Sharing folders in a home network with Samba

Samba is a great tool to share files and folders between computers. Distributions that emphasize ease-of-use, such as Ubuntu, offer comfortable graphical user interfaces to share folders with a few mouse clicks. However, if you, like me, are not a professional network administrator, it is easy to overlook that Samba requires you to set up user permissions correctly at four different places. If you omit one, you will experience lots of ‘access denied’ and other errors.

In the following, I assume that you have already set up a Samba server and implemented basic security measures.

To share a folder, you need to do four things:

Add a user to the system that runs the Samba server.
Add this user to the Samba user configuration.
Share a specific folder with this user.
Make sure that file system permissions are appropriately set.

Add a user account to the system running the server

When I set up my server, I overlooked that external users need to be made known to the server system in two places, first as a system user, and second as a Samba user. It is not sufficient to just add a Samba user if there is no corresponding user account on the server system.

For the purpose of the demonstration, let’s assume that you want to share folders with your spouse.

$ sudo adduser spouse
[sudo] password for daniel: 
Adding user 'spouse' ...
Adding new group 'spouse' (1003) ...
Adding new user 'spouse' (1002) with group 'spouse' ...
Creating home directory '/home/spouse' ...
Copying files from '/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for spouse
Enter the new value, or press ENTER for the default
  Full Name []: 
  Room Number []: 
  Work Phone []: 
  Home Phone []: 
  Other []: 
Is the information correct? [Y/n]

To prevent creating a dedicated home directory and local logins, use this variant of the command:

$ sudo adduser --no-create-home --disabled-login --shell /bin/false spouse

Add a Samba user

To enable this newly created user to log into the Samba server, you need to add it using a special command, because user accounts are not automatically synchronized between the operating system and the Samba server. The smbpasswd takes care of adding Samba users.

$ sudo smbpasswd -a spouse
[sudo] password for daniel: 
New SMB password:
Retype new SMB password:
Added user spouse.

Make use of the pdbedit program to verify that the new Samba user exists:

$ sudo pdbedit -L
spouse:1002:
daniel:1000:Daniel Kraus

One way to share a folder is to use the graphical tool in Ubuntu by right-clicking on a folder name and choosing Local Network Share:

Nautilus context menu

Alternatively, you can issue a terminal command, which also allows you to specify which users have access to the folder:

$ sudo net usershare add documents /home/daniel/Documents "Daniel's documents"
everyone:d,daniel:f,spouse:f

This enables sharing of Daniel’s Documents folder under the name ‘documents’, but access is denied to everyone (everyone:d) except for users ‘daniel’ and ‘spouse’, who both have full read/write access (f). See man net for details.

Unfortunately, there does not seem to be a comfortable way to edit existing usershares; if you want to modify a share, you need to run the command again, with different options.

Set file system permissions

At this point, user ‘spouse’ should be able to log into the Samba server on Daniel’s laptop by clicking on “Connect to server” in the file manager:

Connecting to a Samba server (note that the `spouse @` part can be omitted if the spouse has identical user names on both her own computer and the Samba server

However, when you attempt to open the shared folder, the spouse will likely see a username/password prompt that she cannot overcome. This is because file system permissions need to be set on the folder.

At this point, Linux’ ability to add users to groups comes in handy.

$ sudo addgroup family
Adding group `family' (GID 1004) ...
Done.
$ sudo addgroup spouse family
Adding user `spouse' to group `family' ...
Adding user spouse to group family
Done.

Once you have created a group (family in this example) and added at least the user who is going to connect to the server, you can set the file permissions on the folder:

$ chgrp family Documents
$ chmod 750 Documents

The above command will grant the owner of the Documents folder full access, and allow members of the family group to enter the folder and read it.