Samba Full Documentation
This guide covers Samba installation and configuration for Linux, including creating shares, users, Windows integration, security, and remote access.
Install Samba
# Update packages
sudo apt update
# Install Samba
sudo apt install samba -y
sudo apt update
# Install Samba
sudo apt install samba -y
Check Samba Version
smbd --version
Create Share Directory
sudo mkdir -p /srv/samba/share
sudo chmod 777 /srv/samba/share
sudo chmod 777 /srv/samba/share
Edit Samba Configuration
sudo nano /etc/samba/smb.conf
# Add at the end of the file:
[Shared]
path = /srv/samba/share
browseable = yes
writable = yes
guest ok = yes
read only = no
# Add at the end of the file:
[Shared]
path = /srv/samba/share
browseable = yes
writable = yes
guest ok = yes
read only = no
Restart & Enable Samba Service
sudo systemctl restart smbd
sudo systemctl enable smbd
sudo systemctl enable smbd
Add Samba User (Optional)
# Add Linux user
sudo adduser myuser
# Add Samba password
sudo smbpasswd -a myuser
# Restrict share to this user
# In smb.conf, modify:
guest ok = no
valid users = myuser
sudo adduser myuser
# Add Samba password
sudo smbpasswd -a myuser
# Restrict share to this user
# In smb.conf, modify:
guest ok = no
valid users = myuser
Folder Permissions
sudo chown -R myuser:myuser /srv/samba/share
sudo chmod -R 770 /srv/samba/share
sudo chmod -R 770 /srv/samba/share
Allow Samba Through UFW
sudo ufw allow samba
sudo ufw reload
sudo ufw reload
Samba Ports & Network Access
# TCP ports for Samba
137, 138, 139, 445
# Allow only local subnet
sudo ufw allow from 192.168.1.0/24 to any port 445
137, 138, 139, 445
# Allow only local subnet
sudo ufw allow from 192.168.1.0/24 to any port 445
Access Samba Share from Windows
# Using IP address
\\192.168.1.20
# Using hostname
\\fileserver\Shared
\\192.168.1.20
# Using hostname
\\fileserver\Shared
Windows Network Discovery (wsdd)
sudo apt install wsdd
sudo systemctl enable wsdd
sudo systemctl start wsdd
sudo systemctl enable wsdd
sudo systemctl start wsdd
Remote Access via VPN
# Recommended for public IPs
# Set up WireGuard/OpenVPN on server or pfSense
# Connect Windows client to VPN
# Access Samba share as if on LAN: \\10.x.x.x\Shared
# Set up WireGuard/OpenVPN on server or pfSense
# Connect Windows client to VPN
# Access Samba share as if on LAN: \\10.x.x.x\Shared
Security Tips
# Never expose Samba directly to public internet
# Use VPN or SSH tunnel
# Limit access by subnet
sudo ufw allow from 192.168.1.0/24 to any port 445
# Use strong passwords for Samba users
sudo smbpasswd -a myuser
# Use VPN or SSH tunnel
# Limit access by subnet
sudo ufw allow from 192.168.1.0/24 to any port 445
# Use strong passwords for Samba users
sudo smbpasswd -a myuser
Test Samba Share
smbclient -L localhost
smbclient //localhost/Shared -U myuser
smbclient //localhost/Shared -U myuser
Check Samba Logs
sudo tail -f /var/log/samba/log.smbd
sudo tail -f /var/log/samba/log.nmbd
sudo tail -f /var/log/samba/log.nmbd
Disable Guest Access (Force Login)
# Edit Samba config
sudo nano /etc/samba/smb.conf
# Global settings
[global]
security = user
map to guest = never
# Share settings
[Shared]
guest ok = no
public = no
# Restart Samba
sudo systemctl restart smbd
sudo nano /etc/samba/smb.conf
# Global settings
[global]
security = user
map to guest = never
# Share settings
[Shared]
guest ok = no
public = no
# Restart Samba
sudo systemctl restart smbd
Restrict Access by IP
# Allow only local network
[global]
hosts allow = 192.168.1. 127.0.0.1
hosts deny = 0.0.0.0/0
# Restart Samba
sudo systemctl restart smbd
[global]
hosts allow = 192.168.1. 127.0.0.1
hosts deny = 0.0.0.0/0
# Restart Samba
sudo systemctl restart smbd
Bind Samba to Specific Interfaces
[global]
interfaces = lo eth0
bind interfaces only = yes
# Prevents exposure on unintended networks
interfaces = lo eth0
bind interfaces only = yes
# Prevents exposure on unintended networks
Disable SMB1 Protocol
[global]
min protocol = SMB2
# SMB1 is insecure and should never be used
min protocol = SMB2
# SMB1 is insecure and should never be used
Use Samba Groups
# Create group
sudo groupadd sambashare
# Add user to group
sudo usermod -aG sambashare myuser
# Update folder ownership
sudo chown -R root:sambashare /srv/samba/share
sudo chmod -R 770 /srv/samba/share
# Restrict in smb.conf
valid users = @sambashare
sudo groupadd sambashare
# Add user to group
sudo usermod -aG sambashare myuser
# Update folder ownership
sudo chown -R root:sambashare /srv/samba/share
sudo chmod -R 770 /srv/samba/share
# Restrict in smb.conf
valid users = @sambashare
Strict Firewall Rules
# Allow only LAN access
sudo ufw allow from 192.168.1.0/24 to any port 445
# Deny all other access
sudo ufw deny 445
# Reload firewall
sudo ufw reload
sudo ufw allow from 192.168.1.0/24 to any port 445
# Deny all other access
sudo ufw deny 445
# Reload firewall
sudo ufw reload
Protect Samba with Fail2Ban
# Install Fail2Ban
sudo apt install fail2ban -y
# Create Samba jail config
sudo nano /etc/fail2ban/jail.local
[samba]
enabled = true
port = 445
filter = samba
logpath = /var/log/samba/log.smbd
maxretry = 5
# Restart service
sudo systemctl restart fail2ban
sudo apt install fail2ban -y
# Create Samba jail config
sudo nano /etc/fail2ban/jail.local
[samba]
enabled = true
port = 445
filter = samba
logpath = /var/log/samba/log.smbd
maxretry = 5
# Restart service
sudo systemctl restart fail2ban
Enable Samba Logging
[global]
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
# Monitor logs
sudo tail -f /var/log/samba/log.smbd
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
# Monitor logs
sudo tail -f /var/log/samba/log.smbd
Clear Cached Credentials
# On Windows:
Control Panel → Credential Manager → Remove saved credentials
# On Linux (example):
rm -rf ~/.cache/samba
# Then reconnect to share
Control Panel → Credential Manager → Remove saved credentials
# On Linux (example):
rm -rf ~/.cache/samba
# Then reconnect to share
Hide Share from Network Browsing
[Shared]
browseable = no
# Users must manually enter path
\\192.168.1.20\Shared
browseable = no
# Users must manually enter path
\\192.168.1.20\Shared
Recommended Secure Setup
# Minimum secure config
guest ok = no
map to guest = never
min protocol = SMB2
valid users = @sambashare
# Network security
Allow only LAN (UFW + hosts allow)
# Access method
Use VPN (WireGuard) for remote access
# Never do this
DO NOT open port 445 to the internet
guest ok = no
map to guest = never
min protocol = SMB2
valid users = @sambashare
# Network security
Allow only LAN (UFW + hosts allow)
# Access method
Use VPN (WireGuard) for remote access
# Never do this
DO NOT open port 445 to the internet