Linux - How to Create a New Samba User and Share

I have recently connected my network to a friend's network so that we can share services between our infrastructures. However, when you are the only one using the services within your network, security is sometimes a bit lax (although this is not recommended).

The presence of someone else lurking in your network creates a sense of insecurity and I am suddenly feeling paranoid about safeguarding my systems as much as I can.

Although my friend himself is not a threat, we need to consider the possibility of him falling victim to a hack, and we do not want to see the bad guys jumping from his network to ours.

With that in mind, I am going to redesign a system that has a couple of folders shared on the network, to accommodate access for my friend while being as secure as possible.

First, we need to create a new user in the Linux system.

sudo useradd -c 'Geraldo IPSECVPN Access' -M -N -s /bin/false geraldo
Usage: useradd [options] LOGIN

Let's break down the command to add the new user.

-c : Comment to describe the user.

-M : do not create the user's home directory.

-N : do not create a group with the same name as the user.

-s : login shell of the new account. It is set to /bin/false because the user does not need a shell on the system.

We will now set a password for the new user.

sudo passwd geraldo
Usage: passwd [options] [LOGIN]

Let's confirm that the user has been created.

getent passwd | grep geraldo
geraldo:x:1001:132:Geraldo IPSECVPN Access:/home/geraldo:/bin/false

We can now add the user to the sambashare group.

sudo adduser geraldo sambashare

We need to make sure that the new user is part of the sambashare group.

getent group sambashare
sambashare:x:132:tiago,geraldo

Finally, we will lock the account so that this Samba user cannot log in to the host itself, which reduces the security risk for the host system.

sudo usermod -L geraldo
-L, --lock | lock the user account.
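
The account settings from the steps above can be checked in one pass. This is an added example, not part of the original tutorial: it reads records in passwd, shadow and group format, and the shadow records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the hardening applied to the Samba-only account.
# The records below are constructed samples. On a live host feed the real ones:
#   getent passwd geraldo; sudo getent shadow geraldo; getent group sambashare
PASSWD_LINE='geraldo:x:1001:132:Geraldo IPSECVPN Access:/home/geraldo:/bin/false'
SHADOW_LOCKED='geraldo:!$6$CONSTRUCTED$CONSTRUCTEDHASH:18914:0:99999:7:::'
SHADOW_OPEN='geraldo:$6$CONSTRUCTED$CONSTRUCTEDHASH:18914:0:99999:7:::'
GROUP_LINE='sambashare:x:132:tiago,geraldo'

# field N RECORD: print colon-separated field N of RECORD
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# audit_account PASSWD SHADOW GROUP: print findings, exit status = failed checks
audit_account() (
  fails=0
  user=$(field 1 "$1"); gid=$(field 4 "$1"); shell=$(field 7 "$1")
  # An empty shell field means the system default shell, so it counts as a login shell
  case "$shell" in
    */false|*/nologin) echo "ok: non-login shell $shell" ;;
    *) echo "FAIL: $user has login shell '$shell'"; fails=$((fails + 1)) ;;
  esac
  # usermod -L puts '!' in front of the hash in /etc/shadow
  case "$(field 2 "$2")" in
    '!'*) echo "ok: Unix password locked" ;;
    *) echo "FAIL: Unix password is usable"; fails=$((fails + 1)) ;;
  esac
  # Membership comes from the group's member list or from the primary GID
  case ",$(field 4 "$3")," in
    *",$user,"*) echo "ok: listed in $(field 1 "$3")" ;;
    *) if [ "$gid" = "$(field 3 "$3")" ]; then
         echo "ok: primary group is $(field 1 "$3")"
       else
         echo "FAIL: not in $(field 1 "$3")"; fails=$((fails + 1))
       fi ;;
  esac
  exit "$fails"
)

audit_account "$PASSWD_LINE" "$SHADOW_LOCKED" "$GROUP_LINE"
```

The Samba password added later with smbpasswd -a is stored separately from /etc/shadow, so the locked Unix password does not affect SMB logins.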

Since this tutorial is not an in-depth explanation of how to install and configure Samba, I will paste my smb.conf file and briefly explain it.

[global]
  workgroup = infoitech
  server string = HV1 - Games
  security = user
  # map to guest = Never | default 
  log file = /var/log/samba/%m.log
  max log size = 50
  printcap name = /dev/null
  load printers = no

# Samba Shares
[home]
  comment = Tiago home folder
  valid users = tiago
  path = /home/tiago
  browseable = yes

[games]
  comment = Games Folder
  path = /media/games/
  valid users = @sambashare
  browseable = yes
  force group = sambashare
  create mask = 0770
  directory mask = 0770
  read only = no
/etc/samba/smb.conf

valid users = @sambashare : only users that are members of the sambashare group are allowed to log in to this share.

force group = sambashare : all new files and folders created in the shared folders are assigned to the sambashare group.

create mask & directory mask : newly created files and folders get at most read, write and execute permissions for the owner and group, and no permissions for others.
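
A quick audit of the share options discussed above, added here as an example and not taken from the original tutorial: it parses smb.conf-style text and flags shares without valid users, with guest access, or with masks that leave permissions for others. The [public] share and its path are a constructed weak share for contrast, and the parser is simplified (no include files, and no option synonyms beyond public).

```shell
#!/bin/sh
# Added example: flag weak share definitions in smb.conf-style text.
# SAMPLE_CONF is constructed: [games] follows this tutorial, [public] is a
# hypothetical weak share added for contrast.
SAMPLE_CONF='[global]
  security = user
[games]
  path = /media/games/
  valid users = @sambashare
  force group = sambashare
  create mask = 0770
  directory mask = 0770
[public]
  path = /srv/public
  guest ok = yes
  create mask = 0777'

# audit_shares: read smb.conf text on stdin, print one finding per line
audit_shares() {
  awk '
    function check_mask(k) {
      # A non-zero last octal digit leaves permission bits for "others"
      if (opt[k] ~ /[1-7]$/) print share ": " k " " opt[k] " leaves permissions for others"
    }
    function report() {
      if (share != "" && share != "global") {
        if (opt["valid users"] == "") print share ": no valid users restriction"
        if (opt["guest ok"] == "yes" || opt["public"] == "yes") print share ": guest access enabled"
        check_mask("create mask"); check_mask("directory mask")
      }
      split("", opt)   # portable way to clear the array for the next share
    }
    /^[ \t]*([#;]|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[/ { report(); share = tolower($0)     # new [section]
                  gsub(/^[ \t]*\[|\].*$/, "", share); next }
    { i = index($0, "="); if (i == 0) next
      k = tolower(substr($0, 1, i - 1)); v = tolower(substr($0, i + 1))
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      opt[k] = v }
    END { report() }
  '
}

printf '%s\n' "$SAMPLE_CONF" | audit_shares
```

On a live host, the output of testparm -s can be piped into audit_shares to check the configuration Samba actually loads.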

The permissions for the folder games are:

tiago@hv1-storage-bulk:/media$ ll 
total 16
drwxr-xr-x   4 root  root       4096 Oct 14 12:49 ./
drwxr-xr-x  20 root  root       4096 Oct 18  2020 ../
drwxrwx---   4 tiago sambashare 4096 Oct 14 13:06 games/
/media/
tiago@hv1-storage-bulk:/media/games$ ll
total 16
drwxrwx---  4 tiago sambashare 4096 Oct 14 13:06 ./
drwxr-xr-x  4 root  root       4096 Oct 14 12:49 ../
drwxrwx---  9 tiago sambashare 4096 Oct 14 13:21 games_01/
drwxrwx--- 16 tiago sambashare 4096 Oct 14 13:21 games_02/
/media/games

I had to create the folder /media/games because it seems that the folder /media/tiago was created by the system and has special permissions that prevented the new user from browsing it.

Also, here are the fstab entries for the mounts:

### GAMES_01 ###
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part3 /media/games/games_01 ext4 defaults 0 0
################

### GAMES_02 ###
/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-part4 /media/games/games_02 ext4 defaults 0 0
################
/etc/fstab

We need to restart the Samba server after the changes.

sudo systemctl restart smbd

And finally, add the new user to the local Samba users list.

sudo smbpasswd -a geraldo
New SMB password:
Retype new SMB password:
Added user geraldo.

Let's test the connection:

tiago@desktop ~ (main)> smbclient \\\\192.168.25.10\\games -U geraldo
Enter WORKGROUP\geraldo's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Oct 14 13:06:32 2021
  ..                                  D        0  Thu Oct 14 12:49:20 2021
  games_01                            D        0  Thu Oct 14 13:21:22 2021
  games_02                            D        0  Thu Oct 14 13:21:57 2021

                134672104 blocks of size 1024. 41861420 blocks available
smb: \> exit

We have now completed the creation of a new Samba user and adjusted the shares with some extra security.

A future project will be to create a central credentials system, such as a database or RADIUS server, so that instead of creating local users on each system we can add users to a centralised system, which will make management much easier.
