user is part of the sambashare group.

getent group sambashare
sambashare:x:132:tiago,geraldo

Finally, we will lock the user to avoid that this samba user could login and reduce the security risks for the host system.

sudo usermod -L geraldo
-L, --lock | lock the user account.

Since this tutorial is not an in depth explanation of how to install and configure Samba, I will paste my smb.conf file and briefly explains it.

[global]
  workgroup = infoitech
  server string = HV1 - Games
  security = user
  # map to guest = Never | default 
  log file = /var/log/samba/%m.log
  max log size = 50
  printcap name = /dev/null
  load printers = no

# Samba Shares
[home]
  comment = Tiago home folder
  valid users = tiago
  path = /home/tiago
  browseable = yes

[games]
  comment = Games Folder
  path = /media/games/
  valid users = @sambashare
  browseable = yes
  force group = sambashare
  create mask = 0770
  directory mask = 0770
  read only = no
/etc/samba/smb.conf

valid users = @sambashare : only users that are members of the sambashare group will be allowed login to this share.

force group = sambashare : We are forcing the group sambashare to all new files and folders created on the shared folders.

create mask & directory mask : are forcing that all files and folders created have read, write and execute for the owner & group and others no permissions.

The permissions for the folder games are:

tiago@hv1-storage-bulk:/media$ ll 
total 16
drwxr-xr-x   4 root  root       4096 Oct 14 12:49 ./
drwxr-xr-x  20 root  root       4096 Oct 18  2020 ../
drwxrwx---   4 tiago sambashare 4096 Oct 14 13:06 games/
/media/
tiago@hv1-storage-bulk:/media/games$ ll
total 16
drwxrwx---  4 tiago sambashare 4096 Oct 14 13:06 ./
drwxr-xr-x  4 root  root       4096 Oct 14 12:49 ../
drwxrwx---  9 tiago sambashare 4096 Oct 14 13:21 games_01/
drwxrwx--- 16 tiago sambashare 4096 Oct 14 13:21 games_02/
/media/games
I had to create the folder /media/games because it seems that the folder /media/tiago was created by the system and has special permissions that prevented the new user to browse due to lack of permissions.

Also, here's the fstab entries for the mounts :

### GAMES_01 ###
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 /media/games/games_01 ext4 defaults 0 0
################

### GAMES_02 ###
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part4 /media/games/games_02 ext4 defaults 0 0
################
/etc/fstab

We need to restart the Samba server after the changes.

sudo systemctl restart smbd

And finally, add the new user to the local Samba users list.

sudo smbpasswd -a geraldo
New SMB password:
Retype new SMB password:
Added user geraldo.

Let's test the connection :

tiago@desktop ~ (main)> smbclient \\\\192.168.25.10\\games -U geraldo
Enter WORKGROUP\geraldo's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Oct 14 13:06:32 2021
  ..                                  D        0  Thu Oct 14 12:49:20 2021
  games_01                            D        0  Thu Oct 14 13:21:22 2021
  games_02                            D        0  Thu Oct 14 13:21:57 2021

                134672104 blocks of size 1024. 41861420 blocks available
smb: \> exit

We have now completed the creation of a new Samba user and adjusted the shares with some extra security.

A future project will be to create a central credentials systems like a database or radius server and instead of creating local users into the system we can add users to a centralised system that will make management much easier.

RESOURCES

Disable a user’s login without disabling the account
Let’s say I create a user named “bogus” using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account. In short, I want the account to be
How to Add a Samba User in Linux
A new user needs to be added as a samba user in Linux to be able to access the samba share. The user connect using a samba password and access the shared resources.
List Samba users?
So yesterday evening I was pulling my hair out (figuratively -- I’m bald) for over an hour trying to figure out why smbpasswd kept rejecting my attempts to reset the password for one of my Samba us...
Difference between “chmod 775” and “chmod 2755″
What is the difference between chmod 775 and chmod 2755?
How can I create a non-login user?
I’d like to create a user and a group both called subversion on a RHEL 5 system. I looked at the man page for useradd and I guess the command would be just be... useradd subversion However, not s...

https://linuxize.com/post/how-to-list-users-in-linux/

https://linuxize.com/post/how-to-list-groups-in-linux/

Best practice for shared directory on server (samba windows 10 clients)
Setting up file sharing on Linux server (Ubuntu) with Samba for Windows 10 clients. Originally setup this environment 7 years ago on Fedora server, but I am uncertain that I did it in the best prac...
smb.conf
Can fstab options uid and gid be the user-group name or must they be numeric?
I’m learning how to set up a tmpfs in fstab for my www-data user and I was wondering if I can use the actual user/group name instead if the numeric ids (personal preference)? I’m on Debian with ex...
Make Samba Go Faster - Amahi Wiki

Share Tweet Send
0 Comments
Loading...
You've successfully subscribed to Infoitech - [B]logging
Great! Next, complete checkout for full access to Infoitech - [B]logging
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.