Samba (SMB/CIFS)
What Is It?
Samba is the open-source Linux implementation of the SMB (Server Message Block) protocol. SMB was originally developed by IBM and later extended by Microsoft as the standard file-sharing protocol for Windows environments. Samba allows Linux servers to share files and printers with Windows clients — and with other Linux machines using the CIFS (Common Internet File System) driver.
Unlike NFS (which is Unix-centric and authentication-free by default), Samba requires username and password authentication for access. It is commonly used in environments with mixed Windows and Linux clients, or wherever password-protected share access is needed.
Installation
dnf install samba samba-client cifs-utils
| Package | Purpose |
|---|---|
| samba | The Samba server daemon (smbd, nmbd) |
| samba-client | Client tools (smbclient, smbpasswd) |
| cifs-utils | Kernel support for mounting CIFS/SMB shares (mount.cifs) |
Key Files and Directories
| Path | Purpose |
|---|---|
| /etc/samba/smb.conf | Main Samba configuration file |
| /var/log/samba/ | Samba log files |
| /var/lib/samba/ | Samba runtime state (passdb, etc.) |
Configuration
Minimal Working Configuration
Add a share section to /etc/samba/smb.conf:
[sysadm]
comment = Samba share for sysadmin lab
path = /data/samba
valid users = @samba_group
browsable = yes
writable = yes
Then create the group, add users, set permissions, and set the SELinux context:
groupadd samba_group
usermod -aG samba_group scoring
smbpasswd -a scoring # set Samba password for scoring user
chmod -R 0755 /data/samba # 0755 leaves the group read-only on disk; writes by samba_group members need 0775
chown -R root:samba_group /data/samba
chcon -t samba_share_t /data/samba
Important Directives
Global section ([global]) — applies server-wide:
| Directive | Meaning |
|---|---|
| workgroup | Windows workgroup or domain name |
| server string | Description shown when browsing |
| security = user | Use username/password authentication (default) |
| log file | Path to log file |
| max log size | Log rotation size in KB |
Share section ([sharename]) — one per share:
| Directive | Meaning |
|---|---|
| path | Directory on the server to share |
| comment | Human-readable description |
| valid users | Comma-separated users or @groupname (@ prefix means group) |
| browsable | Whether the share appears in network browse lists |
| writable | Whether clients can write to the share |
| read only | Inverse of writable |
| create mask | Permissions for files created via the share |
| directory mask | Permissions for directories created via the share |
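To review these share directives across a whole configuration, the following added example (not part of the original page or of Samba itself) parses smb.conf text and flags shares that have no valid users list or whose masks let the world-write bit through. The [scratch] share and the function names are constructed for illustration; backslash line continuations and include directives are assumed absent.

```python
import configparser

TRUE = {"yes", "true", "on", "1"}  # boolean spellings accepted in smb.conf

# Constructed sample: the page's [sysadm] share plus a hypothetical weak [scratch] share.
SAMPLE_CONF = """
[global]
    workgroup = WORKGROUP

[sysadm]
    path = /data/samba
    valid users = @samba_group
    writable = yes

[scratch]
    path = /data/scratch
    read only = no
    create mask = 0666
"""

def is_writable(sec):
    writable = False  # Samba default is read only = yes
    for key, val in sec.items():
        on = val.strip().lower() in TRUE
        if key in ("writable", "writeable", "write ok"):
            writable = on
        elif key == "read only":  # inverse of writable; a later synonym overrides
            writable = not on
    return writable

def audit_shares(conf_text):
    """Return {share: [findings]} for share sections with weak access settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    # Strip indentation so configparser does not treat options as continuation lines.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    findings = {}
    for name in (s for s in cp.sections() if s.lower() != "global"):
        sec, issues = cp[name], []
        if not sec.get("valid users", "").strip():
            mode = "writable" if is_writable(sec) else "read-only"
            issues.append(f"{mode} share with no valid users list")
        for key in ("create mask", "directory mask"):
            if key in sec and int(sec[key], 8) & 0o002:
                issues.append(f"{key} allows the world-write bit")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit_shares(open("/etc/samba/smb.conf").read())` on a server reports only the shares that need attention; an empty result means every share names its valid users and no mask passes world write.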
Common Commands
# Verify smb.conf syntax
testparm
# Start and enable Samba (smbd handles file sharing, nmbd handles browsing)
systemctl enable --now smb nmb
# Add or change a Samba password for a system user
smbpasswd -a <username>
# List available shares on a server (including your own)
smbclient -L //localhost -U <username>
# Mount a Samba share (client)
mount -t cifs -o username=<user> //<server-ip>/<sharename> /mnt/samba
# Unmount
umount /mnt/samba
Logging and Debugging
# View Samba service logs
journalctl -u smb
journalctl -u nmb
# Check log files directly
tail -f /var/log/samba/log.smbd
# Verify config file syntax
testparm
Common issues:
- NT_STATUS_LOGON_FAILURE — wrong password, or the user does not have a Samba password (smbpasswd -a <user>)
- NT_STATUS_ACCESS_DENIED — user is not in valid users, or permissions/SELinux context are wrong
- Share not visible in smbclient -L — smb service not running, or user not in valid users
- mount error(13): Permission denied — same as access denied above
Security Considerations
Firewall ports:
firewall-cmd --add-service=samba --permanent
firewall-cmd --reload
This opens ports 139 (NetBIOS session) and 445 (SMB direct). Alternatively:
firewall-cmd --add-port=139/tcp --permanent
firewall-cmd --add-port=445/tcp --permanent
firewall-cmd --reload
SELinux context: Directories shared by Samba must have the samba_share_t SELinux type, or SELinux will block access even if file permissions are correct:
chcon -t samba_share_t /data/samba
# Make it persistent across relabels:
semanage fcontext -a -t samba_share_t "/data/samba(/.*)?"
restorecon -Rv /data/samba
Samba passwords are separate from Linux system passwords. A user must exist as a Linux user AND have a Samba password set via smbpasswd -a.
Further Reading
Related Documentation
- Concepts: Filesystems
- SOPs: Filesystem Management